Welcome to our talk, Venator, hunting and smashing trolls on Twitter by Santiago Perez Montaño and Mauro Eldridge from DC5411. Before we start, we'll make a short introduction about ourselves and about the main topics of this talk. My name is Mauro Eldridge, I'm an Argentine hacker and the founder of BCA and DC5411, which is the DEF CON group for Argentina and Uruguay. I spoke at DEF CON a couple of times before, different villages. I spoke also at other conferences around the world, including many places. Now my co-speaker Santiago is going to introduce himself.

Okay, I am Santiago Perez Montaño. I am a security engineer at the BCA. I am a member of the DEF CON 5411 group, Argentina and Uruguay. I have the opportunity to give talks in different parts of the world, such as the grey hat in the United States, at the POSCON in Iran, and a digital self-defense or auto-defense digital in Argentina. Today I have the pleasure of being in one of my favorite conferences and in one of the most important hacking villas. I hope our talk is to your liking.

So, this talk is about trolls, how their tactics work, how to identify them based on different behaviors and patterns they show, and how they turn social media into propaganda machines. We will explain a real case of a propaganda apparatus to see from the inside. This is something that we have been working on during the previous DEF CON, during the previous year, and we even published it on this same village in the Recon Village last year. Using a sock puppet account, we will be able to profile and analyze different members of this propaganda apparatus and show its results here. We will also try to profile ongoing campaigns that just happened some days ago. We will show different tools, not only to analyze but to combat these trolls, and among those tools, there will be Venator, our tool. Just a little disclaimer, all the information that you will see here was obtained via legit means, via OSINT.
All the accounts which are going to be displayed during this investigation are anonymized. So no real user names will be displayed, even if those belong to a troll account, to a fake account, or whatever. And obviously, we were not involved in anything illegal. So, now my partner Santiago is going to give you a brief introduction on the core concepts that we will use on this talk, and then we will be able to further advance and to see this propaganda practice from the inside and start analyzing it. So Santiago, please go ahead.

Introduction. First of all, let's talk about what propaganda is. It is known as the set of means, methods, and techniques by means of which a message is made known, disseminated with the aim of attracting followers for its cause or influencing people's behavior. As such, propaganda has been used for privately, political, religious, social, or even military purposes throughout history. It is an important weapon of ideological struggles that uses all the media that are within its reach. From the traditional to the not traditional. It differs markedly from advertising and tries to push an agenda. In this talk, we will tell you how we use it daily in politics.

What do trolls do and what are they? The objective of the troll on the internet is to sow discord, create confrontation, and in general, I know it by diverting the conversation from other users and attracting attention to him. How do you do that? In comments where you want to create conflict, it can be in social network, web page, or blogs that allow comments, forum, etc. Any online site where they can make a comment or even chat live, as in an online game. It's a troll's playground. All you have to do is make a comment provocative enough that another user responds in a similar tone and follow the conversation on that line.
In the end, the issue is distorted and the troll has achieved his goal, which is to have been the center of attention and caused an argument. Trolling can be more directed towards an entity such as a company or a brand or towards a specific person. In this particular case, we are going to show you how the trolls act in favor of the political apparatus that is closely linked to a particular political party or ideology. And the trolls can leave spam comments, fancams, or any other material that would alter repeatedly, could turn the thread into something unbearable to follow for lesion commentators.

Okay, how to detect them or how to spot them? It's simply, you just have to use the nature. Now like, it's just a joke or maybe not. The first thing we should look at that account is a profile picture. It seemed credible. Yes, it's really is that a person who claims to be then the numbers and the end of the its user. Yes, yes, it is not exactly long and substantial. If what you post has coherence or simple publishes phrases or political attack. If you participate in discussions where controversy or trending hashtag are used. Behavior is vital. As he said in the presentation, this type of troll never work alone. So I'm behind you. They never come alone because he, he works at Robs.

