#BotSpot: Sex And Sensibility

A horde of Jane Austen-quoting bots leads to Russian porn sites

Background: Some of the many Twitter accounts using the same profile picture (Source: Google). Foreground above: tweet by @keamalao, archived on May 30, 2018. Below: quote from Sense and Sensibility. (Source: Twitter / @keamalao / Google Books)

*Editor’s Note: All links included in this article are provided in the spirit of transparent, dispassionate, evidence-based, and open source research. However, some links included in this article are not suitable for all audiences.


There may be all the stylistic difference in the world between the novels of Jane Austen and twenty-first century pornography, but a major network of Twitter bots has bridged the gap.

@DFRLab identified a network of at least 35,000 accounts — quite possibly over 75,000 — whose purpose seems to be to steer users towards a cluster of pornographic chat sites registered in Russia. To mask their status as automated accounts, they quote snippets of text, many taken at random from Jane Austen’s “Sense and Sensibility.”

The botnet is of interest for its sheer size, the ways in which it tries to hide its presence from automated detection, and its origins: the great majority of accounts appear to have been hacked from genuine users and repurposed.

Blue-haired Bots

The first account identified in this network was @199975, screen name “Agnes Audley.” The account has been suspended, but is archived here. We discovered this account while assessing an account called @StoppingWW3, which was, at the time, the backup account of pro-Kremlin user @Ian56789.

Accounts followed by @StoppingWW3, including “Agnes Audley” at bottom right. Both accounts have since been suspended, but were archived on April 19, 2018. (Source: Twitter / @199975 / @StoppingWW3)

This was an obvious bot. A reverse search of its profile picture showed it was taken from webcam model Cortana Blue. Its posts were a mixture of soft pornography and retweets in various languages, including English, Swedish, Turkish, and Italian. It posted two shortened URLs in its bio and pinned tweet, with explicit sexual comments. (We analyze these URLs below.)

The reverse search also showed that a very large number of other Twitter accounts had the same profile picture.

Results of reverse search for the profile picture of “Agnes Audley.” (Source: Google)

Among them was @LanaLana05, screen name “Kelly Andrews,” which had a similar bio (albeit with a different URL) and a similar pinned tweet. This, too, was an obvious bot. The account only posted eighteen tweets since its creation in July 2012. Two, innocuous and in Russian, dated to April and May 2013; the next, pornographic and in English, was posted on February 14, 2018.

Early posts from @LanaLana05. Note the jump in date from May 8, 2013, to February 14, 2018. We have blurred the image to keep @DFRLab’s output safe for work. Account archived on May 30, 2018. (Source: Twitter / @LanaLana05)

Other accounts to use the same profile picture were @koczanattila (“Grace Kelly”), @landi_antonella (“Connie Andrews”), @chaesja (“Kelly Black”), @KeganWillard (“Stephanie Galbraith”), @the_zanna (“Beth Gilbert”) and @ermolaeva_olya (“Gladys Flatcher”).

Left to right, profile pages of @LanaLana05 (“Kelly Andrews”), @koczanattila (“Grace Kelly”), @landi_antonella (“Connie Andrews”), @chaesja (“Kelly Black”), @KeganWillard (“Stephanie Galbraith”), @the_zanna (“Beth Gilbert”) and @ermolaeva_olya (“Gladys Flatcher”), all archived on May 31 and June 3, 2018. (Source: Twitter)

These are visibly part of one network. All have the same profile picture. Six of the seven cited here, and many others with the same picture, have the same formula of bio (“Cosplay fan. Traveler,” or similar designations, plus an invitation to a website). All post the same sort of content, a mixture of multilingual retweets and similar or identical revealing photos.

All have creation dates ranging from 2011 to 2014, and their screen names do not match their handles; thus, @ermolaeva_olya’s screen name is “Gladys Flatcher,” rather than, for example, “Olya Ermolaeva.” Like @LanaLana05, @ermolaeva_olya’s posts jumped straight from innocuous Russian, in August 2012, to pornographic English, in March 2018.

Taken together, these features confirm that this is a botnet. Moreover, it is a botnet apparently built of hijacked accounts — accounts created by genuine users in the 2011–14 period, and then abandoned, to be taken over by bot herders at a later stage.

