Social Engineering Attacks: Why Some of Your Friends are Non-Human

And I don’t mean the guy in your office who never laughs at your jokes. I’m talking about your Facebook friends because, if you have a lot of them, it is almost guaranteed that some of them are not who they say they are. Oh, sure, they look like real people. They have a photo and likes and they even post interesting messages. Unfortunately, they are dead, or, more correctly, were never alive. They are bots and they are your friends for a number of reasons, most of which have nothing to do with how charming you are. The more popular you think you are, the more likely your friends are using you for their own ends. Narcissists beware.

At any one time, about 61.5 million bots are masquerading as people on Facebook. Many are caught and booted off, but you can be sure that they will be back. It’s an ongoing war which Facebook valiantly fights and sadly loses everyday. Bots are just too easy to create and they rapidly procreate by using friends like you. To a bot, you are nothing more than an opportunity to procreate. Come to think of it, such behavior might not be confined only to bots.

Facebook is the most extensive Online Social Network (OSN). When you develop a network of friends, you develop an individual social network or profile. Some researchers at the University of British Columbia wondered if well-designed bots could be used to organize their own individual networks, which the researchers referred to as a Socialbot Network (SbN). They define such a network as “a set of socialbots that are owned and maintained by a human controller called the botherder”. Each bot is capable of performing a number of tasks on its own or taking commands from the botmaster.

The botherder can be considered the organization or individual that designed the SbN for a particular purpose and decides what to do with any gathered information. The botmaster is software that performs the actual C&C (command and control) of the bots under the direction of the botherder.

In the final analysis, the bots behave as normal users. They update their profiles, post messages, and send and receive friend requests. Bot profiles can be created using a variety of techniques; however, such bots must also appear to be attractive as potential friends. To this end, it was found that “using a profile picture of a good looking woman or man has had the greatest impact.” (See my post on Phishing with Naked Women and Romantic Lures.) Where did they get such pictures? From what is probably the most narcissistic website on the planet. Here, people who obviously believe they are God’s gift to humanity post their pictures to be assured of how “hot” they are. Since these pictures are all for public use, or at least for those who join the network, they can easily be used to set up fake Facebook accounts. Such accounts are powerful in creating large networks of friends.

In order to get from zero friends to many friends, the researchers learned that two key factors can be exploited. The first is the number of friends a person has, and the second is whether the two share common friends. On Facebook, it was determined that anyone with over 130 friends was easy to compromise. In other words, such people have a drive to be popular, and popularity is equated with having large numbers of friends. Friend requests based on a mutual friend have a 3 times better chance of being accepted than requests with no common friend. If the two share over 10 mutual friends, the acceptance rate is over 80%. Such connections are easily discovered and exploited using basic search algorithms.

With all of the above in place, the researchers, over an 8 week period, had 102 socialbots send out 8,570 friend requests, of which 3,055 were accepted. Interestingly, the socialbots received 331 friend requests from others within their neighborhood, in my opinion likely based on their physical attractiveness. (After making this assumption, I learned that attractive female socialbots received 20-30 times the friend requests of male socialbots. Make of that what you will.) Facebook does have a program in place that is designed to block suspicious activity. It is called FIS (Facebook Immune System). However, during the time this research was conducted, it was largely ineffective, blocking just 20 profiles, and not on its own, but because users reported suspicions about some of the bots.
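To make the two factors from the study concrete (mutual friends roughly triple acceptance, more than 10 mutual friends pushes acceptance over 80%, and users with over 130 friends are easy targets), here is a small simulation I have added; it is not code from the post or from the UBC researchers, and it contacts no real network. It builds a constructed friend graph, lets one bot befriend a random seed set, and then lets it request only users who now share a friend with it, which is the friend-of-a-friend growth the post describes. The acceptance probabilities, the graph shape, the seed size and the number of rounds are all assumptions. The second policy models the defensive habit the post argues for: treating "we have mutual friends" as no evidence at all when you do not know the requester, since those mutual friends may have accepted the bot the same way.

```python
"""Toy simulation of a socialbot befriending its way through a synthetic graph.

Constructed example. Probabilities are assumptions loosely based on the
figures quoted in the post; no real social network is touched.
"""
import random
from typing import Callable, Dict, List, Set

POPULAR_THRESHOLD = 130   # friend count the study associated with easy compromise

Policy = Callable[[int, int], float]


def acceptance_probability(mutual: int, friend_count: int) -> float:
    """Assumed chance that a user accepts a request from an unknown account."""
    if mutual > 10:
        return 0.85                                    # assumption for "over 80%"
    base = 0.20 if friend_count > POPULAR_THRESHOLD else 0.05   # assumption
    if mutual >= 1:
        return min(1.0, 3 * base)                      # study: ~3x with a common friend
    return base


def cautious_probability(mutual: int, friend_count: int) -> float:
    """Defensive policy: mutual friends with a stranger count for nothing."""
    return acceptance_probability(0, friend_count)


def make_graph(n: int, rng: random.Random) -> Dict[int, Set[int]]:
    """Constructed friend graph mixing low- and high-degree users."""
    friends: Dict[int, Set[int]] = {u: set() for u in range(n)}
    for u in range(n):
        target_degree = rng.choice([20, 60, 150, 300])  # assumption
        while len(friends[u]) < target_degree:
            v = rng.randrange(n)
            if v != u:
                friends[u].add(v)
                friends[v].add(u)
    return friends


def run_campaign(friends: Dict[int, Set[int]], policy: Policy,
                 seed_size: int = 40, rounds: int = 4, rng_seed: int = 1) -> List[int]:
    """Return the bot's cumulative friend count after each round.

    Each user draws one threshold up front and accepts when that threshold
    falls below the policy's probability for the mutual-friend count at the
    time of the request. Round 0 targets a random seed set; later rounds
    target only not-yet-asked users who share a friend with the bot.
    """
    rng = random.Random(rng_seed)
    threshold = {u: rng.random() for u in friends}
    seeds = set(rng.sample(sorted(friends), seed_size))
    bot_friends: Set[int] = set()
    asked: Set[int] = set()
    history: List[int] = []
    for rnd in range(rounds):
        if rnd == 0:
            targets = seeds
        else:
            targets = {v for f in bot_friends for v in friends[f]} - asked
        snapshot = set(bot_friends)          # mutual counts fixed per round
        for u in sorted(targets):
            asked.add(u)
            mutual = len(friends[u] & snapshot)
            if threshold[u] < policy(mutual, len(friends[u])):
                bot_friends.add(u)
        history.append(len(bot_friends))
    return history


def demo(n: int = 400, seed: int = 7) -> Dict[str, List[int]]:
    """Compare both user policies on the same constructed graph and draws."""
    friends = make_graph(n, random.Random(seed))
    return {
        "baseline": run_campaign(friends, acceptance_probability, rng_seed=seed),
        "cautious": run_campaign(friends, cautious_probability, rng_seed=seed),
    }


if __name__ == "__main__":
    result = demo()
    print("bot friends per round, mutual friends trusted:", result["baseline"])
    print("bot friends per round, mutual friends ignored:", result["cautious"])
```

Because both runs share the same thresholds and seed set, and the cautious policy never exceeds the baseline probability, the cautious count can never be higher than the baseline count; the gap between the two lists is the part of the bot's reach that comes purely from people trusting mutual friends they acquired from the bot itself.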

What do these bots want anyway? Why do bots need friends? Well, for a couple of reasons. First of all, they can be used to spam ads or political viewpoints. As such, they are mainly a marketing/political tool. More and more, however, they are used to gather information that can be used by marketers, spammers, scammers, or those in the business of selling this information to them. But there is a far more sinister use for these bots; a use that should make all Facebook users a little more wary. These bots can gather information to use in social engineering attacks.

In a recent webinar I attended, offered by McAfee/Intel, presenter Raj Samani stated that the initial infection vector of almost all major breaches (95%) is the coercion of an employee through social engineering. Social engineering tries to get an employee to do something by manipulating him or her psychologically. This is often done using an email that contains a link or an attachment carrying the malware necessary to begin the attack. The email, or more precisely the phishing or spear phishing email, is designed to look like it came from some authoritative source or from some trusted individual, like a Facebook friend. Most people naively believe they can recognize a phishing email when they see it; however, Samani pointed out that anyone can be fooled. He told us how they managed to fool one of their top security experts by crafting a spear phishing email using information they gleaned from his Facebook page.

McAfee suggests that businesspeople take their McAfee Phishing Quiz to see if they can recognize which of 10 emails are legitimate. It was with some trepidation that I took the test; after all, IT professionals only scored 70%, which was slightly above the average of 65%. However, I figured if I did miserably, I could take the angle that this was proof that anyone could be fooled. As it turned out, the test was difficult, but (pause here as I pat myself on the back) I managed to get a perfect score, which only 6% of over 30,000 test takers managed to do. Yeah, I was probably lucky on a couple of them. For me, the test proved that these emails are far more sophisticated than they used to be.

Remember, I’ve only talked about Facebook here. All other social media is also open to exploitation. As I’ve noted in other posts, you can buy friends, followers, likes, and shares for any social media site. As one of these “social media services” sites notes, the 1,000 bot friends you buy for $30 are better than real friends because they will never unfriend you. Besides, if they are blocked by the network, they will be replaced for free. If people are willing to buy robot friends, they certainly would not balk at accepting friend requests. Therein lies the weakness in the corporate network. Maybe companies should not hire anyone with too many Facebook friends? Maybe new employees should be pen tested with false Facebook friend requests? Or maybe companies should use security architecture that prevents irresponsible employee behavior from exposing sensitive information on the corporate network.

Educating employees on how to identify a spear phishing attempt can help, but it is no failsafe. Shortly after receiving such education, West Point cadets were sent a fake email from a nonexistent colonel. The email told them to go to a page where they should enter personal information. 80% of the 500 cadets who received the email fell for the scam.

All spear phishing attempts begin with research. Information is gathered about the target that enables an attacker to craft an email that bypasses normal suspicion and gains the victim’s trust. Social networks supply an attacker with a wealth of information. As long as there are people who believe the world is vitally interested in what they had for breakfast, social engineering attacks will continue to thrive. Maybe companies looking for new employees should forego the ubiquitous ‘must be a team player’ for the more effective, ‘narcissists need not apply’.
