A Law Firm’s Twitter Spam Army – hiding in plain sight

If you’ve read my blog or followed me on Twitter for long, you know that I love to analyze patterns in spam and scams. Over most of 2010 and 2011, spammers (in particular the porn spammers in late 2012) were very prolific. I believe recent controls put in place are helping to regulate the amount of spam on Twitter to a better degree than before.

However, last week, something happened that exposed a weak point in whatever algorithm Twitter is using right now. On March 30, I had three new followers all within a very short period of time. Take a look:

At first glance, they look benign enough. Though all three used names and pictures of women, none of them used gratuitous cleavage (a tactic I’ve mentioned before that spammers often use, but which can get them smacked down as spam very quickly).

But a couple of things still bothered me with all of them. First off, they all had gibberish characters at the tail end of their usernames (arguably, “Lilly” here could be a lawyer). Gibberish characters or common patterns (in this case, first name + 4 characters) are all great warning signs. Second, they all followed me within a matter of a few hours.

Using the tool that I built to check out accounts, I looked their profiles up.

“Armanda”:

“Lilly”:

“Annamarie”:

Now something definitely smelled bad. Created minutes apart, last August, with almost no interactivity in the account? Definite silent spam drones. Often spammers will “age” Twitter accounts, so they don’t appear quite as eager as accounts that are created and immediately begin to prolifically spam. These had been created a while ago, lain dormant, and still hardly tweeted at all. Hiding in plain sight.

Looking at their accounts, the few tweets across them all mentioned one of two domains: either usapersonalingurylawyers.com or reminiscingvisions.com, both hosted within the 173.192.0.0 – 173.193.255.255 IP address range (173.192.0.0/15) owned by hosting provider SoftLayer.

The first URL was simply a blog post talking about personal injury lawyers, and why you should get one. The second was similar, but featured this video:

More intriguingly, I now noticed that at the bottom of each of these pages, the site designer had included a social widget bar, including Facebook (no likes), Twitter (quite a few Tweets), and G+ (no +1’s). Twitter places a lovely hyperlink on theirs, so you can click back to Twitter and see who has tweeted about it.

Sure enough, when I clicked back from the first domain, I saw all of these Twitter accounts that had talked about it (the list went on for quite a while):

Same with the second site:

All following the same approach, all with drone accounts that looked legit if you looked quickly. I decided that someone with this similar MO had to be trying the obvious. I looked up the domain name of the law firm in that video, the Michigan law firm of Schulman and Associates (schulmanandassociates.com), and searched Twitter for that. Same deal:

Every account that had mentioned any one of these three links was a drone. Dozens and dozens of them, all following users, and responding to tweets, based upon the keyword “lawyer”. Simple keyword spamming, but done in such a broad way that the spam doesn’t appear obvious, and might not even get these accounts caught on the first try (normally).
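The tells described above (first name plus a junk suffix, accounts created minutes apart, aged but dormant, a burst of follows within a few hours, the same handful of link domains, all pointing into one hosting netblock) can be turned into a simple scoring pass over a batch of new followers. The script below is an added example written for this post; it is not the tool mentioned earlier and not anything from Twitter. The account records, handles, link domains (`injury-blog-a.test`, `injury-blog-b.test`, `cooking.test`) and their resolved IPs are constructed for the example; only the SoftLayer range is taken from the post.

```python
"""Score a batch of new followers for the 'aged, dormant drone' pattern.

Added example for this post. Sample accounts, handles, domains and resolver
results are constructed; nothing here is real Twitter data.
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse


@dataclass
class Account:
    handle: str
    created: datetime
    followed_me: datetime
    tweet_count: int
    links: list[str]  # URLs found in the account's tweets


# The range named in the post, owned by SoftLayer:
# 173.192.0.0 - 173.193.255.255 is exactly 173.192.0.0/15.
SUSPECT_NETS = [ipaddress.ip_network("173.192.0.0/15")]

# Hypothetical resolver results, constructed for the example (not real DNS data).
RESOLVED = {
    "injury-blog-a.test": "173.192.10.5",
    "injury-blog-b.test": "173.193.200.7",
    "cooking.test": "93.184.216.34",
}


def junk_suffix(handle: str, n: int = 4) -> bool:
    """True when the last n characters look like filler tacked onto a first
    name: digits mixed in, or a vowel-free consonant run such as 'k7qz'.
    A purely numeric tail ('alice1985') is ignored; people use birth years."""
    tail = handle.lower()[-n:]
    if len(tail) < n or tail.isdigit():
        return False
    has_digit = any(c.isdigit() for c in tail)
    has_vowel = any(c in "aeiou" for c in tail)
    return has_digit or not has_vowel


def burst_members(accounts: list[Account], key, window: timedelta) -> set[str]:
    """Handles whose timestamp (per `key`) lies within `window` of another
    account's. Used for both creation bursts and follow bursts."""
    ordered = sorted(accounts, key=key)
    flagged: set[str] = set()
    for a, b in zip(ordered, ordered[1:]):
        if key(b) - key(a) <= window:
            flagged.update({a.handle, b.handle})
    return flagged


def domain_of(url: str) -> str:
    return urlparse(url).netloc.lower()


def shared_domains(accounts: list[Account], min_accounts: int = 2) -> set[str]:
    """Link domains pushed by at least `min_accounts` different followers."""
    users: dict[str, set[str]] = defaultdict(set)
    for a in accounts:
        for url in a.links:
            users[domain_of(url)].add(a.handle)
    return {d for d, handles in users.items() if len(handles) >= min_accounts}


def in_suspect_net(domain: str) -> bool:
    ip = RESOLVED.get(domain)
    return ip is not None and any(ipaddress.ip_address(ip) in net for net in SUSPECT_NETS)


def score_accounts(accounts: list[Account], now: datetime) -> dict[str, tuple[int, list[str]]]:
    """One point per tell; returns handle -> (score, reasons)."""
    created_burst = burst_members(accounts, lambda a: a.created, timedelta(minutes=30))
    follow_burst = burst_members(accounts, lambda a: a.followed_me, timedelta(hours=6))
    shared = shared_domains(accounts)
    report = {}
    for a in accounts:
        reasons = []
        if junk_suffix(a.handle):
            reasons.append("first name + junk suffix")
        if a.handle in created_burst:
            reasons.append("created minutes apart from another follower")
        if a.handle in follow_burst:
            reasons.append("followed within hours of another follower")
        if now - a.created > timedelta(days=90) and a.tweet_count < 10:
            reasons.append("aged account, almost no tweets")
        domains = {domain_of(u) for u in a.links}
        if domains & shared:
            reasons.append("pushes a domain other followers also push")
        if any(in_suspect_net(d) for d in domains):
            reasons.append("link domain resolves into the suspect netblock")
        report[a.handle] = (len(reasons), reasons)
    return report


def likely_drones(accounts: list[Account], now: datetime, threshold: int = 4) -> list[str]:
    return sorted(h for h, (score, _) in score_accounts(accounts, now).items() if score >= threshold)


# Constructed sample batch: three aged drones plus one ordinary long-time user.
NOW = datetime(2013, 4, 2, 12, 0)
SAMPLE = [
    Account("jenna_k7qz", datetime(2012, 8, 14, 3, 10), datetime(2013, 3, 30, 9, 5), 3,
            ["http://injury-blog-a.test/why-hire"]),
    Account("marcy4kqz", datetime(2012, 8, 14, 3, 18), datetime(2013, 3, 30, 10, 40), 2,
            ["http://injury-blog-b.test/video"]),
    Account("theresa_xq7t", datetime(2012, 8, 14, 3, 25), datetime(2013, 3, 30, 13, 2), 4,
            ["http://injury-blog-a.test/why-hire", "http://injury-blog-b.test/video"]),
    Account("john_smith", datetime(2009, 5, 2, 18, 0), datetime(2013, 3, 12, 8, 0), 1480,
            ["http://cooking.test/recipes"]),
]

if __name__ == "__main__":
    for handle, (score, reasons) in score_accounts(SAMPLE, NOW).items():
        print(f"{handle:14} {score}  {'; '.join(reasons)}")
    print("likely drones:", likely_drones(SAMPLE, NOW))
```

No single tell is damning on its own (plenty of real people have a birth year or a few consonants after their name), which is why the script counts them and only calls an account a drone when several line up. The shared-domain and netblock checks are the ones worth running across the whole follower batch rather than per account, since that is exactly where these accounts gave themselves away.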

I can’t be certain who did this on behalf of the law firm, but I believe strongly that Twitter should investigate who did this work for the law firm, as well as suspending all of these drone accounts. While I’m not a lawyer, I did speak with one, and he had concerns that depending on how this would be viewed by State Bar of Michigan, this might raise solicitation ethics concerns as well.