How I got 65K followers in one day…
Almost all social networks make the same mistakes in their beginnings, mainly by focusing on the roadmap and not paying special attention to security because… Who is going to want to attack me or take advantage of me when I barely have any users?
It is for this reason that the new social networks are the target of new “attackers” who want to take advantage of this vulnerability to be the first to dominate this new product/market.
Companies also benefit from these attacks by gaining media attention and increasing their visitor, user or activity statistics, a prerequisite for new funding.
In this case, I opted for one of the most famous social networks in Spain, a social network called Peoople, promoted by influencers and advertising media.
What’s Peoople? How does it work?
To know how to stand out, it is necessary to first understand how this social network works, which behaviours it rewards and which are punished, in order to try to reach our target as quickly as possible.
In this network we find that there are different levels according to your “influence”, which is measured in followers, likes and friends that you bring to the platform. The levels are rookie, influencer, unicorn and star.
To reach the next level you have to meet certain requirements:
- Create enough content
- Invite your friends
- Get followers
- Get comments on your pics
- Get likes on your pics
Each level requires higher values. For example, to receive the “star” level, you need to bring 100,000 friends to the social network, i.e. all these users must register with your code.
Yesterday 200 followers, 65,000 today. I’m an influencer!
To go from 200 to 65K followers what I did was to create my own army of bots that would act as I wanted them to.
By doing this we can have as many followers as we want, all fake, yet able to interact as if they were real users. They can like, follow and comment; they can perform any action intended for a real user.
Once these objectives of followers and impact have been reached, the social network can be monetised 💸. And by being able to create as many users as you want, the economic objectives are distorted, for you and for everyone else, as you will far exceed any objective imposed on you.
In addition to having some scandalous numbers, I was also included in the 🔥 TOP influencers list on the Peoople main page, getting more attention and social repercussion.
How did I do it?
We could do it by the usual route where we already know the difficulties or we could find an additional route where we can obtain these advantages in less time. Of course we will take the latter option.
⚠️ To do this we will take advantage of the fact that the social network does not check the email with which the user registers. Thanks to this we can generate as many users as we want without having to check the email address.
To do this we will have to programme the actions we have seen previously that will allow us to level up, that is to say, we will have to create users who register with our code, follow us, like our publications and comment on our posts.
If we are going to create tens of thousands of followers we will have to generate a large set of data to simulate real users, with name, surname, email, password, etc…
Creating an army
The first thing I did was to generate a dataset with the minimum requirements to create users in the social network. Easy:
Then I created the users in the social network. To do this, I saved the requests that were made in the process of creating a user via email and programmed them in python code. Finally, I saved the created users with their identifier and other attributes needed to log in.
Finally, I programmed some basic functions for the bots to act in the social network pretending to be real users such as liking, following someone, visiting a profile, etc…
With this code and through parallel executions we are able to create our own army of bots within this social network.
What’s the solution?
When something like this has been done to us, the first step is to identify what the user has done and how they have done it. Once identified, the first thing to do is to prevent them from continuing to do so.
To do this, Peoople should verify that the newly created user (our army) is real, or at least try to do so through various techniques:
- Use a verified account (Gmail, Facebook, Apple)
- Use a telephone number to identify real users.
- Use captcha
- Of course, send email verification.
- Let’s use MFA.
Once you know that they can’t do the same to you again, the next step is to investigate how to eliminate all the fake users that were created, which are generally easy to detect because of their sparse and very focused activity. If you detect that in 1 minute you have had 30,000 likes on the same photo, it is very likely that they are bots. With patience and good SQL queries it is easy to differentiate the fake users from the real ones.
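The clean-up query described above, as an added example that is not part of the original post or Peoople's code: it finds per-minute like bursts on a photo, then flags accounts whose entire history is a single photo liked inside such a burst. The `likes` table, its columns, the threshold and all rows are constructed assumptions; the SQL runs on an in-memory SQLite database.

```python
import sqlite3

# Hypothetical threshold: likes on one photo within one minute. Kept low so the
# constructed sample triggers it; the post's own example is 30,000 per minute.
BURST_THRESHOLD = 5
T0 = 1_700_000_000  # constructed base timestamp (unix seconds)

def build_sample_db():
    """In-memory database with an assumed likes(user_id, photo_id, ts) table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE likes (user_id INTEGER, photo_id INTEGER, ts INTEGER)")
    rows = [(100 + i, 1, T0 + i) for i in range(10)]        # burst-only accounts
    rows += [(u, p, T0 + 3600 * (u + p))                    # organic accounts
             for u in (1, 2, 3) for p in (1, 2, 3)]
    rows += [(4, 1, T0 + 5), (4, 2, T0 + 86400)]            # real user caught in the burst
    db.executemany("INSERT INTO likes VALUES (?, ?, ?)", rows)
    return db

# One row per (photo, minute) bucket that reaches the threshold.
BURSTS = """
    SELECT photo_id, ts / 60 AS minute, COUNT(*) AS n
    FROM likes GROUP BY photo_id, ts / 60 HAVING COUNT(*) >= ?"""

# Accounts whose whole history is a single photo liked inside a burst window.
SUSPECTS = f"""
    WITH bursts AS ({BURSTS}),
    per_user AS (
        SELECT l.user_id,
               COUNT(*) AS total,
               COUNT(DISTINCT l.photo_id) AS photos,
               SUM(b.photo_id IS NOT NULL) AS in_burst
        FROM likes l
        LEFT JOIN bursts b ON b.photo_id = l.photo_id AND b.minute = l.ts / 60
        GROUP BY l.user_id)
    SELECT user_id FROM per_user
    WHERE in_burst = total AND photos = 1
    ORDER BY user_id"""

def find_bursts(db, threshold=BURST_THRESHOLD):
    return db.execute(BURSTS, (threshold,)).fetchall()

def find_suspects(db, threshold=BURST_THRESHOLD):
    return [r[0] for r in db.execute(SUSPECTS, (threshold,))]

if __name__ == "__main__":
    db = build_sample_db()
    print("bursts:", find_bursts(db))
    print("suspect accounts:", find_suspects(db))
```

User 4 liked the same photo during the burst but also has unrelated activity, so it is not flagged; treat the output as a review list and confirm against signals such as registration time or unverified email before deleting accounts.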