Abstract
Social networks such as Facebook, Twitter and Google+ have attracted millions of users in the last years. One of the most widely used social networks, Facebook, recently had an initial public offering (IPO) in May 2012, which was among the biggest in Internet technology. Forprofit and nonprofit organizations primarily use such platforms for target-oriented advertising and large-scale marketing campaigns. Social networks have attracted worldwide attention because of their potential to address millions of users and possible future customers. The potential of social networks is often misused by malicious users who extract sensitive private information of unaware users. One of the most common ways of performing a large-scale data harvesting attack is the use of fake profiles, where malicious users present themselves in profiles impersonating fictitious or real persons. The main goal of this research is to evaluate the implications of fake user profiles on Facebook. To do so, we established a comprehensive data harvesting attack, the social engineering experiment, and analyzed the interactions between fake profiles and regular users to eventually undermine the Facebook business model. Furthermore, privacy considerations are analyzed using focus groups. As a result of our work, we provided a set of countermeasures to increase the awareness of users.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
References
Adolph S, Hall W., & Kruchten P (2006) Using grounded theory to study the experience of software development. In: Empirical Software Engineering 16(4):487–513. DOI 10. 1007/s10664-010-9152-6.
Agichtein E, Castillo C, Donato D, Gionis A, & Mishne G (2008) Finding high-quality content in social media. In: Proceedings of the international conference on Web search and web data mining, WSDM’ 08, ACM, New York, NY, USA:183–194. DOI 10.1145/1341531.1341557.
von Ahn L, Maurer B, McMillen C, Abraham D, & Blum M (2008) recaptcha: Human-based character recognition via web security measures. In: Science 321(5895):1465–1468.
Altman I (1975) The Environment and Social Behavior: Privacy, Personal Space, Territory, Crowding. In: Brooks/-Cole Pub. Co, Monterey, California.
Asuncion AU, Goodrich MT (2010) Turning privacy leaks into floods: Surreptitious discovery of social network friendships and other sensitive binary attribute vectors. In: Proceedings of the 9th annual ACM workshop on Privacy in the electronic society, WPES’ 10. ACM, New York, NY, USA:21–30. DOI 10.1145/1866919.1866923.
Baden R, Bender A, Spring N, Bhattacharjee B, & Starin, D (2009) Persona: An online social network with user-defined privacy. In: Proceedings of the ACM SIGCOMM’ 09 conference on Data communication, SIGCOMM’ 09. ACM, New York, NY, USA: 135–146. DOI 10.1145/1592568.1592585.
Barracuda Labs (2011) Barracuda labs social networking analysis. http://barracudalabs.com/fbinfographic/. Accessed 2012-5-5.
Besmer A, Richter LH (2010) Moving beyond untagging: Photo privacy in a tagged world. In: Proceedings of the 28th international conference on Human factors in computing systems, CHI’ 10. ACM, New York, NY, USA:1563–1572. DOI 10.1145/1753326.175 3560.
Bilge L, Strufe T, Balzarotti D, & Kirda E (2009) All your contacts are belong to us: Automated identity theft attacks on social networks. In: Proceedings of the 18th international conference on World wide web, www’ 09. ACM, New York, NY, USA: 551–560. DOI 10.1145/1526709.1526784.
Bortz J, Döring N (2006) Forschungsmethoden und Evaluation: für Human- und Sozialwissenschaftler, überarb. edn. Springer, Heidelberg 4.
Boshmaf Y, Muslukhov I, Beznosov K, & Ripeanu M (2011) The socialbot network: When bots socialize for fame and money. In: Proceedings of the 27th Annual Computer Security Applications Conference, ACSAC’ 11. ACM, New York, NY, USA: 93–102.
Boyd D, Ellison N (2007) Social network sites: Definition, history, and scholarship. Journal of Computer-Mediated Communication 13(1). URL http://jcmc.indiana.edu/vol13/issue1/boyd.ellison.html.
CAPTCHA (2012) http://www.captcha.net/. Accessed 5-15-2012.
Dorfman R (1943) The detection of defective members of large populations. In: Annals of Mathematical Statistics 14:436–440, Lee J, Lee J, & Feick L (2001) The impact of switching costs on the customer satisfaction-loyalty link: Mobile phone service in France. Journal of Services Marketing 15(1):35–48.
