Facebook hoaxes, botnets and data mining

Creating a fake Facebook account has always been a violation of Facebook’s terms and conditions so, on the face of it, researchers from the University of British Columbia (UBC) have just racked up a bunch of violations. How? As reported by TechCrunch and PC World, they created a network of about 100 bots that acted like humans, then the researchers pointed the botnet at Facebook and told it to make friends with human users and collect personal data, as described in this paper: The Socialbot Network: When Bots Socialize for Fame and Money.

Before anyone panics, all the fake accounts and harvested data have been destroyed, according to the researchers. What remains frightening is the ease with which the attack was carried out, the degree to which it succeeded, and the vast amount of data (250 gigabytes) that it harvested in a very short period of time, using relatively few resources.

The techniques used in the attack are detailed in the research paper (PDF), which will be presented in December at the 27th Annual Computer Security Applications Conference in Orlando, Florida. But you don’t have to be an academic security researcher to imagine what might happen if you substituted “well-funded criminals” for “ethical researchers in academia”. Yet it is not clear what is stopping that from happening. The UBC research was, in effect, a test of the Facebook Immune System, which is intended to prevent fake account creation. The researchers found that only 1 in 5 fake profiles were blocked by Facebook. If you have criminal intentions, this is good news. The chances of getting funding for your illegal Facebook scam based on fake accounts just improved. (I can see the UBC study being part of the investor package at VC briefings, where VC = Vice Capital.)

None of which is good news for Facebook, which is currently dealing with an audit in Europe that is intended “to determine whether Facebook has violated Ireland’s data protection laws.” That doesn’t sound like a big deal until you realize that Ireland is where Facebook chose to base its European operations, and Ireland’s laws cover a lot of Facebook’s non-US members, oh, and the Europeans take their privacy very seriously.

European countries have Data Protection Commissioners and, as the Huffington Post reported last month, the Irish Data Protection Commissioner is looking into Facebook because, when Max Schrems, a 24-year-old law student in Austria, asked Facebook for a copy of all the data pertaining to him that Facebook had collected, he was sent a CD containing more than 1,200 pages (including wall posts, messages, removed friends, pokes, and more). Much of this data was a surprise to Schrems because he thought he had deleted most of that activity. The report from the Data Protection Commissioner should be published by the end of the year.

And just to round out the current privacy and security threat-scape for Facebook, one of the few Internet companies that is larger than Facebook, namely Google, just entered a new phase of scrutiny from the Federal Trade Commission, known as a Consent Order. The first phase comes in two parts. Google must establish and implement, and thereafter maintain, a comprehensive privacy program that is reasonably designed to: address privacy risks related to the development and management of new and existing products and services for consumers; and protect the privacy and confidentiality of covered information. And it can’t be any old privacy program: “Such program, the content and implementation of which must be documented in writing, shall contain privacy controls and procedures appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the covered information, including…” (five key points follow, all of which are spelled out in the Consent Order listed here).

The second phase of the FTC Consent Order requires Google to obtain initial and biennial assessments and reports (“Assessments”) from a qualified, objective, independent third-party professional…right now and every two years thereafter, for twenty years. Yep, that’s 20 years. I’m thinking an order like that would not sit well with Facebook, but the FTC has been asked to look into how Facebook handles privacy and security. (For more on the FTC v. Google matter, check out Andrew Serwin’s post on the original announcement.)

Let us know what you think about Facebook security. Do you think Facebook is doing a good job protecting your personal data, or do you stay away from Facebook because of security concerns? And what do you think of research like this, which violates terms and conditions in order to prove a point?

Stephen Cobb
Security Expert for ESET

Facebook Sympathy Hoax: No Surprises

No, Craig Shergold doesn’t need a heart transplant. Others do, but Facebook sharing isn’t the best way to accomplish that. “Craig who?” you may be asking…

Back in 1989, the most successful sympathy (semi-)hoax of all time set out on its weary trek towards the Guinness Book of Records. The bare facts (as I understand them): the story grew that an appeal had been made on behalf of Craig Shergold, then aged nine and diagnosed with a terminal brain tumour, to send him greetings cards so that he could make the Guinness Book of Records. There is some disagreement on the detail of how the appeal was initiated – compare the Wikipedia account to the alt.folklore.urban FAQ now hosted here. However, that’s minor compared to the confusion generated by hoaxers later (hold that thought).

