Posted by Alok Shukla
PS: McAfee Official blog-site has an edited version of this blog. It was republished for wider audience.
An Indian investigative portal Cobrapost, recently released a report on alleged online reputation smearing/management/campaigns designed to gain/destroy political capital for who ever was the highest bidder or “customer”. Online world (social media) was abuzz with political motivations, and some were perplexed if it was even possible (amazed, surprised, dismissive etc.)
Some of the bloggers/twitterati offered their own explanations, instantly building near myths and false narratives in the process. My attempt is to disabuse readers from such false narratives and myths. I would skip political aspects of this conversation and largely focus on technological aspects.
Myth 1 – It is not possible to have fake followers on either Facebook or Twitter.
Fortunately, this myth has been widely debunked. Sites like Twitter Audit or Social Bakers can be easily used to discover if a twitter user has fake followers or not. Such fake followers are largely bots or proxy accounts run on behalf of real/fake individuals.
In fact, acquiring fake followers is not a difficult task and is actually a full-fledged online business. Take the case of twitterwind.com, a site that offers different packages for the numbers of followers a customer would like to acquire, so forth and so on.
There is an excellent story on this by New York times that describes buying and selling of fake twitter followers the worst kept secret in the Industry. Here is a NBC news post that questioned Mitt Romney’s sudden jump in his twitter account following by a factor of 100,000 followers last year. In may last year, NPR published a news article on how as low as $75 one could purchase 1000 Likes
Myth – 2 Real people are running any social media campaign, there is NO concept of fake (automated bots) followers.
This is largely a defensive reaction of individuals who find themselves on the other side of the first myth. However, even this myth/narrative is false.
Automated bots or bot-nets have existed since the initial days of attacks on computers and networks by hackers and malware/computer virus authors. Bots are compromised systems/user accounts that could be used for launching a malicious digital campaign/attack on an unsuspecting user/corporation or public at large.
In the case of social media, there are three ways to create such bots.
First way is to use an automated bot (compromised system) to do key-logging of individuals to find username/password of an existing user.
Second way is to create fake accounts through auto programming. Two Italian researchers Italian security researchers Andrea Stroppa and Carlo De Micheli reported on how such fake accounts could be created using software for sale. Washington post carried this story. NewYorker magazine also has an excellent article on such twitter bots.
Third way is to launch a phishing attack on real users and harvest their Twitter/Facebook accounts. Social media phishing is a new phenomenon. Some users would recall how AP had tweeted about bombing in white house, once their account had been phished and hacked. Even the satire magazine Onion had suffered a similar phishing attack
Twitter and Facebook both have taken a lot of steps to weed out such followers. Facebook cracked down last year on both fake followers and likes.
Myth – 3 There are no companies that actually can run such reputation enhancing/smearing campaigns.
There is actually a proper world for this activity – Crowd-Turfing!
“Crowd-Turfing” – term represents an activity of malicious crowd sourcing system that exist on social media and internet and display following behaviors – crowd sourcing and astro-turfing. University of California – Santa Barbara came out with this term in their paper “Serf and Turf: Crowdturﬁng for Fun and Proﬁt”
In other words, not only it is possible to manipulate social media through automated and manual means, it is very much prevalent in many countries such as US and China. Crowd-turfing is neither novel or earth shattering, however it might be a complete novelty for some Indians. However, it is largely illegal but requires extensive skill set in establishing a trail of evidence to legally nail the culprit.
This story is pretty old now from rest of the world perspective. UC Santa Barabara report on crowd-turfing mentioned such bots existing on very popular QQ services of Tencent and internet companies like Zubhajie again in China. This report documents purported activities of these companies including account creation, forum post, QQ blog post etc.
There is an additional story here, there is an entire business category for Online Reputation Management, that exists for improving online brands of individuals and companies. Forbes has a good article on how online reputation management companies. They also posted a follow-up article on how some of these companies seemed to be doing dirty things under the hood – blackmailing as an example.
Although, there are many more myths and narratives that could be challenged here, however if an informed spirit of enquiry could result from this, I would meet my objectives.
Disclaimer – I work for security firm McAfee in my professional life. I have written this post in my personal capacity. 🙂