Researchers Create Social Engineering IRC Bot

Soulskill posted more than 3 years ago | from the eliza-plus-chatroulette dept.

Security 66

An anonymous reader writes "Researchers at the Vienna University of Technology developed an IRC bot that acts as a 'man in the middle' between two unsuspecting users, modifies URLs passed between them, and also is capable of steering the conversation. Not only does this work surprisingly well on IRC — they found a 76.1% click rate for potentially malicious URLs — but four out of 10 people on Facebook Chat also clicked on links after the bot introduced complete strangers to each other. This would have worked even better if the bot were to clone existing friends' profiles and submit friend requests from those, say researchers."

66 comments

Fuck you (-1, Redundant)

Anonymous Coward | more than 3 years ago | (#32551008)

Frist psto!

In other words. (4, Insightful)

dreamchaser (49529) | more than 3 years ago | (#32551030)

In other words, over 7 out of 10 IRC users and 4 out of 10 Facebook users are utter idiots.

Re:In other words. (2, Informative)

Culture20 (968837) | more than 3 years ago | (#32551146)

7 out of 10 IRC users [...] are utter idiots.

Somehow I don't think that's true. I think it's more likely that 7/10 IRC "users" are other bots.

Re:In other words. (0)

Anonymous Coward | more than 3 years ago | (#32551206)

7/10 IRC users in Dating 1 are idiots or other bots
3/10 IRC users in Dating 2 or Generic are idiots or other bots.

Re:In other words. (3, Insightful)

hitmark (640295) | more than 3 years ago | (#32551254)

even if one is not, a small unsuspecting moment is enough to get caught.

Re:In other words. (3, Insightful)

Anonymous Coward | more than 3 years ago | (#32551312)

I'm not so certain about that. IRC users tend to be more technically competent than people that just use Facebook or e-mail. How many of these people had Firefox with NoScript, for example? Malicious links would've been virtually worthless in such a case.

Merely clicking doesn't prove much without giving out more information, imo.

Re:In other words. (1)

dreamchaser (49529) | more than 3 years ago | (#32551372)

Good point. With regards to the IRC though that depends on the server/network. There are some gaming centric IRC servers that are filled with idiot children.

Re:In other words. (1)

skyride (1436439) | more than 3 years ago | (#32551548)

Try on irc.quakenet.org. I frequent on there a lot as it's used by the competitive communities for pretty much every online game in Europe, I mean there's plenty of smart people (the real idiots don't even know how to use IRC) but I bet if you went into a number of channels you'd find plenty of gullible users.

Re:In other words. (1)

Runaway1956 (1322357) | more than 3 years ago | (#32551658)

Let's not forget the proliferation of Java IRC clients found on many sites today. I've joined a few channels through a Java client, then shut it down so that I could use a real IRC client to return to the channel. I have little idea how many users on any server might be technically savvy enough to set up an IRC client, how many are using Java, or how many are using a preconfigured mIRC client. It's probably worth studying, if anyone with the resources cares enough to study it.

Re:In other words. (1)

sortius_nod (1080919) | more than 3 years ago | (#32553662)

Even if you are able to set up an IRC client it doesn't mean you're tech savvy. Austnet.org is a prime example of this.

Re:In other words. (1)

LordLimecat (1103839) | more than 3 years ago | (#32553694)

Malicious links would've been virtually worthless in such a case.

Not really, since plenty of malware comes through plugins like flash, java, and adobe.

Re:In other words. (0)

Anonymous Coward | more than 3 years ago | (#32551368)

From TFS:

This would have worked even better if the bot were to clone existing friends' profiles and submit friend requests from those, say researchers.

Don't you have to be a moron not to realize that friend request claims to be from someone you're already friends with?

Re:In other words. (1)

Kenoli (934612) | more than 3 years ago | (#32551570)

Don't you have to be a moron not to realize that friend request claims to be from someone you're already friends with?

When you're trying to serve malicious links to morons it's okay if they're, you know, morons.

Re:In other words. (1)

mikael_j (106439) | more than 3 years ago | (#32553810)

I have a few friends who think it's "funny" to have half a dozen different profiles on Facebook, it makes no sense to me and it makes them very hard to keep track of...

Re:In other words. (2, Interesting)

imakemusic (1164993) | more than 3 years ago | (#32551686)

Not really. Unless I'm missing something you would effectively be having a conversation with a real person. The only difference is that it is being relayed through a bot which may or may not alter the text - and even if it does alter the text the general gist would still be the same. If you were having a conversation with a person would you click the links they send you? Or would you say "I can't click that link because I can't verify your identity and trustworthiness"? It's definitely devious but I don't think the results are that surprising.

Also they are surprised that people clicked tinyurl links more than myspace links but... that just shows that people would rather look at anything than a myspace page.

