Blackmarket-Driven Collusion on Online Media: A Survey

To the best of our knowledge, this is the first survey to provide a detailed overview of collusive activities in online media. The aim of this survey is to provide readers with a comprehensive overview of the major studies conducted in the field of social network analysis to detect and analyze collusive activities across different online media platforms. The following four aspects make our survey unique and different from other related surveys:

We use the terms collusion and artificial boosting of social reputation interchangeably throughout the article. We refer to an action/appraisal as online media activity such as retweet, follow, review, view, and subscription, and an entity as a social entity such as user, tweet, post, and review.

To keep up with the pace of today’s turbo-charged world, a large number of users like to go against the stream [48, 113]. Although shortcuts to success always conflict with the enormous efforts needed to be successful, it may also lead to some costly mistakes, eventually undermining the true goals. Online media is considered as the perfect convergence of communication and information. It has already become the most important source for public information, organizations, and for individuals to promote their ideologies, products, and services. Manipulating such an important source of information can result in a significant gain in terms of fame and finance for individuals/organizations. This is clearly evident in online social networking platforms like Twitter in the form of attaining fake followers [3, 24], rating platforms like Amazon [99] in the form of posting fake reviews, video streaming platforms like YouTube/Twitch [111] in the form of synthetic gain in viewership count, and many more. With a huge competition in online media, it is hard for online media users who spend months creating new content but fail to reach their target audience. Blackmarket services serve as a complete social media toolkit that helps an online media entity gain a stronger social media presence among its competitors. It is very effective for (i) companies that want to hype a campaign; (ii) musicians who want to promote new projects, album, and releases; (iii) entertainment companies who want to publicize their shows; and (iv) online media moguls who need quick online media presence.

Detecting collusive activities is a challenging task. Dutta et al. [48] showed how collusive users show a mixed behavior of organic and inorganic activities. In the case of Twitter, these users, on the one hand, are involved in retweeting (following) genuine tweets (genuine users), and on the other hand, they are involved in retweeting (following) tweets (users) submitted to the blackmarket services. This kind of mixed behavior makes it difficult to be detected by traditional fake user detection methods [113]. Moreover, collusive users are not bots; these accounts are mostly controlled by normal human beings. This makes it difficult to be flagged by bot detection methods as shown in previous studies [8, 29, 48]. A recent study by Dutta et al. [50] investigated how collusion happens on YouTube. They designed web scrapers to collect a large set of YouTube videos and channels submitted to the blackmarket services for collusive appraisals. They further designed CollATe, an end-to-end neural framework that combines representation from three feature extractors (metadata, anomaly, and comment) to detect videos submitted in blackmarket services for collusive comment appraisals. In the case of rating platforms like Amazon, methods to detect collusive reviewers have not been successful so far due to the lack of enough labeled data. The dynamic nature of the propagation of collusive activities is quite complicated. Collusive activities can easily propagate and impact a large number of users in a short time by spreading misinformation. Kim et al. [77] developed CURB, an online algorithm that leverages information from the crowd to prevent the spread of misinformation. They also reported that fact-checking organizations like Snope and Politifact are not able to properly limit the spread of misinformation, as it requires significant human effort. Moreover, as collusion happens in multiple online media platforms, it is also a difficult task to understand the complete adversarial intent of the collusive entities. This raises concern on developing systems for early detection of collusive entities to limit its artificial social reputation. Finally, due to the restrictions of the online media platforms on collecting the public data, the research community has limited training data, which does not include all of the necessary information of collusive entities. Most of the previous studies [8, 50] had to design their own scrapers due to the limitations and restrictions of the APIs provided by the online media platforms.

Some related concepts to collusion are fake, bot, sockpuppetry, malicious promotion, spam, content polluters, relationship infiltrators, and slanderous users. We distinguish between these concepts and collusion in Table 1. Even though these concepts differ from collusion, they are highly related. Therefore, studying the literature that focuses on these topics will give us better knowledge of how to analyze and detect the collusive entities in online media platforms.

Social networks serve as a platform to build social relations among users of common interests (personal or professional). Platforms like Twitter, Facebook, and Instagram allow their users to perform actions such as post, like, retweet, follow, and share, among others. Today, these platforms also serve as real-time news delivery services and a medium for the business owners to connect with their customers and thus expand their outreach. However, the natural way to attract users is usually a tedious task and takes significant time. This motivates users to choose an artificial way of gaining appraisals.

Facebook. Facebook is the most popular social network to connect and share with family and friends online. Facebook has four types of appraisals: shares, likes, comments, and followers. The large number of appraisals on Facebook acts as a form of social proof for the sign of popularity and importance.

Twitter. Twitter is a microblogging service where users write tweets about topics such as politics, sport, cooking, and fashion. Twitter has three types of appraisals: retweets, likes, and followers. Acquiring more appraisals on Twitter helps increase the user’s social signals and attract more visitors to the profile.

Instagram. Instagram is a social networking platform that enables users to share images or videos with their audience. Users can upload photos and videos, then share them with their followers or with a group of friends. Instagram has three types of appraisals: likes, followers, and views. Higher appraisals are the key to visibility on Instagram. The more appraisals a post receives on Instagram, the higher is the post rank in search results and on the Explore page.

Pinterest. Pinterest is an image sharing platform that is designed as a visual discovery engine for finding ideas like recipes, home and style inspiration, and so forth. A message on Pinterest is known as a Pin. Pinterest has two types of appraisals: likes and followers.

Other than the common appraisals, we found a few blackmarket services where social networking users can request a verification badge. By verification badge, we refer to the Twitter white/blue verified badge⁷ and the Instagram blue verified badge.⁸Verifiedbadge,⁹ StaticKing,¹⁰ Prime badges,¹¹ and SocialKing¹² are the most popular platforms providing such appraisals. Verification badges are coveted checkmark badges that enhance the user’s social media presence and improve credibility on the platform. The minimum requirements to request verification badges through blackmarket services are as follows:

There is a vast literature on the detection and analysis of collusive entities in social networks. Shah et al. [113] and Dutta et al. [48] are two of the first few studies that investigate collusive entities on Twitter registered in blackmarket services. Dutta et al. [48] trained multiple state-of-the-art supervised classifiers using a set of 64 features to distinguish collusive users from genuine users. They also divided the set of collusive users into three categories: bots, promotional customers, and normal customers. Arora et al. [8] obtained better classification performance than Dutta et al. [48] by incorporating the content-level and network-level properties of Twitter users in a multitask setting. De Cristofaro et al. [40] performed the first work on Facebook where the authors presented a comparative measurement study of page promotion methods. Sen et al. [110] conducted the first work on Instagram, where they developed an automated mechanism to detect fake likes on Instagram. We discuss these studies in detail in Section 6.

