Uncovering the mystery of fake Twitter accounts is easier than I thought

estevan · Feb 19, 2018

My evening felt like a paranoid movie scene where some genius (or loser) is posting clues on a wall and trying to uncover the truth. The fact that this night was birthed from wasteful hours in the void we know as Twitter made the entire situation disquieting. Here I was thinking I am some amazing cyber sleuth uncovering the latest craze: Russian trolls.

So while on that high — teetering between excitement of the hunt and concern about wasting an evening — I found myself jumping at conclusions. Here’s a Russian troll! Another! In fact it’s probably a spy! After a day or two I calmed down, reflected on my evidence and decided to explain it. I realized the facts I found are very clear but only tell us so much.

I am of a generation that knew life without the internet. I have experienced many forms of human+computer interaction on the internet. I am also a web developer and UX architect. I study the concepts of “dark patterns” — methods of influencing or tricking users into taking certain actions. Twitter is certainly full of dark patterns. I say this because I filter my experience that way. At the risk of sounding paranoid, when I interact with “people” online I am always suspicious.

Maybe I am paranoid. Something told me a particular Twitter user who didn’t like my comment was not entirely legit. I acted on that impulse and here’s how it went.

Part 1

I used simple tools to find a few answers. I started with a reverse image search in Google. The kind made popular by the TV show, Catfish.

I had a typical, unfruitful interaction with this Twitter user. I forget the dialog. Something along the lines of:

Amy: Something something FBI! Go Trump!

Me: Actually, yadda yadda.

Then I was blocked.

Nothing unusual there. I wasn’t angry. That’s what the block feature is for. However, her timeline raised red flags for me. It lacked variation in tone. It was consistently pro-Trump, anti-liberal, all politics. It contained many hashtags. The kind of hashtags that make you think, “I don’t think that’s trending.” It was also mostly retweets.

Can this behavior be normal? Yes. Could I be naive or paranoid for finding it abnormal? Yes. Did my hunch prove me right? Possibly.

I generally believe an authentic social media presence requires variation, evolution, and moments of vulnerability. Many of us can tell the difference between a marketing Twitter account and a real person. “Amy” never discussed her day. A good experience. Her kids. Photos of friends. Nothing.
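As an added illustration (not from the original post), the timeline signals described above, share of retweets, hashtag density, and how many tweets carry hashtags at all, can be turned into a crude screening check. The sample tweets, the legacy "RT @" convention for detecting retweets, and the flag thresholds are all constructed assumptions for this example.

```python
import re

HASHTAG_RE = re.compile(r"#\w+")

# Constructed sample timeline (not real tweets): mostly retweets,
# hashtag-heavy, single-topic, the pattern the post describes for "Amy".
AMY_TIMELINE = [
    "RT @someone: Drain the swamp! #MAGA #FBI #ReleaseTheMemo",
    "RT @other: The FBI is corrupt #ReleaseTheMemo #MAGA",
    "Go Trump! #MAGA #KAG #ReleaseTheMemo",
    "RT @x: Liberals melting down again #MAGA #FBI",
    "RT @y: Shocking! #ReleaseTheMemo #MAGA #DeepState",
]

# Constructed contrast: a timeline with the day-to-day variation the post
# expects from a real person (kids, food, friends, the occasional retweet).
VARIED_TIMELINE = [
    "Kids had their first snow day today, total chaos",
    "Anyone have a good pad thai recipe? #cooking",
    "RT @news: City council approves new bike lanes",
    "Ugh, long day. Bed.",
    "Photo from the hike this weekend with friends!",
]


def timeline_stats(tweets):
    """Compute the three ratios the post relies on. Assumes retweets are
    marked with the legacy 'RT @' prefix (the API exposes a proper flag)."""
    n = len(tweets)
    retweets = sum(1 for t in tweets if t.startswith("RT @"))
    tag_counts = [len(HASHTAG_RE.findall(t)) for t in tweets]
    return {
        "retweet_ratio": retweets / n,
        "hashtags_per_tweet": sum(tag_counts) / n,
        "tagged_tweet_share": sum(1 for c in tag_counts if c) / n,
    }


def red_flags(tweets, rt_max=0.6, tags_max=1.5, tagged_max=0.8):
    """Return the names of the signals that exceed the (assumed) thresholds.
    An empty list means the timeline passed this crude screen; a hit is a
    reason to look closer, not proof of a fake account."""
    s = timeline_stats(tweets)
    flags = []
    if s["retweet_ratio"] > rt_max:
        flags.append("mostly_retweets")
    if s["hashtags_per_tweet"] > tags_max:
        flags.append("hashtag_heavy")
    if s["tagged_tweet_share"] > tagged_max:
        flags.append("every_tweet_tagged")
    return flags
```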

My reverse image search presented me with interesting Google results.

Do you see what I mean?

Part 2

The first underlined text is Russian for “on Twitter”. The second is an IP address I will discuss in a moment. The last underline is Russian for “date of registration”. The links provided by Google resulted in non-existent pages. I decided to research archived web pages on that server instead.

There are many services that save old versions of web pages for archival, research, and historical purposes. I used one called Archive.is. As it turns out, it contained one archived page.

If you look closely at the address bar, it’s for a Twitter user, “badwolf303”. That user is not Amy. I was left with more questions. Why did Google query a page that seems to refer to Amy but the archived page references another account? I didn’t know so I moved on.

Server addresses with no domain names often exist as a part of the “dark web” — places online that are hidden in obscurity. Using a domain name like “mysuspiciousactivity.com” just isn’t something some people choose to do. So I thought this could be some dark web activity, but then I saw the company logo on that page: NewIPNow.com.

An IP address tells people and computers the location of internet activity. The address of the link is: 104.223.48.240. This address refers to California. The company NewIPNow allows you to browse the internet through their California IP. This means activity appears to derive from California even when it is not.

At this point we now have these facts:

Google crawled and saved a link to a page of either Amy or Badwolf303 that resides on a server used by an IP spoofing service.

Someone had to manually type/paste that Twitter address into NewIPNow in order to use their service.

Someone decided they needed to view that page from a California IP.

Google shows the results of that page using the Russian language. Why?

We’re starting to see smoke.

Part 3

This is where things get blurry. During my process I frantically looked at many archived pages, and along the way I discovered an archived page sitting on a new server, Sohuu.ml.

Here’s the embarrassing part. I don’t recall how I arrived there. I probably was searching for info on “Badwolf303”. It may have been a URL that actually loaded when I was researching Amy. As you can tell, I’m not a professional at this.

The .ml extension at the end of Sohuu is the country-code domain of Mali. In 2013 Mali began allowing users to register domains under its extension for free. Normally this is a process that costs a fee. This article discusses how this decision can contribute to phishing scams and underground activity. Basically, not requiring a fee means users don’t need to identify themselves. Anyone can obtain the domain name and remain anonymous.

What I discovered is that there are many saved Twitter pages on the Sohuu server.

The homepage for this website, however, is in Chinese and appears to contain benign information about events and news.

This means we have saved Twitter pages, using a Mali domain extension, with a homepage in Chinese. What else? These Twitter pages are translated into mostly Russian or an eastern European language while a Chinese language floating bar appears at the bottom.