Facebook 'Robots' Fool Users, Steal Private Data

UPDATE: This story has been updated with a response from Facebook.

You've undoubtedly received Facebook friend requests from people you don't know or don't recognize, and if you chose to ignore them, it turns out you may have unknowingly prevented an automated bot posing as a real person from stealing loads of your personal data.

Using an army of "socialbots," computer scripts designed to pass themselves off as real people on social networks, researchers from the University of British Columbia were able to harvest private data, including phone numbers, email and home addresses, and birth dates, from thousands of strangers on Facebook by infiltrating their friend networks in a proof-of-concept attack.

Each of the 102 socialbots was controlled by a central "botmaster" and was given a name, a profile picture and status updates generated from iheartquotes.com. By sending friend requests from these bots, the research team collected 250 gigabytes' worth of personal data over an eight-week span, the group wrote in its paper, "The Socialbot Network: When Bots Socialize for Fame and Money."

"Most OSN (online social network) users are not careful enough when accepting connection requests sent by strangers, especially when they have mutual connections," the team wrote. "This behavior can be exploited to achieve a large-scale infiltration with a success rate of up to 80 percent."

To back up this assertion, the researchers reported that their 102-bot socialbot network sent out 8,750 friend requests, of which 3,055 were accepted (an overall acceptance rate of roughly 35 percent), and gained an extended network of 1,085,785 profiles, all within the two-month span.

Facebook's own defense, the Facebook Immune System, which is designed to detect and flag fake accounts, blocked only about 20 percent of the socialbots.

Along with providing concrete evidence that Facebook users can easily be tricked into befriending a piece of code made to look like a human, the researchers pointed out that the harvested data can lead to some serious problems.

"As socialbots infiltrate a targeted OSN, they can further harvest private users' data such as email addresses, phone numbers, and other personal data that may have monetary value. To an adversary, such data are valuable and can be used for online profiling and large-scale email spam and phishing campaigns."

The power to pass a computer off as a real person could also have devastating impacts if the socialbot operator has a political agenda. The paper mentioned the recent Arab Spring, and the effect both Twitter and Facebook had in giving a voice to oppressed citizens and providing a platform for organizing demonstrations.

Infiltrating a network on Facebook or Twitter could grant a socialbot the ability "to spread misinformation and propaganda in order to bias the public opinion," the researchers said.

UPDATE: In an email to SecurityNewsDaily, Facebook made clear it employs technologies to combat socialbots like the ones the researchers deployed.

"We use a combination of three systems here to combat attacks like this – friend request and fake account classifiers, rate-limiting techniques and anti-scraping technology," a Facebook spokesperson told SecurityNewsDaily. "These classifiers block and disable inauthentic friend requests and fake accounts while rate-limiting truncates the damage that can be done by any one entity."

"We are constantly updating these systems to improve their effectiveness and address new kinds of attacks. We use credible research as part of that process," Facebook added. "We have serious concerns about the methodology of the research by the University of British Columbia and we will be putting these concerns to them. In addition, as always, we encourage people to only connect with people they actually know and report any suspicious behavior they observe on the site."
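To make the two controls Facebook names above (rate limiting of friend requests and classification of inauthentic requests) concrete, here is a toy detector added for this article. It is not Facebook's code and says nothing about how Facebook's classifiers actually work; the log format, the sample log lines, the one-hour window, the five-request quota and the acceptance-ratio threshold are all assumptions chosen for illustration. The acceptance-ratio heuristic is motivated by the numbers in the paper (3,055 accepted out of 8,750 requests): an account that sprays requests at strangers tends to have a far lower acceptance rate than one that only adds people it knows.

```python
"""Toy friend-request abuse detector (added example, not Facebook's system).

Two signals are run over a friend-request log:
  1. a sliding-window rate limit per sender, and
  2. a low-acceptance-ratio heuristic per sender.
Log format, thresholds and sample data are assumptions for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log (not real data). One event per line:
# <ISO-8601 timestamp> <sender> <recipient> <outcome>
# "sb-01" plays a socialbot spraying requests; "u-2001" is an ordinary user.
SAMPLE_LOG = """\
2011-08-01T09:00:00Z sb-01 u-1001 accepted
2011-08-01T09:00:30Z sb-01 u-1002 ignored
2011-08-01T09:01:00Z sb-01 u-1003 ignored
2011-08-01T09:01:30Z sb-01 u-1004 ignored
2011-08-01T09:02:00Z sb-01 u-1005 accepted
2011-08-01T09:02:30Z sb-01 u-1006 ignored
2011-08-01T09:03:00Z sb-01 u-1007 ignored
2011-08-01T10:00:00Z u-2001 u-2002 accepted
2011-08-02T12:00:00Z u-2001 u-2003 accepted
2011-08-03T08:30:00Z u-2001 u-2004 ignored
"""

MAX_REQUESTS_PER_WINDOW = 5   # assumed quota per sender per window
WINDOW_SECONDS = 3600         # assumed sliding window length (one hour)
MIN_REQUESTS_FOR_RATIO = 5    # assumed: do not judge a ratio on tiny samples
MIN_ACCEPT_RATIO = 0.5        # assumed: below this the sender looks like a stranger-sprayer


def parse_log(text):
    """Parse log lines into (timestamp, sender, recipient, outcome), oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, sender, recipient, outcome = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, sender, recipient, outcome))
    events.sort(key=lambda e: e[0])
    return events


def rate_limit_violations(events):
    """Sliding-window limiter: count requests per sender that would be refused
    because the sender already used its quota inside the window. A refused
    request does not consume quota, as a real limiter would behave."""
    recent = defaultdict(deque)
    violations = defaultdict(int)
    for when, sender, _, _ in events:
        window = recent[sender]
        while window and (when - window[0]).total_seconds() >= WINDOW_SECONDS:
            window.popleft()
        if len(window) >= MAX_REQUESTS_PER_WINDOW:
            violations[sender] += 1
        else:
            window.append(when)
    return dict(violations)


def acceptance_ratio(events):
    """Fraction of each sender's requests that the recipient accepted."""
    sent = defaultdict(int)
    accepted = defaultdict(int)
    for _, sender, _, outcome in events:
        sent[sender] += 1
        if outcome == "accepted":
            accepted[sender] += 1
    return {s: accepted[s] / sent[s] for s in sent}


def flag_senders(events):
    """Combine both signals into a per-sender list of reasons; senders with no
    reason are omitted."""
    reasons = defaultdict(list)
    for sender, n in rate_limit_violations(events).items():
        if n > 0:
            reasons[sender].append("rate_limit")
    sent = defaultdict(int)
    for _, sender, _, _ in events:
        sent[sender] += 1
    for sender, ratio in acceptance_ratio(events).items():
        if sent[sender] >= MIN_REQUESTS_FOR_RATIO and ratio < MIN_ACCEPT_RATIO:
            reasons[sender].append("low_acceptance")
    return dict(reasons)


if __name__ == "__main__":
    for sender, why in flag_senders(parse_log(SAMPLE_LOG)).items():
        print(sender, why)
```

On the constructed log, `sb-01` fires both signals (seven requests in three minutes against a five-per-hour quota, and two acceptances out of seven), while `u-2001` fires neither: three requests spread over three days stay under the quota, and with fewer than five requests its ratio is not judged at all. The small-sample guard matters in practice, because a new account that sends one request and is ignored should not be treated as a bot.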