With more than 450 million registered users, Kik is one of the most popular messaging apps in the world. Its biggest group of users are young, with around 40% of American teenagers having reportedly tried the service. Teens love Kik. But they share the network with another big contingent: bots.
These are fake, autonomous programs that more often than not, try to entice Kik’s users to click on paid-for sites with flirty conversations and the promise of porn — glorified chat bots with one thing in mind.
According to Kik, “porn bots” make up around 1% of the app’s entire message volume each day, suggesting that thousands of them regularly crawl its network.
Who is behind the porn bot epidemic? Security expert Cathal McDaid, who tracks spam on behalf of telcos and has looked into the matter extensively, says most of the porn spam is coming from a single criminal group. The group is probably English speaking and probably not from Russia, a country known for being the source of many other types of spam.
What’s more, it appears this spam team has been running porn bots like these since around 2010, on other services like MSN Chat.
The spammers may be in this for the long haul because they’re making good money. Typically a bot will offer to show a Kik user nude pictures, on condition they navigate to a dating or cam site, and enter their credit card information. When users balk, the bots will counter they need the card details to verify age, as in this example:
credit card is just to verify your age, you’ll get in for free thru my page but you need to verify that you’re an adult …can’t show *** and ***** to minors .. u know?
Anyone who falls for the trap will typically pay between $20 and $80 to access the site, says McDaid.
“The sign-up screens are notoriously difficult and misleading and users can find themselves signed up to multiple sites which drives up the cost,” he says.
Most Kik users are savvy enough to avoid being swindled, so conversion rates are low, at around 0.5% and 1%. Still, hitting users en mass means the spammers can make decent money. Last year McDaid tracked a flood of porn bots that spammed more than 80,000 Americans over three days, all via SMS .
Even with a 0.5% conversion rate, the attack would have drawn in around $16,000 for the spammers. Spammers also make money from simple click-throughs they get from links, or from stealing users’ credit card details outright.
Kik is trying to keep up.
Last May it boosted its privacy controls and blurred the images that users received on their lock screens to counter the problem. The Ontario-based startup has been grappling with porn bots for two years now, according to Dan Hendry, who leads Kik’s server team and wages an ongoing digital war on spam.
General spam makes up a low, single-digit percentage of Kik’s message traffic, Hendry says, and based on the different technical signatures they leave behind, he suspects he’s dealing with a small handful of spam groups in total.
He can’t verify if the porn bots are coming from a single group, as McDaid suspects, because Kik doesn’t analyze message content for privacy reasons, so it’s harder to track what messages belong to what sets of users. (McDaid bases his analysis on the screenshots that Kik users post on Twitter or forums.) It’s also hard to tell if these are the same porn spammers that have hit Snapchat, Tinder and Skype.
“It’s a limited number of highly-motivated individuals,” says Kik’s Hendry. “When we evolve, they evolve. We’ve seen entire shifts in what a particular spammer seems to be doing. It’s definitely not something that goes out, writes the spam code and is done with it.”
Hendry also suspects the spammers are located outside the U.S., because the biggest waves of porn bots hit Kik users late at night or early in the morning, rather than during the U.S. working day. He wouldn’t go into detail about how Kik detects the bots beyond when they’re reported in by users, but says he has a team of four people tasked specifically with fighting spam on Kik.
The trouble is that bot controllers are not only innovative, they’ve been doing this for years.