Five Dollars Can Buy You 4,000 Facebook Friends


A recent article featured in the New York Times[1] sheds light on the emerging trend of purchasing friends, followers, and influence on social media. For just five dollars, the article’s author purchased 4,000 Facebook friends and for five more, 4,000 Twitter followers. A couple of extra bucks bought him 2,000 “likes” on one of his shared photos. For a more exorbitant sum ($3700) he could have purchased one million Instagram followers.

This trend is leading to an increase in “social engineering attacks” perpetrated by “bots.” Social engineering attacks rely on psychological manipulation of people through confidence tricks for the purposes of information gathering, fraud, or system access. Bots are software applications that run automated tasks over the Internet. They are used to perform repetitive tasks that would be mind-numbing and slow for humans, in a fraction of the time.[2]

The “friends” the author purchased are actually bots. These bots set up profiles and act like real people: they become your friend and can “like” posts, share content, increase page views, or become followers. These social media bots are becoming more sophisticated and difficult to identify. They have seemingly realistic names, say things that real people would say, post during times of the day when people would normally be awake, and can even have conversations with each other.

The implications of this trend are huge for cyber security and social media. Malicious actors purchase these bots and use them to launch attacks. The bots post malware and phishing attempts behind hyperlinks. These hyperlinks are usually in a condensed form that is difficult to read or identify as “bad.” In addition to the link, the bot will usually post text designed to persuade friends or followers to click the link (e.g., “Take a look at this shocking photo!”).

With one click of that link, the infection is underway and the entire network is compromised. The bots, which can be bought and set up in minutes, vanish immediately after the attack succeeds, leaving no evidence and little for a corporate security team to go on to prevent a similar future attack. This quick approach renders traditional blacklists useless because they cannot be updated in time, and current solutions impractical because they aren’t designed to protect against social-media-based threats.

Malicious attackers can also use bots to create thousands of impersonator profiles of celebrities, business leaders, or politicians, intending to exploit a person’s notoriety to entice real people to connect with the bot. The bot then distributes malware or phishing links, which real people unknowingly click, infecting their machines and the entire network.

The trend of purchasing friends, followers, and influence on social media is a troubling issue in the unregulated realm of social media. Tracking these legions of bots and preventing social engineering attacks presents a massive challenge for organizations worldwide.

To learn more, check out the New York Times article.

[1] Bilton, N. (2014, April 20). Friends, and Influence, for Sale Online. Bits. Retrieved April 23, 2014, from

[2] Internet bot. (2014, April 18). Wikipedia. Retrieved April 24, 2014, from
