What do a public figure, a political yet tacky online store and an all natural herbal remedy site have in common? Answer; A mysterious and controversial twitter botnet.

Scrolling through the Twitterverse can land you in some of the most confusing and shocking Twitter feeds. (We’ve all scrolled past Trump). Constantly we come across propaganda, blatant racism, pure idiots and stolen content. We sift through endless threads on conversations we didn’t even know could exist. But while you’re following these bizarre conversations on Twitter, are you aware these actions can also be responsible for malware and viruses on your computer/device? This malicious conspiracy clickbait started somewhere, and we intended to find out more.

We discovered a possible botnet of one public figure in particular who piqued our interest. Her name is Ali Tmak and her twitter account [at]ALI_TMAK was started in 2014. A quick search on TMAK shows it also stands for ‘Target Marketing Action Kit’. Which hits close to home with this account and dozens of bots promoting her and the TMAK brand.

Stock image used by the botnet with overlay-ed text that changes messaging based on. It’s effective.

Discovery

A question you may be asking is “How the hell did you find these accounts?” Well our methods are similar to the ones used in our last discovery of the Tokyo Botnet. @AltDIA running a Python Twitter streamer to analyze live data and @altGS_rocks using R to scrape specific TMAK accounts, and sample tweets to help pave the way of these findings and progressions. In this case, our streamer picked up a group of accounts tweeting the same exact tweet from a popular automated site twittbot[dot]net. The specific tweet was promoting a Trump shirt sold on Ali Tmak’s store.

Scrolling through these account feeds we discovered a slew of unnecessary characters, tweets linking to her Skreen shop, and other online stores. The items she sells ranges from trump T-shirt’s to Obama pins. There’s comments on Arabs, references to other public figures and countless posts linking to virus-ridden site called iherb.com. Since it’s creation this twitter botnet has heavily linked to an iherb site using a user-specific promotional code.

We informed the medicinal herb retail website of what dangers it’s site posed. Looking through reviews of the site it seems a long standing well run business has faced recent troubles internationally when it comes to deliveries not being delivered or bogus excuses for why an order is cancelled or not refunded. Is this poor customer service, or is something more sinister coming to that website?

Twitter Account: Ali_Tmak

Bot researching often leads us to odd corners of Twitter where automated accounts go unchecked, free to pollute the Twitterverse with their discount codes, racist merchandise, and bizarre agendas. The Tmak bots are a prime example of such social media behavior. At first glance what seemed like a woman promoting a herbal website and her personal brand, led to the unraveling of a large, aged, and mysterious operation.

Feel the weird hate.

ALI’s Crazy Store & Some Sample Products

The TMAK Botnet

The initial handful of accounts sharing the exact same link to the Tmak store led us to a network of over 40 accounts and more are being discovered every day. (Shout out @Saill and @MegaEliz for the help!)

The accounts list:

Ali_Tmak 00_Millionaires Ali_Tmak_Store Annet_Gelink aurora_perezz Best__Mom__Ever Blondes__R_Us brenda__James Carly__Joness Coupn_Folotrain Cristy_Whitman dacey4you Dany_Reese Follow__Global FollowBack__Pig Global__Coupons Global__Team_00 Globl_Modeling Globlpromotions Happy__Brthday Health__Nature Jane_Richardss Janet__Clark Lea__Branson liz_Krevik maria__cisneros marilyn_Mercerr Maryann__Turner Merry____Xmas molly__ferg nadia_abakumva NFLShoutoutSale Norma__Chavez Penny_Pincherr Ramona_Websterr Roberta_Emmings Steph__Wilsonn Susan_lamota t erryy_garcia Tmak_Xmas

These accounts have cloned tweets that they post almost every hour. This is a red flag for automated accounts to stick to a strict posting schedule. We’ve discovered the sources of these tweets are from websites infamous for controlling and hosting botnets. Specifically twittbot.net and IFTTT. Cloned tweets and sources like this is what we look for when bot searching. Below you see an example of this automated activity. Ali Tmak bots artificially promote the Tmak store, a bizzare Youtube video and a coupon code for iherb[dot]com, a site very popular in Russia.

Promotion Code:

As seen on Twitter with a quick search for “AQU143”

So we would like to showcase a few of the useless and crazy things we found reviewing the accounts the accounts interacting with the Tmak bots.

See below for a closer look at what that image is above…In Russian no less.

Don’t ask us what all this garbage means but some human being with time made it for some purpose.

And then there is this (below). See anything unusual? No? look harder. There you go….POTUS. oh dear. The connections to Russians and MAGA and other far-right conspiracies is making us all like: “Illuminati Confirmed” *insert pyramid*

iHerb[dot]com

Code first appeared in this Youtube video in 2012

We investigated a common promotional tweet from the Tmak botnet which references the herbal retail shop iHerb. Each tweet for iHerb includes a user specific coupon code “AQU143” for Alicia’s account. A related Youtube channel for user Alicia8094 included a video message with the same coupon code as early as 2012 (two years before the creation of Ali Tmak’s twitter account). Upon closer inspection the iHerb site had multiple viruses despite it’s clean and colorful design. Responsive or not, this site requires caution.

As you can see this retailer has been around for quite some time.