Angel or Demon? Characterizing Variations Across Twitter Timeline of Technical Support Campaigners



Published Jun 25, 2019
  • Srishti Gupta
  • Gurpreet Singh Bhatia
  • Saksham Suri
  • Dhruv Kuchhal
  • Payas Gupta
  • Mustaque Ahamad
  • Manish Gupta
  • Ponnurangam Kumaraguru


Technical Support spam, which abuse Web 2.0 and carry out social engineering attacks have been in existence for a very long time, despite several measures taken to thwart such attacks. Although recent research has looked into unveiling tactics employed by spammers to lure victims, damage done on Online Social Networks is largely unexplored. In this paper, we perform the first large-scale study to understand the behavior of technical support spammers, and compare them with the legitimate technical support offered to OSN users by several brands such as Microsoft, Facebook, Amazon.

We analyze the spam and legitimate accounts over a period of 20 months, and provide a taxonomy of the different types of spammers that are active in Tech Support spam landscape. We develop an automated mechanism to classify spammers from legitimate accounts, achieving a precision, recall of 99.8%.
Our results shed light on the threats associated with billions of users using OSNs from Tech Support spam, and can help researchers and OSN service providers in developing effective countermeasures to fight them.

Abstract 550 | PDF Downloads 519


[1]H. Almeida, D. Guedes, W. Meira, and M. J. Zaki, “Is there a best quality
metric for graph clusters?” in Joint European Conference on Machine
Learning and Knowledge Discovery in Databases. Springer, 2011.

[2] A. A. Amleshwaram, N. Reddy, S. Yadav, G. Gu, and C. Yang, “Cats:
Characterizing automation of twitter spammers,” in Communication
Systems and Networks (COMSNETS), 2013 Fifth International Conference
on. IEEE, 2013.

[3] M. Balduzzi, P. Gupta, L. Gu, D. Gao, and M. Ahamad, “Mobipot: Understanding
mobile telephony threats with honeycards,” in Proceedings
of the 11th ACM SIGSAC Symposium on Information, Computer and
Communications Security, ser. ASIA CCS ’16. New York, NY, USA:
ACM, 2016.

[4] F. Benevenuto, G. Magno, T. Rodrigues, and V. Almeida, “Detecting
spammers on twitter,” in Collaboration, electronic messaging, anti-abuse
and spam conference (CEAS), vol. 6, 2010, p. 12.

[5] F. Benevenuto, T. Rodrigues, V. Almeida, J. Almeida, and M. Gonçalves,
“Detecting spammers and content promoters in online video social networks,”
in Proceedings of the 32nd international ACM SIGIR conference
on Research and development in information retrieval. ACM, 2009.

[6] J. M. Carrascosa, R. González, R. Cuevas, and A. Azcorra, “Are trending
topics useful for marketing,” Proc. COSN, 2013.

[7] N. Christin, S. S. Yanagihara, and K. Kamataki, “Dissecting one click
frauds,” in Proceedings of the 17th ACM conference on Computer and
communications security. ACM, 2010, pp. 15–26.

[8] Z. Chu, I. Widjaja, and H. Wang, “Detecting social spam campaigns
on twitter,” in International Conference on Applied Cryptography and
Network Security. Springer, 2012, pp. 455–472.

[9] A. Costin, J. Isacenkova, M. Balduzzi, A. Francillon, and D. Balzarotti,
“The role of phone numbers in understanding cyber-crime schemes,”
in Privacy, Security and Trust (PST), 2013 Eleventh Annual International
Conference on. IEEE, 2013, pp. 213–220.

[10] M. Faloutsos, “Detecting malware with graph-based methods: traffic
classification, botnets, and facebook scams,” in Proceedings of the 22nd
International Conference on World Wide Web. ACM, 2013, pp. 495–496.

[11] H. Gao, J. Hu, C. Wilson, Z. Li, Y. Chen, and B. Y. Zhao, “Detecting
and characterizing social spam campaigns,” in Proceedings of the 10th
ACM SIGCOMM conference on Internet measurement. ACM, 2010, pp.

[12] S. Ghosh, B. Viswanath, F. Kooti, N. K. Sharma, G. Korlam, F. Benevenuto,
N. Ganguly, and K. P. Gummadi, “Understanding and combating
link farming in the twitter social network,” in Proceedings of
the 21st international conference on World Wide Web. ACM, 2012, pp.

[13] C. Grier, K. Thomas, V. Paxson, and M. Zhang, “@ spam: the underground
on 140 characters or less,” in Proceedings of the 17th ACM
conference on Computer and communications security. ACM, 2010, pp.

[14] P. Gupta, M. Ahamad, J. Curtis, V. Balasubramaniyan, and A. Bobotek,
“M3AAWG Telephony Honeypots: Benefits and Deployment Options,”
Tech. Rep., 2014.

