Socialbot Network finds it easy to harvest data from Facebook users

Filed Under: Data loss, Facebook, Privacy, Social networks

Researchers have claimed that Facebook's inbuilt security systems are "not effective enough" at stopping automated identity theft, after running a large-scale infiltration of the network using socialbots.

In their paper, "The Socialbot Network: When Bots Socialise for Fame and Money", researchers from the University of British Columbia describe how they managed to collect private data from thousands of complete strangers on Facebook, and infiltrate their friend networks, using "socialbots".

The researchers - Yazan Boshmaf, Ildar Muslukhov, Konstantin Beznosov and Matei Ripeanu - explain that a socialbot is automated software that controls a social networking account and can perform basic functions such as posting messages and sending friend requests.

Importantly, socialbots attempt to pass themselves off as being a real, living human being rather than computer code.

Although Facebook puts steps in place to try to prevent the automated creation of accounts, the researchers relate how online services could be used to break CAPTCHAs, and they populated their bogus accounts' profile images with attractive photos taken from HotOrNot.

Fake Facebook status updates were also easy to generate, using an API provided by iheartquotes.com for random sayings.

The researchers warn that socialbots can infiltrate friend networks by connecting to users, and could even be used to spread misinformation and propaganda to influence others.

Furthermore, a socialbot can be used to harvest personal information such as email addresses and phone numbers.

Bring many socialbots together and you have a Socialbot Network (SbN), under the control of one person.

Socialbot network

The researchers built a Socialbot Network consisting of 102 socialbots and a single botmaster, and ran the operation for eight weeks. During that time the SbN made 8,570 friend requests and recorded all of the profile information it was able to access from its newly found "friends".

And it wasn't just people who accepted the bogus friend requests who leaked personal information - the private data of other users who had not been infiltrated was also exposed.

In all, the researchers' socialbots made Facebook friends with 3,055 people and grew its extended network to a total of 1,085,785 profiles.

Interestingly, one of the researchers' findings was that the more friends someone has on Facebook, the more likely they are to accept a friend request from a socialbot.

The more friends you have, the more likely you'll accept a friend request from a socialbot

Once the socialbots had befriended one person, they would then attempt to become Facebook friends with that person's friends, and so on. As they became more embedded within friend networks, the acceptance rate of friend requests reached 60%.

With their automated data-slurping network the researchers were able to gather 35% of all the personally identifiable information found on their direct networks, and 24% from extended networks. These bots also managed to gather 46,500 email addresses and 14,500 home addresses.

Data revealed before and after Socialbot network experiment

On average, each socialbot collected 175 new "chunks" of users' data per day that were not publicly accessible.

Clearly there's a lesson for Facebook users to learn there about the need to carefully vet who you allow to become your Facebook friend, and what information you choose to share online.

The researchers also felt that Facebook's inbuilt security systems, known as the Facebook Immune System (FIS), should be improved. They found that FIS only blocked 20% of the accounts used by the socialbots - and this was only because of feedback from suspicious users who flagged the accounts as spam.

Curiously, all of the blocked accounts were posing as female users.

In the researchers' opinion, Facebook's security team isn't taking the threat of automated accounts seriously enough:

"In reaction, we asked ourselves: what assumptions are made by the FIS that might be problematic? The answer came directly from the authors of the FIS: they state that 'fake accounts have limited virality because they are not central nodes in the graph and lack trusted connections. They also have no unique data or history'.

"Hence, we conjecture that the FIS does not consider fake accounts as a real threat. Fake accounts, however, are one of the main [online social network] vulnerabilities that allow a botherder to run a large-scale infiltration campaign. Detecting and blocking such accounts - as early as possible - is the main challenge that [online social network] security defenses like the FIS have to overcome in order to win the battle against an SbN."
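The paper's two observations above - that the bots start by sending requests to complete strangers and only later move on to friends-of-friends, and that detection has to happen "as early as possible" - suggest what a defender could look for before a bot becomes embedded. The following Python is an added illustration, not code from the paper and not how the Facebook Immune System works; the friendship graph, the friend-request log, the account names (`alice`, `bot17`, `bot42`) and the thresholds are all constructed for the example.

```python
"""
Heuristic early-warning for socialbot-style friend-request campaigns.

Two signals are checked per requesting account:
  1. a burst of friend requests inside a short window (rate limiting), and
  2. a "cold-start" pattern: most requests go to users who share no mutual
     friend with the requester, which is how a fresh socialbot looks before
     it has infiltrated anyone's friend network.

All data below is constructed for the example; the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed pre-campaign friendship graph (symmetric adjacency sets).
GRAPH = {
    "alice": {"bob", "carol", "dave"},
    "bob":   {"alice", "carol"},
    "carol": {"alice", "bob", "erin"},
    "dave":  {"alice", "frank"},
    "erin":  {"carol"},
    "frank": {"dave"},
}

T0 = datetime(2011, 3, 1, 9, 0)

# Constructed friend-request log: (timestamp, requester, target).
# "alice" behaves normally: a few requests, mostly to friends-of-friends.
# "bot17" sends a burst of 30 requests to strangers within five hours.
# "bot42" is slow (one request a day) but still only targets strangers.
EVENTS = [
    (T0, "alice", "erin"),                       # shares carol with alice
    (T0 + timedelta(hours=2), "alice", "frank"), # shares dave with alice
    (T0 + timedelta(days=3), "alice", "gina"),   # no mutual friend
] + [
    (T0 + timedelta(minutes=10 * i), "bot17", f"user{i:03d}") for i in range(30)
] + [
    (T0 + timedelta(days=i), "bot42", f"mark{i}") for i in range(6)
]


def burst_size(timestamps, window):
    """Largest number of requests that fall inside any interval of length `window`."""
    timestamps = sorted(timestamps)
    best, start = 0, 0
    for i, ts in enumerate(timestamps):
        while ts - timestamps[start] > window:
            start += 1
        best = max(best, i - start + 1)
    return best


def stranger_ratio(graph, requester, targets):
    """Fraction of targets that share no mutual friend with the requester."""
    if not targets:
        return 0.0
    own = graph.get(requester, set())
    strangers = sum(1 for t in targets if not (own & graph.get(t, set())))
    return strangers / len(targets)


def flag_suspicious(events, graph, window=timedelta(days=1), max_burst=20,
                    min_requests=5, max_stranger_ratio=0.5):
    """Return {requester: reason} for accounts matching either heuristic."""
    per_user = defaultdict(list)
    for ts, src, dst in events:
        per_user[src].append((ts, dst))

    flagged = {}
    for user, reqs in per_user.items():
        burst = burst_size([ts for ts, _ in reqs], window)
        if burst > max_burst:
            flagged[user] = f"rate: {burst} friend requests within {window}"
            continue
        ratio = stranger_ratio(graph, user, [dst for _, dst in reqs])
        if len(reqs) >= min_requests and ratio > max_stranger_ratio:
            flagged[user] = (f"cold start: {ratio:.0%} of {len(reqs)} requests "
                             f"went to users with no mutual friend")
    return flagged


if __name__ == "__main__":
    for account, reason in flag_suspicious(EVENTS, GRAPH).items():
        print(f"{account}: {reason}")
```

Two caveats follow directly from the numbers in the article. First, the rate check alone would not have caught this SbN: 8,570 requests from 102 bots over eight weeks is roughly 1.5 requests per bot per day, far below any per-account limit a real user would tolerate, so `bot42` rather than `bot17` is the realistic case. Second, the stranger-ratio signal only fires during the cold-start phase; once a bot has a few accepted friends and starts requesting their friends (where the paper saw acceptance reach 60%), it shares mutual friends with its targets and the second heuristic goes quiet. That is the practical meaning of the authors' point that detection has to happen early.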

By the end of the eighth week, the researchers voluntarily dismantled their Socialbot network - not because it had caught the attention of Facebook's security team, but because of the amount of internet traffic it was generating.

"In total, the SbN generated approximately 250GB inbound and 3GB outbound traffic."

Facebook's security team is unlikely to look kindly on people who conduct experiments such as the one carried out by the university researchers, and users are reminded that under Facebook's terms of service you are not allowed to create fake profiles, you should use your real name, and you should only collect information from other users with their consent.

Whether the researchers' Socialbot Network experiment was right or wrong is a topic for another day. But whatever its rights or wrongs, it certainly presents an interesting illustration of just how easy it would be to automate identity theft on Facebook.

If you're on Facebook, and want to learn more about security and privacy issues on the social network, consider joining the Sophos Facebook page.


8 Responses to Socialbot Network finds it easy to harvest data from Facebook users

  1. James Jeffery · 898 days ago

    Graham,

    I appreciate the effort that's been taken in running this experiment but do you realise what you have done? Every Blackhat marketer reading this blog post will be drooling at the mouth right now making plans to develop such a bot.

    You've shown the average Joe they should be worried, but the Blackhat marketers are getting excited about your statistics.

    We all know Facebook continues to trip up time and time again. But Facebook is now a concrete factor in many people's lives. It's the prime communication tool between friends and family. For many, it's a part of their life.

    The majority are not going to switch their behaviours based on this post, the same as they haven't with any previous security warnings.

    The truth is, so long as Facebook remains an important part of people's lives, marketers are going to find a way to impose on their privacy to make money. The same as telephone salesmen, door-to-door salesmen and straight-up conmen.

    Billions are generated per year by marketers using non Facebook advertising methods (PPC).

    Kudos for the research, but it's a bad idea posting the generous and exciting stats for all to see.

  2. ghb · 898 days ago

    You would think that Facebook, as the huge social network it is...would be a little more eager to protect their millions of users. That they would WANT to protect them. I am shocked at all the fake crap on Facebook. All the scams and such. Facebook needs to be a lot more diligent in the things they allow posted, i.e. a spider under her skin...... what the girl did after her father read her diary, blah blah blah... and the list of stupid things goes on and on. And PEOPLE need to be more responsible and more diligent in the crap they click on!!!!!!!

    • Nigel · 892 days ago

      Actually, I would NOT think that Facebook would be a little more eager to protect their millions of users. They've already proven that they don't give a rat's behind about their users' privacy, as evidenced by their refusal to adopt an opt-in policy for their "features", rather than continuing their aggressive implementation of ever-newer features -- which usually are opt-out.

      I absolutely agree with your assertion that people need to be more responsible and diligent about "the crap they click on", but then people need to be more responsible and diligent about nearly everything they do. The truth is that most people are NOT responsible, and that fact is one that Facebook relies upon in their efforts to commoditize such irresponsible behavior into a gold mine of personal information.

      If most Facebook users aren't going to change, and Facebook's policies aren't going to change, the only choices available for people who care about their privacy is to either stop using Facebook, or be committed to spend whatever time is necessary to defeat their incessant attempted invasions of privacy, and live with those that can't be defeated.

  3. mittfh · 898 days ago

    "You are not allowed to create fake profiles."

    Except that fake profiles are almost endemic - most of them being used purely for the purposes of social games. It's considerably easier to set up a fake profile and invite anyone and everyone to become friends to play the game, without needing to worry about them being able to access personal data, than to create multiple friend lists, set up differing security for each list, and send game requests to a list only rather than cluttering up a person's wall for genuine friends who don't play that particular game.

    Of course, some people do both - play social games both as themselves and as their fictional counterpart - because playing two accounts allows people to advance significantly quicker in many social games that depend on social interactions (sending game items to friends, requesting game items from friends).

  4. SLD · 898 days ago

    The only way to get Facebook to change their behavior is financially. Perhaps an agreed-upon blackout day when no one will log on to Facebook. I wonder what their advertisers would say if the site didn't deliver eyeballs to their sponsors' ads.

  5. sbitha · 898 days ago

    I am extremely glad you posted this.

  6. nutherITguy · 897 days ago

    +++ to ghb's post

    Take responsibility for your actions and use your bloody head. THINK before you click.

  7. I don't think the tendency to friend those with mutual friends had escaped the notice of anyone, it just lacked scientific research, which facebook is also questioning here as well.

    All things D quotes facebook's Response:

    We use a combination of three systems here to combat attacks like this – friend request and fake account classifiers, rate-limiting techniques and anti-scraping technology. These classifiers block and disable inauthentic friend requests and fake accounts while rate-limiting truncates the damage that can be done by any one entity. We are constantly updating these systems to improve their effectiveness and address new kinds of attacks. We use credible research as part of that process. We have serious concerns about the methodology of the research by the University of British Columbia and we will be putting these concerns to them. In addition, as always, we encourage people to only connect with people they actually know and report any suspicious behavior they observe on the site.
    http://allthingsd.com/20111102/researchers-infilt...


About the author

Graham Cluley is an award-winning security blogger, and veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.