A horde of Jane Austen-quoting bots leads to Russian porn sites
*Editor’s Note: All links included in this article are provided in the spirit of transparent, dispassionate, evidence-based, and open source research. However, some links included in this article are not suitable for all audiences.
There may be all the stylistic difference in the world between the novels of Jane Austen and twenty-first century pornography, but a major network of Twitter bots has bridged the gap.
@DFRLab identified a network of at least 35,000 accounts — quite possibly over 75,000 — whose purpose seems to be to steer users towards a cluster of pornographic chat sites registered in Russia. To mask their status as automated accounts, they quote snippets of text, many taken at random from Jane Austen’s “Sense and Sensibility.”
The botnet is of interest for its sheer size, the ways in which it tries to hide its presence from automated detection, and its origins: the great majority of accounts appear to have been hacked from genuine users and repurposed.
The first account identified in this network was @199975, screen name “Agnes Audley.” The account has been suspended, but is archived here. We discovered this account while assessing an account called @StoppingWW3, which was, at the time, the backup account of pro-Kremlin user @Ian56789.
This was an obvious bot. A reverse search of its profile picture showed it was taken from webcam model Cortana Blue. Its posts were a mixture of soft pornography and retweets in various languages, including English, Swedish, Turkish, and Italian. It posted two shortened URLs in its bio and pinned tweet, with explicit sexual comments. (We analyze these URLs below.)
The reverse search also showed that a very large number of other Twitter accounts had the same profile picture.
Among them was @LanaLana05, screen name “Kelly Andrews,” which had a similar bio (albeit with a different URL) and a similar pinned tweet. This, too, was an obvious bot. The account only posted eighteen tweets since its creation in July 2012. Two, innocuous and in Russian, dated to April and May 2013; the next, pornographic and in English, was posted on February 14, 2018.
Other accounts to use the same profile picture were @koczanattila (“Grace Kelly”), @landi_antonella (“Connie Andrews”), @chaesja (“Kelly Black”), @KeganWillard (“Stephanie Galbraith”), @the_zanna (“Beth Gilbert”) and @ermolaeva_olya (“Gladys Flatcher”).
These are visibly part of one network. All have the same profile picture. Six of the seven cited here, and many others with the same picture, have the same formula of bio (“Cosplay fan. Traveler,” or similar designations, plus an invitation to a website). All post the same sort of content, a mixture of multilingual retweets and similar or identical revealing photos.
All have creation dates ranging from 2011 to 2014, and their screen names do not match their handles; thus, @ermolaeva_olya’s screen name is “Gladys Flatcher,” rather than, for example, “Olya Ermolaeva.” Like @LanaLana05, @ermolaeva_olya’s posts jumped straight from innocuous Russian, in August 2012, to pornographic English, in March 2018.
Taken together, these features confirm that this is a botnet. Moreover, it is a botnet apparently built of hijacked accounts — accounts created by genuine users in the 2011–14 period, and then abandoned, to be taken over by bot herders at a later stage.
Hijacking accounts in this way allows bot herders to build up large networks without having to create masses of accounts at one time, and thus lets them avoid some of Twitter’s automated detection systems. Some effort seems to have been made to change the screen names to appropriate female ones, in keeping with the profile picture, and to delete some of the accounts’ earlier posts. It is likely that the remaining posts left in the timelines of @ermolaeva_olya and @LanaLana05 were an oversight.
Interestingly, three of the seven accounts here used “Kelly” as either a first name or family name. This suggests that the names were drawn from a list, with first and family names mixed at random to give them the appearance of individuality.
As we analyzed the network, we found more and more bots using other, similar biographies and profile pictures, of Cortana Blue and other models. Many shared one peculiar characteristic: they would periodically break off from their lingerie posts to quote fragments from Jane Austen’s Sense and Sensibility.
Thus, @bcdeeffg (screen name “Pamela Dodson,” profile picture Cortana Blue) tweeted, “saying but Lucy’s countenance” on May 21. As a check on Google Books shows, this phrase, properly punctuated, comes in a conversation between Elinor Dashwood and Lucy Steele.
Account @keamalao (screen name “Rebecca Eddington,” profile picture Cortana Blue) tweeted, “anybody butmyself.’ Elinor smiled, and.” Properly punctuated, this, again, is a quote from the elder and more sensible (in the modern sense) of the two Misses Dashwood.
Rebecca’s profile picture (or Cortana’s) was equally popular among Twitter users.
Bot @JikPoliPolansk (screen name “Amy Gibbs,” profile picture Danish model Natasha K Thomsen), meanwhile, tweeted, “ubject, Elinor?’ — hesitatingly itwas said. — Or w go,’” together with a shortened URL whose content would certainly have never made it into a Jane Austen novel.
Corrected, this — again — comes from dialog in Sense and Sensibility.
The purpose of these tweets — some posted as tweets, some as replies — again appears to be to fool Twitter’s algorithm, which spots bots in a number of ways, including by the number of apparently authored posts they make. The bots have evidently been programmed to scrape Sense and Sensibility and post random phrases from it, to give the appearance of authentic behavior.
