How Many Phish Can Tweet? Investigating the Effectiveness of Twitter's Phishing and Malware Defence System

Simon Bell

Research output: ThesisDoctoral Thesis

630 Downloads (Pure)


Phishing and malware attacks continue to plague the digital world; wreaking havoc on individuals, businesses, and governments worldwide. Attacks often target popular platforms, such as Twitter: a microblogging social networking service with over 330 million active monthly users, posting more than 500 million daily tweets.

This thesis explores how well-protected Twitter users are from phishing and malware attacks. We take an empirical, data-driven approach to investigate the effectiveness of Twitter's cybercrime defence system at time-of-tweet and time-of-click. We create Phishalytics: our measurement infrastructure that collects and analyses large-scale data sets. Our data feeds include Twitter's Stream API, Bitly's Clicks API, and 3 popular blacklists: Google Safe Browsing, PhishTank, and OpenPhish. We improve internet measurement studies by addressing soundness and limitations of existing work. Our studies include characterising URL blacklists, investigating blacklist delays, and examining Twitter's URL shortener ( We aim to better enable policymakers, technology designers, and researchers to strengthen online user security.

We provide empirical evidence highlighting the state, and scale, of cybercrime on Twitter. Key findings show over 10,000 phishing and malware URLs -- publicly tweeted to more than 131 million Twitter accounts -- received over 1.6 million clicks from Twitter users. Twitter's time-of-click defence system blocks only 12% of blacklisted URLs and web browsers miss up to 62% of non-blacklisted phishing websites. We recommend Twitter users ensure their risk appetite aligns with their cybercrime defence strategy. Furthermore, blacklists do not offer absolute protection and cybercriminals can exploit uptake delays.

Our findings suggest more can be done to strengthen Twitter's phishing and malware defence system and improve user security. However, measuring and evaluating effectiveness is complex and non-trivial. We discuss the importance of soundness, the significance of measurement study reproducibility, and the challenges of measuring an ever-changing landscape.
Original languageEnglish
Awarding Institution
  • Royal Holloway, University of London
  • Komisarczuk, Peter, Supervisor
  • Paterson, Kenny, Supervisor
  • Cavallaro, Lorenzo, Supervisor
Award date1 Jun 2021
Publication statusUnpublished - 2021


  • Phishing
  • Malware
  • Measurement Study
  • Twitter
  • Cybercrime
  • PhD Thesis
  • Doctoral Thesis

Cite this