Hijacking accounts in this way allows bot herders to build up large networks without having to create masses of accounts at one time, and thus lets them avoid some of Twitter’s automated detection systems. Some effort seems to have been made to change the screen names to appropriate female ones, in keeping with the profile picture, and to delete some of the accounts’ earlier posts. It is likely that the remaining posts left in the timelines of @ermolaeva_olya and @LanaLana05 were an oversight.

Interestingly, three of the seven accounts here used “Kelly” as either a first name or family name. This suggests that the names were drawn from a list, with first and family names mixed at random to give them the appearance of individuality.

Quoting Austen

As we analyzed the network, we found more and more bots using other, similar biographies and profile pictures, of Cortana Blue and other models. Many shared one peculiar characteristic: they would periodically break off from their lingerie posts to quote fragments from Jane Austen’s Sense and Sensibility.

Thus, @bcdeeffg (screen name “Pamela Dodson,” profile picture Cortana Blue) tweeted, “saying but Lucy’s countenance” on May 21. As a check on Google Books shows, this phrase, properly punctuated, comes in a conversation between Elinor Dashwood and Lucy Steele.

Above: Tweet by @bcdeeffg, archived on May 30, 2018. Below: Quote from Sense and Sensibility. (Source: Twitter / @bcdeeffg / Google Books)

Account @keamalao (screen name “Rebecca Eddington,” profile picture Cortana Blue) tweeted, “anybody butmyself.’ Elinor smiled, and.” Properly punctuated, this, again, is a quote from the elder and more sensible (in the modern sense) of the two Misses Dashwood.

Above: Tweet by @keamalao, archived on May 30, 2018. Below: Quote from Sense and Sensibility. (Source: Twitter / @keamalao / Google Books)

Rebecca’s profile picture (or Cortana’s) was equally popular among Twitter users.

Results of reverse search of “Rebecca”’s profile picture. (Source: Google)

Bot @JikPoliPolansk (screen name “Amy Gibbs,” profile picture Danish model Natasha K Thomsen), meanwhile, tweeted, “ubject, Elinor?’ — hesitatingly itwas said. — Or w go,’” together with a shortened URL whose content would certainly have never made it into a Jane Austen novel.

Corrected, this — again — comes from dialog in Sense and Sensibility.

Above, tweet by @JikPoliPolansk, archived on May 30, 2018. Below, quote from Sense and Sensibility. (Source: Twitter / @JikPoliPolansk / Google Books)

The purpose of these tweets — some posted as tweets, some as replies — again appears to be to fool Twitter’s algorithm, which spots bots in a number of ways, including by the number of apparently authored posts they make. The bots have evidently been programmed to scrape Sense and Sensibility and post random phrases from it, to give the appearance of authentic behavior.

This suggests, at least, that the bot programmer has excellent literary taste.

Expanding The Network

In attempting to assess the size of the botnet, we began with this post from @LanaLana05, with a typographical error: the phrase “Wishes don’t work unless you do,” with the apostrophe replaced with an â.

Typos make for excellent targeted online searches, since they greatly reduce the likelihood of incidental posts being caught.

Post by @LanaLana05, with the giveaway typo, archived on May 30, 2018. (Source: Twitter / @LanaLana05)

Sure enough, a Twitter search for the phrase, including the typo, returned an apparently endless series of posts from accounts which also offered a variety of links to sex-chat sites, and which shared various pictures of Cortana Blue and Natasha Thomsen. We therefore considered this phrase, with the typo, diagnostic of the botnet.

We accordingly scanned it with the Sysomos online tool. Over the course of one year, and mostly since December 2017, this phrase, including the typo, was mentioned 25,468 times, by 21,800 users. The scan showed that 98.3 percent of those users had an authority score (a calculation based on an account’s interaction with others) of four or less, typical of bots. In an eyeball check of two dozen accounts, every one was a bot of the same type as “Kelly” and “Agnes.”

Authority scores for accounts which posted “Wishes donât work unless you do.” (Source: Sysomos)

The eyeball scan also revealed a number of other tweets with typos: “Love isn’t blind, it just only sees what matters;” “Never love anyone who treats you like you’re ordinary;” and “While I’m breathing — I love and believe.”

Tweets with typos by @brendi1059 (top two pictures) and @bcdeeffg (bottom picture), archived on May 30, 2018. (Source: Twitter / @brendi1059 / @bcdeeffg)

Sysomos searches for each of these unique posts, over the past year, returned a little over 8,000 mentions per search.

