The Socialbot Network: When Bots Socialize for Fame and Money

1. The Socialbot Network: When Bots Socialize for Fame and Money Authors: Yazan Boshmaf, Lldar Muslukhov, Konstantin Beznosov, Matei Ripeanu University of British Columbia Annual Computer Security Applications Conference (ACSAC) 2011 Presented By: Gavin Grant

2. Acknowledgement • http://en.wikipedia.org/wiki/CAPTCHA • http://developers.facebook.com/docs/reference/api/

3. Overview • Abstract • OSN Vulnerabilities • Socialbot Network • The Attack • Findings • FIS effectiveness

4. Abstract • Social Networks have millions of users • Illustrate that Online Social Networks (OSN) are vulnerable to infiltrations by socialbots • In particular Facebook • 80% success rate • Socialbots – computer programs that control OSN accounts and mimic real users

5. OSN Vulnerabilities • Ineffective CAPTCHAs • Hiring cheap labor ($1 per 1,000 broken) • Reusing session IDs of known CAPTCHAs • Fake User Accounts and Profiles • Email and profile • Crawlable Social Graphs • Traversing linked profiles • Exploitable Platforms and APIs • Use APIs to automate the execution of activities

6. Socialbot Network • Set of socialbots owned and maintained by human controller called the botherder • Made up of socialbots, botmaster, and command and control channel • Socialbot controls a profile • Data collected called botcargo • Capable of executing commands • Botmaster is software botherder uses to send commands through C & C channel • C & C facilitates transfer of botcargo and commands

8. Socialbots • Read, write, connect, disconnect • Set of commands used to mimic a real user • Native commands • Master commands

9. Botmaster • Botworker builds and maintains profiles • Botupdater pushes new software updates • C & C engine maintains a repository of master commands • Master commands needed • Cluster • Rand_connect(k) • Decluster • Crawl_extneighborhood • Mutual_connect • Harvest-data

10. C & C Channel • Communication model • Works with socialbot-OSN Channel • Only OSN-specific API calls and HTTP traffic • Helps in non detection

11. Effective SbN • Socialbot has to hide its real identity • Botmaster should be able to perform large-scale infiltration • C & C channel traffic has to look benign

12. The Attack • Facebook Immune System (FIS) • 8 week process • Exploited Facebook’s Graph API to carry out social-interaction operations • Used HTTP request to send friendship request • Iheartquotes.com, decaptcher.com, hotornot.com, mail.ru

14. Facebook SbN • 102 socialbots created and 1 botmaster • Users were created manually • 49 males • 53 females • 5053 valid profile IDs • 25 request per day per socialbot • Harvested data

15. Findings • First 2 weeks • 2 days t send 5043 request (2,391 male , 2.662 female) • 976 accepted (381 M, 595 F) • Next 6 weeks • 3,517 more users added • 2,079 infiltrated successfully • Generated 250 GB inbound and 3 GB outbound traffic • Acceptance rate increase to 80% as mutual friends increased

16. Data Harvested • News feeds • Profile info • Wall messages • 3,055 direct neighborhoods • 1,085,785 extended neighborhoods

17. Facebook Immune System • Real time learning system used to protect its users • Only 20 bots were flagged by system • Doesn’t consider fake accounts a real threat

18. Contribution • OSN vulnerability to a large-scale socialbot network infiltration • Defense social networks have against social bots that mimic human behavior • Prayed on common user behavior

19. Weaknesses • Only Facebook was attacked • Didn’t provide any prevention techniques

20. Improvement • Try on other social networking sites • Not create socialbots manually

21. Questions