"Socialbots", computer programs resembling humans, have penetrated Facebook and harvested 250 gigabytes of personal information belonging to thousands of users on the social networking site, according to researchers from the University of British Columbia.
In an academic paper released Wednesday, researchers said social networks were "highly vulnerable" to large-scale infiltration attacks, having achieved an 80 percent infiltration rate during a test they conducted. The eight-week study was designed to gauge how vulnerable online social networks were to large-scale infiltrations by programs designed to mimic real users.
Researchers released 102 "socialbots" targeting Facebook, each with the name and profile picture of a fictitious Facebook user and capable of posting messages and sending friend requests. The bots were used to send requests to 5,053 randomly selected Facebook users, with each account limited to 25 requests per day to avoid triggering anti-fraud measures.
In the first two-week "bootstrapping" phase, of the 976 requests sent, about 19 percent were accepted.
Over the next six weeks, the bots sent connection requests to 3,517 Facebook friends of the users who had accepted requests during the first phase. Of these, 2,079 users, or about 59 percent, accepted the second round of requests. Researchers attributed the increase to the "triadic closure principle", which predicts that if two users have a mutual friend in common, they are three times more likely to accept the connection.
"From the OSN (online social network) side, we show that it is not difficult to fully automate the overall operation of an SbN (socialbot network), including accounts creation," researchers wrote in the paper. "From the users' side, we show that most OSN users are not careful enough when accepting connection requests sent by strangers, especially when they have mutual connections."
They further found that the networks' defense mechanisms, such as the Facebook Immune System (FIS), were ineffective at identifying and eliminating fake profiles. Only 20 percent of the socialbots were blocked by FIS, and those only because users had flagged the accounts as spam.
The researchers cautioned that the data available to the bots could potentially be used for identity theft. "As socialbots infiltrate a targeted OSN, they can further harvest private users' data such as e-mail addresses, phone numbers and other personal data that have monetary value. To an adversary, such data are valuable and can be used for online profiling and large-scale e-mail spam and phishing campaigns," they said.
Sophos' senior technology consultant Graham Cluley wrote in his blog post that the research findings were "interesting". "Clearly, there's a lesson for Facebook users to learn about the need to carefully vet who you allow to become your Facebook friend, and what information you choose to share online," he said.
However, Cluley questioned whether the research was ethical.
"Facebook's security team is unlikely to look kindly on people who conduct experiments such as that done by the university researchers, and users are reminded that under Facebook's terms of services, you are not allowed to create fake profiles, should use your real name and should only collect information from other users with their consent," he said.
In response to the research, Facebook said in a statement that it had disabled more of the fake accounts than the researchers claimed.
A company spokesperson said: "We have numerous systems designed to detect fake accounts and prevent scraping of information. We are constantly updating these systems to improve their effectiveness and address new kinds of attacks. We use credible research as part of that process."
"We have serious concerns about the methodology of the research by the University of British Columbia, and we will be putting these concerns to them. In addition, as always, we encourage people to only connect with people they actually know and report any suspicious behaviour they observe on the site," the Facebook executive said.