To confirm the size of the network, we listed all the accounts which posted any of the four texts containing a typo, and deleted all duplications.

The result was 35,306 unique accounts which posted one or more of these diagnostic tweets.

Meet the Yvonnes: some of the over 35,000 unique accounts in the list. (Source: Twitter, via Sysomos scan / @DFRLab)

Thus, the botnet contains at least 35,000 accounts. Even this is unlikely to be its full extent. Many of the bots we analyzed posted two other texts: “Be a bad ass with a good ass,” and variants on a theme of “x never looked so god damn fine” (where x could be “trouble,” “life,” “world,” “problem” and other nouns).

The former text generated 100,632 tweets from 81,500 users ; the latter, 94,261 tweets from 76,200 users. For both scans, upwards of 98 percent of users had the lowest authority levels, and an eyeball scan indicated dozens of bots in the network we have identified. Since these phrases could have been used by other users, they offer a lower degree of certainty. Nevertheless, it is likely that the botnet does number upwards of 75,000 accounts.

Likes, Tweets, and Porn

The botnet appears to have had overlapping purposes. Judging by the multilingual nature of the accounts’ retweets, they are likely to have been hired out to users who wanted amplification. Most followed dozens or hundreds of other accounts, making it likely that they also earned revenue as followers-for-hire.

The most consistent telltale, however, was the collection of shortened URLs they posted either in their pinned tweets or their biographies — such as the bit.ly link ending in -2IjeR7R, which @JikPoliPolansk added to Austen’s immortal prose. We have chosen not to give the full addresses here, to avoid giving the sites in question an SEO — search engine optimization — boost.

Expanded using the online tool checkshorturl.com, this gave a web address whose core element was the phrase local-chicks-here1.

Short and expanded version of the bit.ly link. (Source: checkshorturl.com)

This claims to be a sex site, rather than a dating site. A WhoIs search of the expanded URL returned a name and address in St. Petersburg, Russia.

WhoIs results for the local-chicks-here1 site. We have blurred the address and contact information. (Source: whois.icann.org)

A search for the same name on online tool website.informer.com revealed at least nine other dating sites owned by the same person.

(Source: website.informer.com)

Some of the bots in the network also advertised other sex sites. These included twichick.info, qoqo4.pro, checkmama.info, and go4date.info.

All ultimately redirected to the local-chicks-here1 site; three of them were registered with the Russian website registry reg.ru.

WhoIs records for go4date.info, checkmama.info and twichick.info, all registered via reg.ru. (Source: whois.icann.org)

The last, qoqo4.pro, also led back to Russia.

WhoIs information for qoqo4.pro, showing the registrant’s country (Russia) and city (Moscow). (Source: whois.icann.org)

It, therefore, appears that the network of chat and sex sites is based in Russia, and one of the purposes of the botnet is to advertise it to Twitter users. These chat sites are likely operated to generate revenue from clicks, or by charging users for part of the service.

While the addresses and accounts are different, the modus operandi is very similar to that identified by researcher Joseph Cox for Vice news in August 2016:

“This sprawling network of interconnected websites all came from just one Twitter account. It revealed a huge web constantly trying to to harvest your clicks and attention — perhaps to get you to hand over cash for extras, or pull together some advertising revenue.”

Conclusion

This botnet reveals the scale and the sophistication of the online porn operation. The botnet itself consists of at least 35,000 accounts, and possibly over 75,000.

It appears to have been built from hijacked accounts, rather than purpose-made ones, and set up with enough skill to scrape Jane Austen novels for random posts, in an attempt to evade automated detection.

The network of dating and sex sites behind it appears to be similarly sprawling, with over a dozen sites all leading back to the central node.

We cannot say whether the botnet was primarily designed to make money from likes, retweets and follows, or by steering users to the pornography sites. It is likely that it was meant to do both. It may even have served as a marketing A/B test, to see whether more money can be made from Twitter-based bot activity, or off-site pornography.

Either way, this is a commercial botnet, and cluster of sites, on a large scale. Perhaps its most impressive quality is the way it evaded detection by Twitter’s algorithms for so long.


Ben Nimmo is Senior Fellow for Information Defense at the Atlantic Council’s Digital Forensic Research Lab (@DFRLab).

Follow along for more in-depth analysis from our #DigitalSherlocks.