Angel or Demon? Characterizing Variations Across Twitter Timeline of Technical Support Campaigners


  • Srishti Gupta IIIT-Delhi
  • Gurpreet Singh Bhatia IIIT-Delhi
  • Saksham Suri IIIT-Delhi
  • Dhruv Kuchhal IIIT-Delhi
  • Payas Gupta Pindrop
  • Mustaque Ahamad Georgia Institute of Technology
  • Manish Gupta Microsoft
  • Ponnurangam Kumaraguru IIIT-Delhi



Technical Support spam, which abuse Web 2.0 and carry out social engineering attacks have been in existence for a very long time, despite several measures taken to thwart such attacks. Although recent research has looked into unveiling tactics employed by spammers to lure victims, damage done on Online Social Networks is largely unexplored. In this paper, we perform the first large-scale study to understand the behavior of technical support spammers, and compare them with the legitimate technical support offered to OSN users by several brands such as Microsoft, Facebook, Amazon.

We analyze the spam and legitimate accounts over a period of 20 months, and provide a taxonomy of the different types of spammers that are active in Tech Support spam landscape. We develop an automated mechanism to classify spammers from legitimate accounts, achieving a precision, recall of 99.8%.
Our results shed light on the threats associated with billions of users using OSNs from Tech Support spam, and can help researchers and OSN service providers in developing effective countermeasures to fight them.


H. Almeida, D. Guedes, W. Meira, and M. J. Zaki, “Is there a best quality

metric for graph clusters?†in Joint European Conference on Machine

Learning and Knowledge Discovery in Databases. Springer, 2011.

A. A. Amleshwaram, N. Reddy, S. Yadav, G. Gu, and C. Yang, “Cats:

Characterizing automation of twitter spammers,†in Communication

Systems and Networks (COMSNETS), 2013 Fifth International Conference

on. IEEE, 2013.

M. Balduzzi, P. Gupta, L. Gu, D. Gao, and M. Ahamad, “Mobipot: Understanding

mobile telephony threats with honeycards,†in Proceedings

of the 11th ACM SIGSAC Symposium on Information, Computer and

Communications Security, ser. ASIA CCS ’16. New York, NY, USA:

ACM, 2016.

F. Benevenuto, G. Magno, T. Rodrigues, and V. Almeida, “Detecting

spammers on twitter,†in Collaboration, electronic messaging, anti-abuse

and spam conference (CEAS), vol. 6, 2010, p. 12.

F. Benevenuto, T. Rodrigues, V. Almeida, J. Almeida, and M. Gonçalves,

“Detecting spammers and content promoters in online video social networks,â€

in Proceedings of the 32nd international ACM SIGIR conference

on Research and development in information retrieval. ACM, 2009.

J. M. Carrascosa, R. González, R. Cuevas, and A. Azcorra, “Are trending

topics useful for marketing,†Proc. COSN, 2013.

N. Christin, S. S. Yanagihara, and K. Kamataki, “Dissecting one click

frauds,†in Proceedings of the 17th ACM conference on Computer and

communications security. ACM, 2010, pp. 15–26.

Z. Chu, I. Widjaja, and H. Wang, “Detecting social spam campaigns

on twitter,†in International Conference on Applied Cryptography and

Network Security. Springer, 2012, pp. 455–472.

A. Costin, J. Isacenkova, M. Balduzzi, A. Francillon, and D. Balzarotti,

“The role of phone numbers in understanding cyber-crime schemes,â€

in Privacy, Security and Trust (PST), 2013 Eleventh Annual International

Conference on. IEEE, 2013, pp. 213–220.

M. Faloutsos, “Detecting malware with graph-based methods: traffic

classification, botnets, and facebook scams,†in Proceedings of the 22nd

International Conference on World Wide Web. ACM, 2013, pp. 495–496.

H. Gao, J. Hu, C. Wilson, Z. Li, Y. Chen, and B. Y. Zhao, “Detecting

and characterizing social spam campaigns,†in Proceedings of the 10th

ACM SIGCOMM conference on Internet measurement. ACM, 2010, pp.


S. Ghosh, B. Viswanath, F. Kooti, N. K. Sharma, G. Korlam, F. Benevenuto,

N. Ganguly, and K. P. Gummadi, “Understanding and combating

link farming in the twitter social network,†in Proceedings of

the 21st international conference on World Wide Web. ACM, 2012, pp.


C. Grier, K. Thomas, V. Paxson, and M. Zhang, “@ spam: the underground

on 140 characters or less,†in Proceedings of the 17th ACM

conference on Computer and communications security. ACM, 2010, pp.


P. Gupta, M. Ahamad, J. Curtis, V. Balasubramaniyan, and A. Bobotek,

“M3AAWG Telephony Honeypots: Benefits and Deployment Options,â€

Tech. Rep., 2014.

