2012-thomas-adapting
findings extracted from this paper
- 56% of logins tied to legitimate users discussing the Russian election originated from Russia, compared to only 1% of logins for the 25,860 spam accounts, with Japan accounting for 14% of spam logins. 39% of IP addresses used by the attackers appeared in the CBL blacklist for email spam and malware distribution, compared to 21% of IPs tied to legitimate users, confirming that the attack infrastructure was shared with conventional spam/malware operations.
- Twitter's relevance-ranked search returned 53% fewer bot-generated tweets compared to real-time chronological search across 1.1 million queries during the attack; restricting analysis to the top 5 most-recently returned relevance results reduced spam by 64% versus real-time. Relevance ranking incorporates social-graph overlap and content popularity signals to demote mass-produced low-engagement content.
- The attack demonstrates that spam-as-a-service markets built for commercial spam (fake reviews, URL advertising) were directly repurposed for political censorship without modification, using the same compromised-host pools (39% blacklisted IPs) and bulk account infrastructure. This convergence means technical defenses against commercial spam infrastructure simultaneously constrain politically-motivated censorship operations by actors who lack direct Internet-access control.
- Researchers identified four distinct account-registration patterns using regular expressions on mail.ru email addresses and screenname naming conventions; these patterns flagged 975,283 spam accounts with only 4% false positives on manual validation of 150 accounts. The 25,860 accounts deployed in the attack represent just 3% of the flagged pool, indicating a centralized spam-as-a-service vendor provisioned accounts in bulk and sold access.
- An unknown attacker leveraged 25,860 fraudulent Twitter accounts to send 440,793 tweets targeting 20 election-related hashtags, peaking at 1,846 tweets per minute, in an attempt to dilute political conversations following Russia's December 2011 parliamentary election. The accounts were drawn from a pool of approximately 975,283 fraudulent accounts identified by the researchers, 80% of which remained dormant with zero friends, followers, or tweets.
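The registration-pattern finding above, sketched as an added example that is not code from the paper: it flags accounts whose mail.ru address and screenname both fit a bulk-registration pattern, then puts a 95% Wilson interval around the false-positive rate from the 150-account manual check. The two regular expressions, the sample accounts and all function names are constructed assumptions (the paper's four patterns are not reproduced on this page), and the count of 6 false positives is derived from the stated 4% of 150.

```python
import math
import re

# Constructed patterns (assumptions; the paper's actual expressions are not on this page).
EMAIL_RE = re.compile(r"^[a-z]{5,8}\d{2,4}@mail\.ru$")
SCREENNAME_RE = re.compile(r"^[A-Z][a-z]+[A-Z][a-z]+\d{1,3}$")

# Constructed sample registrations, not real accounts.
ACCOUNTS = [
    {"email": "qwerty123@mail.ru", "screenname": "IvanPetrov12"},
    {"email": "anna.k@mail.ru", "screenname": "anna_k"},
    {"email": "zxcvbn77@gmail.com", "screenname": "OlegSmirnov7"},
    {"email": "asdfgh2011@mail.ru", "screenname": "news_reader"},
]

def flag(account):
    """Flag only when email AND screenname both fit the registration pattern."""
    return bool(EMAIL_RE.match(account["email"])
                and SCREENNAME_RE.match(account["screenname"]))

def flagged_screennames(accounts):
    """Screennames of the accounts that match the pattern pair."""
    return [a["screenname"] for a in accounts if flag(a)]

def wilson_interval(false_pos, n, z=1.96):
    """95% Wilson score interval for a false-positive rate seen in n checked accounts."""
    p = false_pos / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return centre - half, centre + half

def legit_accounts_at_risk(flagged_total, false_pos, n):
    """Range of legitimate accounts a bulk action on the flagged pool could hit."""
    lo, hi = wilson_interval(false_pos, n)
    return round(flagged_total * lo), round(flagged_total * hi)

if __name__ == "__main__":
    print(flagged_screennames(ACCOUNTS))
    # 4% of 150 manually checked accounts is 6 false positives (derived from the page's figures).
    print(wilson_interval(6, 150))
    print(legit_accounts_at_risk(975283, 6, 150))
```

With a validation sample of only 150 accounts, the interval around the 4% figure is wide, which matters when a pattern match is used to act on a pool of 975,283 accounts at once.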