Rating/review platforms allow users to rate or share their opinion about entities, such as products, applications, food items, restaurants, and movies. Examples of these platforms are e-commerce platforms (e.g., Amazon), travel platforms (e.g., TripAdvisor), and business rating platforms (e.g., Yelp, Google reviews), among others.

Amazon. Amazon is the world’s largest e-commerce platform and is considered the ultimate hub for selling merchandise on the web. It allows two types of appraisals: reviews and ratings. High ratings and reviews for a product on Amazon attract customers and make the product more trustworthy.

Google. Google provides valuable information to businesses and its customers using two types of appraisals: reviews and ratings. Higher ratings and reviews on Google help improve the business and enhance local search rankings.

TripAdvisor. TripAdvisor is an online travel platform that offers multiple services like online hotel reservations, travel experiences, restaurant reviews, and so forth. Similar to other platforms, TripAdvisor has two types of appraisals: reviews and ratings. Positive reviews from previous occupants help the business improve its reputation and increase the customer base.

Yelp. Yelp is a local business review platform that collects crowdsourced data from its users. Yelp has two types of appraisals: reviews and ratings. Getting more reviews in turn improves business reputation and gets a lot more customers with free traffic.

Today, online reviews/ratings are becoming highly relevant for customers to take any purchase-related decisions. As these appraisals play a significant role in deciding the sentiment/popularity of a product/business, there is a massive scope for collusion among sellers/buyers to manipulate it artificially. The work of Jindal et al. [74], Li et al. [88], and Wang et al. [74, 88, 137] represents a few initial studies on detecting fake reviews in review patterns representing unusual behaviors of reviewers. Another early work by Li et al. [89] identified fake reviews on Dianping, the largest Chinese review hosting site. The authors proposed a supervised learning algorithm to identify fake reviews in a heterogeneous network of users, reviews, and IP addresses. Mukherjee et al. [99] performed one of the first attempts to detect fraudulent reviewer groups in e-commerce platforms. Recently, Kumar et al. [81] identified users in rating platforms who give fraudulent ratings for excessive monetary gains. Most of the studies in review platforms are focused on e-commerce platforms. We believe that the newer platforms such as Google reviews, Yelp, and TripAdvisor would open more research questions, as these platforms contain reviews of millions of hotels, restaurants, attractions, and other tourist-related businesses.

Video streaming platforms are mostly used for sharing videos and streaming live videos. These platforms allow users to upload, view, rate, share, add to playlists, report, comment on videos, and subscribe to other users. Here, we discuss how appraisals on video streaming platforms are inflated artificially. With the increase in the popularity of live streaming came the concept of astroturfing, broader and sophisticated term referring to the synthetic increase of appraisals in an online social network by means of blackmarket services. The consequences of such synthetic inflation are not only restricted to increase monetary benefits, directory listings, and partnership benefits but also expanded to better recommendation rankings, thus doctoring the experiences of viewers who are recommended all of these boosted materials instead of genuine materials produced by the honest broadcasters.

YouTube. YouTube is a video sharing platform where users can create their own profile; upload videos; and watch, like, and comment on other videos. YouTube has four types of appraisals: likes, comments, subscribers, and views. Likes, comments, and views are for the videos, and subscribers are for the channels. The higher the number of YouTube users interacting with a video/channel, the higher that video/channel will be listed to other users. These appraisals are considered as the measure of engagement and not only make the entity popular but also help the channel with sponsorship opportunities and monetization options.

Twitch. Twitch is the most popular live streaming platform on the web. It is mostly used by gamers to stream their games while other users can watch them. Twitch has two types of appraisals: followers and views. The higher views a channel has, the higher is its popularity on Twitch and to be ranked on the featured list. Twitch is usually considered to be one of the most difficult platforms to earn quick popularity due to the presence of so many streamers using the platform.

Tiktok. Tiktok is a video sharing social network that is primarily used to create short videos of 3 to 15 seconds. Tiktok has two types of appraisals: likes and followers. Getting more likes on Tiktok posts increases the chance to maintain its presence and make it famous among the audience.

Vimeo. Vimeo is a video hosting and sharing platform that allows users to upload and promote their videos with a high degree of customization that is not available on other competing platforms. Vimeo has two types of appraisals: likes and followers. A higher number of appraisals helps show the video in the suggested videos list created by Vimeo’s algorithm.

Few studies addressed issues of astroturfing in video streaming platforms. Shah [111] made the pioneering attempt to combat astroturfing on live streaming platforms. He proposed Flock, an unsupervised method to identify botted broadcasts and their constituent botted views. Note that he did not disclose the name of the live streaming corporation on which the study was performed. In a recent study, Dutta et al. [50] proposed CollATe, an unsupervised method to detect collusive entities on YouTube. The method utilizes the metadata features, temporal features, and textual features of a video to detect whether it is collusive or not.

Recruitment platforms are employment-oriented platforms that also provide professional networking among users. These platforms offer the opportunity to discover new professionals either locally or internationally and help one with their professional endeavors. Hiring new employees is a crucial part of every organization, which starts with posting new job ads and ends with recruitment. It can be thought of as a multistep process, which is normally quite time consuming and prone to human errors. With the advent and rise of automated systems, the hiring process of an organization is being done in the cloud with the help of tools such as the Applicant-Tracking-System (ATS).¹³ ATS makes the hiring process faster and accurate by preparing job ads, posting them online, collecting applicant resumes, making efficient communication with them, and finding the best-fit resumes for the organization. However, increasing use of ATS also invokes various disadvantages such as spammers compromising the job seekers’ privacy, slandering the reputation of the organizations, and financially hurting it by manipulating the normal flow of functioning of the system—most frequently the job ads publishing process (often recognized as the employment scam).

LinkedIn. LinkedIn is the most popular online recruitment platform where employers can post jobs and job seekers can post their profiles. There are four types of appraisals on LinkedIn: followers, recommendations, endorsements, and connections. A higher number of connections and followers on LinkedIn helps the user gain attention. LinkedIn endorsements help add validity to the user’s profile by backing up his or her work experience.

Adikari and Dutta [1] identified fake profiles on LinkedIn. The authors considered state-of-the-art supervised classifiers designed on a set of profile-based features to detect fake profiles. Prieto et al. [102] detected spammers on LinkedIn based on a set of heuristics and their combinations using a supervised classifier. Another work by Vidros et al. [132] tackled the problem of Online Recruitment Frauds (ORF) (see Section 6 for more details). The authors also released a publicly available dataset of 17,880 annotated job ads (17,014 legitimate and 866 fraudulent job ads) from various recruitment platforms.

Discussion platforms are content sharing platforms primarily used to entertain community-based discussions. The discussions can be in the form of questions and answers (Q&A) or content that other users have submitted using links, text posts, or images. Next, we explain how collusion happens on discussion platforms.

