Last week I read a fascinating yet terrifying paper on the natural evolution of bots. The paper is called “The Socialbot Network: When Bots Socialize for Fame and Money” by Boshmaf et al. Bots in the email security world have been around for a while and are used primarily for spamming. Socialbots are programs that mimic humans and infiltrate social networks to farm for personal data.
The paper is a great read on how the authors engineered a Socialbot network and released it on Facebook. They then studied its infiltration and propagation patterns.
First, the authors created 102 Socialbots with attractive profiles, using images obtained from top-ranked hotornot.com users. Studies show that we are suckers for looks. The Socialbots would post messages and update their statuses to seem more human by using random quotes from iheartquotes.com.
The Socialbots then generated 5053 random Facebook profile IDs (these IDs correspond to actual human Facebook users) and sent out friendship requests to them. They respected Facebook's limit of 25 requests a day (to avoid having to solve CAPTCHAs). Around 86% of the infiltrated profiles accepted the requests within the first three days of the request being sent! Keep in mind that Facebook is supposed to have a live security system in place, called the Facebook Immune System, to prevent such bot intrusions.
The experiment ran for 8 weeks, during which the Socialbots further propagated themselves by adding more user profiles based on the friends of those initially infiltrated. At the end of the 8 weeks, the Socialbots had harvested gigabytes of data from news feeds, profile information and wall messages. The bots paid special attention to Personally Identifiable Information (PII), as that has monetary value on the black market. Of course all this data was deleted at the end of the experiment, but this just goes to show how important privacy settings are. Even if you do not accept the Socialbot as a friend, your friend might have, and most people share a lot with their friends. Furthermore, you are more likely to accept the Socialbot if you have friends in common; the authors' study even confirms this.
If this doesn't scare you, picture the following scenario. Your company has a Facebook profile. You want to increase exposure, and so you accidentally accept a friendship request from what happens to be a Socialbot, as you aren't diligently scrutinizing all requests. In your company profile, some of the accepted friends are employees who happen to be the IT manager/CEO/CTO. A few weeks after accepting the Socialbot as a fan of your site, an email makes it to the Marketing department from the “IT manager”, asking them to apply an important security patch. The odds are that someone will fall for this phishing attempt, and suddenly you have a trojan harvesting information from within your company. Scared yet?