Each of the associated accounts had a pretty typical set up. Their profiles featured a photo of a woman and a female display name and tweets from these accounts nearly always included a sexually explicit phrase, followed by an exclamation point and an additional phrase meant to get targets to click the shortened URL at the end of the tweet. Once a user clicked on the link, they would be taken through a series of redirects before finally landing on a website that encouraged them to sign up for subscription pornography, webcam sites or fake dating webpages. SIREN accounts were able to attract over 30 million clicks.
ZeroFOX suggests that those behind the SIREN accounts were likely located in Eastern Europe due to many of the accounts’ user languages being set to Russian and a chunk of the display names containing cyrillic letters. It also noted that the tweets’ phrasing was often written in poor English. Some examples include “I want to fondle me?” and “Boys like you, my figure?” which sound a lot like the silly pickup lines produced by neural networks, but dirtier.
Last week, ZeroFOX reportedly submitted all of the SIREN Twitter profiles and URLs to Twitter, which then removed the accounts from the site and blacklisted the URL domains. “To our knowledge, the botnet is one of the largest malicious campaigns ever recorded on a social network,” ZeroFOX said in a blog post. Twitter hasn’t yet responded to a request for comment.
[Image: ZeroFOX]