'Socialbots' Invade Facebook: Cull 250GB of Private Data

02.11.2011
Facebook was recently invaded by a robot army created by four researchers to demonstrate the ease with which online social networks can be maliciously exploited by the unscrupulous.

With a horde of 102 bogus Facebook friends, the University of British Columbia researchers showed that they could harvest personal information on members that is not publicly available on the social network, and that its defenses were inadequate to cope with a large-scale infiltration.

During the course of an eight-week campaign on Facebook, the researchers gathered 250GB of information from thousands of the social network's members. Their "sockpuppet" bots were "friended" by more than 3,000 members, and the network they built reached more than a million profiles.

To launch their mischief on Facebook, the quartet--Yazan Boshmaf, Ildar Muslukhov, Konstantin Beznosov, and Matei Ripeanu--used a new breed of botnet called a socialbot. What distinguishes a socialbot from other kinds of bots is that it's designed to pass itself off as a human being. That allows it to obtain a privileged position in an online social network (OSN). In the case of Facebook, that position would be "friend."

"As socialbots infiltrate a targeted OSN, they can further harvest private users' data such as e-mail addresses, phone numbers, and other personal data that have monetary value," the researchers explained in a paper they plan to present next month at a conference in Orlando, Fla.

"To an adversary, such data are valuable and can be used for online profiling and large-scale email spam and phishing campaigns," they continued. "It is thus not surprising that different kinds of socialbots are being offered for sale in the Internet black-market for as much as $29 per bot."