Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Instagram Porn Bots Evolve Methods for Peddling Adult Dating Spam

Incentivized by affiliate programs, scammers are evolving how they utilize fake Instagram accounts to target users on the popular social media platform.

As social networking services rose to prominence in the early part of this century, the services themselves and all manner of other businesses saw the revenue potential that came with targeted advertisements tailored to individual interests. At the same time, scammers, who until this point had relied on email as their vehicle to promote adult dating and webcam-based scams, were quick to capitalize on the burgeoning platforms — albeit in shadier ways — in order to earn money from affiliate sign-ups. 

In the years since, an entire cottage industry of scammers has cropped up, using bots to redirect social media users to fake accounts in order to game the lead-generation system. Indeed, since 2016, Instagram users have been subjected to a variety of scammers peddling adult dating and webcam spam via porn bots. The activities of the porn bots range from simply following Instagram account holders to liking and commenting on their photos to, more recently, exchanging direct messages with them. 

To its credit, Instagram — which attained 1 billion monthly active users (MAU) in 2018 — has worked to try to thwart the efforts of the operators of these porn bot accounts, but, as you can imagine, it is a cat-and-mouse game. As someone who has been researching this space for many years, the cat-and-mouse game fascinates me. This post aims to highlight some of the notable trends I’ve recently observed with Instagram porn bots, such as the use of intermediary accounts and bots using literary quotes in their photo captions, and discusses the driving force behind their presence as part of my continued effort to educate Instagram users. 

Instagram Porn Bots

Instagram Porn Bots Evolve Methods for Peddling Adult Dating Spam

Historically, Instagram porn bots would be self contained, performing activities such as liking photos and following users with a link directly in their bio along with suggestive text, as seen in the example above. These porn bots have made some simple changes, for instance, altering their profile images with Story rings around them to make it seem as though they’ve posted an Instagram story and removing their suggestive text.

Instagram Porn Bots Evolve Methods for Peddling Adult Dating Spam

However, in an effort to bypass some of the mechanisms in place to detect this type of activity, porn bot operators began to leverage what I’m referring to as intermediary accounts.

How Porn Bots Use Intermediary Accounts

How Instagram Porn Bots Use Intermediary AccountsHow Instagram Porn Bots Use Intermediary Accounts

In this example, the intermediary account, “kayla” follows a user. Visiting this profile shows there are no photographs on the account. However, the bio contains emojis and the words “My Nude Pics Here” spaced out with periods in-between. The added punctuation is an attempt to bypass some automated measures Instagram may have in place to detect such activity.

The reason this is considered an intermediary account is because it instructs users to visit a different profile. In this case, the “kayla” intermediary account is linking to a “babe” account.

How Instagram Porn Bots Use Intermediary Accounts

Similar to the intermediary account, the “babe” account also doesn’t contain any photos. However, this bio contains no obfuscation of the text, directly stating “All nude pics posted on website, look” with a link to a Bitly-shortened URL.

Not having any sort of activity associated with the “babe” accounts allows it to persist on the service without getting flagged by automated means. Based on intelligence from some of the domains used in the babe campaign, it appears the person behind that particular campaign has been actively pursuing Instagram porn bot spam since at least the middle of 2016. They’ve registered close to 1,300 domains since 2016, registering nearly 100 in the last six months.

Prevalence of “Babe” and Similar Instagram Accounts

There are quite a few similarly named “babe” accounts on Instagram. They all have the phrase “ALL NUDE PICS POSTED ON WEBSITE, LOOK” along with emojis in their bios, but only a handful of accounts have Bitly-shortened URLs as well, indicating these are actively being used. It is unclear if the accounts without Bitly-shortened URLs have been abandoned after they served their purpose or if they are spare accounts ready to be used once the active accounts have been removed by Instagram.

Prevalence of “Babe” and Similar Instagram Accounts

In addition to the “babe” accounts, there are other accounts with a different naming convention that are essentially identical. The same Bitly-shortened URL was used by several  “babe” accounts, as well as an “n_” account, indicating that each batch of accounts was generated by the same person.

