A team of student researchers at the University of British Columbia Vancouver released 102 socialbots – software that mimics real users – into Facebook to test the social network’s ability to combat against such menace.
The so-called “socialbot network,” or SbN, sent out a total of 8,570 connection requests, during a period of 8 weeks. The requests went to a total of about 5,000 randomly selected Facebook users, according to the group’s research paper (pdf), which will be presented at the Annual Computer Security Applications Conference in Orlando, Florida, next month.
The bots were able to automatically gather 250GB of personal user data from 3,055 Facebook members who mistakenly accepted friend requests from the fake user profiles. The fake profiles included a fake photograph, as well as status updates pulled directly from iheartquotes.com. Most of the data obtained by the SbN was intended to be seen only by users’ friends, and included 46,500 email addresses and more than 14,500 home addresses.
About 20 percent of the SbN socialbots were detected by the Facebook Immune System, which is designed to automatically detect fake profiles, though most of the detection was due to users reporting the fake accounts as spam, the report says.
Facebook, of course, is not happy about the experiment, and says it is concerned about the methodology used by the researchers.
“We have numerous systems designed to detect fake accounts and prevent scraping of information. We are constantly updating these systems to improve their effectiveness and address new kinds of attacks,” a Facebook spokesperson said in a statement to media outlets.
“We use credible research as part of that process. We have serious concerns about the methodology of the research by the University of British Colombia and we will be putting these concerns to them.
“In addition, as always, we encourage people to only connect with people they actually know and report any suspicious behavior they observe on the site.”
The research team addresses the ethical concerns of the experiment, but concluded that they were justified in their actions.
“Online social network’s security defences, such as the Facebook Immune System, are not effective enough in detecting or stopping a large-scale infiltration as it occurs,” the team wrote in the report.
“We believe that large-scale infiltration in online social networks is only one of many future cyber threats, and defending against such threats is the first step towards maintaining a safer social web for millions of active web users.”
Unlike traditional botnets, which are controlled by people who then steal data from users’ computers, the SbN was controlled automatically by a ‘botmaster’ program. A single socialbot can be purchased for about $29.