P. Gupta, R. Perdisci, and M. Ahamad, “Towards measuring the role of

phone numbers in twitter-advertised spam,†in Proceedings of the 13th

ACM on Asia Conference on Computer and Communications Security,

ser. ASIA CCS ’18. New York, NY, USA: ACM, 2018. [Online].


P. Gupta, B. Srinivasan, V. Balasubramaniyan, and M. Ahamad,

“Phoneypot: Data-driven understanding of telephony threats.†in NDSS,

S. Gupta, P. Gupta, M. Ahamad, and P. Kumaraguru, “Exploiting phone

numbers and cross-application features in targeted mobile attacks,†in

Proceedings of the 6th Workshop on Security and Privacy in Smartphones

and Mobile Devices. ACM, 2016, pp. 73–82.

J. Isacenkova, O. Thonnard, A. Costin, A. Francillon, and D. Balzarotti,

“Inside the scam jungle: A closer look at 419 scam email operations,â€

EURASIP Journal on Information Security, vol. 2014, 2014.

P. Kumaraguru, L. F. Cranor, and L. Mather, “Anti-phishing

landing page: Turning a 404 into a teachable moment

for end users,†Conference on Email and Anti-Spam, 2009.

[Online]. Available:


K. Lee, J. Caverlee, and S. Webb, “Uncovering social spammers: social

honeypots+ machine learning,†in Proceedings of the 33rd international

ACM SIGIR conference on Research and development in information

retrieval. ACM, 2010, pp. 435–442.

K. Lee, B. D. Eoff, and J. Caverlee, “Seven months with the devils: A

long-term study of content polluters on twitter.†in ICWSM, 2011.

C. Lumezanu and N. Feamster, “Observing common spam in twitter

and email,†in Proceedings of the 2012 ACM conference on Internet

measurement conference. ACM, 2012, pp. 461–466.

E. G. Martín, N. Lavesson, and M. Doroud, “Hashtags and followers,â€

Social Network Analysis and Mining, vol. 6, no. 1, pp. 1–15, 2016.

A. Marzuoli, H. A. Kingravi, D. Dewey, and R. Pienta, “Uncovering

the landscape of fraud and spam in the telephony channel,†in Machine

Learning and Applications (ICMLA), 2016 15th IEEE International

Conference on. IEEE, 2016, pp. 853–858.

N. Miramirkhani, O. Starov, and N. Nikiforakis, “Dial one for scam: A

large-scale analysis of technical support scams,†in Proceedings of the

th Network and Distributed System Security Symposium (NDSS), 2017.

F. B. of Investigation, “Tech support scam - federal bureau of investigation,â€, June 2016.

M. Osborne and M. Dredze, “Facebook, twitter and google plus for

breaking news: Is there a winner?†in ICWSM, 2014.

R. Ottoni, D. B. Las Casas, J. P. Pesce, W. Meira Jr, C. Wilson, A. Mislove,

and V. A. Almeida, “Of pins and tweets: Investigating how users behave

across image-and text-based social networks.†in ICWSM, 2014.

M. S. Rahman, T.-K. Huang, H. V. Madhyastha, and M. Faloutsos,

“Frappe: detecting malicious facebook applications,†in Proceedings

of the 8th international conference on Emerging networking experiments

and technologies. ACM, 2012, pp. 313–324.

B. Srinivasan, P. Gupta, M. Antonakakis, and M. Ahamad, “Understanding

cross-channel abuse with sms-spam support infrastructure

attribution,†in European Symposium on Research in Computer Security.

Springer, 2016, pp. 3–26.

G. Stringhini, C. Kruegel, and G. Vigna, “Detecting spammers on social

networks,†in Proceedings of the 26th Annual Computer Security

Applications Conference. ACM, 2010, pp. 1–9.

K. Thomas, C. Grier, J. Ma, V. Paxson, and D. Song, “Design and evaluation

of a real-time url spam filtering service,†in 2011 IEEE Symposium

on Security and Privacy. IEEE, 2011, pp. 447–462.

K. Thomas, C. Grier, D. Song, and V. Paxson, “Suspended accounts in

retrospect: an analysis of twitter spam,†in Proceedings of the 2011 ACM

SIGCOMM conference on Internet measurement conference. ACM, 2011,

pp. 243–258.

S. Venkataraman, S. Sen, O. Spatscheck, P. Haffner, and D. Song, “Exploiting

network structure for proactive spam mitigation,†2007.

A. H. Wang, “Don’t follow me: Spam detection in twitter,†in Security

and Cryptography (SECRYPT), Proceedings of the 2010 International

Conference on. IEEE, 2010, pp. 1–10.

S. Webb, J. Caverlee, and C. Pu, “Social honeypots: Making friends

with a spammer near you.†in CEAS, 2008.

S. Yardi, D. Romero, G. Schoenebeck et al., “Detecting spam in a twitter

network,†First Monday, vol. 15, no. 1, 2009.