Prevalence of “Babe” and Similar Instagram Accounts

Prevalence of “Babe” and Similar Instagram Accounts

Use of “Novel” Porn Bot Accounts

Even as we see an uptick in the use of intermediary accounts, some porn bot accounts on Instagram still follow users directly to capture their attention. I recently observed a new batch of accounts that were slightly different from normal porn bot accounts. These accounts aren’t blank; they typically contain a maximum of three photographs. Their names contain two random emojis, one at the beginning and one at the end. For instance, one account named “Carolyn Jones” has the vulcan salute emoji followed by a smiling face with horns emoji.

Use of “Novel” Porn Bot Accounts

What’s peculiar about the photos on this account is the seemingly random nature of them, which is an intentional effort to thwart suspicion in three ways:

  • Most porn bot accounts would promote sexually suggestive imagery on their profiles. 
  • The woman in the images doesn’t look like the same person. 
  • The absence of any sort of tagline in the bio and no presence of a short URL.

Use of “Novel” Porn Bot Accounts

The random images themselves don’t contain links or any suggestive commentary either. Instead, they include some text that appears to be truncated. In the example above, the image contains a quote from The Count of Monte Cristo by Alexander Dumas.

Similarly, another porn bot account named “Pamela Turner” included another truncated Dumas quote from The Count of Monte Cristo, albeit from a different source.

Use of “Novel” Porn Bot Accounts

Another porn bot account named “Denise Sanders” had very little text on each image, save for one image that included a shorter, truncated quote.

Use of “Novel” Porn Bot Accounts

This account wasn’t quoting any of Dumas’ novels, opting instead to use a truncated quote from George R.R Martin’s famous Game of Thrones novel.

In some respects, these accounts are novel in their approach, and at the same time they also use quotes from novels, which is why I’m referring to these as “Novel Accounts.”

“Conversing” With A Porn Bot in Direct Messages

Since Novel Accounts and other porn bot accounts with nothing in their bios aren’t promoting their adult dating spam in public, they do so privately in direct messages. Following one of these accounts and initiating a conversation leads to "conversations" in broken English, such as this one with “Carolyn Jones” from earlier.

“Conversing” With A Porn Bot in Direct Messages

A similar “conversation” occurred with "Pamela Turner" as well.

“Conversing” With A Porn Bot in Direct Messages

What is interesting about these “conversations” is the delay between responses. The “Carolyn Jones” porn bot account took an hour to respond to the initial message, while the “Pamela Turner” porn bot account took five hours to respond. A subsequent message did not receive a response for nearly 22 hours. The reason for the delay is unclear. It could be a feature in the bot configuration to attempt to evade automated mechanisms looking for bot-related behavior within Instagram Direct Messages.

In both “conversations,” the same domain was used in the initial message with a different name in the path (Alison, Amy) despite their account names being entirely different (Carolyn, Pamela). Interestingly enough, in the latter exchange the second link used a different URL but with the same path (Amy).

One thing to note is that, while these Novel Accounts appear to be unique and may be operated by a single spam operator, engaging with Instagram users via direct messages to peddle spam links isn’t unique.

Fake “Safe” Instagram URL Message

Another Instagram porn bot tactic I’ve observed involves faking an Instagram page that claims a URL has been deemed as safe by Instagram.

Fake “Safe” Instagram URL Message

The porn bot in this case links a user to a website via the short URL service TinyURL. The “Leaving Instagram” page is hosted on a .xyz domain and merely acts as an obfuscation layer to convince the user that the link they’re browsing to is indeed safe.

Non-Mobile Users Redirected to Benign Pages

In some instances, if a link is visited from a computer, users will be redirected to a non-adult themed page. For instance, one of the campaigns I’ve observed while browsing on a desktop will serve up a saved copy of an old article from the Planetary Society that contains broken images and stylesheets.

Non-Mobile Users Redirected to Benign Instagram Pages

Visiting this same link from a mobile device will result in a 302 redirect to the scammer’s intended website. While this might be viewed as an effort to thwart examination by a researcher on a computer, there are ways around it for research purposes. However the real intention behind the redirects is likely to ensure that the “lead” is coming from a mobile device and not a computer, to ensure compliance with the adult dating affiliate program guidelines.

