As those who've followed our research know well, during the last four years we have worked on systems that can automatically detect malicious activity on online social networks. In particular, last year we presented COMPA, a system that learns the typical behaviour of social network accounts and raises an alert if an account posts a message that does not comply with such behaviour. We showed that COMPA is a reliable tool to detect accounts that have been compromised, and we showed how our behavioural modelling could have helped in preventing high-profile social network compromises, such as the ones against the Skype Twitter account and the Associated Press Twitter account.
Fast forward a year or so: last week, Honda reported that their Twitter account had been hacked. The alleged culprit was the cartoon villain and Robot Chicken celebrity Skeletor.
.@PeopleMag I demand a recount for #SexiestManAlive #BoneStructure #Skeletakeover pic.twitter.com/qFMFYZTfiG— Honda (@Honda) December 1, 2014
Obviously, fictional characters do not hack Twitter accounts, and it was soon clear that this hack had only been simulated for promotional purposes. It is not the first time that such a thing has happened: Chipotle did the same a little over a year ago. Apparently, Twitter compromises have become so mainstream that faking one is an attractive marketing technique. This trick even works, or so it seems. On the day of the simulated compromise, Chipotle collected more than 4,000 followers, an order of magnitude more than what they typically attract.
The clever marketers at these companies did not take COMPA into account, though. Our system was able to correctly assess that nothing was anomalous about the malicious tweets sent by Honda, as well as about the ones sent by Chipotle. Basically, our tool is not only useful in detecting messages that are sent by attackers who gained access to social network accounts, but can also detect compromises that are only simulated.
Next time you stage a Twitter compromise, make sure that your messages look anomalous; otherwise, we can detect your bluff.