Social network rate whoring (called after the 'karma whoring' on Slashdot)

0) Disclaimer

All this started with a conversation with a friend about social networks in which the rating has a direct monetary meaning. This idea came up to show that if your rating isn't limited and grows artificially (i.e. comes out of 'nowhere' :) ), then it can and will be exploited. I then wrote this to show it to some people and see if it has some fatal flaws.

In the following text, I assume an orkut-like social network, with a rating that has direct monetary meaning. In fact, orkut has some indirect such meaning now, but it's too far-fetched, and not really worth explaining.

1) Introduction

This is a fictional (i.e. not tested) attack on social networks such as orkut (www.orkut.com), with the purpose of modifying someone's rating (number of fans, good/bad testimonials, etc.) artificially.

2) Prerequisites for the attack

The attack basically needs an implementation of a virtual simulated social network, which connects to the real one and translates between the simulated members and the 'real' ones in the real social network. For hiding purposes there have to be a lot of email addresses and anonymous proxies (which aren't hard to find, in this age of free webmail providers and DDoS drones). And finally, there has to be a person to control and supervise all this, because there are some parts that require human intervention.

Also, the most important part is to get some statistics about the average behavior in the social network: average rating per count of friends, average invited friends, average good/really good friends count, etc. There should also be statistics on the profiles of the users (distribution of the different possible answers, etc.).

3) Short explanation

It all boils down to a bot network that interacts, keeps a 'low profile', masquerades as real persons, and rates the target.
4) Plan for the attack

4.0) Initialization

The botnet has to initialize itself and create a real network, to define the relations inside it. This will need a lot of supervision, because the botnet has to look really legitimate, has to be diverse enough within certain borders, and mustn't have any stupid mistakes, like a heavily drinking Islamic person. This includes a definition of allowed proxies for each 'person', relations between persons, geographical location, and connection with the target. (The main reason for the failure of all attacks of this kind is some stupid mistake.) There will be a need for pictures/photos, which could be generated by any software that's used to recognize people, or by using some photos of big conventions/crowds. (It's really doable :) )

4.1) Beginning

The first thing is to get some bots (called 'Level_1') into the network. Some of them (in the range of the average for such) could be invited by the botnet owner, and some can be invited through other channels, like invites sold on eBay, or through strategically spamming members of the social network. There are also the so-called 'friendwhores' that will add anyone, and there are a lot of people who can be easily tricked into inviting someone, or adding him/her as a friend, through very little social engineering. The signup will (probably) require manual intervention: the bots will have to use human help to parse the images with text that are used to stop automatic signups. There is a probability that this could be implemented with some kind of OCR algorithm, but IMO it will complicate the implementation needlessly.

4.2) Botnet initialization

This step is simply applying the relations net generated in 4.0 to the real social network. It has to be done slowly, abiding by the normal working hours for the 'persons' in the botnet.
4.3) The attack itself

This is a pretty simple step: some of the bots begin to rate the target slowly, using some events as a reason (such as postings in communities, etc.). All the posting has to be done by the operator of the botnet (because there still isn't a text synthesizing engine that good (yet)).

4.4) Covering the traces

This happens through ratings inside the botnet, and making friends with people outside of it. That can be done manually, and with some effort will make it indistinguishable from any normal social subnetwork.

5) Defenses that won't work

5.1) Using the images with text on them (like those in the signup) to stop the bots from doing anything rating-related

This will just make the usage harder, but won't be such a big obstacle; it's surmountable in the same way as the signup.

5.2) Using a Turing test

This won't help, just because 1) you don't have a way for a real-time conversation, and 2) this isn't fully automated, and the operator can instruct the bot (or just plain communicate through him).

5.3) Traceability through friendwhores or the people who have invited the Level_1 bots

That could work, but only if the operator is consistent with the invitations, and he can just use a lot of different friendwhores or bought invitations on eBay. And if the social network itself starts to police the friendships inside it, that will be a much bigger problem...
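A detection-side check that a network operator could run against the closed rating cluster described in 4.4, and that 5.3 hints at when it mentions policing the friendships inside the network. This is an added example, not part of the original text: for every account that rated a target, it measures how much of that account's other rating activity stays inside the target's own rater set. The sample graph, the account names and the 0.8 threshold are constructed for illustration.

```python
# Constructed sample: (rater, rated) pairs. b1..b5 are a hypothetical closed
# cluster rating "victim" and each other; u1, u2 are organic raters whose
# other ratings go to unrelated accounts o1..o3.
RATINGS = [
    ("b1", "victim"), ("b1", "b2"), ("b1", "b3"),
    ("b2", "victim"), ("b2", "b3"), ("b2", "b4"),
    ("b3", "victim"), ("b3", "b4"), ("b3", "b5"),
    ("b4", "victim"), ("b4", "b5"), ("b4", "b1"),
    ("b5", "victim"), ("b5", "b1"), ("b5", "b2"),
    ("u1", "victim"), ("u1", "o1"), ("u1", "o2"),
    ("u2", "victim"), ("u2", "o3"),
]


def rater_profiles(ratings, target):
    """Map each account that rated `target` to the other accounts it rated."""
    raters = {r for r, t in ratings if t == target}
    profiles = {r: set() for r in raters}
    for r, t in ratings:
        if r in raters and t != target:
            profiles[r].add(t)
    return profiles


def insider_fraction(ratings, target):
    """Per rater: share of its non-target ratings that land on other raters
    of `target`. Organic raters scatter ratings across the network; a closed
    cluster keeps rating itself, so its members score close to 1.0.
    A rater with no other ratings scores 0.0 (nothing to judge yet)."""
    profiles = rater_profiles(ratings, target)
    raters = set(profiles)
    return {r: (len(rated & raters) / len(rated) if rated else 0.0)
            for r, rated in profiles.items()}


def cluster_ratio(ratings, target):
    """Share of all raters' other ratings that stay inside the rater set;
    compare it against the network-wide average for targets of similar size."""
    profiles = rater_profiles(ratings, target)
    raters = set(profiles)
    inside = sum(len(rated & raters) for rated in profiles.values())
    total = sum(len(rated) for rated in profiles.values())
    return inside / total if total else 0.0


def suspicious_raters(ratings, target, threshold=0.8):
    """Raters at or above the insider threshold, queued for manual review."""
    fractions = insider_fraction(ratings, target)
    return sorted(r for r, f in fractions.items() if f >= threshold)
```

The ratio only makes sense relative to the baseline statistics section 2 talks about, since small genuine communities also rate each other; treat hits as review candidates, not verdicts.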