Shostack + Friends Blog Archive

Emerging threat: Social Botnets

We think of botnets as networks of computing devices slaved to some command & control system.  But what about human-in-the-loop botnets, where humans are either participants or prime actors?  I’m coining this label: “social botnet”.  Here’s the blog post that got me thinking: “Health Insurers Caught Paying Facebook Gamers To Oppose Reform Bill“ [link to http://www.liquidmatrix.org/blog/2009/12/09/health-insurers-caught-paying-facebook-gamers-to-oppose-reform-bill/ no longer works]:

From Business Insider:

Instead of asking the gamers to try a product the way Netflix would, “Get Health Reform Right” requires gamers to take a survey, which, upon completion, automatically sends the following email to their Congressional Rep:

“I am concerned a new government plan could cause me to lose the employer coverage I have today. More government bureaucracy will only create more problems, not solve the ones we have.”

When looking at the “Who we are” [link to http://www.gethealthreformright.org/site/page/who_we_are no longer works] tab on the GetHealthReformRight.org. Here is the excerpt from this page below.

Get Health Reform Right is a project of organizations whose shared mission is to ensure consumers continue to have access to employer-sponsored healthcare plans. We are concerned about federal legislation that would create new government bureaucracies that would unravel the workplace healthcare system where more than 160 million people get their coverage.

* Association of Health Insurance Advisors
* America’s Health Insurance Plans
* American Benefits Council
* BlueCross BlueShield Association
* Council of Insurance Agents & Brokers
* Healthcare Leadership Council
* Independent Insurance Agents & Brokers
* National Association of Health Underwriters
* National Association of Insurance and Financial Advisors
* National Retail Association

I call it a “botnet” because the people playing the game don’t really know what’s being done with their personal information and what actions are being taken in the world, under the illusion that the person consciously initiated the action (which they did not).  This is a form of “soft control”, where incentives, peer influence, and appearances are manipulated to get the player to do what the controller wants them to do.

I call this an emerging threat because of the proliferation of virtual worlds and virtual currency systems, where the individuals participating are highly motivated to maximize their virtual earnings.  Any virtual world+currency system is vulnerable to this sort of social botnet if a link can be made between some in-world activity (both fun, lucrative, and social) and some real world mass action (petition letters, flash mob, download, or what ever).  Your organization may be far outside this virtual world, but your organization may still be the target of the mass action.  One more thing to add to your threat model.

Originally published by Russell on 9 Dec 2009
Last modified on 9 Dec 2009
Categories:   Uncategorized