Skip to content

Trending tags

Yesterday, a colleague of mine, Eero Kurimo, told me about something odd he’d seen on Twitter. Over the past few days, a number of pictures of cute puppies had shown up on his timeline as promoted tweets. Here’s an example:

 

“Mainostettu” is the Finnish word Twitter uses to denote that a tweet has been promoted. Eero checked a few of the promoted tweets to find out why they had shown up on his timeline. One of them was targeted at people over 35 years of age living in Finland:

Another had been promoted at men living in Finland.

Humorously, Twitter didn’t translate the word “men” from English to Finnish.

Clearly someone is buying ads on Twitter to promote tweets that contain pictures of puppies. We observed four different accounts promoting tweets in this manner, and in each case, the promoted tweet contained nothing more than an image. As we were digging around the Twitter interface, we noticed that, as we were typing one of the account names (“SabrinaTaranti”) into the search dialog, Twitter auto-suggested a number of accounts with different numbers appended to the end of the username (“SabrinaTaranti1”, “SabrinaTaranti2”, “SabrinaTaranti3”, etc.) Some of those accounts still existed. Others had been suspended. All of the related accounts we found contained a profile picture, and a written description. They were also all created in April 2019. Some of these accounts followed others. This was interesting enough to do a bit more digging.

I wrote a script to look at the followers and following of the users we identified, plus the multiple “SabrinaTaranti…” users, searching for other accounts that:

  • were created during April 2019
  • contained a location field
  • contained a description
  • contained a profile picture
  • whose last tweet was an image with no text

The script also contained logic to search for other accounts with numbers at the end of the username. If a username ended with a one- or two-digit number, the script attempted to locate accounts ending in all numbers from 1 to 30.

Based on the above criteria, I found a total of 65 active accounts of interest. All of them were set up to look like accounts owned by female users, with US-sounding names, and US-based locations.

Here are their profile pictures:

Some of the accounts had duplicated description fields. Here are some examples of the descriptions used:

And here is a collage of the images posted in their most recent tweets:

My script also found 113 related accounts that Twitter has already suspended:

Additionally, I found 56 accounts similar to the above, that weren’t suspended, but that weren’t behaving in a similar manner to the other sock puppet accounts. For instance, they didn’t have profile pictures, descriptions, or locations set, or their last tweet wasn’t a picture with no text. These accounts, however, had the same exact “name” field as the others. Obviously, whoever created these sock puppets has decided to create multiple identical personas, perhaps to evade mass suspension. Here’s an example of a few of those other accounts:

 

The 65 sock puppet accounts identified haven’t published many tweets (between 8 and 28). In almost all cases, these accounts started their lives retweeting travel-related content (from accounts such as @NatGeoTravel), and motivational/inspirational quotes before switching to tweeting pictures of cats and dogs (with no text). Some accounts have retweeted content in other languages, suggesting that perhaps these sock puppets are being used to target Twitter users in other countries via a similar tweet promotion scheme.

As to why the owner of these sock puppet accounts has been paying to promote pictures of puppies, my guess is that they’re doing it to gain engagement and followers, in order to make the accounts more “legit”. Since all of the sock puppet accounts contain female avatars, I would imagine that the choice to target male Twitter users is to gather followers. One might speculate that people over 35 are more likely to engage with pictures of puppies, and hence that was the reason to target people over 35. Finland probably has a rather small Twitter user base (it isn’t a very popular platform here), and hence putting out ads to target certain demographics across the whole of Finland probably doesn’t cost much money.

Due to the inexpensive and relatively inconspicuous nature of this targeted ads campaign, it might just be an experiment to see what works, what doesn’t, and what gets accounts suspended by Twitter’s automation.

Whatever the sock puppet’s owners are trying to do, they’ve somewhat succeeded – people are liking and retweeting the pictures, and some of those accounts have gained followers.

I have no idea what these accounts will evolve into. They may start promoting goods and services, they may be used to perpetrate scams, or they could even be used to spread disinformation. Whatever does end up happening, this whole thing smells really fishy.

 

F-Secure Global

01.07.19 4 min. read

Categories

Leave a comment

Oops! There was an error posting your comment. Please try again.

Thanks for participating! Your comment will appear once it's approved.

Posting comment...

Your email address will not be published. Required fields are marked *

Highlighted article

Related posts

Newsletter modal

Thank you for your interest towards F-Secure newsletter. You will shortly get an email to confirm the subscription.

Gated Content modal

Congratulations – You can now access the content by clicking the button below.