Slashdot Mirror


Researchers Create Social Engineering IRC Bot

An anonymous reader writes "Researchers at the Vienna University of Technology developed an IRC bot that acts as a 'man in the middle' between two unsuspecting users, modifies URLs passed between them, and also is capable of steering the conversation. Not only does this work surprisingly well on IRC — they found a 76.1% click rate for potentially malicious URLs — but four out of 10 people on Facebook Chat also clicked on links after the bot introduced complete strangers to each other. This would have worked even better if the bot were to clone existing friends' profiles and submit friend requests from those, say researchers."

66 comments

  1. In other words. by dreamchaser · · Score: 4, Insightful

    In other words, over 7 out of 10 IRC users and 4 out of 10 Facebook users are utter idiots.

    1. Re:In other words. by Culture20 · · Score: 2, Informative

      7 out of 10 IRC users [...] are utter idiots.

      Somehow I don't think that's true. I think it's more likely that 7/10 IRC "users" are other bots.

    2. Re:In other words. by Anonymous Coward · · Score: 0

      7/10 IRC users in Dating 1 are idiots or other bots
      3/10 IRC users in Dating 2 or Generic are idiots or other bots.

    3. Re:In other words. by hitmark · · Score: 3, Insightful

      even if one is not, a small unsuspecting moment is enough to get caught.

      --
      comment first, facts later. http://chem.tufts.edu/AnswersInScience/RelativityofWrong.htm
    4. Re:In other words. by Anonymous Coward · · Score: 3, Insightful

      I'm not so certain about that. IRC users tend to be more technically competent than people that just use Facebook or e-mail. How many of these people had Firefox with NoScript, for example? Malicious links would've been virtually worthless in such a case.

      Merely clicking doesn't prove much without giving out more information, imo.

    5. Re:In other words. by Anonymous Coward · · Score: 0

      From TFS:

      This would have worked even better if the bot were to clone existing friends' profiles and submit friend requests from those, say researchers.

      Don't you have to be a moron not to realize that friend request claims to be from someone you're already friends with?

    6. Re:In other words. by dreamchaser · · Score: 1

      Good point. With regards to the IRC though that depends on the server/network. There are some gaming centric IRC servers that are filled with idiot children.

    7. Re:In other words. by skyride · · Score: 0

      Try on irc.quakenet.org. I frequent on there a lot as it's used by the competitive communities for pretty much every online game in Europe, I mean there's plenty of smart people (the real idiots don't even know how to use IRC) but I bet if you went into a number of channels you'd find plenty of gullible users.

    8. Re:In other words. by Kenoli · · Score: 1

      Don't you have to be a moron not to realize that friend request claims to be from someone you're already friends with?

      When you're trying to serve malicious links to morons it's okay if they're, you know, morons.

    9. Re:In other words. by Runaway1956 · · Score: 1

      Let's not forget the proliferation of java IRC clients found on many sites today. I've joined a few channels through a Java client, then shut it down so that I could use a real IRC client to return to the channel. I have little idea how many users on any server might be technically savvy enough to set up an IRC client, how many are using Java, or how many are using a preconfigured mIRC client. It's probably worth studying, if anyone with the resources cares enough to study it.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    10. Re:In other words. by imakemusic · · Score: 2, Interesting

      Not really. Unless I'm missing something you would effectively be having a conversation with a real person. The only difference is that it is being relayed through a bot which may or may not alter the text - and even if it does alter the text the general gist would still be the same. If you were having a conversation with a person would you click the links they send you? Or would you say "I can't click that link because I can't verify your identity and trustworthiness"? It's definitely devious but I don't think the results are that surprising.

      Also they are surprised that people clicked tinyurl links more than myspace links but... that just shows that people would rather look at anything than a myspace page.

      --
      Brain surgery - it's not rocket science!
    11. Re:In other words. by 0100010001010011 · · Score: 2, Funny

      I see you like utter idiots, concur. Watch this video your viewing pleasure.. Very wonderful.