Re:In other words. (2, Interesting)

maxwell demon (590494) | more than 3 years ago | (#32551958)

Indeed, if you are having a conversation with someone you know, and at one point in conversation he says: "BTW a good covering of the subject can be found at http://tinyurl.com/foo" and the bot changes the text to "BTW a good covering of the subject can be found at http://tinyurl.com/bar" you have little chance to notice before you click on it that a bot-in-the-middle changed the link.

Of course, I have preview enabled in tinyurl, so I'd see the real URL before I go there, and even if I couldn't recognize the real URL as obviously wrong, NoScript would likely protect me from any malware on that site (and the fact that I'm using Linux would protect me further, since the malware is most likely Windows specific anyway).

Re:In other words. (1)

arth1 (260657) | more than 3 years ago | (#32552052)

IRC: Where men are bots, and girls are police officers.

In other words, I doubt that there actually were many regular users trapped by this chatbot. 7 IRC users = 5 bots + 2 cops. You need really high figures to trap actual users.

Re:In other words. (0)

Anonymous Coward | more than 3 years ago | (#32554512)

You chose a bad subject line. This isn't your personal blog where your readers hang on your every word, just dying to know "oh my god, he's going to explain something in some other words, but we don't even know what it is until we open the message. I can't wait!!!!"

Re:In other words. (1)

YourExperiment (1081089) | more than 3 years ago | (#32556398)

You don't have to be an idiot to get caught by this sort of thing. Just look at Cory Doctorow on Twitter... oh, wait.

hey bob whats new (2, Funny)

Anonymous Coward | more than 3 years ago | (#32551046)

i think i'll let everyone know how we been doing some hacks with bots

bots to scan for vulnerabilities
bots to launch the exploit
BOTS for file sharing
bots to call home
bots to eat my toast...HEY THAT'S MY TOAST

The PSA campaign (0)

Anonymous Coward | more than 3 years ago | (#32551060)

Friends don't let friends click shitty URLs

Council is leading the witness... (4, Interesting)

garyisabusyguy (732330) | more than 3 years ago | (#32551082)

Aside from all of the fun with malicious code and all, the potential to lead people down a mental path through 'conversation' seems to have the potential to expose a LOT of people to make self-incriminating statements

It's like a photo-radar gun for thought crime, an investigator doesn't even have to be there to do it. Just set your bots out there to lead people into talking about laundering money, seducing teens, killing their neighbor and WHAMO an adventurous district attorney is pressing charges.

Nah, what was I thinking, we live in way too free of a society for that to ever happen. What a relief

Re:Council is leading the witness... (1)

copponex (13876) | more than 3 years ago | (#32551280)

Nah, what was I thinking, we live in way too free of a society for that to ever happen. What a relief

Entrapment is illegal. Our failure to make sure law enforcement obeys the law is our fault.

Re:Council is leading the witness... (1)

am 2k (217885) | more than 3 years ago | (#32551406)

Entrapment is illegal.

No, it's only illegal for the police. They just have to outsource this task to a private company, which supplies them with the chat logs afterwards, and they're fine.

No (1)

copponex (13876) | more than 3 years ago | (#32551542)

Can we get back to a world where a person said something after they gathered information on it?

http://www.lectlaw.com/def/e024.htm [lectlaw.com]

A person is 'entrapped' when he is induced or persuaded by law enforcement officers or their agents to commit a crime that he had no previous intent to commit; and the law as a matter of policy forbids conviction in such a case.

Agents in the case being anyone they could pay. Paying someone to bring you criminals is a really bad idea, since any judge would immediately consider the conflict of interest as a cause to have reasonable doubt that the accused is guilty.

I'm sure that paragraph could include a massive amount of legal terms if written by a lawyer.

Re:No (1)

Urza9814 (883915) | more than 3 years ago | (#32551732)

True, but this scenario wouldn't be entrapment, and it already happens.

Let me alter your emphasis on that definition:

A person is 'entrapped' when he is induced or persuaded by law enforcement officers or their agents to commit a crime that he had no previous intent to commit; and the law as a matter of policy forbids conviction in such a case.

So, it's entrapment if they say 'we're going to arrest you unless you rob that store'. It's not entrapment if they pose as a 13 year old girl and ask if you want to have sex with them. That is exactly what this kind of program would be doing. And it's also exactly what is already done by vigilante organizations like Perverted Justice, which are generally backed up by local police.

Re:No (1)

sjames (1099) | more than 3 years ago | (#32552228)

Actually, if they make the offer it is SUPPOSED to be considered entrapment since they gave you the idea, but in practice, unless they actually tie you down and force you (perhaps not even then) it won't be considered entrapment.

OTOH, if they pose as a 13 year old girl and wait for some perv to suggest something improper, then it really isn't entrapment.

