It's not easy to stop the social bots
The complexity of social botnets makes it difficult to craft an effective security policy against them, the UBC researchers say. Widespread access to online services, including features such as crawling social networks and ease of participation, introduces conflicts between security and usability.
Security online relies on several assumptions. One key assumption is that fake accounts have a hard time making friends -- in other words, you can easily tell a real account from a fake one by looking at its friendship circle. The UBC experiment proves social bots can be human enough to trump this assumption.
When the fakes ingrain themselves so well in the network that they are indistinguishable from the authentic accounts, you face a more fundamental concern: How do you rely on data in your social network? After all, many technological, economical, social, and political activities depend on that info.
For example, Facebook lets users interact with the site automatically, so outside service providers can integrate their offerings. This makes it as easy for social bots to use Facebook as it is for people. Facebook also lets users browse through extensive data sets, to make the site more convenient and useful. Social bots can take advantage of this openness to harvest massive amounts of private data.
The UBC researchers divide the available defensive strategies into prevention and limitation. Prevention requires changing the prospects facing a potential social botnet operator. In other words, that means putting up more barriers for automated access, because such automation favors computer-driven invaders. That of course risks turning away human users who don't want to jump through the hurdles either.
Limitation means accepting that infiltrations will occur and focuses on capping the damage. Today, social networks rely on limitation to respond to adversaries: They observe differences in the structure and actions of social botnets compared to human networks, then use that detection to close down artificial accounts. But as social botnets gradually extend their tentacles into human networks, acquiring in the process a similar social structure, this limitation defense becomes less effective.
The social botnet business model
The economics also favor the botnet operators. Many cyber thieves use "zombie" PCs, systems infected with malware that turns them into free processors for the botnets; key loggers and data stealers are common uses of such "zombie" PCs today. Botnet operators could use them for powering the social bots and the botmasters, so the only significant costs are in creating the social bots in the first place.
Of course, botnet operators need enough reach to pay back their investments and make the efforts worth their while. And the cost of massively scaling the botnet -- the programming is much more sophisticated, and the costs of avoiding detection grow as well -- means there's a natural limit to how wide such infiltrations may go. The UBC researchers calculate a social botnet needs just 1,000 or so human friends to be profitable, if data theft is the business model.
That limit could be extended if botnet operators could get each social bot to befriend far more people than ordinarily possible, such as by cycling through friends as it harvests private data, maintaining an ideal-size roster of the average number of friends at any one point but changing the group over time (unlike human networks, which tend to keep the same people for years). Think of it as social climbing for social bots.
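The limitation defense described earlier works by spotting structural and behavioral differences between bot accounts and human ones, and the friend-cycling tactic just described leaves exactly such a trace: the roster size looks ordinary at any instant, but its membership turns over far faster than a human's. The following is an added example (not code from the UBC researchers, from Facebook, or from the original article) of how a platform operator could score that churn from its own periodic snapshots of each account's friend list. The account names, the friend identifiers, the snapshot data and the two thresholds are all constructed for illustration.

```python
"""Flag accounts whose friend list stays a steady size but keeps changing members.

Constructed example: the platform is assumed to record each account's friend
set at regular intervals (e.g. weekly). A human roster mostly accumulates;
a friend-cycling bot keeps a fixed-size roster whose members rotate.
"""
from typing import Dict, List, Set


def jaccard_distance(a: Set[str], b: Set[str]) -> float:
    """Fraction of the combined roster that changed between two snapshots."""
    if not a and not b:
        return 0.0
    return 1.0 - len(a & b) / len(a | b)


def churn_profile(snapshots: List[Set[str]]) -> Dict[str, float]:
    """Summarise one account's history as (mean turnover, roster-size spread).

    mean_turnover: average Jaccard distance between consecutive snapshots.
    size_spread:   (max size - min size) / max size, i.e. how much the roster
                   grew or shrank over the window; ~0 means a steady size.
    """
    sizes = [len(s) for s in snapshots]
    turnovers = [jaccard_distance(x, y) for x, y in zip(snapshots, snapshots[1:])]
    mean_turnover = sum(turnovers) / len(turnovers) if turnovers else 0.0
    size_spread = (max(sizes) - min(sizes)) / max(max(sizes), 1)
    return {"mean_turnover": round(mean_turnover, 3), "size_spread": round(size_spread, 3)}


def flag_churners(
    accounts: Dict[str, List[Set[str]]],
    turnover_threshold: float = 0.3,   # hypothetical cut-off, tune on real data
    size_tolerance: float = 0.2,       # hypothetical cut-off, tune on real data
) -> List[str]:
    """Return accounts with a steady roster size but high membership turnover.

    A fast-growing new account also shows high turnover, but its size_spread
    is large, so the size check keeps it out of the flagged set.
    """
    flagged = []
    for name, history in accounts.items():
        profile = churn_profile(history)
        if (profile["mean_turnover"] >= turnover_threshold
                and profile["size_spread"] <= size_tolerance):
            flagged.append(name)
    return sorted(flagged)


def _friends(prefix: str, start: int, end: int) -> Set[str]:
    """Helper to build constructed friend sets like {'f1', ..., 'f10'}."""
    return {f"{prefix}{i}" for i in range(start, end + 1)}


# Constructed sample histories, four snapshots each:
#  - alice: an established human account that gains a friend or two.
#  - carol: a new human account that grows quickly but keeps everyone.
#  - bot_1: a friend-cycling bot that always shows 10 friends, half of them new.
SAMPLE_ACCOUNTS: Dict[str, List[Set[str]]] = {
    "alice": [_friends("f", 1, 10), _friends("f", 1, 11), _friends("f", 1, 12), _friends("f", 1, 12)],
    "carol": [_friends("g", 1, 2), _friends("g", 1, 6), _friends("g", 1, 12), _friends("g", 1, 20)],
    "bot_1": [_friends("p", 1, 10), _friends("p", 6, 15), _friends("p", 11, 20), _friends("p", 16, 25)],
}


if __name__ == "__main__":
    for name, history in SAMPLE_ACCOUNTS.items():
        print(name, churn_profile(history))
    print("flagged:", flag_churners(SAMPLE_ACCOUNTS))
```

Run on the sample, `alice` shows a mean turnover of about 0.06, `carol` a high turnover (about 0.52) but a size spread of 0.9 because she is simply growing, and `bot_1` a turnover of about 0.67 with a size spread of 0, so only `bot_1` is flagged. In practice this is one signal among several; the thresholds above are placeholders that would have to be calibrated against the platform's real friend-list histories.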
Selling Facebook friends would pull in a heftier take than data theft, the researchers found, offering another revenue stream -- or even business model.
Facebook has acknowledged that its service has tens of millions of fake accounts. Other services such as Twitter and comment sections of websites also have hefty numbers of fake accounts used by spammers and phishers. Just imagine how those numbers could grow once social bots become more than a university experiment -- and how much more effective they could be at fooling us all.
This story, "Your Facebook friends may be evil bots," was originally published at InfoWorld.com.