    12. Re:In other words. by maxwell demon · · Score: 2, Interesting

      Indeed, if you are having a conversation with someone you know, and at one point in conversation he says: "BTW a good covering of the subject can be found at http://tinyurl.com/foo" and the bot changes the text to "BTW a good covering of the subject can be found at http://tinyurl.com/bar" you have little chance to notice before you click on it that a bot-in-the-middle changed the link.

      Of course, I have preview enabled in tinyurl, so I'd see the real URL before I go there, and even if I couldn't recognize the real URL as obviously wrong, NoScript would likely protect me from any malware on that site (and the fact that I'm using Linux would protect me further, since the malware is most likely Windows specific anyway).

      --
      The Tao of math: The numbers you can count are not the real numbers.
    13. Re:In other words. by arth1 · · Score: 1

      IRC: Where men are bots, and girls are police officers.

      In other words, I doubt that there actually were many regular users trapped by this chatbot. 7 IRC users = 5 bots + 2 cops. You need really high figures to trap actual users.

    14. Re:In other words. by MichaelSmith · · Score: 1

      In the last day Angelina Jolie has invited me to be her friend on Facebook at least 200 times and I don't even have a facebook account.

    15. Re:In other words. by sortius_nod · · Score: 1

      Even if you are able to set up an IRC client it doesn't mean you're tech savvy. Austnet.org is a prime example of this.

    16. Re:In other words. by LordLimecat · · Score: 1

      Malicious links would've been virtually worthless in such a case.

      Not really, since plenty of malware comes through plugins like flash, java, and adobe.

    17. Re:In other words. by mikael_j · · Score: 1

      I have a few friends who think it's "funny" to have half a dozen different profiles on Facebook, it makes no sense to me and it makes them very hard to keep track of...

      --
      Greylisting is to SMTP as NAT is to IPv4
    18. Re:In other words. by Anonymous Coward · · Score: 0

      You chose a bad subject line. This isn't your personal blog where your readers hang on your every word, just dying to know "oh my god, he's going to explain something in some other words, but we don't even know what it is until we open the message. I can't wait!!!!"

    19. Re:In other words. by GigaHurtsMyRobot · · Score: 1

      Damn, Now I don't feel special anymore.

    20. Re:In other words. by dreamchaser · · Score: 1

      Yet you still read it and commented. Hmmm.

    21. Re:In other words. by Zibri · · Score: 2, Funny

      noscript blocks all of the above (except for adobe, which is a company).

    22. Re:In other words. by YourExperiment · · Score: 1

      You don't have to be an idiot to get caught by this sort of thing. Just look at Cory Doctorow on Twitter... oh, wait.

    23. Re:In other words. by IRWolfie- · · Score: 1

      Dating channels wouldn't attract the technically competent

  2. hey bob whats new by Anonymous Coward · · Score: 2, Funny

    i think i'll let everyone know how we been doing some hacks with bots

    bots to scan for vulnerabilities
    bots to launch the exploit
    BOTS for file sharing
    bots to call home
    bots to eat my toast...HEY THAT'S MY TOAST

  3. The PSA campaign by Anonymous Coward · · Score: 0

    Friends don't let friends click shitty URLs

    1. Re:The PSA campaign by $RANDOMLUSER · · Score: 2, Informative

      But the new Microsoft ad campaign says Internet Explorer blocks all those bad places. Who am I supposed to believe?

      --
      No folly is more costly than the folly of intolerant idealism. - Winston Churchill
    2. Re:The PSA campaign by IrquiM · · Score: 1

      trust no one!

      --
      This is blinging
    3. Re:The PSA campaign by maxwell demon · · Score: 3, Funny

      Indeed, I only trust the zeroes, not the ones.

      --
      The Tao of math: The numbers you can count are not the real numbers.
  4. Council is leading the witness... by garyisabusyguy · · Score: 4, Interesting

    Aside from all of the fun with malicious code and all, the potential to lead people down a mental path through 'conversation' seems to have the potential to expose a LOT of people to make self-incriminating statements

    It's like a photo-radar gun for thought crime, an investigator doesn't even have to be there to do it. Just set your bots out there to lead people into talking about laundering money, seducing teens, killing their neighbor and WHAMO an adventurous district attorney is pressing charges.

    Nah, what was I thinking, we live in way too free of a society for that to ever happen. What a relief

    --
    Wherever You Go, There You Are
    1. Re:Council is leading the witness... by copponex · · Score: 1

      Nah, what was I thinking, we live in way too free of a society for that to ever happen. What a relief

      Entrapment is illegal. Our failure to make sure law enforcement obeys the law is our fault.

    2. Re:Council is leading the witness... by am 2k · · Score: 1

      Entrapment is illegal.

      No, it's only illegal for the police. They just have to outsource this task to a private company, which supplies them with the chat logs afterwards, and they're fine.

    3. Re:Council is leading the witness... by couchslug · · Score: 1

      Entrapment is practical.

      Solution:
      Trust no one and shut the fuck up. The internet is as forgiving as 4chan.

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
    4. Re:Council is leading the witness... by Orangeecho · · Score: 1

      Minority Report ...

    5. Re:Council is leading the witness... by imthesponge · · Score: 1

      It's not entrapment if they don't entice you into doing the crime.

  5. Not Impressed by crow_t_robot · · Score: 1

    I'm not very impressed considering a billion-dollar industry is founded mostly on sending "the general public" unsolicited links (in broken English, no less) in World of Warcraft that they willingly visit and then volunteer their login credentials.

  6. No by copponex · · Score: 1

    Can we get back to a world where a person said something after they gathered information on it?

    http://www.lectlaw.com/def/e024.htm

    A person is 'entrapped' when he is induced or persuaded by law enforcement officers or their agents to commit a crime that he had no previous intent to commit; and the law as a matter of policy forbids conviction in such a case.

    Agents in the case being anyone they could pay. Paying someone to bring you criminals is a really bad idea, since any judge would immediately consider the conflict of interest as a cause to have reasonable doubt that the accused is guilty.

    I'm sure that paragraph could include a massive amount of legal terms if written by a lawyer.

    1. Re:No by Urza9814 · · Score: 1

      True, but this scenario wouldn't be entrapment, and it already happens.

      Let me alter your emphasis on that definition:

      A person is 'entrapped' when he is induced or persuaded by law enforcement officers or their agents to commit a crime that he had no previous intent to commit; and the law as a matter of policy forbids conviction in such a case.

      So, it's entrapment if they say 'we're going to arrest you unless you rob that store'. It's not entrapment if they pose as a 13 year old girl and ask if you want to have sex with them. That is exactly what this kind of program would be doing. And it's also exactly what is already done by vigilante organizations like Perverted Justice, which are generally backed up by local police.

    2. Re:No by maxwell demon · · Score: 3, Funny

      Can we get back to a world where a person said something after they gathered information on it?

      Well, he didn't write that. A bot changed it during submission. :-)

      --
      The Tao of math: The numbers you can count are not the real numbers.
    3. Re:No by sjames · · Score: 1

      Actually, if they make the offer it is SUPPOSED to be considered entrapment since they gave you the idea, but in practice, unless they actually tie you down and force you (perhaps not even then) it won't be considered entrapment.

      OTOH, if they pose as a 13 year old girl and wait for some perv to suggest something improper, then it really isn't entrapment.

  7. reminds me... by eexaa · · Score: 1

    Reminds me of that "magician" who was able to win 50% of simultaneous chess matches against any number of professional players.

    1. Re:reminds me... by robinvanleeuwen · · Score: 2, Informative
      --
      If you don't like my sig then don't read it.
    2. Re:reminds me... by Culture20 · · Score: 1

      Reminds me of that "magician" who was able to win 50% of simultaneous chess matches against any number of professional players.

      Any number of opponents except one, but he would mitm copy the games verbatim between two players. I suppose that means he would lose an extra one if there was an odd numbered opponent.

  8. And what's new? by Dumnezeu · · Score: 5, Interesting

    I did something similar for a friend, helping him pick up women on IRC. The bot learned his usual questions and if they answered about 10 questions, it meant they were interested in him and the bot would forward the conversation to him and he continued it. Another time, I wrote an IRC bot for myself; it would act as a man-in-the-middle to pick up women by getting female nicknames and then forwarding the messages it got to other female-like nicknames it detected. If the conversation went long enough, it forwarded everything to me and I would pick up the chat from there.

    --
    Yes, it's sarcasm. Deal with it!
    1. Re:And what's new? by Anonymous Coward · · Score: 4, Funny

      That's not creepy AT ALL

    2. Re:And what's new? by Anonymous Coward · · Score: 1, Funny

      And as a result your programming skills have gone up considerably, while your and your friends' score with women is still 0. However, if I'm wrong and it's not 0, please entertain us with the stories about meeting those men who disguised themselves as women on IRC. Thinking about it, the score will still be 0, but we all have a good laugh.

    3. Re:And what's new? by dnaumov · · Score: 1

      I did something similar for a friend, helping him pick up women on IRC. The bot learned his usual questions and if they answered about 10 questions, it meant they were interested in him and the bot would forward the conversation to him and he continued it. Another time, I wrote an IRC bot for myself; it would act as a man-in-the-middle to pick up women by getting female nicknames and then forwarding the messages it got to other female-like nicknames it detected. If the conversation went long enough, it forwarded everything to me and I would pick up the chat from there.

      And then you woke up.

    4. Re:And what's new? by antdude · · Score: 1

      Is there a Linux source for this so I can run it too? ;)

      Any other good AI chatbots? I tried Howie, Rbot, and Alice so far but they are outdated/old. :(

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    5. Re:And what's new? by Terrasque · · Score: 1

      And the end goal was to distribute your own malicious payload, I guess?

      --
      It's The Golden Rule: "He who has the gold makes the rules."
    6. Re:And what's new? by Anonymous Coward · · Score: 0

      Yes... deliver the payload by exploiting a known hole.

    7. Re:And what's new? by Dumnezeu · · Score: 1

      And then you woke up.

      You won't believe how dumb people are on IRC! Their dictionary is rather limited, which made tuning the question generator quite simple.

      --
      Yes, it's sarcasm. Deal with it!
    8. Re:And what's new? by noidentity · · Score: 1

      I did something similar for a friend, helping him pick up women on IRC. The bot learned his usual questions and if they answered about 10 questions, it meant they were interested in him and the bot would forward the conversation to him and he continued it. Another time, I wrote an IRC bot for myself; it would act as a man-in-the-middle to pick up women by getting female nicknames and then forwarding the messages it got to other female-like nicknames it detected. If the conversation went long enough, it forwarded everything to me and I would pick up the chat from there.

      Still at Slashdot. Sorry it didn't work.

    9. Re:And what's new? by ByteSlicer · · Score: 1

      You won't believe how dumb people are on IRC! Their dictionary is rather limited, which made tuning the question generator quite simple.

      Or maybe they're just all bots?

  9. Interesting concept by Arancaytar · · Score: 2, Interesting

    I've seen this idea used for pranks before. People hanging out on IRC watching a bot that was hooking up unsuspecting AIM users to each other. Later on, this became a website called Omegle.

  10. Oh how clever..... not... but then again by 3seas · · Score: 1

    Don't we already have enough biological artificial intelligence on the internet?
    Do we really need silicon based artificial intelligence to make the bottomless pit of abstraction consume even more of the internet?

    Just because you can blow up an atomic bomb, does it mean you have to?

    This is not social networking to use such a bot. It's very anti-social and deceptive.

    Excuse me but real social networking works on real humans, otherwise it's artificial networking.

    But here is a thought that might just prove valuable.

    Create such bots but program them for this and that philosophy, you know, warring mindset philosophy, Jewish Philosophy, Islamic, Catholic, etc... and let them run on the world's fastest computers so we can uncover the bullshit of all this in virtual reality before we do it in real life.

    1. Re:Oh how clever..... not... but then again by Anonymous Coward · · Score: 0

      You're not very smart, are you?

    2. Re:Oh how clever..... not... but then again by Anonymous Coward · · Score: 0

      I think he makes a good point. Social networking occurs between real people, people with emotions, hopes and dreams. More and more friendships and relations start on the internet.
      One big problem is though that you need to trust people to some degree at some point to get anywhere, like trust that you are always talking to the person you think you are talking to, trust that the person doesn't pretend to be someone he/she is not, trust that they don't fool you.
      I highly disagree with abusing someone's trust and think it's unethical to play with people that way and deceive them. Someone might cold-heartedly say 'If someone falls for it, darwinism.' ... well, then the same logic applies, if someone, whose trust got abused, finally freaks out and kills the person who did it to them. 'Bad luck. Darwinism.'

      Don't forget that social networking is between real people with emotions, hopes, dreams, expectations, dignity and think about the consequences. Do you really want a climate, where everyone is / must be suspicious of anything ? It completely ruins the fun, if you need to be constantly aware that any little bit of trust can backfire.

  11. Potential revenue or not...... by Anonymous Coward · · Score: 0

    Potential revenue or not...... I would feel like such a lowlife doing this for a living. I don't understand how some people can live with themselves.

  12. I did something more interesting... by goruka · · Score: 5, Funny

    For the lulz, about 10 years ago, I created an IRC bot that connected to #sex and #cybersex in dalnet, and pretended to be a young girl awaiting for cyber..
    Then it would interconnect pairs of two who would talk to her and forward the message, but this didn't work for long because they'd soon figure out the opposite partner was of the same sex. So I added a functionality that would flip words, example penis vagina, boobs balls, and would intercept some messages (like if a peer requested a picture, or ASL request) and send a fake ASL or URL of a hot chick. After a few attempts, most of the pairs ended up having cyber anyway!
    Even though bizarre phrases happened (like "I want to insert my 8 inch vagina into your deep wet penis") most people amazingly didn't even find it strange, and even though it was probably left running all night and created more probably a hundred "encounters", no one even suspected a tiny little about what was going on, no one!

    1. Re:I did something more interesting... by Anonymous Coward · · Score: 0

      Interesting yeah, but dude, after publishing the source code you should really see a doctor :)

    2. Re:I did something more interesting... by noidentity · · Score: 3, Funny

      Even though bizarre phrases happened (like "I want to insert my 8 inch vagina into your deep wet penis") most people amazingly didn't even find it strange, and even though it was probably left running all night and created more probably a hundred "encounters", no one even suspected a tiny little about what was going on, no one!

      So you're the one who made me gay!!!!!!!

  13. A.I Evolution by MyFirstNameIsPaul · · Score: 1

    I believe the first artificial intelligence will awaken in botnet.

    --

    I once took an excursion to Reddit, and later HN. Unlimited up/down voting sucks when dealing with a hive-mind.

  14. You think that's creepy? by Philip_the_physicist · · Score: 1

    Some friends of mine from uni wrote a shell script to use finger to get a list of users, remove their name from the list, then look up each logged in user's classes (from LDAP, then from the university calendar to convert codes to English), what year they are in, whether domestic or international, and a whole load of other details from LDAP, and present them in an easy to read report. More recent versions try to scrape facebook for mutual friends, interests and so on (and a photo, to prevent name collisions causing embarrassment). When they saw a pretty girl in the labs, they'd ssh into her computer and use the details to provide a conversation starter.

    It started out as about 100 characters of bash, and got a little out of hand, but it did work. Personally, I suspect most of the benefit came from the effect of an epic kludge on a CS student than the intended conversation, since it was usually fairly obvious that the user had a load of her personal information, and explaining that you'd written a script to look them up is a lot better than seeming like a stalker.

    1. Re:You think that's creepy? by Anonymous Coward · · Score: 0

      I was about to say
      "I do the same thing, except I never end up talking to them......."
      but then I had the thought that you are a bot attempting to extract information from me