Social media sites (e.g. Twitter and Pinterest) allow users to change the name of their accounts. A change in the account name results in a change in the URL of the user's homepage. We develop an algorithm that extracts such changes from streaming data and discover that a large number of social media accounts are performing synchronous and collaborative URL changes. We identify various types of URL changes such as handover, exchange, serial handover and loop exchange. All such behaviors are likely to be automated behavior and, thus, indicate accounts that are either already involved in malicious activities or being prepared to do so. In this paper, we focus on URL handovers where a URL is released by a user and claimed by another user. We find interesting association between handovers and temporal, textual and network behaviors of users. We show several anomalous behaviors from suspicious users for each of these associations. We identify that URL handovers are instantaneous automated operations. We further investigate to understand the benefits of URL handovers, and identify that handovers are strongly associated with reusable internal links and successful avoidance of suspension by the host site. Our handover detection algorithm, which makes such analysis possible, is scalable to process millions of posts (e.g. tweets, pins) and shared publicly online.
展开▼
