Twitter suspended more than 70 million fake accounts in May and June – about one million accounts a day, but its efforts to purge malicious and spam accounts may have contributed to a 9.8 percent plunge in its stock Monday, as investors question whether the efforts will stymie user growth.
"When such news emerges, the first question that comes to mind is ‘how haven't they done it before?'" said Avishay Zawoznik, security research team leader at Imperva. "The answer is simple – it's always a balance between costs and risk management."
The uptick in suspensions put the spotlight on the companies claims that spammers and fake accounts make up less than five percent of its users, the Washington Post reported.
But Twitter seems to have "found the fight against fraud, bots and spam is worth the cost," Zawoznik said.
Most of the bot activity is simply "annoying, artificially inflating the egos of people prepared to pay for followers," said Comparitech.com Security Researcher Lee Munson, who applauded Twitter for "finally dealing" with an issue that it probably should have tackled earlier. But some of the activity "is quite malicious," spreading malicious links through topical news stories and their corresponding hashtags.
"Fake accounts have also been linked with fake news, a problem that really can have a great influence on the public conscious, not to mention election results it seems," said Munson.
Indeed, in the wake of revelations that Russian operatives leveraged social media platforms to sow division and mount an influence campaign during the 2016 presidential campaign, social media companies pledged greater transparency, bolstered privacy and have taken steps to banish fake accounts. "Thus, this move from Twitter will go a long way in making the platform both safer and more trustworthy at a time when social networks are coming under increasing media scrutiny."
Late last month Twitter said it would soon be offering support for universal two-factor (U2F) as part of its effort to fight spam and malicious automation.
The new feature will help protect users from remote attacks because unlike text message codes which can be intercepted, U2F uses a physical device such as a two-factor keyfob which requires a user to push a button to authorize a login.
Teasing out fake accounts isn't always easy. "The ever-growing sophistication of malicious actors makes bot detection and blocking harder with time," said Zawoznik. "Such protection requires a high-maintenance, comprehensive approach."
Twitter uses both behavioral and technical detection techniques as well as "a protection mechanism that introduces escalating challenges and enforcement for different scenarios," he explained. "We hope that more online businesses will take Twitter as an example for the attention that should be paid to fraud, bot and spam threats."