This suggests, at least, that the bot programmer has excellent literary taste.
Expanding The Network
In attempting to assess the size of the botnet, we began with this post from @LanaLana05, with a typographical error: the phrase “Wishes donât work unless you do,” with the apostrophe replaced with an â.
Typos make for excellent targeted online searches, since they greatly reduce the likelihood of incidental posts being caught.
Sure enough, a Twitter search for the phrase, including the typo, returned an apparently endless series of posts from accounts which also offered a variety of links to sex-chat sites, and which shared various pictures of Cortana Blue and Natasha Thomsen. We therefore considered this phrase, with the typo, diagnostic of the botnet.
We accordingly scanned it with the Sysomos online tool. Over the course of one year, and mostly since December 2017, this phrase, including the typo, was mentioned 25,468 times, by 21,800 users. The scan showed that 98.3 percent of those users had an authority score (a calculation based on an account’s interaction with others) of four or less, typical of bots. In an eyeball check of two dozen accounts, every one was a bot of the same type as “Kelly” and “Agnes.”
The eyeball scan also revealed a number of other tweets with typos: “Love isnât blind, it just only sees what matters;” “Never love anyone who treats you like youâre ordinary;” and “While Iâm breathing â I love and believe.”
Sysomos searches for each of these unique posts, over the past year, returned a little over 8,000 mentions per search.
To confirm the size of the network, we listed all the accounts which posted any of the four texts containing a typo, and deleted all duplications.
The result was 35,306 unique accounts which posted one or more of these diagnostic tweets.
Thus, the botnet contains at least 35,000 accounts. Even this is unlikely to be its full extent. Many of the bots we analyzed posted two other texts: “Be a bad ass with a good ass,” and variants on a theme of “x never looked so god damn fine” (where x could be “trouble,” “life,” “world,” “problem” and other nouns).
The former text generated 100,632 tweets from 81,500 users ; the latter, 94,261 tweets from 76,200 users. For both scans, upwards of 98 percent of users had the lowest authority levels, and an eyeball scan indicated dozens of bots in the network we have identified. Since these phrases could have been used by other users, they offer a lower degree of certainty. Nevertheless, it is likely that the botnet does number upwards of 75,000 accounts.
Likes, Tweets, and Porn
The botnet appears to have had overlapping purposes. Judging by the multilingual nature of the accounts’ retweets, they are likely to have been hired out to users who wanted amplification. Most followed dozens or hundreds of other accounts, making it likely that they also earned revenue as followers-for-hire.
The most consistent telltale, however, was the collection of shortened URLs they posted either in their pinned tweets or their biographies — such as the bit.ly link ending in -2IjeR7R, which @JikPoliPolansk added to Austen’s immortal prose. We have chosen not to give the full addresses here, to avoid giving the sites in question an SEO — search engine optimization — boost.
Expanded using the online tool checkshorturl.com, this gave a web address whose core element was the phrase local-chicks-here1.
This claims to be a sex site, rather than a dating site. A WhoIs search of the expanded URL returned a name and address in St. Petersburg, Russia.
A search for the same name on online tool website.informer.com revealed at least nine other dating sites owned by the same person.
Some of the bots in the network also advertised other sex sites. These included twichick.info, qoqo4.pro, checkmama.info, and go4date.info.
All ultimately redirected to the local-chicks-here1 site; three of them were registered with the Russian website registry reg.ru.
The last, qoqo4.pro, also led back to Russia.
It, therefore, appears that the network of chat and sex sites is based in Russia, and one of the purposes of the botnet is to advertise it to Twitter users. These chat sites are likely operated to generate revenue from clicks, or by charging users for part of the service.
While the addresses and accounts are different, the modus operandi is very similar to that identified by researcher Joseph Cox for Vice news in August 2016:
“This sprawling network of interconnected websites all came from just one Twitter account. It revealed a huge web constantly trying to to harvest your clicks and attention — perhaps to get you to hand over cash for extras, or pull together some advertising revenue.”
This botnet reveals the scale and the sophistication of the online porn operation. The botnet itself consists of at least 35,000 accounts, and possibly over 75,000.
It appears to have been built from hijacked accounts, rather than purpose-made ones, and set up with enough skill to scrape Jane Austen novels for random posts, in an attempt to evade automated detection.
The network of dating and sex sites behind it appears to be similarly sprawling, with over a dozen sites all leading back to the central node.
We cannot say whether the botnet was primarily designed to make money from likes, retweets and follows, or by steering users to the pornography sites. It is likely that it was meant to do both. It may even have served as a marketing A/B test, to see whether more money can be made from Twitter-based bot activity, or off-site pornography.
Either way, this is a commercial botnet, and cluster of sites, on a large scale. Perhaps its most impressive quality is the way it evaded detection by Twitter’s algorithms for so long.
Ben Nimmo is Senior Fellow for Information Defense at the Atlantic Council’s Digital Forensic Research Lab (@DFRLab).
Follow along for more in-depth analysis from our #DigitalSherlocks.