As many as 24 million Instagram accounts could be spambots created and sold on online black markets to inflate follower counts or likes of celebrities, politicians, and brands, according to new research published on Tuesday.
A group of researchers scanned and analyzed 10 million random Instagram accounts and found that 7.9 percent of those behave like spambots. How did the group know what bots act like? For their research, the group purchased 20,000 spambots from 10 different online vendors and analyzed their behavior, creating a profile that they used to spot other spambots among the 10 million accounts they scanned.
“I think Instagram should be more transparent because they have a real spambot problem,” Andrea Stroppa, the lead researcher, told Motherboard. “Now that they're selling ads they should offer more accurate data to investors and advertisers."
Instagram has “a real spambot problem.”
Moreover, the researchers found that a large number of the scanned Instagram accounts are virtually inactive. (The researchers declined to reveal exactly how they scanned Instagram, for fear of their method being blocked.)
Almost one in five (19.8 percent) of the accounts analyzed had no posts whatsoever, 10 percent had only one picture or video uploaded and almost half (46.7 percent) of the accounts had less than five posts.
The researchers believe that these numbers put into question Instagram’s claim that the photo-sharing network has 300 million active users, as well as last year’s much-hyped effort to curtail and weed out fake accounts and spambots.
The researchers found “ample evidence of widespread spambot activities,” even six months after Instagram’s so-called purge in December of last year, which resulted in the expunction of millions of fake accounts. Last year’s purge hit everyone from celebrities such as Justin Bieber, who lost 3.5 million accounts, to Instagram’s own account, which lost almost 19 million followers, according to data collected by web developer Zachary Allia.
An Instagram spokesperson declined to comment on the research, but said that Instagram uses the same spam-fighting tools, both automated and manual systems, as Facebook, its parent company. The spokesperson also stated that Instagram has 300 million monthly active users and 200 million daily active accounts, numbers that do not include inactive users.
The spokesperson also noted that Instagram counts users as active even if they don't post anything but simply log into the mobile app or the site.
While it’s true that Instagram has implemented several countermeasures to block spambots and fake accounts, “much more needs to and can be done,” the researchers wrote in their report.
The problem, according to them, is that the business of selling fake accounts is booming.
“People who are in this business make a lot of money and want to keep doing that, finding new ways to trick Instagram.”
“Instagram is very aggressive in blocking them, but people who are in this business make a lot of money and want to keep doing that, finding new ways to trick Instagram,” Stroppa, an independent security researcher who has also studied fake Twitter followers and social media ads for counterfeit goods, told Motherboard.
Stroppa believes that the number he and his colleagues have uncovered show that Instagram needs to do more to stop fake accounts, and needs to be more transparent when publishing active users numbers. Their research, Stroppa said, might even put into question Bank of America’s $37 billion valuation of Instagram, which was based on the number of users, according to a Bank of America spokesperson. (The spokesperson declined to share the original report because it is “proprietary for our clients.”)
SCANNING FOR SPAMBOTS
From August 2013 to May 2015, Stroppa and the other researchers found more than 270 vendors who offer followers, views or likes in bulk.
Some of these might be scams such as the one uncovered two years ago, which tricked more than 100,000 people into giving away their passwords. But the majority are legitimate spambot shops, which produce large numbers of fake accounts by creating, or purchasing, fake emails and cellphone numbers to verify the accounts, and even IP addresses, according to the researchers.
This is a sophisticated “de facto black market,” where some of these vendors are easily reached with a simple Google search, and others are more discreet and operate only via Skype, email or IRC chat, the researchers wrote.
The researchers estimate that as of June 2015, there are at least 190 of these vendors. And they are still operating despite the purge of December of last year, as “only a few black market vendors had to actually slow down their operations,” according to the researchers.
Yet, some of the vendors seemed to be affected by it, although after the purge they reassured their customers that business would go on as usual.
“All Instagram service will be running slowly,” read one notice on a vendor site, which is shown in the report. “We will fix our systems asap and thanks for your understand [sic].”
“Thanks everybody for your patience today while we sort through this major update,” another vendor wrote. “We are still running orders, but as you can imagine we are getting tons of orders.”
An example of an Instagram spambot.
For this research, Stroppa and the others bought 20,000 spambots and studied their behavior. They found that the average spambot uploads six images or videos, and follows 41 users for each follower it has.
Some vendors offer what the researchers call “targeted” spambots, which a customer can customize by gender, language, country or specific interests. These more advanced and expensive spambots include features such as automatic following and unfollowing based on the customers preferences. To minimize the risk of detection, some vendors offer to gradually increase the follower count day by day, selling, for example, 3,000 to 5,000 a day.
The researchers also estimated that running a spambot business of 1,000 fake accounts can cost up to more than $4,000. According to the researchers, a vendor can sell 1,000 regular (i.e. non-targeted) followers for as little as $10, but targeted accounts sell for $35. So the business can also be profitable, given that vendors average 30 customers per day, Stroppa said.
So next time you see those irritating cliche Lo-Fi sunset pictures on Instagram, be nice, it might just be a spambot.
This story has been updated to add a comment from Instagram's spokesperson about users being counted as active if they simply log in onto the app or site.