A Summary of Two Practical Attacks Against Social Networks

  • Leyla Bilge (corresponding author)
  • Marco Balduzzi
  • Davide Balzarotti
  • Engin Kirda


Social networking sites have been steadily gaining popularity, and they have already changed the communication habits of hundreds of millions of users. Unfortunately, this new technology can easily be misused to collect private information and violate users' privacy. In this chapter, we summarize two practical attacks we have presented in the past: an impersonation attack in which we automatically clone a user profile, and an attack that abuses the information provided by social networks to automatically correlate information extracted from different social networks. Our results show that these attacks are very successful in practice and that they can significantly impact users' privacy. These attacks therefore represent a first important step towards raising awareness among users about the privacy and security risks involved in sharing information in one or more social networks.
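The correlation attack summarized above links a person's profiles on different networks and merges what each network reveals about them. The following Python example, added here as an illustration and not code from the chapter or its authors, shows the core of such a correlation: records from several networks are joined on a normalized e-mail address, which is assumed here as the linking identifier, and every attribute is kept with its network of origin so that the merged view exposes information no single network shows. The sample records, network names and field names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample profile records (fictitious users); field names are assumptions.
NETWORK_A = [
    {"handle": "jdoe",   "email": "John.Doe@Example.com", "employer": "Acme Corp"},
    {"handle": "asmith", "email": "a.smith@example.org",  "employer": "Globex"},
    {"handle": "bob_x",  "email": "bob@example.net",      "employer": "Initech"},
]
NETWORK_B = [
    {"handle": "johnny", "email": "john.doe@example.com ", "birthday": "1984-03-02", "city": "Nice"},
    {"handle": "al",     "email": "alice@example.org",     "birthday": "1990-07-11", "city": "Paris"},
]
NETWORK_C = [
    {"handle": "jd84", "email": "JOHN.DOE@example.com", "relationship": "single"},
]

_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def normalize_email(addr):
    """Canonicalise an address so that trivially different spellings join.

    Returns None for values that are not syntactically an e-mail address,
    so they can never act as a linking key.
    """
    addr = addr.strip().lower()
    return addr if _EMAIL_RE.match(addr) else None


def correlate(networks):
    """Join profile records from several networks on the normalised e-mail.

    networks: dict mapping a network name to a list of profile dicts.
    Returns dict: normalised email -> {"sources": [network names],
                                       "attributes": {field: {network: value}}}.
    Attribute values are kept per network so conflicting claims stay visible.
    """
    joined = defaultdict(lambda: {"sources": [], "attributes": {}})
    for name, records in networks.items():
        for rec in records:
            key = normalize_email(rec.get("email", ""))
            if key is None:
                continue  # no usable identifier: cannot be linked
            entry = joined[key]
            entry["sources"].append(name)
            for field, value in rec.items():
                if field == "email":
                    continue
                entry["attributes"].setdefault(field, {})[name] = value
    return dict(joined)


def linked_profiles(joined, min_sources=2):
    """Keep only identities observed on at least `min_sources` distinct networks."""
    return {k: v for k, v in joined.items() if len(set(v["sources"])) >= min_sources}


def main():
    joined = correlate({"A": NETWORK_A, "B": NETWORK_B, "C": NETWORK_C})
    for email, entry in linked_profiles(joined).items():
        print(email, "seen on", sorted(set(entry["sources"])))
        for attr, per_network in entry["attributes"].items():
            print("   ", attr, per_network)


if __name__ == "__main__":
    main()
```

Only the fictitious john.doe@example.com appears on more than one network, so the merged view combines an employer from one network with a birthday, city and relationship status from the others: exactly the kind of aggregate that none of the individual profiles disclosed on its own.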


Keywords: Social networks, Security attack, Impersonation, Correlation



Copyright information

© Springer-Verlag Italia Srl 2011

Authors and Affiliations

  • Leyla Bilge (1, corresponding author)
  • Marco Balduzzi (1)
  • Davide Balzarotti (1)
  • Engin Kirda (1)

  1. Institute Eurecom, Valbonne, France
