Tactical Incursion Bots Infiltrate Unaware Twitter Users -- Part Two

Tactical Incursion Bots Infiltrate Unaware Twitter Users — Part Two

In Part One of this series, “Tactical Incursion Bots Infiltrate Unaware Twitter Users — Part One,” we explained that, while checking his Twitter “followed by” list, Steven Lundgren discovered the initial threat from a portion of bots as well as many new unknown followers. He examined and made screenshots of his unknown followers.

According to Steve, a majority of the unknown followers had the same type of message and links. When clicked, they take a user to a website containing more information about the subjects of the bot’s message or maybe a dead link that is no longer active.

Three of the questionable bots Steve found are illustrated below:Screen captures of three bot accounts being investigated.

This is an excellent time to discern the collected data.

The first image post contains ingredients to make an explosive combination. This post also supplies a link, apparently on the same subject.

The second image advertises links to a place to buy the ingredients that the first image shows.

The third image post, a combination of higher yield explosive, again a link to a related topic associated with the post subject.

Reading these posts is quite jarring, but are we checking our own “Followed by” lists? If not, why not? Twitter, in this case, does not identify all bots unless they are reported to them.

If you suspect activities or motives of a follower on your “followed by” list, use common sense. Not all followers agree or disagree with your tweets, but are sitting dormant on your “followed by” list. From the examples above, it is fairly clear the messages they post are not the sort most users would want in their message history.

The proliferation of these bots infiltrating the web is growing daily.


The PSB (Patriots’ Soapbox) researchers are ready for the challenge and embarked on the mission to track down the type and origin of the bots reported by Steven Lundgren.

As a result, a team was created to investigate the origins, as well as the possibility of the group or association operating the bots. The research team assembled is Pamphlet, Steve Lundgren, Trip Elix, RW, and others.

The image below charts the total number of categories of bots as well as the amount of bot activity, and other internet traffic from their 2016 report.

Bot traffic report of 2016, created by Impreva Incapsula

The traffic illustrated shows that of the total 2016 internet traffic reported, 48.2% was human-driven, 22.9% were good bots, while 28.9% were classified as bad bots.

Every bot released on the web is malicious in some way or another. The bots collect data for selective advertising, analyzing user habits, websites visited, as well as shopping data.

These types of bots create a profile of users. Profiles are sold to marketers, which in turn have their own bots. Those bots are aware when a user is online and may push content responsive to their data, with ads for their product, services, or political messaging.

Of all the “commercial crawler bots” our researchers have discovered, these bots appear to be of the political type, albeit these particular groups of bots leave traces of their visit and follow users. The traces they leave are those bots following you, many times being unchecked. The fact that bots with their messages are physically in your feed, has the potential of delivering an exponentially higher number of impressions to other users that follow you or the bot associated with another user, depending on its initial posting.

Do you want this? What can a bot’s controller “really” do?

Let’s follow the researcher’s approach to find the answers and much more.


Researching further bot activities, the group discovered a report from Reported Future dated 11 June 2019, written by Staffan Truvé. The article is titled “The Discovery of Fishwrap: A New Social Media Information Operation Methodology.

For several years, Recorded Future has been developing tools and methodologies for detecting and analyzing influence operations by nation-states and others. We have recently upgraded some of these tools and applied them to detecting a new kind of influence operation, which recycles old news about terror incidents by publishing them to appear as new. We refer to this technique as “Fishwrap.” This operation is also using a special family of URL shorteners that allow attackers to track click-through from social media posts used in their campaigns.


From the “Recorded Future” report, the following flowchart provides an insight into the process of how a bot is controlled and what information to deliver as they move around the internet.

Image: Recorded Future’s flow chart illustrating the method of bot control

With an established baseline from data in the above-associated reports, the IP (Internet Protocol) addresses of the bots’ links provided by an assortment of bots is a good starting point for researchers.

The team then created a spreadsheet containing links displayed as a message included in the bot posts.

Definition of “whois” from Technopedia: Whois is an Internet service and protocol that searches and displays information about a domain name from repositories of domain name registrars worldwide.

Whois service is a free Internet service that enables a user to search a specific domain name’s availability and, in the case that it’s registered, the assigned entity/person to whom it is registered. Whois was first conceived in 1982 as an enhancement to the Nickname protocol that was developed by ARPANET.

With the links in hand, the domain can be found using “Whois,” a free service that can trace the IP address to find the domain hosting service that the bot’s link in its message.

The “Whois” search consists of a shortlist of parameters: when the site was registered, the status of the servers, and the registrant’s information.

Finding the registrant’s name is the most significant parameter.  Not all the links the team found had names listed for the respective web site.

As an example of the process, I used “InterNIC—Public Information Regarding Internet Domain Name Registration Services” to run a “Whois” search for msn.com.

To explain the typical output displays, the image above is a screenshot of the data that the Whois query returned for msn.com.  The information is identifying registration data for the website’s domain.


Trip Elix, one of the PSB research team, gathered the data acquired from the websites listed in the bot’s message and recorded the link into his spreadsheet.

After hours of work, Trip completed his spreadsheet, as of this writing, and started looking among the posted links to the Twitter accounts, for common registrants of the websites discovered earlier.

The team’s analysis of the spreadsheet turned up a registrant’s name associated with many of the websites on the list documented in Trip’s spreadsheet.

The searches for the domains associated with the bots found has implicated a few domains, thought to be the bot farm. Bot farms are generally the entity or domain controlling the bots.

A few of the domain searches to find the origins of the bots returned results that indicate the bot farms have been created by different analytic companies.

In the next part of this article will dive deeper into our researchers’ findings.

As a note to the readers, the number of this type of bot has been increasing since the initial count referred to in Part One of this article.

More information to come as the investigation continues.

See a spelling or grammar error? Let us know! Highlight the text and press Ctrl+Enter.

Notify of
Inline Feedbacks
View all comments