Re:No (3, Funny)

maxwell demon (590494) | more than 3 years ago | (#32551982)

Can we get back to a world where a person said something after they gathered information on it?

Well, he didn't write that. A bot changed it during submission. :-)

Re:Council is leading the witness... (1)

couchslug (175151) | more than 3 years ago | (#32551480)

Entrapment is practical.

Solution:
Trust no one and shut the fuck up. The internet is as forgiving as 4chan.

Not Impressed (1)

crow_t_robot (528562) | more than 3 years ago | (#32551200)

I'm not very impressed considering a billion-dollar industry is founded mostly on sending "the general public" unsolicited links (in broken English, no less) in World of Warcraft that they willingly visit and then volunteer their login credentials.

reminds me... (1)

eexaa (1252378) | more than 3 years ago | (#32551630)

Reminds me of that "magician" who was able to win 50% of simultaneous chess matches against any number of professional players.

Re:reminds me... (1)

Culture20 (968837) | more than 3 years ago | (#32552338)

Reminds me of that "magician" who was able to win 50% of simultaneous chess matches against any number of professional players.

Any number of opponents except one, but he would mitm copy the games verbatim between two players. I suppose that means he would lose an extra one if there was an odd numbered opponent.

And what's new? (5, Interesting)

Dumnezeu (1673634) | more than 3 years ago | (#32551646)

I did something similar for a friend, helping him pick up women on IRC. The bot learned his usual questions and if they answered about 10 questions, it meant they were interested in him and the bot would forward the conversation to him and he continued it. Another time, I wrote an IRC bot for myself; it would act as a man-in-the-middle to pick up women by getting female nicknames and then forwarding the messages it got to other female-like nicknames it detected. If the conversation went long enough, it forwarded everything to me and I would pick up the chat from there.

Re:And what's new? (4, Funny)

Anonymous Coward | more than 3 years ago | (#32552180)

That's not creepy AT ALL

You think that's creepy? (1)

Philip_the_physicist (1536015) | more than 3 years ago | (#32555336)

Some friends of mine from uni wrote a shell script to use finger to get a list of users, remove their name from the list, then look up each logged in user's classes (from LDAP, then from the university calendar to convert codes to English), what year they are in, whether domestic or international, and a whole load of other details from LDAP, and present them in an easy to read report. More recent versions try to scrape facebook for mutual friends, interests and so on (and a photo, to prevent name collisions causing embarrassment). When they saw a pretty girl in the labs, they'd ssh into her computer and use the details to provide a conversation starter.

It started out as about 100 characters of bash, and got a little out of hand, but it did work. Personally, I suspect most of the benefit came from the effect of an epic kludge on a CS student than the intended conversation, since it was usually fairly obvious that the user had a load of her personal information, and explaining that you'd written a script to look them up is a lot better than seeming like a stalker.

Re:You think that's creepy? (0)

Anonymous Coward | more than 3 years ago | (#32559738)

i was about to say
"I do the same thing, except I never end up talking to them......."
but then I had the thought that you are a bot attempting to extract information from me

Re:And what's new? (1, Funny)

Anonymous Coward | more than 3 years ago | (#32552254)

And as a result your programming skills have gone up considerably, while your and your friends' score with women is still 0. However, if I'm wrong and it's not 0, please entertain us with the stories about meeting those men who disguised themselves as women on IRC. Thinking about it, the score will still be 0, but we all have a good laugh.

Re:And what's new? (1)

dnaumov (453672) | more than 3 years ago | (#32552370)

I did something similar for a friend, helping him pick up women on IRC. The bot learned his usual questions and if they answered about 10 questions, it meant they were interested in him and the bot would forward the conversation to him and he continued it. Another time, I wrote an IRC bot for myself; it would act as a man-in-the-middle to pick up women by getting female nicknames and then forwarding the messages it got to other female-like nicknames it detected. If the conversation went long enough, it forwarded everything to me and I would pick up the chat from there.

And then you woke up.

Re:And what's new? (1)

Dumnezeu (1673634) | more than 3 years ago | (#32553642)

And then you woke up.

You won't believe how dumb people are on IRC! Their dictionary is rather limited, which made tuning the question generator quite simple.

Re:And what's new? (1)

ByteSlicer (735276) | more than 3 years ago | (#32555540)

You won't believe how dumb people are on IRC! Their dictionary is rather limited, which made tuning the question generator quite simple.

Or maybe they're just all bots?

Re:And what's new? (1)

antdude (79039) | more than 3 years ago | (#32552976)

Is there a Linux source for this so I can run it too? ;)

Any other good AI chatbots? I tried Howie, Rbot, and Alice so far but they are outdated/old. :(

Re:And what's new? (1)

Terrasque (796014) | more than 3 years ago | (#32553134)

And the end goal was to distribute your own malicious payload, I guess?

