Having more friends on Facebook might not mean you’re popular, but it does make you more likely to accept an invitation from a fake friend, according to research from the University of British Columbia.
In a paper to be presented in December at the Annual Computer Security Applications Conference in Florida, the researchers will discuss an eight-week study of the use of “socialbots” – fake, computer-automated Facebook profiles – against real Facebook users. The research showed that phony, computer-generated Facebook users were able to build large networks of real Facebook users, allowing them to harvest personal information from those users’ profiles.
The researchers, Yazan Boshmaf, Ildar Muslukhov, Konstantin Beznosov and Matei Ripeanu of the University of British Columbia, set up 102 socialbots – both male and female – controlled by a single botmaster account. Each socialbot sent 25 invitations a day, each to one of 5,000 legitimate Facebook users, and the bots got 976 accepted Facebook friend requests in return – a 19.3% acceptance rate. Over a six-week period, the bots grew that initial network to include more than 3,500 profiles and gathered personal data from 2,079 of those, according to a copy of the paper, published online.
No surprise: the researchers found that Facebook users with lots of friends were far more likely to accept an invitation from a socialbot account than those with fewer friends. In fact, users with more than 4,000 Facebook friends were three times more likely to accept an invite from a socialbot than those with just over 100 friends.
The initial success became self-reinforcing, and over the course of the study the job of building up larger friend networks got easier. The overall acceptance rate jumped to 59% after the initial two-week bootstrapping period, and the researchers found that the more friends a bot and its victim had in common, the more likely an invite was to be accepted. Facebook users who had more than 11 friends in common with a bot accepted the friend invite 80% of the time, the research showed. In fact, the bots received more than 300 friend invites from their extended network of real Facebook users.
The implications of the research are concerning. The researchers point out that creating fake profiles on networks like Facebook is a trivial matter (an active e-mail account and solving a CAPTCHA are the only real requirements), while the networks expose a treasure trove of personal information about an individual, as well as his or her social graph – an incredibly valuable resource in its own right. APIs and modular, extensible platforms like Facebook’s make an attacker’s or malware author’s job all the easier.
Efforts by Facebook to stop malicious activity and phony profiles proved ineffective. Only 20 of the group’s 102 socialbot profiles ran afoul of the Facebook Immune System and were banned, even after eight weeks of operation.