Quora. Quora is a Q&A-based discussion forum that empowers the user to ask questions on any subject and connect with like-minded people who contribute unique insights and high-quality answers. Quora has four types of appraisals: followers, upvotes, downvotes, and comments. The higher the number of followers and upvotes a user gains for his or her answers, the higher is the ranking factor and the more the answers are displayed to other users. The aim of a user on Quora is to be named as a top writer in the long run. Answers written by top writers on Quora are considered as expert opinions and are also displayed in the featured list.

ASKfm. ASKfm is another Q&A-based discussion forum and is mostly used by users to post questions anonymously. The platform has two types of appraisals: followers and likes. Higher likes on answers grow its rating on ASKfm at a faster rate.

Reddit. Reddit is a social news based discussion forum that allows users to discuss and vote on content that other users have submitted. Reddit has five types of appraisals: subscribers, upvotes, downvotes, karma, and comments. Having more karma on Reddit allows the user to post more often on the platform and gives him or her more reputation. Having more upvotes on posts helps users gain more exposure, which eventually pushes the posts higher up on the targeted Reddit or Subreddit.

Studies in discussion platforms have been conducted with the goal of manipulating the visibility of political threads on Reddit [23]. The authors measured the effect of manipulation of upvotes and downvotes on article visibility and user engagement by comparing Reddit threads whose visibility is artificially increased. Another work by Shen and Rose [115] investigated polarized user responses on an update to Reddit’s quarantine policy.

Music sharing platforms enable users to upload, promote, and share audio. Here, we explain how collusion happens on music sharing platforms.

SoundCloud. SoundCloud is an audio sharing platform that connects the community of music creators, listeners, and curators. SoundCloud has three types of appraisals: plays, followers, and likes. A higher number of followers and likes creates a massive fan base for creators and gets more attention from the community. The popularity of a soundtrack in the platform is driven by the number of plays it receives. Plays allows users to popularize music and grow their brand on SoundCloud.

ReverbNation. ReverbNation is an independent music sharing platform where musicians, producers, and venues collaborate with each other. The platform has two types of appraisals: plays and fans. The higher the number of plays in an audio or video, the higher is the rank of the artist on the platform.

Some studies have been conducted on fraudulent entity detection in music sharing platforms. Bruns et al. [20] investigated Twitter bots that help in promoting SoundCloud tracks. The authors also proposed a number of social media metrics that help identify bot-like behavior in the sharing of such content. Another work by Ross et al. [106] proposed a method to distinguish between two groups of SoundCloud accounts: bots and humans.

Interestingly, we found a few popular development platforms where collusion happens.

GitHub. GitHub is a repository hosting service that provides distributed version control and source code management (SCM) functionality. GitHub has three types of appraisals: followers, stars, and forks. User profiles with more followers make the account more popular. Similarly, stars and forks are the metrics to show the popularity of a repository. Blackmarket services help deliver GitHub followers, stars, and forks from real and active people.

Hacker News. Hacker News is the most popular discussion platform for developers. It has three types of appraisals: upvotes, karma, and comments. The higher the number of comments and upvotes on a post, the higher is its popularity. User profiles with high karma can perform additional appraisals on a post: downvote and making polls, among others. Blackmarket services help deliver upvotes and karma on Hacker News simply by adding the post link and making the payment.

Medium. Medium is an online publishing platform that is commonly used by developers to share ideas, knowledge, and perspectives. It has two types of appraisals: followers and claps. A higher number of claps in a post ranks it higher in feed and search results. Similarly, a higher number of followers increases the post’s reach and view. Blackmarket services help deliver followers and claps by adding the post link and making the payment.

Most of the studies in development platforms are on measuring user influence and identifying unusual commit behavior by analyzing the attributes of the platforms. Hu et al. [67] measured the user influence on GitHub using the network structure of the following relation, star relation, fork relation, and user activities. The authors also introduced an author-level H-index (also known as H-factor) to measure users’ capability. Goyal et al. [59] identified the unusual changes in the commit history of GitHub repositories. The authors designed an anomaly detection model based on commit characteristics of a repository. One potential research direction is to examine how collusive appraisals on these platforms help popularize the reputation of the repositories/users. Another potential research direction is to develop collusive entity detection techniques by considering the hidden relations between the entities of the platform.

Other than the online media, artificial boosting is also observed in other platforms. Website owners can avail premium/freemium blackmarket services to get traffic on their website. The idea is to endow the responsibility for the necessary amount of web traffic to some other company. In blackmarket terms, the appraisal is called hits or web traffic. Gaining artificial hits helps the website gain popularity faster compared to the slow process of working on growing organic visitors via Search Engine Optimization. Blackmarket services offer two types of web traffic: regional traffic, where the customers can opt for traffic from a specific country or region and, niche traffic, where customers can opt for targeted traffic that focuses on a specific type of business such as music based, e-commerce based, and so forth. To activate traffic to a website, customers have to enter the URL of the website, the number of visitors required, and the preferred timespan for delivery.

Overall, it can clearly be seen that collusion happens in multiple online media platforms and several studies have been conducted to detect collusive entities in these platforms. The common platform is the social network, where collusive entities attempt to spread misinformation. One of the major challenges to conduct studies on other platforms is collecting the data with the restrictions and limitations posted by the APIs. Moreover, once the data are collected, labeling them by experts is a time-consuming task and requires significant manual effort. We now dive deeper into the studies that target identification of collusive entities based on the mode of operation.

Individual collusion happens when the collusive activities of individuals are independent of each other; however, they are guided by centralized blackmarket authorities. Understanding individual collusion has been studied to some extent in the literature. Most of the existing studies used supervised models based on behavioral features and profile features [48]. Some network-based approaches infer anomaly scores for nodes/edges in the network (tweet-user network, product-user network, etc.) and rank them to spot suspicious users [29, 66, 81, 112, 137]. Existing studies mostly focus on the behavioral dynamics of individuals. However, these approaches fail when it comes to detecting group collusion. Group collusion can be more damaging, as it can take total control of the appraisals for an entity due to its size.

