Socialbot Network Steals Facebook Personal Data

Facebook’s in-built security systems are not effective enough to prevent the theft of personal data, according to researchers from the University of British Columbia, who built a socialbot network that collected 250GB of personal data from Facebook users.

The researchers’ network contained 102 socialbots, which collected 46,500 email addresses and 14,500 home addresses during an eight week period, after which it was dismantled due to the high volume of traffic.

The Socialbot Network

A socialbot is a piece of automated software which creates a fake social networking profile which can post messages and send friend requests, complete with profile pictures harvested from sites such as HotOrNot, and quotes generated from the likes of iheartquotes.com.

Once a friend request has been accepted by a user, the socialbot attempts to befriend that users’ friends, harvesting personal information such as home addresses, emails and phone numbers, and anyone within that user’s network is vulnerable to having their details stolen.

The network made 8,750 friend requests, of which 3,055 were accepted, causing the network to grow exponentially to 1,085,785 profiles. The study revealed that the higher a person’s friend total, the more likely they were to accept and, as the socialbot connected with more people in a network, acceptance rate increased to 60 percent.

The researchers were critical of Facebook’s in-built security systems, which blocked just 20 percent of accounts used by social bots and only because they were flagged by suspicious users.

“We conjecture that the FIS does not consider fake accounts as a real threat. Fake accounts, however, are one of the main vulnerabilities that allow a bot herder to run a large-scale infiltration campaign”, said the researchers, “Detecting and blocking such accounts, as early as possible, is the main challenge that security defenses like the FIS have to overcome in order to win the battle against a Socialbot Network.”

Security Threats

Graham Cluley, senior technology consultant at Sophos, commented: “Clearly there’s a lesson for Facebook users to learn there about the need to carefully vet who you allow to become your Facebook friend and what information you choose to share online.

“The topic of whether the researchers’ Socialbot Network experiment was right or not, is a topic for another day. But whatever its right or wrongs, it certainly presents an interesting illustration of just how easy it would be to automate identity theft on Facebook,” he added.

This is the latest in a series of security threats that have plagued Facebook, which currently employs 300 full-time staff focusing on security and safety.

The social network currently blocks 600,000 compromised logins and 200 million attempts to click on malicious links a day. Facebook has also employed a number of tools such as login approvals and notifications in an effort to improve security, and recently teamed up with Websense to protect users from malicious links.

Update: Facebook has responded to the University’s claims, saying it has “serious concerns” with the University’s results, and wil be raising them with the research group.