Facebook botnets have gone wild

Is your new Facebook BFF really a fake account being used in a botnet? Look closely and it seems obvious -- but it's apparently not obvious to Facebook.


According to their Facebook profiles, Mandy Barnes, Jasmine Wilson, May Price and Mindy Bennett have a lot in common. So do Meredith Gonzales, Sonja Watson, Lucia Long and Meredith Baker.

They are all around the same age (early 20s) and attractive, but not in a supermodel kind of way. They are all Facebook friends, despite living in different areas of the country and attending different schools. Their favorite sport is, somewhat inexplicably, cricket. Their favorite movie is the even more obscure Arab Spring Wedding. They have all posted exactly three Facebook photos, and they all have the same favorite quotation.

But the biggest thing they have in common is that they’re all fake accounts, created by the same bot-scammer to commit fraud.

Look at any of these profiles by themselves and you probably wouldn’t stop to think twice about them. (Unless you noticed that bit about 20-something American gals liking cricket – really, does anyone outside the UK and its former colonies enjoy cricket?) Look at more than a couple in a row, though, or two of them side by side, and the ruse becomes obvious.

 

Last year I wrote about an experiment conducted by researchers at the University of British Columbia in which they created a network of about 100 Facebook bots to see how many real people they could get to friend them. The researchers easily evaded Facebook’s defenses and convinced thousands of Facebook users to friend their lifeless creations. Using photos of pretty women increased the success rate significantly.

It appears the zombie social networks have escaped from the lab and are now staggering around in the wild. There is a thriving black market in fake Facebook accounts, as well as in software that lets you create your own.

Want a generic account that Facebook hasn’t verified? They run from 6 to 20 cents apiece. If you want a PVA – a phone verified account for which Facebook has sent a code via text message to a phone, requiring a human to log into Facebook and enter that code -- the prices start at $1.50 per account. And it’s not just Facebook; Twitter, G+, AOL, iTunes, Craigslist all have their own markets for faux personae.

 

I can’t decide what’s more shocking: how lazy the scammers are, or how inept Facebook is in ferreting them out. Really, these guys are hardly rocket scientists. The scammers take a generic profile, change a handful of details, and post it to Facebook. Oftentimes they don’t even bother changing the names. Sometimes they reuse the same photographs for different profiles. Sometimes they use a man’s name and a woman’s picture, or vice versa. And that favorite “quotation” that keeps popping up everywhere? It’s either “Hi” or “Hello” followed by a series of ellipses.

These guys aren’t even trying. And yet it doesn’t matter. They create these profiles all around the same time, using 95 percent of the same data, and Facebook doesn’t blink. So much for that vaunted Immune System Facebook likes to boast about.
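The two signals described above, profiles that share almost all of their data and were created around the same time, are enough for a simple pairwise check. The sketch below is an added example, not code from this article or from Facebook; the profile records, field names and thresholds are constructed assumptions.

```python
from datetime import date
from itertools import combinations

# Constructed sample data, not real accounts. Shared values echo the article.
_BOT = {"sport": "cricket", "movie": "Arab Spring Wedding", "quote": "Hi...",
        "photos": 3, "age": 22}
PROFILES = [
    {"id": "bot1", "created": date(2012, 6, 1),
     "fields": {**_BOT, "city": "Austin", "school": "School A"}},
    {"id": "bot2", "created": date(2012, 6, 2),
     "fields": {**_BOT, "city": "Boston", "school": "School B"}},
    {"id": "bot3", "created": date(2012, 6, 3),
     "fields": {**_BOT, "city": "Denver", "school": "School C"}},
    {"id": "user1", "created": date(2012, 6, 2),
     "fields": {"sport": "cricket", "movie": "Alien", "quote": "Carpe diem",
                "photos": 48, "age": 31, "city": "Leeds", "school": "School D"}},
    # Same template, but created years earlier: outside the time window.
    {"id": "old_twin", "created": date(2009, 1, 5),
     "fields": {**_BOT, "city": "Miami", "school": "School E"}},
]

def match_ratio(a, b):
    """Share of profile fields (present in either) whose values are equal."""
    keys = set(a) | set(b)
    norm = lambda v: str(v).strip().lower()
    same = sum(1 for k in keys if k in a and k in b and norm(a[k]) == norm(b[k]))
    return same / len(keys) if keys else 0.0

def find_clusters(profiles, min_ratio=0.7, window_days=7):
    """Group accounts that are near-duplicates AND were created close together."""
    parent = {p["id"]: p["id"] for p in profiles}
    by_id = {p["id"]: p for p in profiles}

    def find(x):  # union-find root lookup with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(by_id, 2):
        pa, pb = by_id[a], by_id[b]
        close = abs((pa["created"] - pb["created"]).days) <= window_days
        if close and match_ratio(pa["fields"], pb["fields"]) >= min_ratio:
            parent[find(a)] = find(b)  # merge the two accounts' groups
    groups = {}
    for pid in parent:
        groups.setdefault(find(pid), []).append(pid)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

if __name__ == "__main__":
    print(find_clusters(PROFILES))
```

The pairwise comparison is quadratic in the number of accounts, so at scale it would need a blocking step first, such as bucketing by signup day.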

Mindy, Mandy, May, et al have only been live on Facebook for about a week. But I found a second nest of bots that have been operating since March. Collectively this last group has Liked the same list of nearly 1000 pages. I have no idea how many bots are operating in this particular nest, but I wouldn’t be surprised if it numbered in the thousands.

It’s a form of blackhat SEO called “Like fraud.” And while this may not be a huge concern for the average user, it is seriously bad news for Facebook and its dreams of creating a new advertising system based on what people “Like.” If the world’s biggest social network can be gamed this easily using fake profiles, then nothing on it can be trusted. If a scammer can sell “Likes” for less than a penny apiece, then they are essentially worthless – both to users like you and me, and to the advertisers Facebook is banking on.

There is more to this story. Stay tuned for news on the ways these bots operate in a future post. 

Got a question about social media? TY4NS blogger Dan Tynan may have the answer (and if not, he’ll make something up). Visit his snarky, occasionally NSFW blog eSarcasm or follow him on Twitter: @tynanwrites. For the latest IT news, analysis and how-to’s, follow ITworld on Twitter and Facebook.
