Cloud Security Provider Armor Discovers 1088 Twitter Political Bots Actively Promoting November 6th Elections

November 07, 2018

Armor, a leading cloud security solutions provider, has uncovered what they believe to be 1,088 Twitter political bots. Armor’s research team has identified Twitter accounts exhibiting a high degree of bot-like activity participating in active political debates/discussions.

How the Twitter Bots Were Initially Discovered

In researching the use of potential Twitter bots to influence political debates, the confirmation of Justice Kavanaugh was chosen as a current political issue drawing significant amounts of interest, and one which could affect mid-term election results.

Thus, a Twitter search was performed by Armor researchers to discover Twitter accounts participating in discussions between October 7th and October 11th, 2018 containing the key word “Kavanaugh” and one or more of the following senators’ names, including Joe Donnelly, Claire McCaskill, Jon Tester, Heidi Heitkamp, Bill Nelson, Tammy Baldwin, Sherrod Brown, Bob Casey, and Debbie Stabenow.

The search found that approximately 38,627 Twitter accounts sent out one or more tweets with those key words between October 7th and October 11th. The Armor team then used various publicly available analysis tools to analyze those Twitter accounts. In addition, Armor researchers looked at certain characteristics of each Twitter account to determine the likelihood that it was or was not a bot, including:

  • Volume of Tweets originating from the account over time
  • Percentage of retweets/lack of original content
  • Frequency of Tweets during unusual hours
  • Sparse profile data

In analyzing the Twitter accounts, the Armor team determined that 1,088 had a high probability of being bots. Although this number doesn’t seem very significant out of the pool of nearly 39,000 Twitter accounts, the accounts piqued the team’s interest, so they decided to delve further into the suspected bots to see what they could discover. (For a portion of the criteria used by the analysis tools while examining the Twitter accounts, see Appendix A at the end of this document.)

Republican/Trump-Themed Bots Double Number of Democrat-Themed Bots

By manually analyzing each of the 1088 bot-like accounts and their tweets, Armor researchers observed that 725 were expressing Pro Republican/Pro Trump sentiments and 363 expressed Pro Democrat sentiments.

The Armor team has yet to assess the total number of tweets sent out by each of the suspected bots during their existence. However, they were able to determine that, among the observed accounts, both Pro Republican and Pro Democrat, activity ranged from as little as 4,000 up to 425,000 tweets over their lifetime. Although each bot was established on a different date, many of them have been extremely prolific in the past weeks and months. For example, we observed numerous accounts that have tweeted over 3,000 times between October 27 and November 5, 2018.

In addition to there being more Pro Republican accounts in the pool of 1,088 bots, it also appears that the Pro Republican bots are more active. The Armor team looked at the Twitter stats of a group of 20 Pro Republican bots and a group of 20 Pro Democrat bots. The team excluded accounts with 150,000 or more tweets so as to take out the outliers. The average number of tweets for the 20 Pro Republican bots was 54,850, while the average number of tweets for the 20 Pro Democrat bots was 22,478.

Below are some examples of the tweets which have been sent out from Pro Republican and Pro Democrat bots since October 7, 2018.    

Republican-Themed Twitter Messages

“Republicans weren’t paying attention when Obama was president. He was bringing in hundreds of 1000’s of Somali & other Muslim refugees and placing them strategically in states they needed to turn blue. Also inviting illegals in & busing them to states where they needed votes.”

“INDEPENDENTS! When voting tomorrow, remember what the Democrats did to this GOOD MAN! Brett Kavanaugh has been CLEARED of ALL CHARGES by the Judiciary Committee! Dems & MSM LIED, ATTACKED, SMEARED & colluded to bring this man down! To ruin his family! #VoteRed #WalkAway.”

“The highest homeless population in the United States:  New York City: 76,501, Los Angeles: 55,188, Seattle: 11,643,  Washington D.C. 7,473, San Jose: 7,394, San Francisco: 6,858, Philadelphia:  5,693 . What do they all have in common? All have Democrat mayors. All voted for Hillary by 80%.”

“A President for ALL Americans. That doesn’t fit the left-wing narrative though! Trump’s First Monument Will Be Dedicated To Black Civil War Soldiers: CNN Fails To Comment.”

Democrat-Themed Twitter Messages

“Remember that “Fox News” poll that Trump touted this morning, claiming that he had 40% approval among African Americans? It turns out that there is no such Fox News poll! It was another lie!”

“Trump screws up and admits Russia rigged the 2016 election for him -https://www.palmerreport.com/analysis/admits-russia-rigged-trump-screw/13872/”

“A FB friend made a great point: “During the Kavanaugh hearings, as he melted down like a toddler at nap time, people asked how someone falsely accused of sexual assault should respond I give you Robert Mueller. Falsely accused. Asks the FBI to investigate. The End That’s how.”

“Barack Obama: “Let’s take a look at what they’ve been up to – they promised to take on corruption. Instead they have racked up enough indictments to field a football team.” http://hill.cm/sv2SZCF.

Origin of the Bots? Created from Scratch or Legitimate Twitter Accounts that have Been Taken Over

The Armor team has just begun its investigation into what percentage of the political bots appear to have originated as fake accounts and what percentage are legitimate Twitter accounts which have been taken over and are being used, without the account owner’s knowledge, to disseminate political messages.

Thus far, Armor has identified several of these bots which appear to have started as legitimate accounts and have since been taken over. One such Twitter account states in its profile that it was registered in January 2017. It includes what looks like a non-stock photo and personal details to identify the owner. According to Twitter, the account has sent out 141,000 tweets since being established in January 2017. Using analysis tools, the team assessed that on November 2nd alone, the account tweeted 563 times, and between October 27, 2018 and November 5, 2018, the account tweeted over 3,000 messages, with the majority being political, such as the one captured below.

“I understand why we need to vote like storm troopers this Tuesday! Time to repeat 2016, only this time for MAGA candidates who support @POTUS We want to keep him & the progress we’ve made! We want another 4 years! #VoteRed #MakeAmericaSafeAgain #Trump2020

In researching the apparent account owner, a Facebook account was discovered. The Facebook account was also created in 2017, and included the same name, a profile picture which looks like the same person pictured on the Twitter account, similarly vague personal information, and several friends who list their home town and state as the same as the Facebook account owner.  The subject’s activity on Facebook is sparse compared to the Twitter account as there are only five posts made from September 2017 to February of 2018, and none of those posts appear to be personal in nature, with three being political in nature.

Public records indicate that a woman with the same name, location, and estimated age exists. Additionally, a search of breach dumps for the email addresses, of which there are two (Gmail and Yahoo), associated with the Twitter and Facebook accounts indicates that both have appeared in multiple breaches. This indicates that they are potentially compromised and adds to the likelihood that the discovered Facebook and Twitter accounts for this person are either fake or compromised.

In addition to the evidence that the account is potentially fake or has been compromised, it also appears to be used in an influence campaign. The Armor team observed that the subject’s Twitter profile page went from simply having a small, personal photo on the home page to having a professional-level graphic as its banner. The team discovered that the graphic, shown below, is one of a handful of professional-level banner images being distributed by the Twitter account @VoteTrumpPics in support of the Midterm Elections.

Another interesting item which changed on the subject’s Twitter profile on the morning of Monday, October 22 was the addition of the word “Nationalist”, which was placed in front of her profile name. Coincidentally, it was the same day on which President Trump began calling himself a Nationalist. https://www.esquire.com/news-politics/a24103912/donald-trump-nationalist-george-orwell/

Based on the sheer number of tweets which this account is sending out, the overall lack of original content, the predominance of political subject matter, and the timely addition of the high-end graphics and “Nationalist” rhetoric, this account is likely either fake or has been taken over and is being used as a moderated political bot.

Armor researchers have attempted to reach out to the subject referenced above using the publicly available email addresses discovered, but with no success. The Armor team has just completed the first phase of this research and is in the process of reaching out to Twitter to share its findings thus far.

Security Tips to Protect One’s Social Media Accounts

  • Never reuse passwords between your email accounts, social media accounts, and other key accounts, especially those which involve Personally Identifiable Information (PII) or financial data. Periodically check some of the publicly available websites, such as https://haveibeenpwned.com/, to determine if your email is part of a data dump.
  • Always utilize multi-factor authentication if it is available on your online accounts.
  • If you have established various social media accounts, be sure to monitor them on a regular basis to ensure that they have not been compromised.   
  • If you are no longer using a specific social media account, first set the account to the strictest privacy mode possible, then remove as much data as you can from it, especially any PII, including pictures, and then delete your account.

Appendix A:

A Portion of the Criteria Used to Assess a Twitter Bot by the Analysis Tools

  • Creation dates that appear synchronized with each other and align with spikes in political activity
  • Obtaining a large following in a short period of time
  • Tweeting more often than is likely or, in some cases, humanly possible
  • Constantly promoting/retweeting other bot and/or spoofed Twitter accounts
  • Regularly tweeting/retweeting misinformation/fake news
  • Regularly tweeting to nonexistent, i.e. deleted/renamed accounts
  • Showing evidence of being stolen (account takeover). For example:
     - Evidence of tweets from the account owner claiming it has been hacked
     - Accounts that are dormant for long periods of time and suddenly show heavy political activity
     - Accounts referenced as stolen in underground channels

In addition to using various analysis tools, Armor researchers also looked at certain characteristics of a Twitter account as to whether it was a political bot, including:

  • Volume of Tweets originating from the account over time
  • Percentage of retweets/lack of original content
  • Frequency of Tweets during unusual hours
  • Sparse profile data
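
The four account characteristics listed above can be checked together in one pass. The sketch below is an added example, not Armor's code or that of the analysis tools it used: the thresholds, field names and the three-signal rule are assumptions, and both sample accounts are constructed (the first reuses the figures the article reports for the suspected taken-over account).

```python
from datetime import datetime, timedelta

# Assumed cut-offs for illustration; the article does not publish the values used.
MAX_TWEETS_PER_DAY = 72      # lifetime average
MAX_RETWEET_SHARE = 0.90
MAX_NIGHT_SHARE = 0.10       # share of tweets sent 01:00-04:59 account-local time
MIN_PROFILE_FIELDS = 2       # of bio, location, url, custom photo

def bot_signals(account, tweets, now):
    """Return which of the four listed characteristics an account exhibits."""
    # tweets: recent sample as (utc_datetime, is_retweet) tuples
    signals = []
    age_days = max((now - account["created_at"]).days, 1)
    if account["lifetime_tweets"] / age_days > MAX_TWEETS_PER_DAY:
        signals.append("volume")
    if tweets:
        retweets = sum(1 for _, is_rt in tweets if is_rt)
        if retweets / len(tweets) > MAX_RETWEET_SHARE:
            signals.append("retweets")
        offset = timedelta(hours=account["utc_offset_hours"])
        night = sum(1 for ts, _ in tweets if 1 <= (ts + offset).hour < 5)
        if night / len(tweets) > MAX_NIGHT_SHARE:
            signals.append("unusual_hours")
    filled = sum(bool(account.get(k)) for k in ("bio", "location", "url", "custom_photo"))
    if filled < MIN_PROFILE_FIELDS:
        signals.append("sparse_profile")
    return signals

def likely_bot(signals, min_signals=3):
    # Requiring several signals together keeps one odd habit from flagging a person.
    return len(signals) >= min_signals

NOW = datetime(2018, 11, 5)
# Constructed account using the article's figures: registered January 2017 (day
# assumed), 141,000 lifetime tweets, 563 tweets on November 2, personal photo/details.
heavy = {"created_at": datetime(2017, 1, 1), "lifetime_tweets": 141_000,
         "utc_offset_hours": -5, "bio": "constructed bio", "location": "constructed",
         "url": "", "custom_photo": True}
heavy_tweets = [(datetime(2018, 11, 2) + timedelta(seconds=153 * i), i % 20 != 0)
                for i in range(563)]
# Constructed control: low-volume account with an empty profile.
casual = {"created_at": datetime(2015, 6, 1), "lifetime_tweets": 4_200,
          "utc_offset_hours": -5, "bio": "", "location": "", "url": "",
          "custom_photo": False}
casual_tweets = [(datetime(2018, 11, 2, 13 + i), i % 4 == 0) for i in range(10)]

for name, acct, sample in (("heavy", heavy, heavy_tweets), ("casual", casual, casual_tweets)):
    found = bot_signals(acct, sample, NOW)
    print(name, found, likely_bot(found))
```

The heavy account trips three signals despite its filled-in profile, while the control trips only the sparse-profile check and is not flagged, which is why no single characteristic is treated as decisive.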