Researchers at a Canadian university have designed programs they say are capable of infiltrating social networks such as Facebook for the purpose of stealing private user data.
In a paper entitled The Socialbot Network: When bots socialize for fame and money, the researchers outlined how they were able to access thousands of Facebook accounts and glean some 250GB of user data.
The researchers at the University of British Columbia in Vancouver created 'socialbots' or computer programs that mimic real users, and then used them to access real Facebook user accounts.
The socialbots were able to access user data with a success rate of up to 80 per cent, depending on how many mutual friends the socialbots had previously infiltrated.
The researchers were able to harvest a vast quantity of user data from thousands of real Facebook accounts including data on news feeds, users’ profile information, and “wall” messages. In total, the experiment gleaned approximately 250GB of user data.
Over one hundred socialbots were deployed in the eight-week experiment. They were deployed into so-called socialbot networks where they were controlled by a single program called a masterbot. The socialbots, which resembled real user accounts, were capable of sending friend requests to real user accounts.
The researchers issued 25 friendship requests from a single computer per day in order to avoid security software measures deployed by Facebook.
Socialbots were designed to be socially attractive, and researchers found the use of photographs of good-looking individuals had the greatest impact.
A total of 49 ‘male’ socialbots and 53 ‘female’ socialbots were created. Of the requests that were accepted by real Facebook users, 15.9 per cent originated from ‘male’ socialbots while ‘female’ socialbots had a 22.3 per cent acceptance rate.
The researchers found it was possible to automate the collection of profile information through scavenging the web.
Socialbots were able to automatically embed random quotes taken from third-party websites into status updates, thereby giving the impression that they were valid accounts being regularly updated by real Facebook users.
Already-rated profile photographs could be selected, the researchers said, from sites such as hotornot.com where users post images of themselves to be rated publicly.
During the first “bootstrapping” phase of the project, 976 or about 19 per cent of 5,053 friend requests were accepted.
The more friends the socialbots had, the higher the acceptance rate. In the second phase, which lasted six weeks, friend requests were sent to 3,517 Facebook friends of users who had accepted requests in the first phase. Of these, 2,079 or 59 per cent were accepted.
The researchers said the socialbots were designed to exploit what is called the ‘triadic closure principle’.
According to the principle, which originates from real-life social networks, the likelihood of users accepting a connection request is about three times higher given the existence of some number of mutual connections.
Researchers found that anti-hacking measures such as the Facebook Immune System were only capable of blocking some 20 per cent of the socialbots, and these blocks were the result of users flagging the socialbots as spam.
Online criminals use socialbots to collect data, and the bots are being offered for sale on the Internet from $29.
Facebook said the company had serious concerns about the methodology used by the researchers.
“We have serious concerns about the methodology of the research by the University of British Columbia and we will be putting these concerns to them. In addition, as always, we encourage people to only connect with people they actually know and report any suspicious behavior they observe on the site.”
The research paper, written by Yazan Boshmaf, Ildar Muslukhov, Konstantin Beznosov and Matei Ripeanu, will be presented at the Annual Computer Security Applications Conference in December.