Group-level collusion takes place when a set of individuals collaborate as a group to perform collusive activities. Such collective behavior is therefore more subtle than individual behavior. At an individual level, activities might be normal; however, at the group level, they might be substantially different from the normal behavior. Moreover, it may not be possible to understand the actual dynamics of a group by aggregating the behavior of its members due to the complicated, multifaceted, and evolving nature of inter-personal dynamics [43]. Some properties of collusive groups are as follows: (i) members in a collusive group work in shorter time frames and create maximum impact (e.g., flooding deceptive opinions); (ii) members of the group may or may not know each other (agreement by a contracting agency); (iii) multiple accounts within a group can be controlled by a single master account (existence of sockpuppets [80]); (iv) the larger the size of the group, the more damaging the group is; and (v) group members have a high chance of performing similar activities (group members posting similar reviews or writing the same comments). Past studies in this direction mostly detected groups using Frequent Itemset Mining (FIM) and ranked groups based on different group-level spam indicators [62, 138]. Wang et al. [139] pointed out several limitations of FIM for group detection: high computational complexity at low minimum support, absence of temporal information, unable to capture overlapping groups, prone to detect small and tighter groups, and so on. Liu et al. [92] proposed HoloScope to find a group of suspicious users in rating platforms based on the contrasting behavior of fraudsters and honest users in terms of topology, temporal spikes, and rating deviation. Nilforoshan and Shah [100] discussed about group collusion and collusive entity detection via graph modeling. Cresci et al. [35] showed how group of spambots exhibit common patterns as compared to group of genuine accounts. The group behaviors are matched in a DNA-inspired fashion, and extensive experiments are performed to detect spambot groups. Cresci et al. [36] also highlighted approaches that leverage characteristics of groups of accounts performing fraudulent activities. Cresci et al. [37] further focused on collective behavior of spam accounts and how they are engineered to resemble genuine online media accounts. They proposed the social fingerprinting technique based on digital DNA modeling of account behaviors to identify spam and genuine accounts using supervised and unsupervised techniques. Stringhini et al. [126] proposed EVILCOHORT to identify communities of online media accounts that are accessed by a common set of computers using IP addresses.

The majority of the papers model the behavioral properties of the users in online media platforms. Feature-based methods can be used to distinguish between collusive entities from genuine entities. The aim is to design a set of features that can (well) represent and capture various behavioral characteristics of the entities. Recently, researchers have also focused on the linguistic behavior of the collusive entities, such as deceptive information [7, 57], lexical analysis [69], and sentiment analysis [44].

Dutta et al. [48] reported that collusive users show an amalgamation of organic and inorganic activities and there is no synchronicity among their behaviors. They substantiated their finding by comparing collusive retweeting behavior with that of normal retweet fraudsters. Here, normal retweet fraudsters are those retweeters who are abnormally synchronized in some patterns. The authors then collected data from four freemium blackmarket services (credit-based services). Three human annotators were asked to label the blackmarket customers into bots, promotional customers, and normal customers based on a set of annotation rules. The data are used to tackle two problems: a four-class classification problem (genuine, bot, promotional, normal) and a binary classification problem (genuine and combining all types of customers into a single class). To detect collusive retweeters, the authors developed ScoRe, a supervised model to detect collusive retweeters based on five sets of features: profile features, social network features, user activity features, likelihood features, and fluctuation features. The authors also developed a Chrome browser extension to detect the collusive retweeters in real time. To study the underlying behavior of the blackmarket services, Dutta and Chakraborty [47] extended their previous work [48] to provide an in-depth analysis of collusive users involved in premium and freemium blackmarket services. The authors collected the dataset from four premium and four freemium blackmarket services. They analyzed the activities of collusive users based on retweet-centric, network-centric, profile-centric, and timeline-centric properties. They showed that unlike premium services, the credit system in freemium services is the primary reason behind the unusual functioning of freemium collusive users. They also developed an updated version of the Chrome extension by incorporating the features calculated from both premium and freemium users. Figure 4 shows the wordcloud of the text present in the description of premium and freemium retweeters collected from the blackmarket services. It can be seen that premium retweeters are associated with high profile accounts having keywords such as “CEO,” “official,” “speaker,” and “founder.” However, freemium retweeters are associated with advertising agencies having keywords such as “like,” “agency,” “SocialMedia,” and “YouTubeMarketing.”

Dutta et al. [49] proposed HawkesEye, a classifier based on the Hawkes process and topic modeling to detect collusive retweeters on Twitter. They collected tweets using three hashtags—#deletefacebook, #cambridgeanalytica, and #facebookdataleaks—and manually annotated the retweeters as “fake” or “genuine.” The HawkesEye model takes the temporal information of retweet objects of a user and topical information of the retweet texts as input. The temporal information is modeled using the Hawkes process due to its self-excitation property, and the topical information is modeled using latent Dirichlet allocation (LDA). The authors reported highly accurate results on the classification task. Comparisons were made with respect to well-known bot detection approaches [25] and collusive retweeter detection approaches [48].

More recently, Arora et al. [8] improved the collusive retweeter detection task by considering the multifaceted characteristics of a collusive user. They created multiple views for a user by examining representations from the content, attributes, and social network. They then proposed a multiview learning-based approach based on WGCCA (Weighted Generalized Canonical Correlation Analysis) to combine individual representations (views) of a user for deriving the final user embeddings. The authors reported that as each view is more and less helpful for the classification experiment (c.f. t-SNE visualizations in Figure 6), they assigned a weight to each view differently instead of treating each view equally. Overall, this analysis shows that the collusive entity detection task can be improved by incorporating multiple aspects of an online media user. This also calls for more research in the area of fraudulent entity detection in online media using a multiview mechanism that learns a low-dimensional vector of a user to capture information from each of their views. Moreover, the views represent different modalities and must be considered individually and not concatenated with each other.

Several research studies have been conducted on the automatic detection of collusive followers (follower frauds) on Twitter. In an earlier study, Liu et al. [93] proposed DetectVC to detect voluntary followers (volowers). They showed how volowers gain profit by following enough users for self- and product promotion. However, do these users act as a group to perform malicious activities? To answer this, Gupta et al. [62] proposed approaches to detect malicious retweeter groups. They found that the activities appear normal at the individual level. However, at the group level, they look suspicious and group activities vary across groups. Jang et al. [71] is the first work that detects collusive followers using geographical distance. The authors reported that when the distance between the legitimate users and collusive users increases, the legitimate users’ follower ratio between the number of followers and the total number of followers decreases. Aggarwal et al. [2] detected users on Twitter with a manipulated follower count using an unsupervised local neighborhood detection method.

Other studies have looked at how collusion happens on Facebook and e-commerce platforms. De Cristofaro et al. [40] conducted an in-depth analysis of Facebook pages where they collected likes via Facebook ads and other farms. The authors monitored the “liking” activity by creating honeypot pages and crawling them after every 2 hours to check for new likes from the blackmarket services. Badri Satya et al. [12] conducted an in-depth analysis of fake likers on Facebook collected from the blackmarket services. They reported that fake likers behave quite differently from genuine likers in terms of their liking behaviors, longevity, and so on. Mukherjee et al. [99] proposed an unsupervised approach to detect and rank collusive spammer groups in Amazon. They used FIM to extract the set of reviewer groups. The extracted reviewer groups were labeled by the domain experts into spammer and genuine groups. Their proposed method GSRank considers various group-level spam behavioral indicators and individual spam behavioral indicators, then models the inter-relationship between reviewer groups, members of those reviewer groups, and products they reviewed to find the spammer groups.

