(BEING CONTINUED FROM 24/08/11)
5. SUGGESTIONS FOR IMPROVEMENTS IN SOCIAL NETWORK SITE SECURITY
Obviously, the user is the weakest link in social networking sites. Many users are not security-aware and place
too much implicit trust in others. However, even advanced users can be tricked into accepting friend requests, because
it is not easy to authenticate the sender. One measure that could improve the security of contact requests is to give
the receiver more information on the authenticity of a request and of the user who is sending it. For example, the site
could show where the request was issued (e.g., the country derived from the sender's IP address) and the date on which
the sending profile was created. Sharing this kind of information does not pose a privacy threat to the users involved:
they are about to establish a trust relationship, and are therefore already willing to share personal information with each other.
Furthermore, there are simple strategies that make CAPTCHAs harder to break. Our observation is that
not all social networking sites put enough effort into making automated crawling and access difficult.
For the CAPTCHAs used by StudiVZ, MeinVZ, and XING, the attacker's main task is to separate the individual symbols and
then recognize each one with OCR. This segmentation step could be made considerably harder by rendering the
image with at least some of the symbols overlapping each other. In fact, some of the CAPTCHAs that we encountered
at these sites are rendered with two overlapping symbols, and these are generally not broken. An extension
of this strategy is to draw additional paths of randomly connected lines that span several symbols.
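The following is an added illustration, not code from the paper or from its CAPTCHA-breaking tools, of why overlapping symbols and cross-symbol strokes hurt the "segment, then OCR each blob" pipeline described above. It renders a few constructed 5x5 glyphs onto a bitmap, runs the segmentation step a naive breaker would use (8-connected flood fill), and counts how many blobs come out. With a gap between glyphs the breaker gets one blob per symbol; a one-column overlap, or a single stroke drawn across the image (a deterministic stand-in for the random paths proposed above), collapses the whole word into one blob that OCR cannot recognize symbol by symbol. The glyph shapes and the "XOTV" sample are constructed for this example.

```python
from collections import deque

# Constructed 5x5 glyphs for the demonstration (not the paper's CAPTCHA data).
GLYPHS = {
    "X": ["#...#", ".#.#.", "..#..", ".#.#.", "#...#"],
    "O": [".###.", "#...#", "#...#", "#...#", ".###."],
    "T": ["#####", "..#..", "..#..", "..#..", "..#.."],
    "V": ["#...#", "#...#", ".#.#.", ".#.#.", "..#.."],
}
GLYPH_WIDTH = 5


def render(text, advance, line_row=None):
    """Return the set of ink pixels (row, col) for `text`.

    `advance` is the horizontal distance between glyph origins: 7 leaves a
    two-column gap between 5-pixel-wide glyphs, 4 makes neighbours overlap by
    one column. `line_row`, if given, draws a full-width horizontal stroke
    through that row, a deterministic stand-in for the random connecting
    paths proposed in the text.
    """
    ink = set()
    for i, ch in enumerate(text):
        x0 = i * advance
        for r, row in enumerate(GLYPHS[ch]):
            for c, px in enumerate(row):
                if px == "#":
                    ink.add((r, x0 + c))
    if line_row is not None:
        width = (len(text) - 1) * advance + GLYPH_WIDTH
        for c in range(width):
            ink.add((line_row, c))
    return ink


def connected_components(ink):
    """8-connected flood fill. Each component is what a naive breaker would
    cut out and hand to OCR as one symbol."""
    unseen = set(ink)
    components = []
    while unseen:
        seed = unseen.pop()
        component = {seed}
        queue = deque([seed])
        while queue:
            r, c = queue.popleft()
            for dr in (-1, 0, 1):
                for dc in (-1, 0, 1):
                    nb = (r + dr, c + dc)
                    if nb in unseen:
                        unseen.remove(nb)
                        component.add(nb)
                        queue.append(nb)
        components.append(component)
    return components


def blob_count(text, advance, line_row=None):
    """Number of blobs the segmentation step produces for the rendered text."""
    return len(connected_components(render(text, advance, line_row)))


def segmentation_succeeds(text, advance, line_row=None):
    """The naive pipeline only works when blobs and symbols line up 1:1."""
    return blob_count(text, advance, line_row) == len(text)


def show(ink):
    """ASCII dump of a rendered image, handy for eyeballing the overlap."""
    height = max(r for r, _ in ink) + 1
    width = max(c for _, c in ink) + 1
    return "\n".join(
        "".join("#" if (r, c) in ink else "." for c in range(width))
        for r in range(height)
    )


if __name__ == "__main__":
    for label, advance, line_row in (
        ("spaced", 7, None),
        ("overlapping", 4, None),
        ("spaced, crossed by a line", 7, 2),
    ):
        print(f"{label}: {blob_count('XOTV', advance, line_row)} blob(s) for 4 symbols")
        print(show(render("XOTV", advance, line_row)), end="\n\n")
```

Real breakers use more than plain connected components (projection profiles, colour filtering, and so on), so the overlap has to be real ink overlap rather than a cosmetic touch; the point of the example is that the cheap segmentation heuristic, which works on well-spaced glyphs, stops producing one blob per symbol as soon as glyphs share pixels or a stroke joins them.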
Similar strategies could help strengthen reCAPTCHA. An attacker will generally try to
partition the reCAPTCHA image into its two parts and solve each of them separately. Creating an overlap between the two single
challenges of the reCAPTCHA, as discussed above, could again quite easily be done by rendering paths of randomly
connected lines so that they span both challenges. reCAPTCHA is, without doubt, a state-of-the-art CAPTCHA solution.
Our results show, however, that an attacker who has access to a distributed computing infrastructure (e.g., a
botnet consisting of thousands of computers) can spread the CAPTCHA-breaking process over many IP addresses and machines
and succeed in automating access to services that use reCAPTCHA.
Although straightforward, rate limiting could also make CAPTCHA breaking more difficult. CAPTCHA
providers often let a user request a new CAPTCHA over many attempts and deliver the new challenges without
delay. Hence, an attacker can simply request new CAPTCHAs until the provider delivers a challenge that can
be recognized and broken automatically. A simple but effective defense is to rate limit the number of
CAPTCHAs that are displayed to a user, with a threshold of a few images per minute.
Finally, social network service providers could adopt (or improve) behavior-based anomaly detection techniques in
order to promptly detect and block crawling and other suspicious activity (such as sending hundreds of friend requests
in a row). Even though an attacker could still mimic real user behavior, the attack speed, and
therefore the economic viability of the attack, would be greatly reduced.
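As an added example (not code from the paper or from any of the sites it studies), the block below implements both countermeasures from the two preceding paragraphs with one sliding-window counter: a CAPTCHA issuer that stops re-issuing images to a client above a few-per-minute threshold, and a friend-request burst detector that flags an account sending more than a threshold of requests within a window. It also models the attacker strategy described above, re-requesting until a weak challenge appears. The challenge pool, the "easy"/"hard" labels, the `is_easy` predicate standing in for the breaker's own confidence check, and the sample events are all constructed for this example; timestamps are passed in explicitly so the run is deterministic.

```python
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within any `window` seconds.

    The caller supplies timestamps, which keeps this example deterministic;
    in a real service pass time.monotonic() or the request's arrival time.
    """

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)

    def _prune(self, key, now):
        q = self._events[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def allow(self, key, now):
        q = self._prune(key, now)
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class CaptchaIssuer:
    """Hands out challenges from a pool, refusing to re-issue to a client that
    has already asked too often. The pool and its labels are constructed."""

    def __init__(self, pool, per_minute):
        self.pool = list(pool)
        self.limiter = SlidingWindowLimiter(per_minute, 60)
        self._next = 0

    def issue(self, client, now):
        if not self.limiter.allow(client, now):
            return None  # make the client wait instead of serving a fresh image
        challenge = self.pool[self._next % len(self.pool)]
        self._next += 1
        return challenge


def requests_until_breakable(issuer, client, t0, breaker_can_solve, max_requests=100):
    """Model the attacker strategy from the text: keep asking for a new CAPTCHA,
    one request per second, until one the breaker can solve shows up.
    Returns the number of requests needed, or None if the limiter cut it off.

    `breaker_can_solve` is a hypothetical predicate standing in for the OCR
    pipeline's own confidence check."""
    for n in range(1, max_requests + 1):
        challenge = issuer.issue(client, t0 + n)
        if challenge is None:
            return None
        if breaker_can_solve(challenge):
            return n
    return None


def friend_request_alerts(events, threshold, window):
    """Behaviour-based check: flag any account that sends more than
    `threshold` friend requests within `window` seconds.
    `events` is an iterable of (timestamp, sender) pairs."""
    limiter = SlidingWindowLimiter(threshold, window)
    flagged = set()
    for ts, sender in sorted(events):
        if not limiter.allow(sender, ts):
            flagged.add(sender)
    return flagged


# Constructed sample data: a normal user sends five requests over an hour,
# while a cloned account fires off 30 requests in one minute.
SAMPLE_EVENTS = [(t, "alice") for t in (0, 700, 1400, 2100, 2800)] + \
                [(100 + 2 * i, "clone42") for i in range(30)]

# Constructed pool in which only every fifth challenge is weak enough to break.
POOL = ["hard", "hard", "hard", "hard", "easy"]


def is_easy(challenge):
    """Hypothetical stand-in for 'the breaker is confident about this image'."""
    return challenge == "easy"


if __name__ == "__main__":
    now = time.time()
    unlimited = CaptchaIssuer(POOL, per_minute=10_000)
    limited = CaptchaIssuer(POOL, per_minute=3)
    print("no rate limit  :", requests_until_breakable(unlimited, "bot", now, is_easy))
    print("3 per minute   :", requests_until_breakable(limited, "bot", now, is_easy))
    print("flagged senders:", friend_request_alerts(SAMPLE_EVENTS, threshold=20, window=600))
```

Keying the limiter on a client identifier (session plus IP address) rather than on the IP alone matters: the botnet scenario described above spreads requests over many addresses, so a per-IP threshold slows each bot without stopping the aggregate, which is why the text pairs rate limiting with behaviour-based detection on the account itself.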
6. RELATED WORK
Social networks consist of nodes that are connected to each other via strong, trusted links. That is, they rely on
the assumption that a significant fraction of the users in the system are honest. The best-known attack on
the trust relationships of a social network that employs a reputation system is the sybil attack. In this attack,
the attacker creates multiple fake identities and pretends to be distinct users in the network, using them to gain a disproportionately large influence on the reputation system.
To date, two systems have been proposed to defend social networks against sybil attacks: SybilGuard and
SybilLimit. The key insight used in both approaches is that real-world social networks are fast mixing [15, 18],
which helps to distinguish sybil nodes from normal nodes.
Fast mixing means that subsets of honest nodes have good connectivity to the rest of the social network.
SybilGuard defines a social network as a graph whose vertices represent users, and whose edges represent the human-established
trust relations in the real world. The idea is that if an attacker creates too many sybil nodes and connects
them to the network via attack edges, the graph will have a small set of edges whose removal disconnects a
large fraction of the sybil nodes from the network.
Similarly, SybilLimit assumes and shows that social networks are fast mixing. In comparison to SybilGuard, it guarantees tighter, near-optimal bounds on the number of sybil nodes that can be accepted.
Both SybilGuard and SybilLimit are good solutions for detecting sybil nodes. However, in our attacks the established
friendship connections are legitimate: the cloned account obtains edges to a large number of existing, honest
nodes. Therefore, our fake accounts would not be detected by these approaches.
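The following added simulation (not SybilGuard's or SybilLimit's actual protocol, which use random routes and verifier/suspect intersection, and not code from the paper) makes the two points above concrete with plain random-walk mass as a proxy for the fast-mixing argument. It constructs a pseudo-random honest region and a sybil region joined by a single attack edge, plus a "clone" node whose only edges are friendships accepted by real users, then computes the exact distribution of a short random walk started at an honest verifier. Walk mass leaking into the sybil region stays small, because it can only cross the one attack edge, so a sybil node is reached far less often than a typical honest user; the clone, on the other hand, is reached about as often as any honest node and would pass a walk-based test. The graph construction, the seed, the toy acceptance rule in `looks_honest`, and the node names are all assumptions of this example.

```python
import random
from statistics import mean


def add_edge(adj, a, b):
    adj.setdefault(a, set()).add(b)
    adj.setdefault(b, set()).add(a)


def build_region(adj, prefix, n, chords, rng):
    """Constructed region of `n` users: a ring (so it is connected) plus
    `chords` pseudo-random edges per node, which gives the fast-mixing
    structure the text attributes to real social networks."""
    for i in range(n):
        add_edge(adj, f"{prefix}{i}", f"{prefix}{(i + 1) % n}")
        for j in rng.sample(range(n), chords):
            if j != i:
                add_edge(adj, f"{prefix}{i}", f"{prefix}{j}")


def build_scenario(seed=7, clone_friends=10):
    rng = random.Random(seed)
    adj = {}
    build_region(adj, "h", 100, 4, rng)   # honest users
    build_region(adj, "s", 30, 4, rng)    # attacker-controlled sybil identities
    add_edge(adj, "h0", "s0")             # the single attack edge
    # The cloned profile: its friend requests were accepted by real users, so
    # every one of its edges is a genuine, human-established trust link.
    for i in range(clone_friends):
        add_edge(adj, "clone", f"h{5 + 10 * i}")
    return adj


def walk_distribution(adj, start, steps):
    """Exact position distribution of a `steps`-step uniform random walk."""
    dist = {start: 1.0}
    for _ in range(steps):
        nxt = {}
        for v, p in dist.items():
            share = p / len(adj[v])
            for u in adj[v]:
                nxt[u] = nxt.get(u, 0.0) + share
        dist = nxt
    return dist


def verifier_view(adj, verifier="h42", steps=20):
    """How much of the verifier's walk mass lands on honest users, on the
    sybil region, and on the clone."""
    dist = walk_distribution(adj, verifier, steps)
    honest = [dist.get(v, 0.0) for v in adj if v.startswith("h")]
    sybil = [dist.get(v, 0.0) for v in adj if v.startswith("s")]
    return {
        "mean_honest": mean(honest),
        "max_sybil": max(sybil),
        "total_sybil": sum(sybil),
        "clone": dist.get("clone", 0.0),
    }


def looks_honest(view, node_mass):
    """Toy acceptance rule (an assumption of this example): a suspect is
    accepted when the verifier's walk reaches it at least half as often as a
    typical honest user."""
    return node_mass >= 0.5 * view["mean_honest"]


if __name__ == "__main__":
    adj = build_scenario()
    view = verifier_view(adj)
    for key, value in view.items():
        print(f"{key:12s} {value:.4f}")
    print("best-connected sybil accepted?", looks_honest(view, view["max_sybil"]))
    print("clone accepted?               ", looks_honest(view, view["clone"]))
```

The contrast is the whole story of the paragraph above: the sybil region is cut off by a single attack edge, so structural defenses see it, whereas the clone's edges are indistinguishable from the honest region's own, so the same defenses accept it.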
A study closely related to the experiments we present in this paper was conducted by Sophos in 2007. The
authors created a profile on Facebook and manually sent friend requests to 200 random users. The study reports that
41% of the users accepted the request. Furthermore, most of the users did not restrict access to the personal information
in their profile. Note that the results of our experiments are consistent with the study conducted by Sophos
and demonstrate that many users are not cautious in social networks. However, one of the main differences between our
work and the Sophos experiment is that we automatically identify target users and send friend
requests, and we show how the attack success rate can be greatly improved by cloning real user accounts.
In the “social phishing” study, the authors crawled a number
of social networking sites and downloaded publicly available information on users. They then manually constructed
phishing e-mails that contained some of the personal information on the victims that they had retrieved from
the social networking sites. The results of the study show that victims are more likely to fall for a phishing attempt if
some information about their friends or about themselves is included in the phishing mail. Our results, without relying
on e-mail messages, confirm that there is a high degree of trust in social networks. However, our focus is different, as
we aim at accessing the personal information of users who have not necessarily made their profile public.
One of the prerequisites for launching the attacks we present in this paper is the ability to break the CAPTCHAs
used by a site. Several projects in the area of computer vision provide libraries to break real-world
CAPTCHAs (e.g., [22, 26]). Note that the main focus of this paper is not to advance the field of CAPTCHA breaking,
but to break CAPTCHAs efficiently enough to automate the attacks that we describe in the
paper. Obviously, some CAPTCHAs are easier to break than others (e.g., those of StudiVZ and XING are simpler than the
reCAPTCHAs employed by Facebook).
To the best of our knowledge, this paper is the first that presents automated cloning attacks against real-world social
networking sites and experimentally shows that these attacks are feasible in practice.
Social networking sites have been increasingly gaining popularity.
Many social networking sites have millions of registered users now. Unfortunately, when a new technology
starts to attract a large number of Internet users, criminals are attracted as well. Today, it is not uncommon for Internet
users to be participants in more than one social networking site (e.g., LinkedIn for business, and Facebook for private
In this paper, we investigate how easy it would be for a potential attacker to launch automated crawling and identity theft (i.e., cloning) attacks against five popular social networking sites. We present and experimentally evaluate
two identity theft attacks. When the attacks succeed, the attacker can establish a friendship connection with the victim’s
contacts and hence, access their personal information.
The simplest attack we present consists of the cloning of existing user accounts and the automated sending of friend
requests to the contacts of the cloned victim. In the second,more advanced attack, we show that it is feasible to
launch an automated, cross-site profile cloning attack where the victim’s contacts are stolen and reestablished in a social
network where she is not registered yet.
We analyzed and experimented with five social networking sites: XING, StudiVZ, MeinVZ, Facebook and LinkedIn.
The first three are popular in Austria, Germany and Switzerland and have millions of registered
users. Facebook and LinkedIn are internationally well known and also have millions of users world-wide. Our
results show that not all social networking sites are well protected against automated crawling and access. Furthermore,
our experimental results demonstrate that most users of social networking sites are not cautious when accepting
friend requests or clicking on links that are sent to them.
Although social networking sites are useful, we believe it is important to raise awareness among users about the privacy
and security risks that are involved.
Leyla Bilge, Thorsten Strufe, Davide Balzarotti, Engin Kirda
Sophia Antipolis, France
This work has been supported in part by the EU SOCIALNETS project under grant agreement number 217141,
the Austrian Science Foundation (FWF) under grant P-18764, Secure Business Austria (SBA), and the WOMBAT
and FORWARD projects funded by the European Commission in the 7th Framework Programme. We thank Michael Roßberg
(TU Ilmenau) for fruitful discussions and contributions to the CAPTCHA-breaking process, and all persons who were willing
to participate in the experiment.
[1] Modeling and Preventing Phishing Attacks. http://www.informatics.indiana.edu/markus/papers/phishing_jakobsson.pdf, 2005.
[2] Spear phishing: Highly targeted phishing scams. http://www.microsoft.com/protect/yourself/
[3] CERT Advisory CA-2000-04 Love Letter Worm.
[4] Facebook. http://www.facebook.com, 2008.
[5] Facebook by the Numbers. http://www.fastcompany.com/magazine/115/open_
[6] LinkedIn. http://www.linkedin.com, 2008.
[7] MeinVerzeichnis – MeinVZ. http://www.meinvz.net/, 2008.
[8] MySpace. http://www.myspace.com, 2008.
[9] New MySpace and Facebook Worm Target Social Networks. http://www.darknet.org.uk/2008/08/
[10] Sophos Facebook ID Probe. http://www.sophos.com/pressoffice/news/articles/2007/08/facebook.html, 2008.
[11] StudiVerzeichnis – StudiVZ. http://www.studivz.net, 2008.
[12] The Spamhaus Project. http://www.spamhaus.org/, 2008.
[13] Xing – Global Networking for Professionals. http://www.xing.com, 2008.
[14] S. D. Berkowitz. An Introduction to Structural Analysis: The Network Approach to Social Research. Butterworth, Toronto, ISBN 0409813621, 1982.
[15] S. Boyd, A. Ghosh, B. Prabhakar, and D. Shah. Gossip algorithms: Design, analysis and applications. In IEEE INFOCOM, 2005.
[16] Carnegie Mellon University. The CAPTCHA Project. http://www.captcha.net.
[17] J. R. Douceur. The Sybil Attack. In Electronic Proceedings of the 1st International Workshop on Peer-to-Peer Systems (IPTPS ’02), March 2002.
[18] A. D. Flaxman. Expansion and lack thereof in randomly perturbed graphs. Manuscript under
[19] ImageMagick. Introduction to ImageMagick.
[20] T. N. Jagatic, N. A. Johnson, M. Jakobsson, and F. Menczer. Social phishing. Commun. ACM,
[21] C. Karlberger, G. Bayler, C. Kruegel, and E. Kirda. Exploiting Redundancy in Natural Language to Penetrate Bayesian Spam Filters. In First USENIX Workshop on Offensive Technologies (WOOT ’07), Boston, MA, August 2007.
[22] kloover.com. Breaking the ASP Security Image Generator. http://www.kloover.com/2008/02/28/
[23] V. Levenshtein. Binary codes capable of correcting deletions, insertions, and reversals. Doklady Physics,
[24] S. Mori, C. Y. Suen, and K. Yamamoto. Historical review of OCR research and development. Document image analysis, pages 244–273, 1995.
[25] S. Moyer and N. Hamiel. Satan is on My Friends List: Attacking Social Networks. http://www.blackhat.
[26] PWNtcha. PWNtcha – captcha decoder. http://sam.zoy.org/pwntcha/.
[27] Tesseract. Tesseract OCR. http://sourceforge.net/projects/tesseract-ocr.
[28] L. von Ahn, B. Maurer, C. McMillen, D. Abraham, and M. Blum. reCAPTCHA: Human-Based Character Recognition via Web Security Measures. Science, September 2008.
[29] H. Yu, M. Kaminsky, P. B. Gibbons, and A. Flaxman. SybilGuard: Defending Against Sybil Attacks via Social Networks. 2006.
[30] H. Yu, M. Kaminsky, P. B. Gibbons, and A. Flaxman. SybilLimit: A Near-Optimal Social Network Defense against Sybil Attacks. In IEEE Symposium on Security and Privacy, 2008.