[15] P. Gupta, R. Perdisci, and M. Ahamad, “Towards measuring the role of
phone numbers in twitter-advertised spam,” in Proceedings of the 13th
ACM on Asia Conference on Computer and Communications Security,
ser. ASIA CCS ’18. New York, NY, USA: ACM, 2018. [Online].

[16] P. Gupta, B. Srinivasan, V. Balasubramaniyan, and M. Ahamad,
“Phoneypot: Data-driven understanding of telephony threats.” in NDSS,

[17] S. Gupta, P. Gupta, M. Ahamad, and P. Kumaraguru, “Exploiting phone
numbers and cross-application features in targeted mobile attacks,” in
Proceedings of the 6th Workshop on Security and Privacy in Smartphones
and Mobile Devices. ACM, 2016, pp. 73–82.

[18] J. Isacenkova, O. Thonnard, A. Costin, A. Francillon, and D. Balzarotti,
“Inside the scam jungle: A closer look at 419 scam email operations,”
EURASIP Journal on Information Security, vol. 2014, 2014.

[19] P. Kumaraguru, L. F. Cranor, and L. Mather, “Anti-phishing
landing page: Turning a 404 into a teachable moment
for end users,” Conference on Email and Anti-Spam, 2009.
[Online]. Available:

[20] K. Lee, J. Caverlee, and S. Webb, “Uncovering social spammers: social
honeypots+ machine learning,” in Proceedings of the 33rd international
ACM SIGIR conference on Research and development in information
retrieval. ACM, 2010, pp. 435–442.

[21] K. Lee, B. D. Eoff, and J. Caverlee, “Seven months with the devils: A
long-term study of content polluters on twitter.” in ICWSM, 2011.

[22] C. Lumezanu and N. Feamster, “Observing common spam in twitter
and email,” in Proceedings of the 2012 ACM conference on Internet
measurement conference. ACM, 2012, pp. 461–466.

[23] E. G. Martín, N. Lavesson, and M. Doroud, “Hashtags and followers,”
Social Network Analysis and Mining, vol. 6, no. 1, pp. 1–15, 2016.

[24] A. Marzuoli, H. A. Kingravi, D. Dewey, and R. Pienta, “Uncovering
the landscape of fraud and spam in the telephony channel,” in Machine
Learning and Applications (ICMLA), 2016 15th IEEE International
Conference on. IEEE, 2016, pp. 853–858.

[25] N. Miramirkhani, O. Starov, and N. Nikiforakis, “Dial one for scam: A
large-scale analysis of technical support scams,” in Proceedings of the
24th Network and Distributed System Security Symposium (NDSS), 2017.

[26] F. B. of Investigation, “Tech support scam - federal bureau of investigation,”, June 2016.

[27] M. Osborne and M. Dredze, “Facebook, twitter and google plus for
breaking news: Is there a winner?” in ICWSM, 2014.

[28] R. Ottoni, D. B. Las Casas, J. P. Pesce, W. Meira Jr, C. Wilson, A. Mislove,
and V. A. Almeida, “Of pins and tweets: Investigating how users behave
across image-and text-based social networks.” in ICWSM, 2014.

[29] M. S. Rahman, T.-K. Huang, H. V. Madhyastha, and M. Faloutsos,
“Frappe: detecting malicious facebook applications,” in Proceedings
of the 8th international conference on Emerging networking experiments
and technologies. ACM, 2012, pp. 313–324.

[30] B. Srinivasan, P. Gupta, M. Antonakakis, and M. Ahamad, “Understanding
cross-channel abuse with sms-spam support infrastructure
attribution,” in European Symposium on Research in Computer Security.
Springer, 2016, pp. 3–26.

[31] G. Stringhini, C. Kruegel, and G. Vigna, “Detecting spammers on social
networks,” in Proceedings of the 26th Annual Computer Security
Applications Conference. ACM, 2010, pp. 1–9.

[32] K. Thomas, C. Grier, J. Ma, V. Paxson, and D. Song, “Design and evaluation
of a real-time url spam filtering service,” in 2011 IEEE Symposium
on Security and Privacy. IEEE, 2011, pp. 447–462.

[33] K. Thomas, C. Grier, D. Song, and V. Paxson, “Suspended accounts in
retrospect: an analysis of twitter spam,” in Proceedings of the 2011 ACM
SIGCOMM conference on Internet measurement conference. ACM, 2011,
pp. 243–258.

[34] S. Venkataraman, S. Sen, O. Spatscheck, P. Haffner, and D. Song, “Exploiting
network structure for proactive spam mitigation,” 2007.

[35] A. H. Wang, “Don’t follow me: Spam detection in twitter,” in Security
and Cryptography (SECRYPT), Proceedings of the 2010 International
Conference on. IEEE, 2010, pp. 1–10.

[36] S. Webb, J. Caverlee, and C. Pu, “Social honeypots: Making friends
with a spammer near you.” in CEAS, 2008.

[37] S. Yardi, D. Romero, G. Schoenebeck et al., “Detecting spam in a twitter
network,” First Monday, vol. 15, no. 1, 2009.