Social botnet steals Facebook data with fake profiles

Researchers have demonstrated how a type of program called a socialbot can be used to harvest vast amounts of personal data from Facebook users.

Socialbots are computer programs designed to mimic the activity of 'real' Facebook profiles, tricking users into making friends with them and mining their accounts for personal data.

Adapted from the botnets criminals use to send spam but designed to operate over a social network, they are an increasingly popular tool of internet criminals and can be bought online for as little as $29 (£18).

A team from the University of British Columbia in Vancouver created 102 socialbots, each taking control of a Facebook profile, posting messages and sending requests. One piece of 'botmaster' software was used to send commands to the other bots.

Over eight weeks, the bots sent friend requests to 8,570 Facebook users, and 3,055 of those users accepted.

The fake accounts were limited to sending 25 requests per day to prevent triggering Facebook's fraud detection software.

The researchers found that users with more friends on Facebook were more likely to accept the 'fake' friend.

From the profiles of those they befriended and the extended networks of those users' friends, the team claims to have 'stolen' 46,500 email addresses and 14,500 home addresses.

In their paper (PDF), which will be presented at next month's Annual Computer Security Applications Conference in Florida, the researchers explain: "As socialbots infiltrate a targeted online social network, they can further harvest private users' data such as email addresses, phone numbers, and other personal data that have monetary value.

"To an adversary, such data is valuable and can be used for online profiling and large-scale email spam and phishing campaigns."

Facebook has hit back at the research, saying that the bots' IP addresses came from a trusted university source, whereas the IP addresses used by real criminals would have raised alarm bells.
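The article gives a defender two signals to work with: the bots were throttled to a fixed 25 requests per day to stay under the fraud-detection threshold, and Facebook says the source IP addresses are part of its picture. The following is an added example, not code from the article, the UBC team or Facebook, showing how a platform-side monitor might combine those two signals. It scores accounts on whether their daily friend-request volume is high and unnaturally constant (a capped bot sends almost the same number every day, while people are bursty), and on whether many distinct accounts originate from one network block (the study's 102 bots were driven by a single botmaster). The event rows, the IP ranges (documentation addresses) and the thresholds are all constructed or assumed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev
import ipaddress


def build_events():
    """Constructed sample of per-account, per-day friend-request counts.

    Each row is (account_id, day, source_ip, requests_sent). The data is
    invented for this example and is not taken from the study or from Facebook.
    """
    events = []
    # Three coordinated accounts: near-constant volume just under a daily cap,
    # all sending from the same /24 network.
    bot_b_daily = [23, 25, 24, 25, 23, 24, 25]
    for day in range(1, 8):
        events.append(("acct_a", day, "203.0.113.10", 25))
        events.append(("acct_b", day, "203.0.113.11", bot_b_daily[day - 1]))
        events.append(("acct_c", day, "203.0.113.12", 25))
    # Two organic-looking accounts: sporadic, low volume, unrelated networks.
    events += [
        ("acct_d", 1, "198.51.100.7", 2),
        ("acct_d", 4, "198.51.100.7", 1),
        ("acct_e", 2, "192.0.2.44", 3),
        ("acct_e", 3, "192.0.2.44", 0),
        ("acct_e", 6, "192.0.2.44", 5),
    ]
    return events


def flat_volume_accounts(events, min_daily=20, max_cv=0.1, min_days=5):
    """Accounts that send a high, nearly constant number of requests every active day.

    A fixed cap alone is easy to stay under; the tell is the lack of variation.
    The coefficient of variation (stdev / mean) is compared against max_cv.
    Thresholds are assumptions chosen for the sample data.
    """
    per_account = defaultdict(list)
    for acct, _day, _ip, sent in events:
        per_account[acct].append(sent)
    flagged = set()
    for acct, counts in per_account.items():
        if len(counts) < min_days:
            continue  # too little history to judge regularity
        avg = mean(counts)
        if avg >= min_daily and pstdev(counts) / avg <= max_cv:
            flagged.add(acct)
    return flagged


def shared_network_clusters(events, prefix_len=24, min_accounts=3):
    """Groups of distinct accounts whose requests all originate from one network block.

    This looks at co-location rather than IP reputation, so a trusted source
    range (the university network the article mentions) does not hide the fact
    that many accounts are being driven from one place.
    """
    accounts_by_net = defaultdict(set)
    for acct, _day, ip, _sent in events:
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        accounts_by_net[str(net)].add(acct)
    return {net: accts for net, accts in accounts_by_net.items()
            if len(accts) >= min_accounts}


def suspected_socialbots(events):
    """Accounts that show both signals: flat high volume and a shared origin block."""
    flat = flat_volume_accounts(events)
    clustered = set().union(*shared_network_clusters(events).values())
    return flat & clustered


if __name__ == "__main__":
    sample = build_events()
    print("flat-volume accounts:", sorted(flat_volume_accounts(sample)))
    print("shared-origin clusters:", shared_network_clusters(sample))
    print("suspected socialbots:", sorted(suspected_socialbots(sample)))
```

Requiring both signals keeps the false-positive rate down: a single heavy networker on a campus block trips neither rule, and a dormitory full of real students shares a block but does not send a flat 25 requests a day each. A production system would add account age, acceptance rate and profile-content checks on top of this, but the two features above are the ones the article itself points to.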

The social network also maintains it disabled more of the fake accounts than the researchers claim.

"We have numerous systems designed to detect fake accounts and prevent scraping of information. We are constantly updating these systems to improve their effectiveness and address new kinds of attacks," said a spokesperson for the company.