Beware: The socialbots are coming. These fake profiles mimic real people on Facebook but are actually computer programs that try to harvest private data from users, and expose them to other security risks.
University of British Columbia researchers created a social network of a single botmaster and 102 socialbots, and then let it loose on Facebook for eight weeks. The results were a little scary.
- During the eight-week period, the socialbots were able to send out 8,570 friend requests on Facebook, of which 3,055 were accepted. However, the “extended neighborhood” — friends of friends — numbered approximately 1,085,785. The socialbots averaged around 20 friends, with some ensnaring as many as 80 or 90.
- The socialbots had far more success getting friend requests accepted from friends of Facebook users who had already accepted their initial friend requests, due largely to the social network showing common friends in friend requests. On first pass, only 20 percent of friend requests were accepted, but once the bogus accounts could be passed off as friends of friends, that number jumped to 60 percent.
- By accessing the profiles of friends with less stringent security settings, the socialbots were able to average 175 pieces of data from publicly inaccessible profiles per day, and ended up with a total of roughly 250 gigabytes of data (all of which was encrypted during the study and deleted after its conclusion).
- The Facebook Immune System was only able to block 20 percent of the bogus accounts used by the socialbots. And the only reason those accounts were blocked: Some alert Facebook users had flagged them as spam.
- Those bogus profiles were created to be “socially attractive.” The researchers actually used photos lifted from sites like Hot or Not, where users rate the attractiveness of the subject, believing that better-looking subjects bring better results.
A Facebook spokesperson on how the social network combats bots:
We use a combination of three systems here to combat attacks like this — friend request and fake account classifiers, rate-limiting techniques, and anti-scraping technology. These classifiers block and disable inauthentic friend requests and fake accounts, while rate-limiting truncates the damage that can be done by any one entity. We are constantly updating these systems to improve their effectiveness and address new kinds of attacks. We use credible research as part of that process. We have serious concerns about the methodology of the research by the University of British Columbia and we will be putting these concerns to them. In addition, as always, we encourage people to only connect with people they actually know and report any suspicious behavior they observe on the site.
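The spokesperson names per-entity rate limiting and fake-account classifiers as two of the three defenses. The following is an added illustration of how those two ideas fit together, written for this article and not Facebook's own code: a sliding-window limiter caps how many friend requests any one account can send per day, and a simple classifier signal flags accounts whose outbound requests are mostly rejected, which is the pattern the study reports for bots on their first pass (about 20 percent acceptance). The window size, request cap, and rejection-ratio threshold are assumed values chosen for the demonstration, and the account activity in `simulate()` is constructed sample data.

```python
from collections import defaultdict, deque

# Assumed parameters for the demonstration; not Facebook's real limits.
WINDOW_SECONDS = 24 * 3600        # sliding window of one day
MAX_REQUESTS_PER_WINDOW = 20      # outbound friend requests allowed per account per window
MIN_REQUESTS_FOR_RATIO = 10       # need this many sent requests before judging the ratio
MAX_REJECTION_RATIO = 0.7         # flag if more than 70% of sent requests were not accepted


class FriendRequestMonitor:
    """Per-account rate limiter plus a low-acceptance-rate signal for fake accounts."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_REQUESTS_PER_WINDOW):
        self.window = window
        self.limit = limit
        self.sent = defaultdict(deque)                # account -> timestamps of allowed requests
        self.outcomes = defaultdict(lambda: [0, 0])   # account -> [requests sent, requests accepted]

    def allow_request(self, account, now):
        """Return True and record the request if the account is under its per-window cap."""
        q = self.sent[account]
        # Drop timestamps that have aged out of the sliding window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False                              # rate-limited: damage by one entity is capped
        q.append(now)
        self.outcomes[account][0] += 1
        return True

    def record_acceptance(self, account):
        """Record that one of the account's outbound requests was accepted."""
        self.outcomes[account][1] += 1

    def suspicious(self, account):
        """Flag accounts with enough history whose requests are mostly rejected or ignored."""
        sent, accepted = self.outcomes[account]
        if sent < MIN_REQUESTS_FOR_RATIO:
            return False                              # too little data to judge
        return (sent - accepted) / sent > MAX_REJECTION_RATIO


def simulate():
    """Run constructed activity for one bot-like account and one ordinary account."""
    mon = FriendRequestMonitor()

    # Constructed: a bot-like account fires 40 requests within an hour; only 4 get accepted.
    bot_allowed = bot_denied = 0
    for i in range(40):
        if mon.allow_request("bot-01", now=i * 60):
            bot_allowed += 1
        else:
            bot_denied += 1
    for _ in range(4):
        mon.record_acceptance("bot-01")

    # Once the window has passed, the account may send again (the cap is per window, not a ban).
    bot_allowed_after_window = mon.allow_request("bot-01", now=WINDOW_SECONDS + 40 * 60)

    # Constructed: an ordinary user sends 5 requests over a day and 4 are accepted.
    for i in range(5):
        mon.allow_request("alice", now=i * 3600)
    for _ in range(4):
        mon.record_acceptance("alice")

    return {
        "bot_allowed": bot_allowed,
        "bot_denied": bot_denied,
        "bot_allowed_after_window": bot_allowed_after_window,
        "bot_flagged": mon.suspicious("bot-01"),
        "human_flagged": mon.suspicious("alice"),
    }


if __name__ == "__main__":
    print(simulate())
```

The limiter alone would not have stopped the study's bots, which sent only a few requests per account per day; the ratio signal is what separates them here, and it is exactly the signal the friends-of-friends tactic erodes once acceptance climbs to 60 percent, which is why real classifiers combine many features rather than one.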
The university’s report, “The Socialbot Network: When Bots Socialize for Fame and Money,” concludes:
We have evaluated how vulnerable online social networks are to a large-scale infiltration by a socialbot network. We used Facebook as a representative online social network, and found that using bots that mimic real users is effective in infiltrating Facebook on a large scale, especially when the users and the bots share mutual connections.
Moreover, such socialbots make it difficult for online social network security defenses, such as the Facebook Immune System, to detect or stop a socialbot network as it operates. Unfortunately, this has resulted in alarming privacy breaches and serious implications on other socially-informed software systems. We believe that large-scale infiltration in online social networks is only one of many future cyber threats, and defending against such threats is the first step towards maintaining a safer social web for millions of active web users.
Readers: How sure are you that all of your Facebook friends are human and not bots?