Studies have also looked at artificial manipulation of viewership/comment/subscription count in video streaming platforms such as YouTube and Twitch. Shah [111] introduced FLOCK, an unsupervised multistep process for identifying botted views and botted broadcasts. FLOCK performs the following steps: (i) it models a normal broadcast as a collection of multiple views, (ii) it classifies whether a given broadcast has inflated popularity by looking at the collective behavior of all the views in a broadcast, and (iii) it classifies whether individual views of the broadcast are botted. For modeling the normal broadcast behavior, the authors included temporal features of the constituent views of broadcast, such as start time and end time of a particular view. It is also worth noting that they avoided using descriptive features (like browser used, country of origin) and engagement-based features to make the proposed solution easier. In a very recent study, Dutta et al. [50] proposed three models to detect three types of collusive entities on YouTube: (i) videos submitted for collusive like requests, (ii) videos submitted for collusive comment requests, and (iii) channels submitted for collusive subscription requests. They analyzed the videos submitted to blackmarket services for collusive appraisals (likes and comments) based on two perspectives: propagation dynamics and video metadata. They also analyzed the collusive YouTube channels based on location, channel metadata, and network properties. Their analysis on the structural properties of the giant component present in the collusive channel network shows that it is a small world. To detect the collusive videos and collusive channels, they designed one-class classifiers based on features calculated from video metadata and temporal information. The models were evaluated in terms of true positive rate, achieving state-of-the-art results. The authors also proposed CollATe, a denoising autoencoder model that leverages the power of three components—metadata feature extractor, anomaly feature extractor, and comment feature extractor—to learn feature representation of videos. Note that CollATe can only detect videos submitted in blackmarket services for collusive comment requests, as unlike temporal information of like activity, the temporal information of the comments is publicly available in the YouTube API.¹⁴ Figure 7 shows the snapshot of collusive entities detected using their model. Figure 7(a) shows a video where the number of likes is much higher than the number of views. The authors claimed that the blackmarket services use YouTube API using the credentials of its users to help these videos gain likes. Similarly, Figure 7(c) shows the snapshot of a video submitted to blackmarket services for collusive comment subscriptions with a higher number of comments as compared to views and likes. Figure 7(b) shows a YouTube channel that was submitted for collusive subscriptions. The authors claimed that collusive YouTube channels make proper use of promotional keywords to attract more subscribers to their channel.

The work by Vidros et al. [132] is the only work that deals with recruitment-based fraud detection. The authors introduced this problem as ORF, more specifically relating to employment scams. The dataset used in this work contains numerous job ads and their corresponding annotations (legitimate or fraudulent). They performed an in-depth analysis of the dataset by applying standard state-of-the-art machine learning classifiers. In these cases, the trapped user(s) unknowingly become a medium for scammers to complete their jobs, often even driving the individual to complete a direct wire transfer for them under the careful and believable disguise of working visa or travel expenses. With this much being said about employment scams, it is worth noting that although they share some similar characteristics with problems such as email phishing, online opinion fraud, trolling, and cyber-bullying, they are very much different in many aspects.

Limitation. The main limitation is that in cases where user features are used, it can be restrictive to a particular online media platform and not generalize to others. Moreover, if collusive activities are performed by new online media accounts, it is difficult to collect user behaviors for such accounts. The drawback of using linguistic features is the lack of generalizability across multiple languages and circumstances. It has been reported in the literature [6, 84] that linguistic features designed for one circumstance may not work perfectly for other circumstances.

In this section, we present and discuss the graph-based models for collusive entity detection. Recently, graph-based models have been developed particularly for spotting outliers and anomalies in networks. The advantage of using graph techniques is to efficiently capture long-range correlations among the interdependent data objects [5].

Chetan et al. [29] proposed CoReRank, an unsupervised approach to capture the interdependency between the credibility of users and the merit of tweets using a recurrence formulation based on network and behavioral information of users, as well as topical diversity of tweets. The authors created a directed bipartite graph by modeling the interactions between users and tweets in terms of retweets/quotes. They finally reported suspiciousness scores for both users and tweets in the graph based on the recurrent formulation. By incorporating prior knowledge about the collusive users, they proposed a semi-supervised version of CoReRank, called CoReRank+. Both CoReRank and CoReRank+ outperformed their respective state-of-the-art methods by a significant margin.

Dutta et al. [45] proposed DECIFE, a framework to detect collusive users involved in producing collusive following activities. The authors proposed a novel heterogeneous graph attention network to leverage the follower/followee relationships and linguistic properties of users. The authors also showed what category of tweets are submitted by collusive users to blackmarket services.

Rayana and Akoglu [104] proposed SpEagle, a framework that considers metadata of reviews (review content, rating, timestamp) along with relational data (reviewer-review-product graph) for detecting spam users, fake reviews, and the products targeted by spammers. SpEagle used metadata for extracting the spam features, which were then transformed into a spam score to decide the genuineness of users and reviews. It was also extended to a semi-supervised setting (called SpEagle+) to improve its performance. The authors also implemented a lighter version (SpLite) that leverages a small subset of review features for the detection task to achieve a boost in runtime. Wang et al. [139] proposed a bipartite graph projection based approach called GSBP to detect review spammer groups in e-commerce websites. Unlike FIM-based methods [99], their proposed approach detects loosely connected spammer groups—each group member may not review every target product of the group.

Kumar et al. [81] developed a fraudulent reviewer detection system called REV2 for rating platforms. They proposed three interdependent metrics: fairness of a user in rating an item, reliability of a specific rating, and goodness of a product. By combining network and behavioral properties of users, products, and ratings, REV2 calculates fairness, reliability, and goodness scores in both supervised and unsupervised settings. They evaluated the computed scores by using five real-world datasets: Flipkart, Bitcoin OTC, Bitcoin Alpha, Epinions, and Amazon. The current version of REV2 is deployed at Flipkart (an Indian e-commerce company).

Wang et al. [138] proposed a graph-based framework called GGSpam to detect review spammer groups. It recursively splits the entire reviewer graph into small groups. GSBC, the key component of GGSpam, finds the spammer groups by identifying all the bi-connected components within the split reviewer graphs whose spamicity score exceeds the given threshold. They proposed several group spam indicators to compute the spamicity score of a given reviewer group. They conducted experiments on two real-world datasets: Amazon and Yelp.