Facebook (2012) https://www.facebook.com/legal/terms. Accessed 7-19-2012.
Facebook Developers (2012) https://developers.facebook.com/docs/reference/api/. Accessed 6-25-2012.
Facebook Press (2012) http://www.facebook.com/press. Accessed 4-15-2012.
Facebook Timeline (2012) https://www.facebook.com/about/timeline. Accessed 6-6-2012.
Fruchterman TMJ, Reingold EM (1991) Graph drawing by force-directed placement. In: Software: Practice and Experience 21(11):1129–1164. DOI 10.1002/spe.4380211102.
Gao H, Hu J, Wilson C, Li Z, Chen Y, & Zhao B Y (2010) Detecting and characterizing social spam campaigns. In: Proceedings of the 17th ACMConference on Computer and Communications Security, CCS’ 10. ACM, New York, NY, USA:681–683. DOI 10.1145/1866307.1866396.
Gephi: (2012) http://gephi.org/. Accessed 10-6-2012.
Gross R, Acquisti A (2005) Information revelation and privacy in online social networks. In: Proceedings of the 2005 ACM Workshop on Privacy in the Electronic Society, WPES’ 05. ACM, New York, NY, USA:71–80. DOI 10.1145/1102199.1102214.
Huber M, Mulazzani M, Leithner M, Schrittwieser S, Wondracek G, & Weippl E (2011) Social snapshots: Digital forensics for online social networks. In: Proceedings of 27th Annual Computer Security Applications Conference (ACSAC):113–122.
JSON.org: (2012) http://json.org. Accessed 26-6-2012.
King J, Lampinen A, & Smolen A (2011) Privacy: Is there an app for that? In: Proceedings of the Seventh Symposium on Usable Privacy and Security, SOUPS’ 11. ACM, New York, NY, USA:12.1–12.20. DOI 10.1145/2078827.2078843.
Krasnova H, Günther OSS, & Koroleva K (2009) Privacy concerns and identity in online social networks. In: Identity in the Information Society 2(1):39–63.
Lipford H R, Besmer A, Watson J (2008) Understanding privacy settings in facebook with an audience view. In: Proceedings of the 1st Conference on Usability, Psychology, and Security, UPSEC ′08. USENIX Association, Berkeley, CA, USA:2.1–2.8.
Liu Y, Gummadi K, Krishnamurthy B, & Mislove A (2011) Analyzing facebook privacy settings: User expectations vs. reality. In: Proceedings of the 2011 ACM SIGCOMM Conference on Internet Measurement Conference, IMC’ 11. ACM, New York, NY, USA:61–70. DOI 10.1145/2068816.2068823.
Mao H, Shuai X, & Kapadia A (2011) Loose tweets: an analysis of privacy leaks on twitter. In: Proceedings of the 10th annual ACM Workshop on Privacy in the Electronic Society, WPES’ 11. ACM, New York, NY, USA:1–12. DOI 10.1145/2046556.2046558.
Matavire R, Brown I (2008) Investigating the use of’ grounded theory’ in information systems research. In: Proceedings of the 2008 annual research conference of the South African Institute of Computer Scientists and Information Technologists on IT Research in Developing Countries: Riding the Wave of Technology, SAICSIT’ 08. ACM, New York, NY, USA:139–147. DOI 10.1145/1456659.1456676.
Narayanan A, Shmatikov V (2009) De-anonymizing social networks. In: Proceedings of the 2009 30th IEEE Symposium on Security and Privacy, SP’ 09. IEEE Computer Society, Washington, DC, USA:173–187. DOI 10.1109/SP.2009.22.
NetworkX (2012) http://networkx.lanl.gov/. Accessed 10-6-2012.
pleaserobme.com (2012) http://pleaserobme.com/, Accessed 10-5-2012.
Puttaswamy KPN, Sala A, & Zhao BY (2009) Starclique: Guaranteeing user privacy in social networks against intersection attacks. In: Proceedings of the 5th International Conference on Emerging Networking Experiments and Technologies, CoNEXT’ 09. ACM, New York, NY, USA:157–168. DOI 10.1145/1658939.1658958.
Python (2012) http://www.python.org/. Accessed 10-6-2012.
Smith A, O’Hara K, & Lewis P (2011) Visualising the past: Annotating a life with linked open data. In: Web Science Conference’ 11. URL http://eprints.ecs.soton.ac.uk/22324/.
