Mohammad Majid Akhtar (School of Computer Science and Engineering, University of New South Wales, Sydney, Australia), Rahat Masood (School of Computer Science and Engineering, University of New South Wales, Sydney, Australia), Muhammad Ikram (School of Computing, Macquarie University, Sydney, Australia), Salil S. Kanhere (School of Computer Science and Engineering, University of New South Wales, Sydney, Australia)
Malicious actors on online social networks (OSNs) use script-controlled social bots that engage users through replies or comments. These bots are programmed to activate only when specific trigger keywords appear in posts. We refer to such advanced context-aware campaigners as trigger bot (TB) agents, which aim to deceive users into making payments for illicit products or revealing sensitive financial credentials. This paper presents a systematic and data-driven study on the detection and characterization of TB agents. We introduce TBTrackerX, a novel framework designed to collect and analyze TB activity. Using this system, we captured 4,452 TB agent replies from 2,647 unique TB agents, targeting our honeytrap account, and uncovered interactions with over 84K users on X. Our results show that TB agents evade detection by using contextually similar replies (with similarity scores up to 0.97), exhibiting intermittent posting patterns (in bursts ranging from 15 seconds to 5 minutes), and adopting dormant behavior after peak campaign activity. Furthermore, we identify a coordinated TB ecosystem, characterized by fake TB followers and shared TB masters. This study underscores the pressing need for better moderation and detection mechanisms to combat these sophisticated forms of social media manipulation.