Dhawan et al. [43] proposed DeFrauder, an unsupervised approach to detect online fraud reviewer groups. This approach initially detects the candidate fraud groups by leveraging the underlying product review graph and incorporating several behavioral signals that model multifaceted collaboration among reviewers. It then maps the reviewers into an embedding space and assigns a spam score to each group such that groups consisting of spammers with highly similar behavioral traits attain a high spam score. They conducted experiments on four real-world datasets: Amazon, Play Store, YelpNYC [104], and YelpZip [105]. Figure 8(a) shows the schematic diagram of DeFrauder to detect online fraud reviewer groups. Figure 8(b) shows the coherent review patterns of four spammers in a fraudulent reviewer group.

Liu et al. [92] formulated a novel suspiciousness metric from graph topology and spikes to detect fraudulent users in multiple rating platforms (BookAdvocate, Amazon). The authors proposed HoloScope, an unsupervised approach that combines suspicious signals from graph topology, temporal bursts and drops, and rating deviation. The primary goal behind the approach is to obstruct the fraudsters by increasing the time they need to perform an attack. The evaluation was done on multiple semi-real (synthetic) and real datasets.

Shin et al. [120] proposed two algorithms (M-Zoom (Multi-dimensional Zoom) and M-Biz (Multidimensional Bi-directional Zoom)—to detect suspicious lockstep behavior in online review platforms. The task of detecting lockstep behavior is to discover a set of accounts that gives fake reviews to the same set of products/restaurants. The objective of M-Zoom and M-Biz is to detect dense subtensors in a greedy way until it reaches a local optimum. Although the overall structure of M-Biz and M-Zoom is the same, it differs significantly in the way they find each dense subtensor. Using the preceding algorithms, the authors detected three dense subtensors that indicated the activities of bots, which changed the same pages hundreds of thousands of times.

Mehrotra et al. [95] detected fake followers on Twitter using graph centrality measures. The authors created a graph using the follower and friend network from a set of Twitter users. Next, six centrality-based features were used for the classification experiment. Using this feature set with a Random Forest classifier gave an accuracy of \(95\%\). Zhang and Lu [151] proposed a graph-based approach using near-duplicates to detect fake followers in Weibo, a Chinese counterpart of Twitter. They were able to discover 11.90 million users in Weibo who bought followers from blackmarket services.

Shin et al. [117] detected three empirical patterns of core users in real-world networks across diverse domains. The first pattern is the MIRROR PATTERN, which states that the coreness of a vertex is strongly related to its degree. The second pattern, CORE-TRIANGLE PATTERN, states that the degeneracy (non-core component) and the triangle-count obey a power-law with slope 13. The third pattern, STRUCTURED CORE PATTERN, states that the degeneracy cores are not cliques. Using these patterns, the authors analyzed the lockstep behavior for collusive followers on Twitter. It was reported that at least 78% of the vertices with high coreness values use blackmarket services to boost their followers.

Limitation. Graph-based methods are memory intensive and computationally expensive, which can restrict their ability to design real-time tools to detect collusive entities in online media platforms. This is primarily due to the nature of the graphs that expose huge amounts of parallelism. It is also seen that most graph algorithms traverse each edge and node in the network. As the network keeps on adding new edges/nodes, it keeps occupying more memory and increase latency.

The advent of techniques such as deep learning has alleviated the shortcomings of the previous models with the power to learn more complex representations that are difficult to capture by traditional machine learning models.

Arora et al. [9] proposed a multitask learning approach to detect collusive tweets. The authors collected the data from two blackmarket services—YouLikeHits and Like4Like—after creating honeypot accounts in these services. The multitask model takes two inputs—the feature representation extracted from the tweet metadata and Tweet2vec representation of the tweets—which are passed through a cross-stitch neural network to learn the optimal combination of the inputs via soft parameter sharing. Ahsan et al. [4] tackled the problem of fake reviewers using an active learning approach with the TF-IDF features of the review content.

Studies have also looked at the detection of social spammers in online media platforms. Wu et al. [141] proposed an end-to-end deep learning model based on Graph Convolution Networks (GCNs) that operates on directed social graphs to detect social spammers. The authors built a classifier by performing graph convolution on the social graph with different types of neighbors.

In a study to identify collusive entities on YouTube, Dutta et al. [50] proposed CollATe, a deep unsupervised learning method using denoising autoencoders. The CollATe architecture consists of three components—metadata feature extractor, anomaly feature extractor, and comment feature extractor—to learn video feature representations. The final representation is then fed to a collusive video detector module that returns the label (either collusive or non-collusive) for the input video.

To detect collusive followers on Twitter, Castellini et al. [24] proposed a deep learning technique using a denoising autoencoder. The denoising autoencoder is implemented as an anomaly extractor and is trained with examples only from the features generated from the real profiles. The authors built a test set with both real and fake profiles. Once they got the reconstruction error calculated using the autoencoder for a data point, it was then compared to a threshold value (computed from the training set): if the error is higher, it is marked as collusive (i.e., the autoencoder is not able to properly reconstruct the record); otherwise, it is marked as real.

Limitation. The main limitation of the advanced models is the requirement of vast amount of data. Moreover, due to the unusual behavior of collusive entities including the mixture of organic and inorganic activities, it is a tough task to find correlations between sets of features, which makes it difficult for these methods to perform well.

In contrast to the preceding approaches, which were largely focused on collusive activities in online media platforms, a series of works have been conducted on detecting collusive activities in other platforms.

Asavoae et al. [10] developed a fully automated and effective detection system to detect colluding Android apps that violate the permissions causing data leaks or distributing malware over multiple apps. The authors first proposed a rule-based approach to identify colluding apps. As defining rules requires expert knowledge and for some cases explicit rules may not exist, the authors proposed a probabilistic model to calculate two likelihood components for an app: (i) the likelihood of carrying out a threat and (ii) the likelihood of performing an inter-app communication.

Blasco and Chen [17] proposed Application Collusion Engine (ACE), a system to automatically generate colluding apps with a variety depending on the configuration of app component templates and code snippets. The ACE system has two main components: colluding set engine and application engine. The first component tells the second component how it should create apps in order to collude. The second component is responsible for creating fully working Android apps that are ready to be installed in a device. The primary aim of this work is to create substantial colluding app sets for experimentation, as representative datasets do not presently exist for colluding apps. Kalutarage et al. [75] proposed a probabilistic model toward an automated threat intelligence system for app collusion. The readers are encouraged to refer to the work of Bhandari et al. [16] for a detailed survey on the app detection techniques that focus on collusive activities by investigating inter-app communication threats.

Limitation. As these methods are mostly targeted toward detecting colluding apps in the Android operating system, there is a possibility of bottleneck to detect covert channels in inter-app communications for real-life apps. This is mainly due to the rapid growth of the mobile app ecosystem and third-party marketplaces.

Table 2 provides a summary of the approaches for collusive entity identification in the area of individual and group collusion.