What is a propaganda? A propaganda apparatus is a system in detail created for a political, social, etc. What seeks to try to convince a sector that the new is true or simple to try to persuade that something is wrong and the simple missing from throughout the use of social networks or another type of communication channel. In this case, we have come to talk to you about the program propaganda devices of social networks, particularly in the social network, Twitter. As is obviously known, this network is flooded with trolls and bots to fulfill different purposes or missions that are assigned to it at a certain time to try to make a trend in a particular country.
Depending on the country, how long it takes to become a trend. These devices are made up of real people, trolls and bots. The best known cases are the Glavset in Russia, the 50 Cent Party in China, the United Front Department in North Korea, the Bolivarian Army of Trolls in Venezuela and the Cyber K in Argentina. Propaganda apparatus is quick and massive interaction leading to fabricated trends. And depending on the country, how long it takes to become a trend.

Why are social networks used? Because it is easier to realize. You can write a message from any device which has the internet. The ability to lead a propaganda machine from within arms reach without even taking five minutes. It's simply one of the greatest advantages that this type of people were dedicated to this runway. You can easily automate and delegate all kinds of functions within the trending topics. It is not expensive to maintain or create. But the only cost it has would be that of the Internet Service to access an account and give orders or simply execute them to meet your daily object. The big question, do social networks authorize these types of account and behaviors? Follow me and I will tell you in more detail on the next slide.

In this slide, we can see which are the countries that suffer the greatest attack from the propaganda apparatus. Which have chosen to block IPs, thereby causing the trolls to be censored in some way. Thus avoiding to a large extent the great dimension of attack of this nature. These countries include Russia, China, Iran, North Korea, Syria and Pakistan. It doesn't mean that other countries do not do it as well. But that these are the countries that use it most frequently. Here we can see how the Pyrenees party created a social network to try to fight against imperant and establishment. But in reality, it is an organizing network of attack with bots and trolls that focuses on social network such as Twitter to launch its attacks.
But the most surprising of all is that they coordinate from this type of social network to make more effective and massive attack. Thus pretending to fulfill its objective and task. Worst of all, this type of propaganda apparatus is endorsed by Argentina's Minister of Culture, where only its military participates. Summarizing all this, we can see what a propaganda apparatus was, which are trolls and bots, where they come from and what they are used for. I hope you draw your own conclusion to continue with the talk and to be able to understand even better this next stage of it. So your country has a propaganda apparatus? Yes. Ok, let's take a look inside.

So tracking trolls, in this new chapter we are going to analyze at last a real case of a propaganda apparatus. So a real case here is the CyberK or K Troop group. This is an investigation that started last year and we were able to present it here at the Recon Village last year. So we don't want to repeat content from that previous talk. So in the next few slides we are going to summarize a whole year of investigation. So try to work with us because we are going to be a little bit fast-paced here. But the idea is to give you a context on how we got here, what are we doing actually here on this exact spot. So that context is needed. In case you want to see every detail, every single communication we had with this apparatus, every single thing we did, you can refer to our previous talk from the previous year. It will be linked on the GitHub repository for this talk. So you will be able to fetch all the information you need from there. This propaganda apparatus is Argentinian, so obviously all its communications are in Spanish. As a native Spanish speaker I have translated all the communications in English, so you don't have to worry about that part.
Aside from being a propaganda apparatus based on the Spanish language, it has another thing that makes it very particular, which is that this propaganda apparatus is composed of real users, real people, bots that are mostly Twitter bots dedicated to retweet and to spread, to broadcast certain accounts, and trolls, these are fake accounts and puppets and so on. This propaganda apparatus is used to publicly retweet its leaders and to promote different hashtags that they have. Some legit users on Twitter reported that they have received invitations to join this apparatus, so that rang a bell on our heads and we said ok, how can we get that invitation for ourselves? How can we be invited there?

