Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response

Fake It ‘Til You Make It: Paid Retweet Service Targets Musicians

Twitter victims sold spam bots instead of promised real promoters.
Created: 27 May 2014 16:21:34 GMT • Updated: 27 May 2014 17:29:53 GMT • Translations available: Português
Satnam Narang's picture
+2 2 Votes
Login to vote


Symantec has discovered a paid retweet service targeting aspiring artists, managers and bands on Twitter with the promise of retweets from real users. These scammers are charging victims 50 cents for every "person" they hire to retweet every tweet for 30 days. Despite claiming that each account is operated by a real person, the service consists of little more than automated accounts, also known as Twitter spam bots.


Figure 1. Retweet service offering pitched to managers of artists

As you would expect, numbers define popularity on social media—from the number of Facebook "likes" to the number of Twitter followers and Twitter retweets. Retweets are a way to reach a larger audience. In the case of up and coming artists, the more eyes and ears their content reaches the more opportunity there is to build a following, which is why the marketing claims made by this group have proven to be effective.

Marketing a paid retweet service

The individuals operating this service market themselves using a large network of spam accounts. These accounts will retweet a random tweet from the target. They will then send automated tweets to the target using a canned message.

This automated tweet typically states how a team of "real people" will retweet every single one of their tweets. Included in this tweet is a Twitter handle belonging to a retweet broker. Some examples include:

  • "@Username I see you doing your thing. Maybe my team of 100+ girls can help by retweeting your every tweet. Talk to @[RETWEET BROKER]"
  • “@Username My girls rt’ed you. If u need a team of real people to rt every one of ur tweets. Talk to @[RETWEET BROKER] for info.”
  • "@Username You could get anyone's attention if you shouted them out and got 200+ RTs. Talk to @[RETWEET BROKER] for info."

Unlike the spam accounts, the retweet broker accounts are operated by real people, who engage with users through public tweets and direct messages to convince the target and close the deal.


Figure 2. Twitter exchange with a spam bot, intended target and retweet broker

If the intended target responds to the spam account’s tweet, the retweet broker will intervene, sending a reply like, “check out the link in my bio for more retweets”. Directing the target to the brokers’ profile is a preservation tactic to ensure their accounts won’t be flagged automatically as spam.

Our research uncovered multiple websites belonging to these individuals. Each site is used to promote the service and emphasize the fact that they provide retweets from what they call “real team members” and not spam bots.


Figure 3. Promotional website marketing image

In attempting to explain how the service works, one website states: “Every account has real followers, unlike other companies who offer retweets using accounts with fake followers, making those retweets useless”. This is actually partly true—many of the spam accounts do have real followers. The websites also claim that many major brands, from retailers to record labels use their service for promotion.

We constantly stress this idea that “if it sounds too good to be true, it is.” Naturally, some of the targeted Twitter users didn’t fall for the initial pitch. Some asked for a free trial to prove that the service is legitimate. These users were asked to tweet something using a hashtag, which would be met with a number of retweets. For instance, #dreamteampromo was one of the hashtags used.


Figure 4.  Promotional tweet gets over 500 bogus retweets

To highlight the power of their service, these tweets would receive on average over 100 retweets, while some would receive over 500 retweets. As you would expect, this trial helped convert some users into paying customers.

Paying for retweets

All of the promotional sites we uncovered featured a calculator that claimed each retweet is worth US$0.50. The websites fail to explain the details of how the cost factors into the service. Fortunately, we found a tweet from one of the retweet brokers that clears this up.


Figure 5. Breakdown of cost for paid retweet service

The above statement is not a mistake—users who sign-up for this service are paying US$0.50 per person to retweet every single tweet for one month, not per retweet.

Clearly, no real person would work that much for such a small fee. The only real thing about this service is the money being received. But just how lucrative is it? We were able to confirm that the individuals involved have been earning anywhere between $200 to $1,000 per month. Users that sign up for this service typically do so at the minimum level, paying between $5-10 per month, although some choose to spend as much as $50 per month.

Pretty girls sell retweets

Not surprisingly, every single retweet broker and spam account we encountered used images of beautiful and attractive women as their profile pictures, because marketing a service using avatars of pretty girls works.

Most of their spam accounts used bios from real Twitter users that usually did not match up. Some of these accounts have strange usernames, like @qaguqiganiva and @helywibyhify.

If that wasn’t enough, all of these accounts are filled with retweets or pitches to intended targets. Contrary to what their marketing materials state, this service clearly does not use “real people” at all and is violating many of Twitter’s rules.

Twitter swiftly responded by removing the known spam accounts found by Symantec and has since found and deleted more based on the information provided.

Using software to automate your service

While tracking this activity, we found that the individuals behind this scam had mistakenly revealed the tool they use to operate the service.


Figure 6. Misconfigured spam account reveals automation software

A number of spam accounts were misconfigured and accidentally tweeted out the file path used to automate the canned tweets sent to their targets. The file path reveals a tool called “Tweet Demon” is powering this campaign.

Tweet Demon (also known as Twitter Marketing Robot) is a program available for sale in various search engine optimization forums. It offers users a number of automation tools including a mass account creator, auto reply, and retweet “attack” modules. All of these features fill in the missing details on how this retweet service operates.

Real fans are earned, not bought

For those aspiring artists, managers and brands that have paid for the service or are thinking about signing up for such a service, understand that you get what you pay for. You are not paying for team members, but for a network of spam bots at a cost of $0.50 per account, per month. While it’s certainly challenging being an artist today, paying for fake followers or retweets isn’t going to deliver real engagement.

Twitter users should be wary of tweets offering a paid retweet service. If you encounter these spam bots, please report them to Twitter.