Annotation guidelines are usually seen in studies that create a labeled set of entities for various experiments, as mentioned in the following.

The dataset of Dutta et al. [48] is one of the most widely used datasets [8, 47] on collusive retweeter detection. The dataset is created from the blackmarket services, and the annotators were asked to label each retweeter by one of the three classes: bots, promotional customers, and normal customers. For instance, bots can be selected if the account is controlled by software. The promotional customers can be identified if the accounts are involved in promoting brands using keywords such as “win,” “ad,” and “Giveaway.” The normal customers class can be selected if the account does not fall under any of the preceding categories. The annotators were also given complete freedom to search for any information related to collusive entities on the web and apply their own intuition.

In the work of Wu et al. [142], a corpus of collusive spammers in a Chinese review website is described. The task of the annotator is to label each reviewer in a reviewer group as either colluder or non-colluder. The annotators in this work were computer science major graduate students who had extensive online shopping experiences. The annotators were given a set of three instructions about the colluder class and how they should reason to arrive at the colluder class when the data are not straightforward: (i) if the reviewer has too many reviews giving opposite opinions than other reviews about the same stores; (ii) if the reviewer has too many reviews giving opposite opinions about the same stores as compared to the ratings from the Better Business Bureau,¹⁵ an organization that focuses on advancing marketplace trust; and (iii) if the reviewer has too many reviews giving opposite opinions about the same stores as compared to evidence by general web search results.

In the work of Mukherjee et al. [98], a corpus of collusive spammers in an e-commerce website is described. Three annotators were given the task of examining the e-commerce users and provide a label as spammer or non-spammer based on three opinion spam signals. Note that each of the annotators was a domain expert an employee of e-commerce platforms such as Rediff Shopping, eBay.in, etc.). As the annotators were domain experts, they were also given access to detailed information, such as the entire profile history and demographic information.

Li et al. [88] built a review spam corpus. They crawled data from a consumer review site named Epinions.¹⁶ The task of the annotator was to annotate the review spam dataset and label each review as spam or non-spam. The annotators used the rules specified in a platform named Consumerist,¹⁷ an independent source of consumer news and information published by Consumer Reports, to label the reviews. The platform suggests a set of 30 rules that are helpful for annotators to spot fake online reviews. The authors employed 10 college students to annotate their reviews. Each review was annotated by two students, and conflict was resolved by another student.

In most of the preceding studies, the Fleiss/Cohen kappa value was reported to show the reliability of agreement between the annotators.

In this section, we present a list of publicly available datasets used for the detection of collusive activities in online media.

The Fame4Sale dataset [34] is a corpus of fake followers collected from various blackmarket services: InterTwitter (INT), FastFollowerz (FSF), and TwitterTechnology (TWT). The dataset also contains the relationships between the user accounts (followers/friends). The ScoRe dataset [47, 48] is a medium-sized corpus of collusive users, collected from four freemium blackmarket retweeting services: YouLikeHits, Like4Like, Traffup, and JustRetweet. It contains an anonymized version of 1,941 users who were manually annotated into four categories (bots, promotional customers, normal customers, and genuine users). The authors also reported the values of 64 features for each user, which were used in their approach to distinguish between collusive users and genuine users. The CoReRank dataset [29] is another corpus of retweeters collected from two blackmarket services: YouLikeHits and Like4Like. It contains the details of 4,732 collusive users and 2,719 genuine users. Liu et al. [93] released the DetectVC dataset of voluntary followers containing 3,250 volower IDs and their following relations. The MalReg dataset [62] contains annotated groups of users that collude to retweet together maliciously. It consists of 1,017 malicious retweeter groups collected from three political events: UK General Election 2017, Indian banknote demonetization 2016, and Delhi legislative assembly election 2013. The FakeLikers dataset contains 13,147 likers, 4.66M pages, 0.99M posts, and 5.47M friend relations from Facebook. There is only one available dataset for recruitment frauds (EMSCAD) [132]. The dataset consists of 17,880 annotated job ads (17,014 legitimate and 866 fraudulent) published between 2012 and 2014 and annotated by people having domain expertise. Each job ad is described by a set of fields, and a label indicates whether the entry is fraudulent or not. There are a few publicly available datasets for rating platforms. Dhawan et al. [43] released a large-scale dataset of reviews from different applications available on Google Play Store. The dataset contains 325,424 reviews made by 321,436 reviews on 192 apps. YelpNYC [104] and YelpZip [105] are the datasets collected from Yelp and used for detecting collusive users/groups. The YelpNYC dataset consists of review data related to 923 restaurants in New York City. It includes 359k reviews and 160k reviewers. YelpZip is relatively large compared to the other two datasets. It consists of 608k reviews and 260k reviewers, for 5k restaurants located in multiple states of the United States. Dutta et al. [46] released ABOME, a dataset of collusive Twitter and YouTube entities collected from two blackmaket services: YouLikeHits and Like4Like. ABOME consists of 23,522 collusive retweets and 18,368 collusive follower requests for Twitter, and 58,091 collusive likes, 25,106 comments, and 7,847 subscriptions requests for YouTube. ABOME also consists of a time-series data dataset of 2,350 Twitter collusive users and 4,989 collusive tweets.

Issues regarding datasets. An issue with most of the online media datasets for anomaly detection is that such datasets are shared with only the details of the entities present and not the identifiers (Tweet id, YouTube video id, etc.). Thus, for any new study to be carried out on such datasets, no reference is available to get any new information for those entities. Another related issue is the need of large annotated datasets to carry out studies that represent a substantial size of the entire population for an online media platform.

In this section, we discuss the tools and interfaces developed to detect collusion in online media. A list of interfaces and applications is provided in the following with references to the corresponding studies; in addition, Figure 9 shows the working of two such applications:

Cresci et al. [38] conducted a survey on three (“fakers,” “Fake Follower Check,” “Twitter Audit”) Twitter analytics that aim to detect fake followers and showed the lack of reliability of these tools. The authors proved that the tools fail to meet the basic assumptions of unbiased sampling and are unable to generate the same label over the same set of target accounts. It would be interesting to see a series of comparative experiments that summarize the limitations of the new tools that are mentioned in this work. Finally, some of the previous works have publicly released their resources and codes. Interested readers can refer to studies found elsewhere [8, 9, 43, 47, 48, 62], where public links to the resources and codes for collusive entity detection and analysis are available. We believe that such studies are worthy of attention, as they encourage the reproducibility of the experiments and enable the follow-up studies to use the models as baselines to improve collusive entity detection.