So we decided to create a sock puppet account to get an invitation, to get this invitation. The sock puppet was created by hand. We had only used social engineering so far, we haven't used any tool. We based our sock puppet on pure observation. We just started looking at their hashtags and the most promoted hashtags on the politics side of things. So we created a fake profile imitating the accounts that started broadcasting those hashtags. So we decided basically to be able to subtly merge between those accounts, so we tried to imitate them to mimic them as much as possible. We used a really particular configuration for this account. For example, for the profile photo, we chose a really popular picture of President Fernandez and Vice President Fernandez together. Most accounts on this propaganda apparatus featured that very same picture, so we say why not? About the cover photo, while most of the accounts involved in these hashtags did have no cover photo, we decided to pick one for ourselves. But most of these accounts didn't feature one. So we chose one of Vice President Fernandez from a couple of years ago when she was a president, giving a speech at Belles Stadium.
We started following the president, obviously, and some minister, and a few pro-government accounts that were run by real people. Some of them or most of them were journalists or different political analysts from different TV programs or talk shows. And on the description field and on our own tweets, we started imitating their specific language and symbolism that they were using. We are not specialists on linguistics or anything. We only use the Twitter API to monitor all the tweets, all the hashtags, and extract the most repeated words forming a word cloud, which you can see here. Most of these words in Spanish are pejorative terms to refer to the opposition or to certain opposition leaders. So during the first hours of this sock puppet account, we raised around 100 followers in just a couple hours. We were only tweeting about their hashtags and using as much as possible their very same words. So in order to generate some affinity.

After three days, somebody sent me a DM and that was our invitation. And I have it here. As I said before, all the accounts, those that represent real people or not, will be anonymized, no matter what. This person says, hi buddy, we are making Twitter groups to install hashtags. Do you want to join? And I'm going like, okay, hey buddy, sure, what am I supposed to do? Basically you have to tweet the hashtags that we send to the group. And that's more or less, that's it. I was added to a group number 300 and something of Soldiers of the National Project. This group contained 50 people. This is an important detail. And on that group, people started talking about different things, but mostly they were briefings about a specific situation and a hashtag to broadcast regarding that specific situation. For example, this person says here, hey guys, Ariel Garbaros is asking us to use Larreta is responsible. So as you can see on the picture on the left, there's a briefing on this picture on green with Spanish text. It says a small briefing.
Finally, it proposes a hashtag to be broadcasted, to install this trend. This is a trending topic. Larreta in this case is the mayor of Buenos Aires City and it's a member of the opposition. Ariel Garbaros, as we discussed in our previous talk, is the leader of the propaganda apparatus. They don't hesitate on addressing him by his real name. As you can see here, and this is from a neutral source, getdaytrends.com, there were two hashtags proposed in that group, the number two and number four. Both of these hashtags are fabricated trends proposed on these groups, as you can see in the picture, in the previous picture. And they made it to the top five trends in my country. Now, taking a look at another third party source, like Trendinalia, we can see that both these trends lasted for at least 12 hours straight. This allows us to say and to state that these interventions are highly toxic. They remain for almost half a day.

Now, another person goes like this. I will translate once again. With Ariel Garbaros, remember the leader of this propaganda apparatus, we formed a group where he's the administrator and tells us what to publish and at what time, so we can get our trend to always be on first place. Once again, you see that they already assume what the consequences is going to be. So they are already sure that they will install this as a trending topic. And another one goes like, okay, yeah, it's like you say, we used to do the same long ago with the K-dude. The K-dude, it's the prototype of what is now the K Troop or the Cyber K. It's part of the same group of people. And they say, okay, you have to set a day and a time and it's the best. So they are really used to do this thing. It's not something they are newbies at. Once again, certain slogans to be spread. As you can see in the blue picture and the purple one. And then WhatsApp chat, it's shared. Obviously, we entered to see how it's going to be like.
But before jumping into the WhatsApp part, this is a screenshot from one of our Twitter accounts. Take a look at this. We have, according to our latest group we found, we have found 350 propaganda groups on Twitter alone. As you can see in this picture on the left, we were invited twice to different groups. So they do not have a real tight control on who belongs to each group. Each one of these groups holds 50 users, 49 plus 1 admin. And we can say that the total number of users in those groups is a little bit more than 17,000. That's quite a lot of users.

