When blonde zombies attack, Facebook responds (sort of)

What is Facebook doing to stop botnets from operating freely out in the open? Apparently not enough.

Well it’s been an exciting week here at TY4NS. So far I’ve tracked down a botnet filled with fake 20-something blondes and identified a few dozen companies that, wittingly or otherwise, used that botnet to artificially pump up their Facebook numbers.

At this moment I am hot on the trail of the social media mavens who sell these shady marketing techniques to companies that probably don’t have a clue that what they’re doing is a violation of Facebook’s policies, not to mention totally sleazy.

Here’s the funny thing: None of these activities are especially well hidden. Usually on the Internet black market, things like bot networks and fake accounts are bartered via pseudonymous identities in darknet forums that only the bad guys (and Feds pretending to be bad guys) know about. Or the deals are done via IRC or ICQ chat, with payments made in eGold.

These guys are using the open Web to advertise their wares, handing out their Skype IDs, making YouTube videos about how their bot controlling software works, and taking PayPal payments.

What is wrong with this picture? I asked Facebook spokesperson Fredrick Wolens. This is what he had to say:

Facebook has always been based on a real name culture.  This leads to greater accountability and a safer and more trusted environment for our users.  It’s a violation of our policies to use a fake name or operate under a false identity, and we encourage people to report anyone they think is doing this, either through the report links we provide on the site or through the contact forms in our Help Center.  We have a dedicated User Operations team that reviews these reports and takes action as necessary. 

We also have technical systems in place to flag and block potential fakes based on name and anomalous site activity.  Users who send lots of messages to non-friends, for example, or whose friend requests are rejected at a high rate, are marked as suspect.  We’ve built extensive grey lists that prevent users from signing up with names commonly associated with fake accounts. We are constantly iterating on these systems and developing new ones, to provide an even better experience for the people who use our service.

That’s about what I expected them to say. But I pressed on. What about folks who use botnets to promote their pages? I asked. What happens to them? Wolens responded thusly.

In addition to the engineering teams that build tools to block spam we also have a dedicated enforcement team that seeks to identify those responsible for spam and works with our legal team to ensure appropriate consequences follow.

He pointed me to this Facebook Security blog post about how the network successfully sued a spammer last year for $360,500,000. (Can’t wait to see them try and collect on that.) But here’s the part of this I really love. On that page, under the People You May Know list were – yes – two of the bot accounts I had written about.

fb sock puppet bot suggestions cropped.png

Why were these bots suggested as friends? Only Facebook knows for sure. But while researching this piece I had sent a friend request to “Mandy Barnes,” another bot account that’s a “friend” of the two Jasmines listed above, as an experiment. (She/it has yet to respond.) Mandy was then suggested as a friend to two of my other pseudonymous accounts.

(Yes, I understand the irony of using sock puppet accounts to ferret out other sock puppet accounts. In my defense, I am trying to use them for good and not evil.)

And this is the problem in a nutshell: The way Facebook operates makes this kind of fraud all too easy. It is too easy to set up a fake account, too easy to thwart Facebook’s “verification” techniques, and too easy for these bots to propagate and develop lives of their own, thanks entirely to how aggressive Facebook is about urging its members to connect.

The problem with Facebook bots? They can be used for more than just bogus social media marketing. They can be used to spread malware, for example, or spam out ads pretending to be status updates, or to suck up your personal information via affiliate marketing schemes.

(Wolens also asked me to remind readers that Facebook will never ask for your credit card info, social security numbers, or any other sensitive information besides your login name and password. If you do get asked for this kind of info then you’ve probably been hacked. You may now consider yourself reminded.)

I get it -- Facebook is a big place, they've got lots of scammers to contend with, and they just bungled their IPO so everyone is a little bit jangled at the moment. But jeez guys, you really need to step up your game.

As I write this, “Jasmine Wilson” has been used to pump up the “Likes” on more than 200 additional Facebook pages since the beginning of this week. If you see her, don’t say hello and don’t click Like. Report her to Facebook’s spam police. It might do some good… eventually.

Got a question about social media? TY4NS blogger Dan Tynan may have the answer (and if not, he’ll make something up). Visit his snarky, occasionally NSFW blog eSarcasm or follow him on Twitter: @tynanwrites. For the latest IT news, analysis and how-to’s, follow ITworld on Twitter and Facebook.

ITWorld DealPost: The best in tech deals and discounts.
Shop Tech Products at Amazon