Seite 11

The University of Innsbruck was founded in 1669 and is one of Austria’s oldest universities. Today, with over 28.000 students and 4.000 staff, it is western Austria’s largest institution of higher education and research. For further information visit: www.uibk.ac.at.

"Sorry, I was Hacked"A Classification of Compromised Twitter Accounts

Eva Zangerle, Günther Specht

Seite 22

Motivation

•Twitter • 400 mio. tweets per day• 200 mio. monthly active users

•Huge crowd also attracts criminals• 355% inrease in spam on social media platforms in first half of 2013 [Nexgate]

• Higher click through rates [Grier et al. 2010]

• 0,003% of all promotional URLs within emails are clicked• 0,13% of all promotional URLs within tweets are clicked

• Spread spam messages containing URLs of affiliate websites• 8% of all URLs posted lead to scam, malware or phishing sites [Grier et al. 2010]

• 77% of all spam messages detected within one day [Grier et al. 2010]

Seite 33

Motivation

•4 main approaches for spreading spam on Twitter:• Set up (or buy) fake acount• Set up a bot• Set up a cyborg• Compromising of accounts

• Reach of messages • Send direct messages, tweets in name of legitimate account owner• Exploit trust relationship between users

Account Compromising Detection, Announcement of Compromising

Normal Behavior Abnormal Behavior Normal Behavior

Seite 44

Goals and Research Questions

• Shift the user back into focus!• How do Twitter users react after having recognized that their

account was compromised?• Which actions do these users take after having been hacked?

• Analysis of tweets announcing that account was compromised“If I sent you spams via DM, I’m really sorry – my account got hacked."

• Analysis via Support Vector Machine classification

Seite 55

Data Set

• Twitter API (Spritzer)• December 1st 2012 – July 30th 2013• Tweets containing ("compromised" or "hacked") and "account"

Seite 66

Data Set

Seite 77

Classification Methodology

• Workflow

• Data cleaning• Remove non-English tweets• RT and direct messages remain

• Filtering• Test and training data set created manually (5,000 tweets)• Classification via SVM• Grid search for tuning• Evaluation via 5-fold cross-validation: overall accuracy of 78.25%

Data Cleaning Detection of Classes Filter Classif-ication Result

Seite 88

Categories

1. Hacked Account"Ooh looks like I've been hacked! That explains the inability to get into my account! Will be putting that right"

2. Sorry for Tweets"My Account was hacked pls ignore all the tweets I sent today. I apologize for the inconvenience"

3. Sorry for Direct Messages"If I sent you spams via DM, I'm really sorry - my account got hacked"

4. New Account"Hey guys, go follow my new account because this one is hacked and is sending out spam"

5. New Password"Very sorry everyone. My account was hacked. password changed, hopefully that does the trick"

6. Hacked by Relative / Friend"my brother hacked my account, sorry"

Seite 99

Results

Seite 1010

Discussion

•Twitter help pages available:• Change password• Revoke connection to third-party applications• Update password in trusted third-party applications

•Guidelines for safe tweeting also available•Still: 27% of users create new account•Effort to redirect followers to new account

• 21,000 ask particular users to follow back• Leave account neglected

•Users are not informed properly•Users do not seek help in case of account compromising

• 1.105 tweets sent to @support

Seite 1111

Conclusion

• Analysis of compromised user accounts on Twitter• "How do users react after their account has been

compromised?"• SVM classification

• 27% change to new account• 28% apologize for unsolicited tweets or direct messages• 23% state that account was hacked

• User not informed properly or does not seek help

Seite 1212

Questions?

Contact and Social Media

@eva_zangerleeva.zangerle@uibk.ac.athttp://www.evazangerle.at

http://dbis-informatik.uibk.ac.at@dbisibk https://www.facebook.com/dbisibk