And now jumping into the WhatsApp side, as you can see what the person sending the hashtag here, saying, okay, at half past seven, we are going to use this next hashtag, $Witre. The person sending this message with the phone ending in 8554, it's Ariel Garbaros himself. As you can see in this group name, all groups are numbered. This is the seventh group, so there are at least six more. Each one of these groups is already full, and it has at that time 255 users without taking the administrator into account. So if we multiply these users, we have almost 2,000 new users. And if we wrap up all the users into a single operation, we have almost 20,000 users. But note that some users may be present as it is our case in different groups at the same time. So there may be repeated users. This is an estimated number, so we can't say for sure.

Now you might say, okay, 20,000 users. Now that's a lot to fight back. Yeah, it's not easy, but there are some tools, not provided by Twitter, sadly, but provided by third parties, that will allow you to block massively certain accounts, for example, an account and all its followers, or all people that have interacted with a certain tweet, for example, liking it, and so on. We have these three alternatives that are pretty good, actually. Sadly, Block Together is running... I don't know if it's running out of business, or simply the project is going to be abandoned. I'm not pretty sure.
It's something that's happening just as we speak, I think. And MegaBlock, for example, that says, okay, we'll let you nuke a tweet. It would allow you to block not only a person giving or writing a specific tweet, but all the people that interacted with it. Also, Twitter Block Chain, which is a third-party Chrome extension, works in a similar way. But again, there's nothing natively provided by Twitter, aside from the silence or blocking functions. And they are used one by one, so you can block or silence one account at a time. So, unless you are pretty good with the API and you know your way around and you know exactly what you are doing, yeah, it's going to be a little bit complicated.

So, back to the analysis. Remember that we have this account, which was invited. With this invitation, we're getting two main things. First, we're getting access to the group chats, which means that we have early access to the trends they are trying to install. And on the second hand, we have access to higher-ranking profiles that otherwise we won't be able to see. Why? Because these higher-ranking profiles in these groups are not involved in tweeting, are not involved in broadcasting these hashtags. In spreading this misinformation. They are involved only in coordinating the actions, so you will never see them tweeting about something. They will propose the hashtag but never say it aloud.

So, having discovered this, I think that it's time to feed all this data into Venator. At last, Venator, hunting and smashing trolls, as we promised. Venator is our open source tool to triage different accounts on social media. When we started this investigation on last year, the original Venator was a Lua script, which was really rigid, really hard to maintain. It was a tool for which any change that we needed must be done multiple times in the source code.
We didn't have anything quite tidy, quite organized, because we thought that Venator will be something disposable, something that we were going to use once or twice, or that will be bundled inside something else, maybe a framework or maybe another tool. But in the end, the reality is that we found ourselves using Venator on a daily basis. So, we agreed that we had to rework all of this application from scratch. So, this CLI tool that you see here became Venator RB, which is written in Ruby. This newest release features web interface and API access. And since this one uses a database backend, we are able to keep track over the time for changes on different reputation triages that we are carrying on different accounts. And also, it helps us to make formulas more elastic.

We are going to use this tool, Venator, to profile one of the Cyber K campaigns that is actually ongoing as we speak. As we are recording this talk, this campaign just happened a couple of hours ago. So, this is pretty fresh, pretty hot, too. So, our idea is to keep an eye on the most recent campaigns that we can share with you. So, this happened on August 2nd and 1st. It's pretty much this week. We are going to follow three hashtags. I'm not going to take the time to explain in each one of them because there's a long story of political rivalry here. So, it's pretty hard to explain. These are one-sided hashtags. These are going from the official propaganda apparatus against the opposition and are the following. Iglesias misogynist, which is Iglesias, parliament member, the fugitive and the stranded, which are references to two politicians, and pro-smugglers. Pro is an old political party from the opposition, and they are calling them smugglers, basically. So, we have selected 70 accounts, which are the first 71 to engage with all the proposed hashtags, or at least one of the proposed hashtags, given that no other account is there to fill this number, to fill the 70 ranks that we have.
So, before starting feeding this information, let's try to do some OSINT, some open source intelligence over those hashtags. How it is started. Let's go with Iglesias misogynist. It's number three. And look at the graph. On the graphic, you can see that it's making a plane. It just rises, skyrocketed, and then it maintained a certain number of interactions over the time. Here you can see it with more detail. It started skyrocketed and started trying to... and struggled a little bit after a couple hours to still remain between the most ranked trends. Now, how is it going? Look at this trend. Don't you see something strange? Trends do not normally skyrocket, then fall down abruptly. Something is amiss here. This indicates clearly that there was a coordinated action, because it skyrocketed at first, with the struggle to be maintained among the highest ranks of the trending topics, and also it reached the place number one, as you can see here. And after a couple of hours, it just fell. It just absolutely fell abruptly. So this is a good indicator that somebody say, okay, start with this, and that also somebody say, okay, cut it out, finish with this. We are done with this. And it lasted for a good couple of hours.

