Researchers at the University of British Columbia say they were able to cull 250GB of Facebook user data from a socialbot network they created.
The researchers describe how they did it in their paper, "The Socialbot Network: When Bots Socialize for Fame and Money." They write:
Online Social Networks (OSNs) have become an integral part of today's Web. Politicians, celebrities, revolutionists, and others use OSNs as a podium to deliver their message to millions of active web users. Unfortunately, in the wrong hands, OSNs can be used to run astroturf campaigns to spread misinformation and propaganda.
Such campaigns usually start off by infiltrating a targeted OSN on a large scale. In this paper, we evaluate how vulnerable OSNs are to a large-scale infiltration by socialbots: computer programs that control OSN accounts and mimic real users. We adopt a traditional web-based botnet design and built a Socialbot Network (SbN): a group of adaptive socialbots that are orchestrated in a command-and-control fashion.
We operated such an SbN on Facebook—a 750 million user OSN—for about 8 weeks. We collected data related to users' behavior in response to a large-scale infiltration where socialbots were used to connect to a large number of Facebook users. Our results show that (1) OSNs, such as Facebook, can be infiltrated with a success rate of up to 80%, (2) depending on users' privacy settings, a successful infiltration can result in privacy breaches where even more users' data are exposed when compared to a purely public access, and (3) in practice, OSN security defenses, such as the Facebook Immune System, are not effective enough in detecting or stopping a large-scale infiltration as it occurs.
The findings have sparked plenty of reaction.
Mike Geide, senior security researcher at Zscaler ThreatLabZ, said, "These researchers have illustrated that harvesting Friends on Facebook is not only possible but can be highly automated. It’s evident that Facebook accounts and friends are a commodity and a valuable resource for those seeking to do evil -- whether it be to profit from a simple likejacking campaign or to do a more targeted spear-phishing or malware campaign."
Said Sophos senior security consultant Graham Cluley: "Facebook's security team is unlikely to look kindly on people who conduct experiments such as that done by the university researchers, and users are reminded that under Facebook's terms of service you are not allowed to create fake profiles, should use your real name, and should only collect information from other users with their consent."
He added, "The topic of whether the researchers' Socialbot Network experiment was right or not is a topic for another day. But whatever its rights or wrongs, it certainly presents an interesting illustration of just how easy it would be to automate identity theft on Facebook."