Thursday, 31 May 2012

Pro tips for Twitter hackers

There's clearly a pretty strong market opportunity for criminals who aren't complete idiots to reorganize the "hack a Twitter account, send out spam tweets" industry.

Whoever hacked Tyler Cowen's account used it to send out two spam Tweets:"An amazing new weight loss product! It worked for me and I didnt even change my diet!" and "Lose 5 lbs of Fat in a week", both sending the user to some address I dare not hit. It's hard to imagine anybody who follows Tyler would have seen those and thought it more likely that he'd sent them than that his account was hacked.

I would have thought that Twitter account hackers would have run everything through a filter. Anybody with small numbers of followers or low Klout scores would get the lame spam tweets. But Tyler has a Klout score of 60 and about 20,000 followers, including some of the world's top economists and surely some top of the world's top government and central bank officials (among those on Twitter). I would have thought that a flag would go up for hackers that accounts with >10k followers or Klout >50 just might be worth a bit more individualised attention.

What sort of individualised attention? A decent proportion of Tyler's followers would have hit a link recommended by @TylerCowen to something like "This is the new best explanation of how the Euro crisis will unfold". I'm (obviously) not even trying to make it sound like Tyler. Scrape the content from some page from the Economist, FT, Scott Sumner - whatever. Put it on a malware infection site. A thousand really high value computers get directed to the site; maybe you get 250 infections depending on the strength of folks' security settings.

Just flip through the first 50 Tweets and see what's drawn a lot of clicks (hover over a link sometime). Based on the feed, I'd have set up malware sites with fake reviews of Tyler's new book (Twitter teaser: Now this review of *An Economist Gets Lunch* is particularly unfair [link]); something on the EuroCrisis, a eulogy to Doc Watson, and something on fear of GMO foods. All of those drew lots of click-throughs. And throw in one like "A handy guide for every central banker as the Euro dissolves." Scrape dummy content into malware sites for each.

So obviously Twitter spammers aren't doing this. Or at least Tyler's hacker didn't. We can then conclude:

  • The expected per user returns to malware infections are very low, even for potentially high value infections;
  • I'm overestimating how easy it is to do this; cognitive limitations are more binding that I expect.
  • Tyler's followers just got a lucky draw; he was hacked by somebody who installed FireSheep and isn't linked into any particularly sophisticated networks. 
The first one's potentially plausible. The second one isn't - somebody will figure it out and will pay more for hacked account login details than will other spammers. The third can be sustained in equilibrium if you've always new hackers downloading FireSheep and imperfect information on who's paying most for hacked accounts. 


  1. You are missing the meta-hack problem. It doesn't matter who has the account, it is just the quantity of accounts that enable infiltration. I don't think hackers sit around going, "mmm... might hack the Obama twitter account today, how can I be sneaky about it". They just run some software that tries to gain control of the maximum number of accounts. So if it hacks 50,000 accounts of people with <50 followers, and just a few accounts of +10,000 followers, these people don't warrant the extra attention, because they are a tiny proportion of the likely click-through successes.

    That's my guess.

    1. I agree with you! I'm arguing that the same software though could pretty easily scrape out follower numbers or Klout scores, and bump anything they've found that's either F>10000 or K>50 into a special bin for individualised attention. Sure, you'll get more click-throughs in total from the small time accounts. But imagine finding you've a shot at installing malware on reserve bank machines. That has to be worth something to somebody.