Now, what about the other trends? They were just bait and switch. They just started, and automatically fell. Look about the other. This is the pro-smugglers one. Look at the fugitive and the stranded. It lasted for a couple of hours, a little bit more than the last one, but it was more like a bait and switch. They started and automatically dropped it.

Now, this is an analysis from Venator. We are interested in those trends that have the inspect button in red, because those are the marked hashtags we want to follow. Iglesias misogynist has almost 2,000 interactions, and it's number first in the trends. But look at number two. That means in Spanish, the life we want. It only has 110. Why so much difference?
Remember that we have only subscribed 70 users to Venator. So, are you going to tell me that 70 users just shared Iglesias misogynist 2,000 times? That's pretty weird. Now, what about the pro-smugglers? 60. This means that a couple of this account haven't engaged in that hashtag. Now, take a look at the other one, the stranded and the fugitive. 21 interactions. That's pretty few. And remember that users tend to tweet these hashtags more than once. So, there's a high chance that a lot of people are just alone tweeting and retweeting this hashtag. And this doesn't represent, for example, 21 real users here. This can belong all to the same account. So, as you can see, most of these hashtags, these trends are politically motivated. But we can't stop due to a time constraint. We can't stop to analyze each one of them. So, let's keep going.

Let's see this. Details and distribution. This is a blacklisted hashtag. I blacklisted it myself in order to be able to analyze it. It was seen almost 2,000 times, as I said, on 70 users. And these are the users that share this hashtag the most. Look at the count column. One of them shared it 136 times. Other people shared it almost a hundred times. Now, go ahead and tell me that this is not a coordinated campaign. Let's go ahead. Now, Venator identifies this user with this avatar. That it's a fake one. Now, I will explain. Identify this user as the top distributor. And then other distributors follow him or her. Let's take a look at this user.

But first, before making accusations so lightly, let's do a fast rewind. Let's try to remember how to spot those thoughts. I told you back then that this information will be important later. So, now's the time. Default settings. Remember this. If you lack a profile picture, or if you are using a fake or stock one, if you are using one that represents celebrity or something else, Venator will take that as a negative score. Lots of numbers in your handler.
For instance, if I had Reconvillage 2788878, Venator won't like that. If you have a lot of numbers, that probably means that you haven't changed your default username given by Twitter. The platform, if your selected name is not available, will give you one followed by a string of numbers. Remember that trolls share a common language, common terms and phrases. So, if you tweet like a troll, Venator will treat you like one. Remember that they agree to a common version to answer debates. So, again, tweeting specific things will make Venator create a relationship between you and the malicious hashtag. And the swarm behavior. Remember that they never come alone. That's why Venator has a blacklist user follow check. You can blacklist different users, and we did. We did blacklist the leader of this propaganda apparatus, Ariel Garbaros. So, if an account is following him, this will take away points from its reputation. That's the idea, to start generating a network to see what are the different aspects that can be dangerous to this social network. That can be toxic, that can be part of a collective effort to spread this toxicity.