Group Instagram Direct Messaging

Outside of intermediary or Novel Accounts, some scammers opt to take a more direct approach when pushing adult dating spam: send out a group direct message to a large number of users.

Porn bots use Group Instagram Direct Messaging

In the case above, a porn bot account named “Dorothy” added 25 users to an Instagram Direct message chat. According to Instagram, users can add up to 32 users to an Instagram Direct message thread.

While anyone can send an Instagram Direct message to users, they get filtered out into a separate “Message Requests” section. They normally don’t change the group name, but sometimes they name groups like “my very hot  photos” for example.

Porn bots use Group Instagram Direct Messaging

A mass Instagram Direct message from one of these porn bots asks the user if they want to let “Dorothy” message them; the link and image thumbnail aren’t displayed to the recipient.

Porn bots use Group Instagram Direct Messaging

Once the message request is accepted, it reveals a link and thumbnail claiming to direct the user to the pin-up model community site, SuicideGirls.

Porn bots use Group Instagram Direct Messaging

In another example, the porn bots include links claiming to direct users to OnlyFans, a social networking service with a less-restrictive content policy that’s used by models and porn actors to offer content via subscriptions.

Porn bots use Group Instagram Direct Messaging

These links do not lead users to the SuicideGirls or OnlyFans websites after all. Just like the other porn bot accounts above, the links leads to a hookup site intermediary page.

Intermediary Pages for Adult Dating and Webcam Sites

While I’ve noted the presence of Intermediary accounts, Instagram porn bot operators also leverage intermediary sites (referred to as a “prelander” page) designed to serve up varying campaigns to direct users to different adult-themed dating and webcam sites.

Intermediary Pages for Adult Dating and Webcam Sites

Intermediary Pages for Adult Dating and Webcam Sites

The user is asked to fill out a “survey” about their sexual preferences, which leads to the intended adult dating or webcam website. In these instances, they lead to websites called Snapcheat and Sinder, a play on the popular social networking and dating apps Snapchat and Tinder. Included in these URLs are query strings containing parameters about campaign identifiers and, most importantly, affiliate identifiers.

Intermediary Pages for Adult Dating and Webcam Sites

Affiliates and Bots: Like Peanut Butter and Jelly 

As discussed in a VICE piece about the money trail behind Instagram porn bots, the goal of the intermediary pages is to get male Instagram users to sign up for adult dating and webcam services like Snapcheat and Sinder. The services themselves rely on affiliate programs to bring in new users. Affiliate programs are quite common and used by many e-commerce sites. In the world of adult dating and webcam sites, these affiliate programs are not so stringent when it comes to cracking down on fraudulent activity. After all, the goal is to get more users to sign up to their websites.

In most cases, the affiliate can earn a lead by simply convincing the user to sign up to one of these adult dating or adult webcam websites. This is usually defined in the affiliate offers as flow. In most cases, when a user completes the “free user registration” flow, it qualifies as a converted lead, and this is usually worth anywhere between $2 and $5 per lead. 

The Holy Grail of leads is when an affiliate offer includes verbiage like "CC submit," which is when an affiliate can convince the user to submit their credit card to sign up for a service for a free trial. If the user doesn’t cancel the supposedly “free” trial, they are often billed between $40 and $100, which ensures that the affiliate gets a higher payout versus a free user registration lead.

In the case of most Instagram porn bot spam, the affiliates are leveraging free user registration affiliate offers. Therefore, we can surmise that those responsible for Instagram porn bot spam are focused on generating a large quantity of leads via simple sign-ups, versus pursuing the more lucrative offers that require the user to submit a credit card. The latter tactic has a higher barrier to entry which is, therefore, reflected in the affiliate payout amount. Despite the intermediary pages asking users if they are over the age of 18, users are still directed to the adult dating and webcam sites, making it likely that even underage teens are clicking on the links and signing up for the websites.

We reached out to Bitly and Instagram to provide them with information about the scam activity. Bitly confirmed it has suspended the account and removed the URLs generated by the scammer. Instagram did not respond as of the time of this publication. 

Link Activity from Instagram Spam

The URLs used in Instagram porn bot spam can vary between direct links to intermediary sites or short URLs that mask the actual destination URL. Based on the short URL statistical data we were able to obtain from a limited number of campaign activities, the average number of clicks per link is roughly 285. This number is also skewed due to the varying degree of clicks on the link, between nine clicks as the lower bound and over 1,000 clicks as the upper bound.

