A result of an eight week study found that Facebook‘s fake account detection mechanisms can be easily overcome by 80 percent of the time with the special help of automated tools. The study conducted by researchers from the University of British Columbia (UBC).
Yazan Boshmaf together with some of the of programmers such as Ildar Muslukhov, Konstantin Beznosov, and Matei Ripeanu created a network of 102 bots designed to pose as real humans on social networks. The researchers then released the bots on Facebook with the intention of befriending as many users as possible so that it could collect private information about the unsuspecting users.
To create a user account on an OSN [online social network] the bots must perform three tasks: providing an active email addresses, creating a user profile, and a little bit of solving a CAPTCHA. [...] They are arguing whether an adversary can fully computerize the account creation process.
The trick that the researchers did is not new since its been used before by Koobface have long used automatically created accounts in spamming malicious links. This persuaded Facebook in developing specialized detection mechanisms over the years.
According to UBC researchers, such defenses are not that effective in fighting those malwares. The social bots the researchers let lose onto Facebook targeted 5,053 arbitrarily selected users to whom they sent friend requests.
The rate at which the embattled individuals accepted these requests were 20 percent on average. The researchers found out that by using female profiles, the bots have a higher success than those bots that have male profiles. However, the rate tripled when the bots started targeting friends of those who had accepted requests.
Following the time that the bots has become a friend with new users the automated programs scraped their profiles, news feeds and wall posts so that it could gather all the pertinent information. The collected data included things like gender, birth date, place of employment, names of attended schools, home city, current city, mail address, email address, phone number, IM account IDs and marital status.
The researcher got forced to stop the test after their servers can not handle the traffic that it is getting from the said test.
During the time of the trial, Facebook’s real-time protection system only manages to block 20 of the 100 fake profiles. However, when they investigate it thoroughly, they discovered that the profiles got flagged as spam by other users.
Malware experts acknowledge Facebook’s efforts in blocking automated account creation efforts on its social network. According to antivirus vendor BitDefender, the number of threats, using the same techniques has decreased considerably in the course of the past two years.
The researchers said that the best way to protect a person’s account is by not accepting any friend invitation from unidentified users. Also, it would be better if users would not click on any links that that users sent on them, even if it comes from someone you know.