Facebook's "Immune System" might not be as robust as Zuckerberg believes. In fact, four researchers from the University of British Columbia have recently demonstrated just how easily a new breed of bot can infiltrate the FB system and harvest user data.
Socialbots, also known as "sock puppet" bots, are designed to mimic a human user. Those unsolicited Friend invites you receive from scantily-clad co-eds? Socialbots. And, once Friended, they obtain instant access to email addresses, phone numbers, and the rest of the personal details that you only share with your "Friends."
Researchers from UBC devised this eight-week test, employing a single botmaster and 102 bots, to infiltrate the Facebook network specifically because the team believed FB to have superior security measures compared to other social sites (*snicker*). Their ruse eventually garnered more than 3000 new—presumably human—friends, placing the bots within a network of nearly a million users. As for Facebook's "Immune System," only 20 bots were flagged, and only because users reported them for spam. As the team explains in its research paper,
As socialbots infiltrate a targeted OSN [online social network], they can further harvest private users' data such as e-mail addresses, phone numbers, and other personal data that have monetary value. To an adversary, such data are valuable and can be used for online profiling and large-scale email spam and phishing campaigns. It is thus not surprising that different kinds of socialbots are being offered for sale in the Internet black-market for as much as $29 per bot.
$29 seems a steal given what the bots, well, steal. By targeting users with lax security settings, these bots gobbled an average of 175 pieces of private data every day and tallied 250 gigabytes of data by the end of the study. All of this data was encrypted during and deleted after the research concluded.
Some simple defenses against this sort of attack: first, tighten up your security profile—set as much to Only Me and Friends as you can; stop putting your goddamn phone number on the Internet; and don't accept any friend requests from girls named Jess whose profile pic is her in a bra. Unless, of course, you actually do know a girl that matches that description, in which case, carry on. [All Facebook via Sophos - Image via AP]
You can keep up with Andrew Tarantola, the author of this post, on Twitter, Facebook, or Google+.