SnapshotSurvey (2012) http://is.gd/snapshotsurvey. Accessed 22-5-2012.
Stanton JM (2003) Socio-technical and human cognition elements of information systems. In: S Clarke, E Coakes, GM Hunter, A Wenn (eds.) Information Technology and Privacy, chap. Information technology and privacy: a boundary management perspective. IGI Publishing, Hershey, PA, USA:79–103.
Stein T, Chen E, & Mangla K (2011) Facebook immune system. In: Proceedings of the 4th Workshop on Social Network Systems, SNS’ 11. ACM, New York, NY, USA:8.1–8.8. DOI 10.1145/1989656.1989664.
Strater K, Lipford HR (2008) Strategies and struggles with privacy in an online social networking community. In: Proceedings of the 22nd British HCI Group Annual Conference on People and Computers: Culture, Creativity, Interaction, BCS-HCI’ 08. British Computer Society, Swinton, UK, UK 1:111–119.
Stutzman F, Capra R, & Thompson J (2011) Factors mediating disclosure in social network sites. Computers in Human Behavior 27(1):590–598. DOI 10.1016/j.chb.2010.10.017.
Stutzman F, Kramer-Duffield J (2010) Friends only: Examining a privacy-enhancing behavior in Facebook. In: Proceedings of the 28th International Conference on Human Factors in Computing Systems, CHI’ 10, ACM, New York, NY, USA:1553–1562. DOI 10.1145/1753326.1753559.
Sun X, Sun L, & Wang H (2011) Extended k-anonymity models against sensitive attribute disclosure. In: Computer Communications 34(4):526–535. DOI 10.1016/j.comcom.2010. 03.020.
TechCrunch (2012) http://techcrunch.com/2012/02/15/facebook-verifiedaccounts-alternatenames/. Accessed 7-30-2012.
TechCrunch (2012) http://techcrunch.com/2012/07/30/startup-claims-80-of-itsfacebook-adclicks-are-coming-from-bots/. Accessed 7-30-2012.
Thomas JC (2001) Qualitative vs. quantitative: Myths of the culture and practical experience. In: Proceedings of the 34th Annual Hawaii International Conference on System Sciences: 10.
Wang N, Xu H, & Grossklags J (2011) Third-party apps on Facebook: Privacy and the illusion of control. In: Proceedings of the 5th ACM Symposium on Computer Human Interaction for Management of Information Technology, CHIMIT’ 11. ACM, New York, NY, USA:4.1–4.10. DOI 10.1145/2076444.2076448.
Wang Y, Norcie G, Komanduri S, Acquisti A, Leon PG, & Cranor L (2011) I regretted the minute I pressed share: a qualitative study of regrets on Facebook. In: Proceedings of the Seventh Symposium on Usable Privacy and Security, SOUPS’ 11. ACM, New York, NY, USA:10.1–10.16. DOI 10.1145/2078827.2078841.
Zheleva E, Getoor L (2009) To join or not to join: The illusion of privacy in social networks with mixed public and private user profiles. In: Proceedings of the 18th International Conference on World Wide Web, www’ 09. ACM, New York, NY, USA:531–540. DOI 10.1145/1526709.1526781.
Author information
Authors and Affiliations
Corresponding author
Additional information
Katharina Krombholz is researcher and Ph.D. student at SBA Research in Vienna, Austria. She received a master degree in Media Informatics from the Vienna University of Technology. Her research interests include security, privacy, social networks, human-computer interaction and interaction design.
Dieter Merkl is Associate Professor of Applied Computer Science at the Institute of Software Technology and Interactive Systems at the Vienna University of Technology (Austria). His main research interests are in the areas of information retrieval, data mining, and interaction design. He has published more than 140 scientific papers in these areas.
Edgar Weippl is research director of SBA Research and Associate Professor at the Institute of Software Technology and Interactive Systems at the Vienna University of Technology (Austria). His research focuses on applied concepts of IT-security and e-learning.
Rights and permissions
About this article
Cite this article
Krombholz, K., Merkl, D. & Weippl, E. Fake identities in social media: A case study on the sustainability of the Facebook business model. J Serv Sci Res 4, 175–212 (2012). https://doi.org/10.1007/s12927-012-0008-z
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s12927-012-0008-z