Facebook Red-Faced Over Social Bot Research

November 3rd, 2011 by Lynsey

We read about a very interesting piece of research by the University of British Columbia in Vancouver, which seems to show some real holes in the defensive armour that Facebook claim to have in place to stop identity scraping.

Researchers at the university set up over 100 fake Facebook accounts, and used social bots (like the spam bots used by those kindly spammers who want to give you millions of dollars in exchange for your lowly bank account number…) to send out thousands of fake friend requests. Users accepted the requests in their thousands, and once the spam bots had access to their network, successfully scraped a host of personal information from the user accounts – like names, addresses, email addresses and more. The researchers say that out of 8570 friend requests (from the fake accounts) 3055 Facebook users accepted the requests.

It seems that the more friends you have on Facebook, the more likely you are to accept one of these disingenuous requests – according to the data recorded in this white paper.

Facebook were not pleased at the results, which are being officially announced and presented at the Annual Computer Security Applications Conference in Florida in December. They maintain that the results are not accurate because firstly, the researchers were using a strong, safe IP address to perform the scraping. Professional spammers would not have this luxury, and therefore, would get picked up by Facebook’s own systems much quicker (and stopped much quicker too). In addition to this, Facebook say that they discovered a much larger number of these fake accounts than the numbers disclosed by the university. Despite only sending out 25 requests a day, Facebook maintain that they did in fact disable a good portion of the fake accounts.

A Facebook spokesperson has commented on the paper, saying “We have numerous systems designed to detect fake accounts and prevent scraping of information. We are constantly updating these systems to improve their effectiveness and address new kinds of attacks.”

“We use credible research as part of that process. We have serious concerns about the methodology of the research by the University of British Columbia and we will be putting these concerns to them.”

“In addition, as always, we encourage people to only connect with people they actually know and report any suspicious behaviour they observe on the site.”

The research team have commented, “Online social networks’ security defences, such as the Facebook Immune System, are not effective enough in detecting or stopping a large-scale infiltration as it occurs.”

“We believe that large-scale infiltration in online social networks is only one of many future cyber threats, and defending against such threats is the first step towards maintaining a safer social web for millions of active web users.”