Sure enough, the record was broken in 1989: considerable pushing from the media might have had something to do with that. And in 1991, an American businessman paid for an operation that resulted in the successful removal of the tumour. That also, no doubt, legitimized the idea that chain-letters can be used to promote a good cause, but I can’t bring myself to gripe about that happy ending for Craig Shergold, who apparently remains alive and well.

Unfortunately, so are the chain-letters, even though, according to the FAQ, the Shergold family asked very publicly for people to stop sending cards in March 1991 (and on several occasions subsequently). Even though the Guinness Book of Records made it clear that it would not be caught again endorsing further attempts on that record. Even though the Make-a-Wish Foundation, which never had anything to do with the appeal in the first place, had to point out on its web site that it has no connection with the many chain-messages that feature sick children and claim to be associated with the Foundation. It even gives a list of some of the names of children mentioned in such messages. And sure enough, several of them are variations on the name of Craig Shergold that we associate with full-hoax variations on the original chain-letter, many of which decided that he wanted business cards or compliments slips rather than get-well cards.

It’s thought that the number of cards sent to the house in the UK where the Shergold family once lived runs well into the hundreds of millions (not counting business cards and compliments slips, or the stuff sent under the same umbrella to other addresses run by charitable organizations). Let alone the Craig Shergold clones, some of whom are apparently still aged seven and living in parts of the world very far removed from Carshalton.

Nowadays, most of this material is simply pulped. If the Shergold family were still receiving it, I guess they would have had to move to the British Library by now, though even that august institution probably doesn’t have that much storage space…

What does this have to do with Facebook? Well, I haven’t come across the Shergold hoax on Facebook, though it wouldn’t surprise me to learn that it has been spread that way: other email hoaxes have made that transition very successfully. But I’ve mentioned before that I believe Facebook to be the natural home of the hoax nowadays, rather than email. And the ever-reliable urban-legend tracking site snopes.com has spotted a Facebook hoax which, though not a variant of the Shergold hoax, has one or two interesting (and discomforting) similarities.

  • Obviously, it’s a sympathy hoax that concerns sick children (allegedly, in Bangalore, India).
  • Less obviously, the sick child in the photograph has nothing to do with the story.
  • While the hoax isn’t (directly) email-related, it does try to convince the reader that forwarding the message via Facebook shares will result in lifesaving operations: to that extent, it resembles later email hoaxes that claimed that (for instance) cancer research would benefit from the forwarding of messages.
  • The phone number included in the hoax message is actually the real phone number of an organization that does provide similar healthcare. I daresay they’d be pleased to hear from people taking up Barbara Mikkelson’s suggestion to pledge money and/or time rather than Facebook shares (or tweets, another 21st century hoax vector), but they probably don’t want to hear from people simply checking that their FB shares had achieved something for them to feel good about.

You may have encountered the term slacktivism: it refers to the understandable preference for good deeds that don’t involve any actual expense in time or money to the person who does the deed. It’s one of the secret weapons of the dedicated hoaxer: while most hoaxes are based on the “hook” that “if you forward this message, you will get something out of it”, it does seem from the success of some similar hoaxes that if “something” is the warm glow of knowing that you’ve helped save someone’s life without any personal inconvenience or expense, that may be a more successful incentive than free trainers, a free cellphone, or even a cheque from Bill Gates.

Scepticism in the face of a promise of “something for nothing” (irrespective of the “beneficiary”) may be less rewarding in terms of warm fuzzies, but if more people did have that degree of scepticism, there would be a dramatic impact on out-and-out cybercrime, let alone on hoax dissemination.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow
