Friend-in-the-Middle Attacks: Exploiting Social Networking Sites for Spam
May/June 2011 (vol. 15 no. 3)
pp. 28-34
Markus Huber, SBA Research
Martin Mulazzani, SBA Research
Gerhard Kitzler, SBA Research
Sigrun Goluch, SBA Research
Edgar Weippl, SBA Research

Abstract:
Friend-in-the-middle attacks on social networking sites can be used to harvest social data in an automated fashion. Attackers can then exploit this data for large-scale attacks using context-aware spam and social phishing. The authors prove the feasibility of such an attack and simulate the impact on Facebook. Alarmingly, all major social networking sites are vulnerable to this attack because they fail to appropriately secure the network layer.

References:
1. R. Gross and A. Acquisti, "Information Revelation and Privacy in Online Social Networks," Proc. 2005 ACM Workshop on Privacy in the Electronic Society, ACM Press, 2005, pp. 71–80.
2. H. Jones and J. Soltren, "Facebook: Threats to Privacy," Dec. 2005.
3. J. Bonneau et al., "Eight Friends Are Enough: Social Graph Approximation via Public Listings," Proc. 2nd ACM EuroSys Workshop on Social Network Systems, ACM Press, 2009, pp. 13–18.
4. L. Bilge et al., "All Your Contacts Are Belong to Us: Automated Identity Theft Attacks on Social Networks," Proc. 18th Int'l World Wide Web Conf., ACM Press, 2009, pp. 551–560.
5. G. Brown et al., "Social Networks and Context-Aware Spam," Proc. ACM 2008 Conf. Computer Supported Cooperative Work, ACM Press, 2008, pp. 403–412.
6. T. Jagatic et al., "Social Phishing," Comm. ACM, vol. 50, no. 10, 2007, pp. 94–100.
7. P. Heymann, G. Koutrika, and H. Garcia-Molina, "Fighting Spam on Social Web Sites: A Survey of Approaches and Future Challenges," IEEE Internet Computing, vol. 11, no. 6, 2007, pp. 36–45.
8. M. Newman, "Power Laws, Pareto Distributions, and Zipf's Law," Contemporary Physics, vol. 46, no. 5, 2005, pp. 323–351.
9. M. Gjoka et al., "Walking in Facebook: A Case Study of Unbiased Sampling of OSNs," Proc. IEEE Conf. Computer Communications (Infocom 10), IEEE Press, 2010, pp. 1–9.
10. M. Huber et al., Friend-in-the-Middle Attacks, tech. report TR-SBA-Research-0710-01, SBA Research, 2010; publicationsFITM_TR-SBA-Research-0710-01.pdf.
11. R. Dingledine, N. Mathewson, and P. Syverson, "Tor: The Second-Generation Onion Router," Proc. 13th Usenix Security Symp., Usenix Assoc., 2004, pp. 21–38.
12. C. Wilson et al., "User Interactions in Social Networks and their Implications," Proc. 4th ACM European Conf. Computer Systems, ACM Press, 2009, pp. 205–218.
13. M. Lucas and N. Borisov, "FlyByNight: Mitigating the Privacy Risks of Social Networking," Proc. 7th ACM Workshop on Privacy in the Electronic Society, ACM Press, 2008, pp. 1–8.
14. W. Luo, Q. Xie, and U. Hengartner, "FaceCloak: An Architecture for User Privacy on Social Networking Sites," Computational Science and Eng. (CSE 09), vol. 3, IEEE Press, 2009, pp. 26–33.

Index Terms:
Social networking sites, spam, phishing, Internet computing
Markus Huber, Martin Mulazzani, Gerhard Kitzler, Sigrun Goluch, Edgar Weippl, "Friend-in-the-Middle Attacks: Exploiting Social Networking Sites for Spam," IEEE Internet Computing, vol. 15, no. 3, pp. 28-34, May-June 2011, doi:10.1109/MIC.2011.24