Defining a Taxonomy of Social Network Spam

In the process of working on my thesis, I’ve had to write some new background content on the taxonomy of social network spam. I figured I would share these ideas here, since the probability of someone reading my search-indexed blog >> than the probability of someone reading a 150, non-indexed document. As usual, any views or opinions discussed herein are my own.

As the underground economy adapts its strategies to target users in social networks, attacks require three components: (1) account credentials, (2) a mechanism to engage with legitimate users (i.e. the victims that will be exploited to realize a profit), and (3) some form of monetizable content. The latter is typically a link that redirects a victim from the social network to a website that generates a profit via spamvertised products, fake software, clickfraud, banking theft, or malware that converts a victims machine or assets (e.g. credentials) into a commodity for the underground economy. With respect to Twitter, the underpinnings of each of these components can be outlined as follows:


What becomes apparent from this taxonomy is that, while there are several ways to engage with victims (and more constantly emerge as new features are added — such as Vine), the ingress and egress points of abuse are much fewer. For this reason, I typically advocate for anti-spam teams to develop URL-based defenses and at-registration time defenses. Strangling those two choke points collapses all the other pain points of social network spam and abuse which are arguably harder to solve given the diverse ways legitimate users engage one another within social networks.

The rest of this post spends a little time defining the different components of this abuse taxonomy.

Credentials — The Ingress Point

In order to interact users in a social network, criminals must first obtain credentials for either new or existing accounts. This has lead to a proliferation of fraudulent accounts — automatically generated credentials used exclusively to disseminate scams, phishing, and malware — as well as compromised accounts –- legitimate credentials that have fallen into the hands of miscreants, which criminals repurpose for nefarious ends. Notable sources of compromise include the brute force guessing of weak passwords, password reuse with compromised websites, as well as worms or phishing attacks that propagate within the network.

Engaging Victims

Any of the multitude of features on Twitter can be targets of abuse in a criminal’s quest for drawing an audience. While its possible to solve one facet of abuse, criminals are constantly evolving how they engage with users to leverage new features added to social networks as well as to adapt to defense mechanisms employed by online social network operators. The result is a reactive development cycle that never affords defenders any reprieve. To illustrate this point, here are just some ways in which criminals engage with users.

Mention Spam consists of sending an unsolicited @mention or @reply to a victim, bypassing any requirement of sharing a social connection with a victim. Spammers can either initiate a conversation or join an existing conversation to appear in the expanded list of tweets associated with a conversation between a victim and her followers.

Direct Message Spam is identical to mention spam, but requires that a criminal’s account be followed by a victim. As such, DM spam is typically used when an account has become compromised due to the low rate of fraudulent accounts (11% — “Suspended Accounts in Retrospect”) that form relationships with legitimate users.

Trend Poisoning relies on embedding popular #hashtags in a spam tweet, allowing the tweet to appear in real-time searches about breaking news and world events performed by victims. Even relevance-based searches can be gamed by inflating the popularity of a spam account or tweet, similar to search engine optimization.

Search Poisoning is identical to trend poisoning, but instead of emerging topics typified by #hashtags, spammers embed specific keywords/brands in their tweets such as “viagra” and “ipad”. From there, users that search for information relevant to a keyword/brand will be exposed to spam.

Fake Trends leverage the availability of thousands of accounts under the control of a single criminal to effectively generate a new trend. From there, victims looking at emerging content will be exposed to the criminal’s message.

Follow Spam occurs when criminal leverages an account to generate hundreds of relationships with legitimate users. The aim of this approach is to either have a victim reciprocate the relationship or at least view the criminal’s account profile which often has a URL embedded in its bio.

Favorite Spam relies on abusing functionality on Twitter which allows a user to favorite, or recommend, a tweet. Criminals will mass-favorite tweets from victims in the hopes they either reciprocate a relationship or view the criminal’s account profile, just like follow spam.

Fake Followers are distinct from follow spam, in that a criminal purchases relationships from the underground economy. The goal here is to inflate the popularity of a criminal’s account (often for SEO purposes).

Retweet Spam entails hundreds of spam accounts all retweeting another (spam) account’s tweet (often for SEO purposes).

Monetizing Victims

Profit lies at the heart of the criminal abuse ecosystem. Monetization strategies form a spectrum between selling products to a user with their consent to stealing from a victim without consent. In order to monetize a victim, users are funneled from Twitter to another website via a link. The exception to this rule is when abuse lacks a clear path for generating a profit. Examples of this are celebrities who buy fake followers to inflate their popularity (thus never requiring a link to achieve a payout — the payout is external to Twitter) as well as politically-motivated attacks such as censoring speech or controlling the message surrounding emerging trends (where the payout is political capital or damage control). While the latter attacks are realistic threats, the vast majority of abuse currently targeting social networks is more criminal in nature.

Spamvertised Products include advertisements for pharmacuticals, replica goods, and pirated software. Spam in this case is a means to an end to getting users to willingly buy products, freely offering their credit card information in return for a product.

Fake Software includes any malware or webpage that prompts a user to buy ineffectual software. The most prominent approach here is selling rogue antivirus, where users are duped into paying an annual or lifetime fee in return for “anti-virus” software that in fact provides no protection.

Clickfraud generates revenue by compromising a victim’s machine or redirecting their traffic to simulate legitimate traffic to pay-per-click advertisements. These ads typically appear on pages controlled by miscreants, while the ads are syndicated from advertising networks such as Google AdSense. Money is thus siphoned from advertisers into the hands of criminals.

Banking Theft, epitomized by information stealers such as Zeus or SpyEye, relies on installing malware on a victim’s machine or phishing their credentials in order to harvest sensitive user data including documents, passwords, and banking credentials. A criminal can then sell access to these accounts or liquidate the account’s assets.

Underground Infrastructure is the final source of potential profit. Instead of directly going after assets controlled by a victim (e.g. wealth, traffic, credentials), criminals can sell access to a victim’s compromised machine and convert it into a proxy or web host. Alternatively, criminals can sell installs of malware to the pay-per-install market or exploit-as-a-service market, whereby another criminal that specializes in one of the aforementioned monetization techniques utilizes the compromised machine, paying a small finders fee to the criminal who actually compromises a host.


The process of monetizing victims in social networks is a complex chain of dependencies. If any component of that chain should fail, spam and abuse cannot be profitable. To simplify the abuse process for spammers, an underground economy has emerged that connects criminals with parties selling a range of specialized products and services including spam hosting, CAPTCHA solving services, pay-per-install hosts, and exploit kits. Even simple services such as garnering favorable reviews or writing web page content are for sale.

Specialization within this ecosystem is the norm. Organized criminal communities include carders that siphon credit card wealth; email spam affiliate programs; and browser exploit developers and traffic generators. These distinct roles allow miscreants to abstract away certain complexities of abuse, in turn selling their speciality to the underground market for a profit.