Attack of the ‘Socialbots’ – Facebook invaders steal 250GB of data

2 Nov 2011

A socialbot army designed by Canadian researchers succeeded in pretending to be human and made off with 250GB of personal information belonging to Facebook users.

The research offers a frightening glimpse of the kind of damage hackers may be capable of inflicting on social networking sites.

Researchers from the University of British Columbia in Vancouver were able to create programmes that resembled humans and managed to infiltrate Facebook. Over the course of an eight-week investigation, a company of 102 socialbots – lines of script, basically – was released on to the social network, which is approaching 1bn users across the planet.

Each bot was able to assume a name and profile picture of a fictitious person, and friend requests were sent to more than 5,000 random accounts.

Keeping a low profile – limiting their friend requests to fewer than 25 a day – the socialbot mercenaries were able to achieve a 19pc success rate in terms of friend approvals in the first two weeks.

A further 59pc success rate was achieved in the ensuing six weeks.

In the paper entitled The Socialbot Network: When Bots Socialize for Fame and Money, the researchers were able to evaluate how vulnerable online social network (OSN) accounts have become.

“OSNs have become an integral part of today’s web. Politicians, celebrities, revolutionists and others use OSNs as a podium to deliver their message to millions of active web users. Unfortunately, in the wrong hands, OSNs can be used to run astroturf campaigns to spread misinformation and propaganda. Such campaigns usually start off by infiltrating a targeted OSN on a large scale.”

The paper continued: “We collected data related to users’ behaviour in response to a large-scale infiltration where socialbots were used to connect to a large number of Facebook users.

“Our results show that (1) OSNs, such as Facebook, can be infiltrated with a success rate of up to 80pc, (2) depending on users’ privacy settings, a successful infiltration can result in privacy breaches where even more users’ data are exposed when compared to a purely public access, and (3) in practice, OSN security defences, such as the Facebook Immune System, are not effective enough in detecting or stopping a large-scale infiltration as it occurs.”

Facebook has, however, disputed the findings, saying the test was unrealistic because it used a trusted university address that real hackers wouldn’t use. The social network also claimed it disabled more of the bad accounts, more quickly, than the researchers claim.

“We have numerous systems designed to detect fake accounts and prevent scraping of information,” a Facebook spokesperson said.  

“We are constantly updating these systems to improve their effectiveness and address new kinds of attacks. We use credible research as part of that process. We have serious concerns about the methodology of the research by the University of British Columbia and we will be putting these concerns to them. In addition, as always, we encourage people to only connect with people they actually know and report any suspicious behavior they observe on the site.”


John Kennedy is a journalist who served as editor of Silicon Republic for 17 years