What could a cybercriminal do with one million Facebook friends?Written By: Mark Risher
Nov 15, 2011 • 9:39 am No Comments
If you had any last doubts about the Milky Way sized security hole in social networks, then a recent study by the University of British Columbia (UBC) should put them to rest.
A quick summary of the study is this: a team built a social botnet with 102 accounts to see how fast and how deeply it could penetrate a group of random Facebook users, and capture sensitive information. The results are astounding. The eight-week campaign achieved:
- Successful ‘friending’ of 3,055 individuals from a total of 8,570 invites sent – a 35% rate!
- Built a one-million-person extended social network.
- Collected 250GB of personal data, including 35% of all the personally identifiable information found on friend pages, and 24% from extended, friend-of-friend networks. Captured data included:
- 580,649 birth dates
- 9,000 IM account IDs
- 14,509 home mailing addresses
- 16,682 phone numbers
- 46,466 email addresses
When we compare UBC’s success on Facebook compared to what is typical of email spam, this is nothing short of shocking. A 2008 study of email spam reported the average click-through rate being .000008% and one sale occurring for every 12.5-million email messages sent.
One can only imagine how many social web spam driven clicks and sales are happening today if the social-vs.-email success rate is exponentially higher. It’s also scary to think about how much more fraud is occurring as well. It’s not just malware and bogus friend requests we are talking about here.
Because social web spam and abuse is still considered a nascent threat, the industry is just starting to measure its impact. That said, the news of significant personal losses started breaking this year, including five-figure and six-figure fraud schemes by individual consumers reported in the news.
With results like these, 2012 promises to be a very intense year for social web spam and abuse. If these results were achieved by a dozen white-hat university students doing a side project, just think what the hardened cybercriminals are working on right now. And if one of the largest, most secure social sites can be this vulnerable, it’s important to remember that a malicious infiltration of fraudulent accounts can happen to any site on any scale. It’ll be difficult to defend against such attacks – especially if your IT or security departments are stretched thin. But external, automated defense systems can help.
Mark Risher is CEO and Co-Founder of Impermium. As the former “Spam Czar” for Yahoo!, he has regularly presented worldwide to government, industry, and consumer groups about spam, abuse, and cyber security issues.