Re:And what's new? (0)

Anonymous Coward | more than 3 years ago | (#32553304)

Yes... deliver the payload by exploiting a known hole.

Re:And what's new? (1)

noidentity (188756) | more than 3 years ago | (#32554400)

I did something similar for a friend, helping him pick up women on IRC. The bot learned his usual questions and if they answered about 10 questions, it meant they were interested in him and the bot would forward the conversation to him and he continued it. Another time, I wrote an IRC bot for myself; it would act as a man-in-the-middle to pick up women by getting female nicknames and then forwarding the messages it got to other female-like nicknames it detected. If the conversation went long enough, it forwarded everything to me and I would pick up the chat from there.

Still at Slashdot. Sorry it didn't work.

Interesting concept (2, Interesting)

Arancaytar (966377) | more than 3 years ago | (#32551680)

I've seen this idea used for pranks before. People hanging out on IRC watching a bot that was hooking up unsuspecting AIM users to each other. Later on, this became a website called Omegle.

mod 0p (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#32551758)

*BSD is dying It is Is 3ying and its

Oh how clever..... not... but then again (1)

3seas (184403) | more than 3 years ago | (#32552012)

Don't we already have enough biological artificial intelligence on the internet?
Do we really need silicon based artificial intelligence to make the bottomless pit of abstraction consume even more of the internet?

Just because you can blow up an atomic bomb, does it mean you have to?

This is not social networking to use such a bot. It's very anti-social and deceptive.

Excuse me but real social networking works on real humans, otherwise it's artificial networking.

But here is a thought that might just prove valuable.

Create such bots but program them for this and that philosophy, you know, warring mindset philosophy, Jewish Philosophy, Islamic, Catholic, etc... and let them run on the world's fastest computers so we can uncover the bullshit of all this in virtual reality before we do it in real life.

Re:Oh how clever..... not... but then again (0)

Anonymous Coward | more than 3 years ago | (#32552646)

You're not very smart, are you?

Re:Oh how clever..... not... but then again (0)

Anonymous Coward | more than 3 years ago | (#32556004)

I think he makes a good point. Social networking occurs between real people, people with emotions, hopes and dreams. More and more friendships and relations start on the internet.
One big problem is though that you need to trust people to some degree at some point to get anywhere, like trust that you are always talking to the person you think you are talking to, trust that the person doesn't pretend to be someone he/she is not, trust that they don't fool you.
I highly disagree with abusing someone's trust and think it's unethical to play with people that way and deceive them. Someone might cold-heartedly say 'If someone falls for it, darwinism.' ... well, then the same logic applies, if someone, whose trust got abused, finally freaks out and kills the person, who did it to them. 'Bad luck. Darwinism.'

Don't forget that social networking is between real people with emotions, hopes, dreams, expectations, dignity and think about the consequences. Do you really want a climate, where everyone is / must be suspicious of anything ? It completely ruins the fun, if you need to be constantly aware that any little bit of trust can backfire.

Potential revenue or not...... (0)

Anonymous Coward | more than 3 years ago | (#32552120)

Potential revenue or not...... I would feel like such a lowlife doing this for a living. I don't understand how some people can live with themselves.

I did something more interesting... (5, Funny)

goruka (1721094) | more than 3 years ago | (#32552132)

For the lulz, about 10 years ago, I created an IRC bot that connected to #sex and #cybersex in dalnet, and pretended to be a young girl awaiting for cyber..
Then it would interconnect pairs of two who would talk to her and forward the message, but this didn't work for long because they'd soon figure out the opposite partner was of the same sex. So I added a functionality that would flip words, example penis vagina, boobs balls, and would intercept some messages (like if a peer requested a picture, or ASL request) and send a fake ASL or URL of a hot chick. After a few attempts, most of the pairs ended up having cyber anyway!
Even though bizarre phrases happened (like "I want to insert my 8 inch vagina into your deep wet penis") most people amazingly didn't even find it strange, and even though it was probably left running all night and created more probably a hundred "encounters", no one even suspected a tiny little about what was going on, no one!

Re:I did something more interesting... (0)

Anonymous Coward | more than 3 years ago | (#32554226)

Interesting yeah, but dude, after publishing the source code you should really see a doctor :)

Re:I did something more interesting... (3, Funny)

noidentity (188756) | more than 3 years ago | (#32554458)

Even though bizarre phrases happened (like "I want to insert my 8 inch vagina into your deep wet penis") most people amazingly didn't even find it strange, and even though it was probably left running all night and created more probably a hundred "encounters", no one even suspected a tiny little about what was going on, no one!

So you're the one who made me gay!!!!!!!
