Adult entertainment-themed Twitter bots – known as pornbots – have emerged as the most recent scourge on the social media service, creating big headaches for companies that use Twitter for outreach.
Analysts at Flashpoint found that the bot accounts (a mix of compromised accounts and accounts specifically created to advertise pornography) post tweets with hashtags containing trending topics or popular brand names, alongside random risqué terms with links to porn sites, escort services or video websites featuring online "cam girls.”
The effort is a high-volume one: Each of the observed pornbots posted tweets at a rapid cadence, with some posting more than 50 times per day. Most of the observed pornbot accounts boasted more than 10,000 tweets.
The unfortunate brands being mentioned in the bots’ ad campaigns suffer in at least two ways: potential reputational damage and distorted social media engagement campaign metrics.
“Companies often use hashtags to monitor the spread and reception of marketing campaigns and sponsored events,” said Rob Cook, senior analyst at Flashpoint. “More crucially, emergency services may use hashtag tracking to gain real-time insight into current situations during natural disasters and other crises. In a worst-case scenario, pornbots or other spambots could identify a trending hashtag and distort the conversation by sharing unrelated or false information.”
Multiple accounts were found to share similar bios and pinned tweets, which also contain links to adult content sites. Despite sending out high volumes of tweets, these accounts typically had fewer than 200 followers. The profile pictures were all obtained from public profiles on open-source websites, primarily Instagram and Pinterest. Reverse searches using Google Images indicated these stolen images were reused by multiple pornbots.
Flashpoint analysts identified three distinct sets of pornbots using identical hashtags, indicating that they were likely part of the same organized campaign. While similar in appearance and often using a common set of profile pictures across the groups, each promoted a different adult website. However, the three adult websites linked the profiles were hosted on one of two common servers, which may indicate the pornbots share a common origin.
“Related sets of pornbots systematically coordinated their tweets,” Cook explained. “One pornbot would post a tweet containing a hashtag, and other pornbots within its group would subsequently post tweets containing the same hashtag, followed by random and unrelated terms.”
In the positive column, Flashpoint analysts did not detect any malicious files on the servers hosting the websites advertised by the pornbots.
"This report was done when I started seeing a Twitter bot development. I was coming across a lot of accounts,” said Cook. “Additionally, clients were asking why their brand was being hashtagged; it was causing them unnecessary work researching it. Twitter bots are a profitable business: think of the ability to sell followers, influence trends and so forth. Think Russia and Twitter bots. All of these bots work in the same way, but the content being pushed is different.”
Cook said that brands can reduce the number of false detections and aid in validating social media metrics by asking their social media teams to identify and block pornbots and spambots following company social media accounts; this impacts the bots' ability to capture and retweet relevant and branded tweets. These accounts should also be reported through Twitter's abuse function. Additionally, social media teams and companies’ cyber-teams should notify each other when this kind of activity is detected.