October 27, 2011, 12:00 PM — New Scientist has a fascinating story today about the lengths to which Facebook goes to combat cyber scoundrels.
Called the Facebook Immune System, it is very likely the biggest, most comprehensive network security mechanism on the planet. The FIS scans up to 650,000 status updates, photos, and videos posted every second – more than 25 billion a day – using AI to identify suspicious behavior that could be a sign of spammishness.
As a result, less than 4 percent of messages are spam, which means only about 1 in 200 Facebook users are affected by it every day. To put it another way, 4 million Facebookers still get spam-scammed every 24 hours – like I did last week. Such is the price of having a population bigger than all but two countries.
But buried in that story are the results of a research paper by security researchers at the University of British Columbia that details how to skip past the FIS to infiltrate user accounts.
The geeks (Yazan Boshmaf, Ildar Muslukhov, Konstantin Beznosov, Matei Ripeanu) managed to punch a hole in Facebook’s security net using “socialbots” – pieces of software that look and act like humans online. (Serious nerds can download the entire paper here.)
The UBC crew created code that could log onto a social network and automatically create a fake user account – no human intervention required. Like human spammers, they made the accounts “socially attractive” using a photo of a babe or a hunk downloaded from sites like HotorNot, and used a Web crawler to scrape other public profiles to fill in the blanks on their fake accounts. A “botherder” then built a network of zombie profiles, using command and control software to make the zombies do his bidding.
The researchers created 102 socialbot zombies (49 male, 53 female) and operated them for 8 weeks. They sent out more than 8500 friend requests at random; more than 3000 Facebook users said yes. (The female bots generated a significantly higher rate of positive responses – no surprise there.) They then harvested personal data from these accounts – birth dates, employers, location, addresses, phone numbers, etc.
But wait, it gets worse. Those 3000+ Facebookers who got fooled by a bot had extended networks totaling more than 1 million friends. The bots harvested data from some of those people too – anyone whose Facebook privacy was set to allow access to “friends of friends.”
On average the bots were able to siphon 35 percent of personally identifiable information from their direct networks, and up to 24 percent from the extended networks.