So, let's check this user. Automatically, you can see that this avatar belongs not to this person. The person depicted here is the vice president, Fernandez, with a political slogan. Then the risk score rises to the max. Highly suspicious behavior. But why? Just because this person thinks different than other people? No, it's not because that. It's because all of this. Take a look. This person joined three years ago. So, that's okay for Venator. It has more following than followers. This doesn't take a lot of score from its reputation, but if you have, for example, 5,000 following and zero followers, it will definitely take some score risk. It will absolutely add some risk to your score. If you divide the quantity of tweets by the quantity of years this account has been active, it gives us the idea that it has little activity.
This won't take away score, but will raise a badge at the end to notify this. This is a non-verified user. This doesn't affect the final score. Has low activity. Has been involved in dangerous activity. Why? Because it has malicious hashtags, and it has tweeted them more than the normal. You can have tweeted once using a hashtag marked as malicious, twice or even three or four times. But going beyond that number will trigger Venator to start counting malicious attempts and taking different numbers of reputation from yourself. Also, this user follows our blacklisted user. So, obviously, all of this is really suspicious and doesn't seem normal at all.

Now, let's take a look at another profile, the number two. The last one was the top distributor. This will be the second one. It has obviously a fake profile. This is Diego Maradona, the soccer player. The risk score is fairly high, and it's treated as malicious because this user has an outstanding activity. If you take a look, it is an old account, four years old. It has little difference between following and followers, but the account, if you divide this number, 70,000 tweets in four years, I can guarantee this gives you a lot of tweets more than the average Joe will tweet on a normal day. So, we have outstanding activity and this outstanding activity, it's tied to tweeting malicious hashtags. So, this is obviously a malicious effort. Again, we can easily see that this is not a real account.

Now, a third one. As you can see, this lady here is our vice president once again. I think this is from a couple of years ago. So, the risk score, again, is highly suspicious. But why? Look at this. This is an account that was recently created less than a year ago. Or not a couple. Yeah, I think it's... Yeah. So, it was recently created. It has just a few more following than followers, so this is not making up this score. But once again, it's using this account for tweeting in an outstanding way. It has an outstanding activity.
In less than a year, this person tweeted 14,000 times. That's a lot. Also, it used different hashtags that were raised up as suspicious. In this case, he tweeted only once, our blacklisted hashtag. But it also has a suspect handler. This means that it has a couple of numbers. And it was recently created. So, the score raised it. And actually, Venator was right. This is not a real account. This is not a real profile.

Going to the next one, the fourth one. It says in Spanish, I'm always by your side. And again, this is Vice President Fernandez. So, risk score is fairly high again. It should be around in the order of the 60s, 70s, I think. I'm sorry. So, this account is 11 years old. This definitely looks like a legit account. But the photograph is not real. Take a look at the badge below. It says default pictures. Since that, either there's no background picture, no profile picture, or a default one, or a picture that was marked by ourselves as a stock. Stock picture, or fake picture, or celebrity picture. So, this will be automatically rendered as default picture. It will receive the same score penalty. This is the first case where the account has more followers than following. And that looks normal to be natural. Nevertheless, the score won't go down. Tweets, again, an outstanding activity. But only one of these hashtags were malicious.

So, moving forward. And here we have the best camouflage award. This is the not my damn job award from this year. This guy absolutely didn't give any single F. He only left the default profile and started tweeting like that. So, I would like you to take a last look at this. At all this profile, at this fabricated trend, at all these fabricated users. And now tell me again how much you trust information on the social media, especially on the politics side.

Okay, it's time to say goodbye, sadly. Conclusions are that, even if it seems obvious, always inform yourself through professional and verified sources.
I know that they are not always available and they are not easy to get, but try. And just because a word or a phrase are trending, it doesn't mean that it is for real or that it represents the thinking of a majority. Remember that every day, somewhere, and sometimes people pay for this, groups of people and machines work together to install biased thoughts and debates in society. So, that's why you should really choose verified sources. Because a few have seen before in this talk just a few slides back. Will you really trust whatever comes from social media?

If you want to get in touch with us, we are available on Twitter, we're always happy to reach out and if you have any questions or anything you want to share with us, projects or anything you're working on, you can find us here. And we are also available on GitHub if you want to clone this project or to take a look at the first investigation we did last year, everything will be linked there. So, if you have any questions, we are happy to answer them at the Discord server. Before we go, I would like to give a heartfelt thanks to Sandeep and his team for inviting us today. So, take care and we will be waiting at the Discord channel if you have any questions.