Bitly provides a breakdown on the clicks for each short URL. For instance, below is a breakdown of one of the of the larger volume short URLs used in one of the “babe” campaigns. 

Link Activity from Instagram Spam

When we pulled the statistics for this particular Bitly link on June 21, it showed over 1,000 clicks, 97% of which originated from Instagram, with a smaller subset coming from Facebook and a more generic bucket.

Link Activity from Instagram Spam

Geographic distribution of interaction with the Bitly link shows it is highly concentrated in the United States, but its reach spreads across 80 locations worldwide.

Conclusion

As long as Instagram has such a high volume of active users, it will continue to be a haven for porn bot scammers. After all, just as advertisers flock to social networking services like Instagram looking to capitalize on all of the eyeballs affixed to their screens, one should expect scammers won’t be far behind.

However, the only thing constant is change, so we anticipate these tactics will deviate over time, as the cat-and-mouse game continues to be played. For these scammers, one particular Dumas quote accurately depicts their efforts: “all human wisdom is summed up in two words; wait and hope.”

Learn more:

订阅 Tenable 博客

订阅
免费试用 立即购买

选择 Tenable.io

免费试用 30 天

可全面访问基于云的现代化漏洞管理平台,从而以无可比拟的精确度发现并追踪所有资产。 立即注册。

立即购买 Tenable.io

可全面访问基于云的现代化漏洞管理平台,从而以无可比拟的精确度发现并追踪所有资产。 立即购买年度订阅。

65资产

$2,275

立即购买

免费试用 立即购买

免费试用 Nessus Professional

免费试用 7 天

Nessus® 是当今市场上功能最全面的漏洞扫描器。Nessus Professional 可帮助自动化漏洞扫描流程、节省合规周期的时间,并让您调动起 IT 团队的积极性。

购买 Nessus Professional

Nessus® 是当今市场上功能最全面的漏洞扫描器。Nessus Professional 可帮助自动化漏洞扫描流程、节省合规周期的时间,并让您调动起 IT 团队的积极性。

购买多年期许可,即享优惠价格添加高级版支持,获取一年 365 天、一天 24 小时的电话、邮件、社区和聊天支持。完整介绍见此处。

免费试用 立即购买

试用 Tenable.io Web Application Scanning

免费试用 30 天

完整享有专为现代化应用程序而设、属于 Tenable.io 平台组成部分的最新 Web 应用程序扫描功能。可安全扫描全部在线资产组合的漏洞,具有高度准确性,而且无需繁重的手动操作或中断关键的 Web 应用程序。 立即注册。

购买 Tenable.io Web Application Scanning

可全面访问基于云的现代化漏洞管理平台,从而以无可比拟的精确度发现并追踪所有资产。 立即购买年度订阅。

5 FQDN

$3,578

立即购买

免费试用 联系销售人员

试用 Tenable.io Container Security

免费试用 30 天

完整获得已集成至漏洞管理平台之唯一容器安全产品的功能。监控容器映像中的漏洞、恶意软件和策略违规。与持续集成和持续部署 (CI/CD) 系统进行整合,以支持 DevOps 实践、增强安全性并支持企业政策合规。

购买 Tenable.io Container Security

Tenable.io Container Security 经由与构建流程的集成,可供全面了解容器映像的安全性,包括漏洞、恶意软件和策略违规,借以无缝且安全地启用 DevOps 流程。

了解有关 Industrial Security 的详情

获取 Tenable.sc 演示

请将您的联系方式填写在下方表格中,我们的销售代表很快与您联系安排演示。您也可以写下简短评论(不得超过 255 个字符)。请注意,带星号 (*) 的字段为必填项。

免费试用 联系销售人员

试用 Tenable Lumin

免费试用 30 天

通过 Tenable Lumin 实现对 Cyber Exposure 的直观呈现及探索,长期追踪风险降低状况,并比照同行业者进行基准衡量。

购买 Tenable Lumin

联系销售代表,了解 Lumin 如何帮助您获取整个企业的洞见并管理网络风险。