If you’re like countless other Facebook users, you’ve accepted a few friend requests from people you may not remember. It turns out those mysterious friends could be socialbots: fake, automated accounts run together as a botnet, much like the networks of “zombie computers” behind classic malware, and designed to harvest your and your friends’ personal information.
Botnets have been used to knock websites offline and conduct other malfeasance. Now “social botnets” have emerged as a new threat to users of Facebook, Twitter and other social networking sites, according to a paper that will be presented soon at the Annual Computer Security Applications Conference (ACSAC).
The paper’s authors, four computer security researchers at the University of British Columbia in Vancouver, operated their own social botnet, a network of 102 bots controlled from a single point, on Facebook for eight weeks. Their bots sent 8,570 friend requests, and acceptance rates reached 80 percent once a bot already shared mutual friends with the person it targeted. After that, it was easy for the bots to pull down e-mail addresses, phone numbers and other personal data that the victims had restricted to friends only. The controlling “botherder” could continue to gather data undetected, collecting an average of 175 new pieces of otherwise publicly inaccessible user data per bot, per day.
What’s more worrisome is that it’s a simple thing to do. Attackers create phony e-mail addresses, pick attractive photos for the bots’ profiles, and either pay cheap labor or use optical character recognition to defeat the CAPTCHA codes that users input to “prove” they’re human. On the Internet black market, socialbots go for a mere $29 each at the high end.
Facebook’s defenses blocked only 20 percent of the accounts used by the bots, and even that was due almost entirely to users flagging the accounts as spam rather than to Facebook’s own automated detection.
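Because the blocks described above came from user reports rather than behavioural analysis, it is worth seeing what a simple behavioural signal looks like. The script below is an added illustration, not code from the UBC paper or from Facebook’s systems: it aggregates a constructed, hypothetical friend-request log per sender and flags accounts that blast requests at high volume or mostly at strangers (targets with no mutual friends), which is the pattern a bot shows before it has built up mutual connections. The log format, the `bot01`/`alice` accounts and the thresholds are all assumptions made for the example.

```python
"""Toy behavioural detector for socialbot-style friend-request activity.

Added illustration only: the log format, sample accounts and thresholds
are assumptions for this example, not data or logic from the paper.
"""
import re
from collections import defaultdict

# One request per line: who sent it, to whom, on which day of the
# observation window, how many mutual friends existed at send time,
# and whether the target accepted (constructed format, not Facebook's).
LINE_RE = re.compile(
    r"sender=(?P<sender>\S+) receiver=(?P<receiver>\S+) day=(?P<day>\d+) "
    r"mutual=(?P<mutual>\d+) accepted=(?P<accepted>[01])$"
)

# Assumed thresholds for the illustration; a real system would tune these.
MAX_REQUESTS_PER_DAY = 20          # sustained volume a human rarely reaches
MAX_STRANGER_SHARE = 0.5           # share of requests sent to users with no mutual friends
MIN_REQUESTS_FOR_SHARE_RULE = 10   # avoid judging an account on a handful of requests


def build_sample_log():
    """Construct a small log: one bot-like sender and one ordinary user."""
    lines = []
    # bot01: 25 requests on each of two days, four out of five to strangers.
    for day in (1, 2):
        for i in range(25):
            mutual = 0 if i % 5 else 2
            accepted = 1 if mutual else (1 if i % 4 == 0 else 0)
            lines.append(
                f"sender=bot01 receiver=u{day}{i:03d} day={day} "
                f"mutual={mutual} accepted={accepted}"
            )
    # alice: three requests over a week, all to friends-of-friends.
    for day, mutual in ((1, 4), (3, 7), (6, 2)):
        lines.append(f"sender=alice receiver=u9{day}00 day={day} mutual={mutual} accepted=1")
    lines.append("garbage line that should be skipped")
    return "\n".join(lines)


def parse_log(text):
    """Yield one dict per well-formed request line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield {
            "sender": m["sender"],
            "receiver": m["receiver"],
            "day": int(m["day"]),
            "mutual": int(m["mutual"]),
            "accepted": m["accepted"] == "1",
        }


def aggregate(records):
    """Per-sender counters: requests sent, accepted, sent to strangers, active days."""
    stats = defaultdict(lambda: {"sent": 0, "accepted": 0, "strangers": 0, "days": set()})
    for r in records:
        s = stats[r["sender"]]
        s["sent"] += 1
        s["accepted"] += int(r["accepted"])
        s["strangers"] += int(r["mutual"] == 0)
        s["days"].add(r["day"])
    return stats


def score_sender(s):
    """Turn one sender's counters into features plus a flag and its reasons."""
    per_day = s["sent"] / len(s["days"])
    stranger_share = s["strangers"] / s["sent"]
    acceptance = s["accepted"] / s["sent"]
    reasons = []
    if per_day >= MAX_REQUESTS_PER_DAY:
        reasons.append(f"{per_day:.0f} requests per active day")
    if s["sent"] >= MIN_REQUESTS_FOR_SHARE_RULE and stranger_share >= MAX_STRANGER_SHARE:
        reasons.append(f"{stranger_share:.0%} of requests went to users with no mutual friends")
    return {
        "requests_per_day": per_day,
        "stranger_share": stranger_share,
        "acceptance_rate": acceptance,
        "flagged": bool(reasons),
        "reasons": reasons,
    }


def detect(log_text):
    """Map each sender in the log to its features and flag decision."""
    return {sender: score_sender(s) for sender, s in aggregate(parse_log(log_text)).items()}


if __name__ == "__main__":
    for sender, result in detect(build_sample_log()).items():
        verdict = "FLAG" if result["flagged"] else "ok  "
        print(f"{verdict} {sender}: {result['reasons'] or 'normal activity'}")
```

Note what the rule does not catch: once a bot has been accepted by a few people, its later requests carry mutual friends and its stranger share drops, which is exactly why the acceptance rate in the study climbed as the bots embedded themselves. Volume and account-age signals have to carry the detection from that point on, and a real deployment would combine them with the user reports the article describes rather than replace them.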
It may be high time to defriend those unknown friends.