New Scientist has a fascinating story today about the lengths to which Facebook goes to combat cyber scoundrels.
Called the Facebook Immune System, it is very likely the biggest, most comprehensive network security mechanism on the planet. The FIS scans up to 650,000 status updates, photos, and videos posted every second (more than 25 billion a day) using machine learning to identify suspicious behavior that could be signs of spammishness.
As a result, less than 4 percent of messages are spam, and only about 1 in 200 Facebook users sees any on a given day. To put it another way, 4 million Facebookers still get spam-scammed every 24 hours – like I did last week. Such is the price of having a population bigger than all but two countries.
But buried in that story are the results of a research paper by security researchers at the University of British Columbia that details how to slip past the FIS, infiltrate users' friend lists, and harvest their private data.
The geeks (Yazan Boshmaf, Ildar Muslukhov, Konstantin Beznosov, Matei Ripeanu) managed to punch a hole in Facebook’s security net using “socialbots” – pieces of software that look and act like humans online. (Serious nerds can download the entire paper here.)
The UBC crew created code that could log onto a social network and automatically create a fake user account – no human intervention required. Like human spammers, they made the accounts “socially attractive” using a photo of a babe or a hunk downloaded from sites like HotorNot, and used a Web crawler to scrape other public profiles to fill in the blanks on their fake accounts. A “botherder” then built a network of zombie profiles, using command and control software to make the zombies do his bidding.
The researchers created 102 socialbot zombies (49 male, 53 female) and operated them for 8 weeks. They sent out more than 8,500 friend requests at random; more than 3,000 Facebook users said yes. (The female bots generated a significantly higher rate of positive responses – no surprise there.) They then harvested personal data from these accounts – birth dates, employers, location, addresses, phone numbers, etc.
But wait, it gets worse. Those 3,000+ Facebookers who got fooled by a bot had extended networks totaling more than 1 million friends. The bots harvested data from some of those people too – anyone whose Facebook privacy was set to allow access to “friends of friends.”
On average the bots were able to siphon 35 percent of the personally identifiable information in their direct networks (the users who accepted a request), and up to 24 percent from the extended networks (those users' friends, who never accepted anything).
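To make the friends-of-friends leak concrete, here is a small model of it in Python. It is an added example, not code from the UBC paper and not anything Facebook runs: the social graph, the per-field privacy settings and the field names are constructed for illustration, and the four visibility levels (public, friends of friends, friends only, only me) are a simplified version of the settings the post describes. Given the set of users who accepted a bot's request, it counts how many profile fields the bot can read from its direct network and from the extended network.

```python
"""Friends-of-friends exposure model (constructed example, not the UBC code)."""

# Constructed undirected friendship graph (every edge listed from both ends).
FRIENDS = {
    "alice": {"bob", "carol"},
    "bob": {"alice", "dave"},
    "carol": {"alice", "dave", "erin"},
    "dave": {"bob", "carol"},
    "erin": {"carol", "frank"},
    "frank": {"erin"},
}

# Per-field visibility setting chosen by each user (constructed values).
PROFILES = {
    "alice": {"birthday": "friends", "employer": "public", "phone": "only_me", "city": "fof"},
    "bob":   {"birthday": "friends", "employer": "friends", "phone": "only_me", "city": "fof"},
    "carol": {"birthday": "fof", "employer": "public", "phone": "fof", "city": "friends"},
    "dave":  {"birthday": "public", "employer": "friends", "phone": "only_me", "city": "friends"},
    "erin":  {"birthday": "fof", "employer": "fof", "phone": "friends", "city": "public"},
    "frank": {"birthday": "only_me", "employer": "public", "phone": "friends", "city": "friends"},
}

# How much trust a setting demands; the viewer's clearance must reach it.
REQUIRED = {"public": 0, "fof": 1, "friends": 2, "only_me": 3}
CLEARANCE = {"stranger": 0, "fof": 1, "friend": 2}


def relation(bot_friends, owner):
    """The bot's relationship to owner, given the users who accepted the bot."""
    if owner in bot_friends:
        return "friend"
    if bot_friends & FRIENDS[owner]:      # shares at least one friend with the bot
        return "fof"
    return "stranger"


def visible_fields(bot_friends, owner):
    """Profile fields of owner that the bot is allowed to read."""
    clearance = CLEARANCE[relation(bot_friends, owner)]
    return {field for field, setting in PROFILES[owner].items()
            if REQUIRED[setting] <= clearance}


def harvest(bot_friends):
    """Readable fields in the direct network (users who accepted) and in the
    extended network (their friends who did not), as (readable, total) pairs."""
    direct = set(bot_friends)
    extended = set().union(*(FRIENDS[u] for u in direct)) - direct

    def tally(users):
        readable = sum(len(visible_fields(direct, u)) for u in users)
        total = sum(len(PROFILES[u]) for u in users)
        return readable, total

    return {"direct": tally(direct), "extended": tally(extended)}


if __name__ == "__main__":
    accepted = {"alice", "erin"}   # constructed: two users clicked "confirm"
    for scope, (readable, total) in harvest(accepted).items():
        pct = 100 * readable / total if total else 0
        print(f"{scope}: {readable}/{total} fields ({pct:.0f}%)")
    # dave is two hops from every accepted user, so the bot sees him as a stranger.
    print("stranger view of dave:", sorted(visible_fields(accepted, "dave")))
```

With alice and erin accepting, the bot reads 7 of 8 fields in its direct network and 5 of 12 from the three friends-of-friends, and only dave's public birthday beyond that. The values are the model's, not the paper's; the shape is the point: one accepted request turns every friend of that user who left "friends of friends" switched on into a harvest target, and a different acceptance (try carol) pulls dave into range as well.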
How did the FIS do against the socialbots? Not well. Only 20 of the 102 socialbot zombies got blocked, all of them female, and all because other Facebook users flagged them as spam. The automated defenses themselves caught none; essentially the FIS did nothing to stop them.
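The post says only user reports stopped any of the bots. As an added example (not Facebook's FIS and not the paper's code), here is the kind of behavioral check a defender could run over a friend-request log: an account that fires off many requests to people it shares no friends with, and gets mostly declined, does not look like a person building a network. The log lines, column names and thresholds are all constructed for the example.

```python
"""Heuristic socialbot check over friend-request logs (constructed example)."""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample log, not real Facebook data.
# ts = epoch seconds; mutual = friends the sender and target already share.
SAMPLE_LOG = """\
ts,sender,target,mutual,outcome
1320000000,bot_17,u1001,0,declined
1320000045,bot_17,u1002,0,pending
1320000090,bot_17,u1003,0,accepted
1320000130,bot_17,u1004,0,declined
1320000170,bot_17,u1005,0,declined
1320000210,bot_17,u1006,0,pending
1320003600,alice,u2001,4,accepted
1320090000,alice,u2002,2,accepted
1320180000,alice,u2003,7,pending
1320500000,bot_22,u3001,1,accepted
1320500060,bot_22,u3002,1,accepted
1320500120,bot_22,u3003,2,declined
1320500180,bot_22,u3004,1,accepted
1320500240,bot_22,u3005,1,pending
"""


def account_stats(log_text):
    """Per-sender counts: requests, requests to strangers, outcomes, time span."""
    stats = defaultdict(lambda: {"requests": 0, "zero_mutual": 0, "accepted": 0,
                                 "declined": 0, "first_ts": None, "last_ts": None})
    for row in csv.DictReader(StringIO(log_text)):
        s = stats[row["sender"]]
        ts = int(row["ts"])
        s["requests"] += 1
        if int(row["mutual"]) == 0:
            s["zero_mutual"] += 1
        if row["outcome"] in ("accepted", "declined"):
            s[row["outcome"]] += 1
        s["first_ts"] = ts if s["first_ts"] is None else min(s["first_ts"], ts)
        s["last_ts"] = ts if s["last_ts"] is None else max(s["last_ts"], ts)
    return dict(stats)


def flag_socialbots(log_text, min_requests=5, zero_mutual_frac=0.8, max_accept_rate=0.5):
    """Return senders whose request pattern looks automated.

    Thresholds are illustrative.  An account is judged only after min_requests,
    so a handful of requests to strangers never trips the rule on its own.
    """
    flagged = []
    for sender, s in account_stats(log_text).items():
        if s["requests"] < min_requests:
            continue
        resolved = s["accepted"] + s["declined"]
        if resolved == 0:
            continue          # nothing decided yet: pending requests carry no signal
        accept_rate = s["accepted"] / resolved
        stranger_frac = s["zero_mutual"] / s["requests"]
        if stranger_frac >= zero_mutual_frac and accept_rate <= max_accept_rate:
            flagged.append(sender)
    return sorted(flagged)


if __name__ == "__main__":
    for sender, s in account_stats(SAMPLE_LOG).items():
        hours = (s["last_ts"] - s["first_ts"]) / 3600
        print(f"{sender}: {s['requests']} requests over {hours:.1f} h, "
              f"{s['zero_mutual']} to strangers, {s['accepted']} accepted, "
              f"{s['declined']} declined")
    print("flagged:", flag_socialbots(SAMPLE_LOG))
```

Running it flags bot_17 and nothing else. bot_22 is the caveat: a bot that waits until it has a few accepted friends and then only targets their friends shares mutual friends with every target, gets accepted far more often, and sails through this rule. Mutual-friend counts and acceptance rates are a signal, not a defense, which is roughly what the 102-to-20 score above says.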
What kinds of mayhem could this cause? Aside from harvesting your information for social engineering purposes (i.e., scamming you), such bots could be used to manipulate public opinion on a large scale, creating astroturf campaigns and spreading propaganda.
Look at the impact of Twitter and Facebook on the uprisings in Tunisia, Egypt, and Iran for starters. Now imagine what the secret police in another country could do with that tool. Or a corporation or politician, for that matter.
Actual human scammers have been doing this sort of thing for a while (see “Facebook’s fake friends epidemic”). And so far this is just a research exercise – socialbots have yet to be spotted in the wild. But once some scammer figures out how to automate this on a wide scale, watch out. There will be no stuffing the toothpaste back into the tube.
Remember that, the next time a hot looking stranger with a vaguely generic profile description tries to friend you. Just call him Mr. Bot (No relation to Ed.)
Got a question about social media? TY4NS blogger Dan Tynan may have the answer (and if not, he’ll make something up). Visit his snarky, occasionally NSFW blog eSarcasm or follow him on Twitter: @tynan_on_tech. For the latest IT news, analysis and how-to’s, follow ITworld on Twitter and Facebook.