For any classification task, metrics such as precision, recall, and F-score are commonly used. However, in most of the studies, we observe the F-score to be more popular, as it is a combined metric that conveys the balance between the precision and recall. In general, the F-score is calculated as the weighted harmonic mean of precision and recall, with a beta parameter (\(\beta\)) that determines the weight of recall. In collusive entity detection, the most widely used version of the F-score is calculated as the macro-average of the F-scores for collusive (col) and genuine (gen) classifications as follows:where \(Correct_{col}\) and \(Correct_{gen}\) indicate correctly classified collusive and genuine users, respectively. Similarly, \(Spurious_{col}\) (respectively, \(Missing_{col}\)) and \(Spurious_{gen}\) (respectively, \(Missing_{gen}\)) indicate false positive (respectively, false negative) for collusive and genuine classes, respectively.

Precision@k and Recall@k are other metrics used for collusive entity detection [29] and are calculated as follows:

Dutta et al. [50] also reported the true positive rate. The reason behind choosing the true positive rate as the evaluation metric is because all of their models are trained on one class, and the authors are only interested in the proportion of actual positives (data in the collusive class) that are correctly identified by the models. The evaluation strategy can be considered when the objective is to measure the effectiveness of a single class.

Recently, collusive entity detection has gained a lot of attention in the literature. It is often seen that the anomalous phenomena happens in groups with a set of accounts targeted toward performing the fraudulent activities. The primary aim of the collusive group detection task is to find a set of users who jointly exhibit anomalous behavior. Detecting anomalous groups is more difficult as compared to the individual detection task due to the inter-group dynamics. We request that the reader review Section 5 for details of previous studies in individual and group collusive entity detection. We believe that the advent of new datasets (see Section 7 for more details) will foster fraudulent user/entity detection (on both individual and group levels) with the advantage of adding the topical dimension as well as the temporal dimension.

Understanding connectivity patterns of an underlying network is a well-studied problem in the literature. It includes tasks such as inferring lockstep behavior [15], dense block detection [119], detecting core users [117, 118], identifying the most relevant actors in a network [18], sudden appearance/disappearance of links [54], and so forth. One potential research direction is to create various networks among the entities to investigate the network’s structural patterns. Recently, several studies have modeled information diffusion for collusive entities from a topological point of view. It includes tasks such as influence maximization (selecting a seed set to maximize the influence spread) [72, 96], predicting information cascade [64, 103], measuring message propagation and social influence [19, 146], and so on.

Event-specific studies can be employed by deeply investigating large-scale datasets. Some of the publicly available datasets mentioned in Section 7 are obtained from multiple sources and span over a long period of time. Therefore, it may consist of information from many major events [11], which can be easily extracted for event-centric studies. Researchers can also check how these users/entities were involved in manipulating the popularity of events by artificially inflating/deflating the social reputation of entities in online media [152].

A topic closely related to the previous topic is the temporal modeling of the collusive entities. The tasks in temporal modeling include detecting time periods containing unusual activity [57], identifying repetitive patterns in time-evolving graphs [148], and so on. Recently, detecting anomalies in streams [53, 54] has gained a lot of attraction in the research community due to the time-evolving (or dynamic) property where consecutive snapshots of activity in a time window are monitored. Related studies for temporal modeling can be found elsewhere [52, 140, 147].

The datasets in collusive entity detection are collected from various online media platforms where the entities usually have texts written in several languages. Although we observe the lack of annotated datasets in languages other than English, cross-lingual studies can be done by converting the English texts into the target language using automated translation tools. The converted texts can then be used to create the training and test datasets. For multilingual studies, we can consider it as a future research topic that can be performed only when sufficient content is available in multiple languages.

The underlying blackmarket collusive network includes two types of users: (i) core users, fake accounts or sockpuppets, which are fully controlled by the blackmarkets (puppet masters), and compromised accounts that are temporarily hired to support the core users. These two types of users are together called collusive users. Core users are the spine of any collusive blackmarket; they monitor and intelligently control all fraudulent activities in such a way that none of their hired compromised accounts are being suspended. Therefore, detecting and removing core blackmarket users is of utmost importance to decentralize the collusive network and keep the YouTube ecosystem healthy and trustworthy.

According to the literature [68], detecting core nodes in a network is to find the influential nodes. However, in the case of collusion, core nodes might not be influential, as these are the accounts that are fully controlled by the blackmarket authorities. The work by Shin et al. [117] is the only study that explores empirical patterns of core users in real-world networks. The work of Huang et al. [68] and Zhang and Zhang [153] are some of the studies on influential node detection in a network. However, none of the existing studies attempted to detect core collusive users. One reason may be the lack of ground truth for training the model and evaluation. We believe that core blackmarket user detection is highly important to understand how these services operate and flag their behavior.

Another future work could be to investigate the cross-platform spread of collusive entities and study its impact. Online media platforms differ from each other in multiple ways: (i) different platforms have significantly different language characteristics, (ii) some platforms have restrictions on the length of posts allowing users to express themselves within less space, (iii) some platforms only allow images/videos as posts, and (iv) different platforms have different types of appraisals. Very few studies considered analyzing cross-platform data [70, 108] in online media platforms. Moreover, no work to date examined the cross-platform study of collusive entities. An important related issue to conduct the cross-platform study is the need for ground-truth datasets collected from different online media platforms.

A recent trend in social computing research is to conduct a multimodal analysis of online media entities. The multimodal investigation of collusive entities is important for the following reasons: (i) different modalities may exhibit different but important information about an entity (e.g., may help in detecting the authenticity of the information), and (ii) different modalities can be manipulated differently by the blackmarket services. Note that it is expected that multimodal analysis will introduce a computational cost due to the operation on image and video data. Singhal et al. [122] proposed a multimodal framework called SpotFake for fake news detection by leveraging the textual and image modalities. Hence, new models can be designed to incorporate different modalities for collusive entity detection.

Online social networks are a popular way of dissemination and consumption of information. However, due to their decentralized nature, they also come with limited liability for disinformation and collusive persuasion. It is often the experience that online users are subjected to a barrage of misinformation within a short span of time, all of which are targeted at persuading the user to develop a particular sentiment against a person, a political party, a system of medicine, or the cause of an event. This “echo chamber” effect influences users’ thoughts in a manner that is unfavorable to the spirit of free speech and debate. This direction may undertake research into the detection of fake news within online social networks, with a specific focus on understanding the nature of collusive orchestration of misinformation. In particular, one may consider (i) collusion in fake news (i.e., identifying telltale patterns of collusion within the context of fake news) and (ii) collusive fake news detection (i.e., leveraging such collusive patterns to enhance fake news detection). In addition to improving fake news detection, this project will make fundamental advances toward a novel direction of research in fake news analytics—that of characterizing and exploiting collusive behavior toward improving fake news detection. We also encourage the reader to review the work of Kumar and Shah [82] for detailed information of diverse aspects of false information on the web.