Facebook Easily Infiltrated By Data-Harvesting Bots, Researchers Find
Researchers build network of social bots to test how many Facebook users befriend them
By Lucian Constantin
November 02, 2011 — IDG News Service — Facebook's fake account detection mechanisms can be defeated 80 percent of the time with the help of automated tools, researchers from the University of British Columbia (UBC) have found after an eight-week test.
The research team, composed of Yazan Boshmaf, Ildar Muslukhov, Konstantin Beznosov, and Matei Ripeanu, created a network of 102 bots designed to mimic humans on social networks, and released them on Facebook with the intent of befriending as many users as possible and collecting private information.
"Creating a user account on an OSN [online social network] involves three tasks: providing an active email address, creating a user profile, and sometimes solving a CAPTCHA. [...] We argue that an adversary can fully automate the account creation process," the researchers wrote in a research paper which they plan to present at the 27th Annual Computer Security Applications Conference next month.
This is not a new type of attack: malware threats like Koobface have long used automatically created accounts to spam malicious links. This pushed Facebook to develop specialized detection mechanisms over the years.
Unfortunately, these defense systems are not effective enough, according to UBC researchers. The social bots they unleashed onto Facebook targeted 5,053 randomly selected users to whom they sent friend requests.
The rate at which the targeted individuals accepted these requests was 20 percent on average, with bots using female profiles having better success. However, the rate tripled when the bots started targeting friends of those who had accepted requests.
After befriending new users, the automated programs scraped their profiles, news feeds and wall posts for personal information. The collected data included things like gender, birth date, place of employment, names of attended schools, home city, current city, mail address, email address, phone number, IM account IDs and marital status.
The researchers stopped their test when the Internet traffic it generated became too heavy. The social bot network sent 3GB of data and received approximately 250GB over the course of eight weeks.
During this time, Facebook's real-time protection system only blocked 20 of the 100 fake profiles. However, on closer investigation, it was determined that those profiles were actually flagged as spam by other users.
"Our results show that (1) OSNs, such as Facebook, can be infiltrated with a success rate of up to 80%, (2) depending on users' privacy settings, a successful infiltration can result in privacy breaches where even more users' data are exposed when compared to a purely public access, and (3) in practice, OSN security defenses, such as the Facebook Immune System, are not effective enough in detecting or stopping a large-scale infiltration as it occurs," the researchers said.
Understanding malware techniques and the ever-more sophisticated cybercrime ecosystem
Advanced evasion techniques emerge
Organized cybercrime revealed
Inside the global hacker service economy
Anatomy of a DDoS extortion attack
The rise of anti-forensics
The botnet hunters
Timeline: a decade of malware
- FireEye Advanced Threat Protection KnowledgeVault
- Solving Cloud Complexity with Service Brokers with Cloud Security Alliance & NIST
- The CISO's Survival Guide to Securing Data
- Data Privacy and Protection in Production Environments: New Research from Ponemon Institute
- Five Tips to Consider in a Data Security Strategy for Smartphones and Tablets
- Moving Your Email to the Trusted Cloud
- #FFSec: Security pros to follow on Twitter, May 25
Follow these names on Twitter. Together, they make cyberspace a more secure place. (copy and paste) - Step right up and listen to the security barker
- Is the title 'security evangelist' really that bad?
More Salted Hash with Bill Brenner
