Socialbot culls 250GB of Facebook user data, report says
The researchers describe how they did it in their paper, "The Socialbot Network: When Bots Socialize for Fame and Money." They write:
Online Social Networks (OSNs) have become an integral part of today's Web. Politicians, celebrities, revolutionists, and others use OSNs as a podium to deliver their message to millions of active web users. Unfortunately, in the wrong hands, OSNs can be used to run astroturf campaigns to spread misinformation and propaganda.
Such campaigns usually start off by infiltrating a targeted OSN on a large scale. In this paper, we evaluate how vulnerable OSNs are to a large-scale infiltration by socialbots: computer programs that control OSN accounts and mimic real users. We adopt a traditional web-based botnet design and built a Socialbot Network (SbN): a group of adaptive socialbots that are orchestrated in a command-and-control fashion.
We operated such an SbN on Facebook—a 750 million user OSN—for about 8 weeks. We collected data related to users' behavior in response to a large-scale infiltration where socialbots were used to connect to a large number of Facebook users.
Our results show that (1) OSNs, such as Facebook, can be infiltrated with a success rate of up to 80%, (2) depending on users' privacy settings, a successful infiltration can result in privacy breaches where even more users' data are exposed when compared to a purely public access, and (3) in practice, OSN security defenses, such as the Facebook Immune System, are not effective enough in detecting or stopping a large-scale infiltration as it occurs.
The findings have sparked plenty of reaction.
Mike Geide, senior security researcher at Zscaler ThreatLabZ, said, "These researchers have illustrated that harvesting Friends on Facebook is not only possible but can be highly automated. It’s evident that Facebook accounts and friends are a commodity and a valuable resource for those seeking to do evil -- whether it be to profit from a simple likejacking campaign or to do a more targeted spear-phishing or malware campaign."
Said Sophos senior security consultant Graham Cluley: "Facebook's security team is unlikely to look kindly on people who conduct experiments such as that done by the university researchers, and users are reminded that under Facebook's terms of service you are not allowed to create fake profiles, should use your real name, and should only collect information from other users with their consent."
He added, "The topic of whether the researchers' Socialbot Network experiment was right or not is a topic for another day. But whatever its rights or wrongs, it certainly presents an interesting illustration of just how easy it would be to automate identity theft on Facebook."