Researchers Create Social Engineering IRC Bot
An anonymous reader writes "Researchers at the Vienna University of Technology developed an IRC bot that acts as a 'man in the middle' between two unsuspecting users, modifies URLs passed between them, and also is capable of steering the conversation. Not only does this work surprisingly well on IRC — they found a 76.1% click rate for potentially malicious URLs — but four out of 10 people on Facebook Chat also clicked on links after the bot introduced complete strangers to each other. This would have worked even better if the bot were to clone existing friends' profiles and submit friend requests from those, say researchers."
In other words. (Score:5, Insightful)
In other words, over 7 out of 10 IRC users and 4 out of 10 Facebook users are utter idiots.
Re: (Score:3, Informative)
7 out of 10 IRC users [...] are utter idiots.
Somehow I don't think that's true. I think it's more likely that 7/10 IRC "users" are other bots.
Re:In other words. (Score:4, Insightful)
Even if one is not, a small unsuspecting moment is enough to get caught.
Re: (Score:3, Insightful)
I'm not so certain about that. IRC users tend to be more technically competent than people that just use Facebook or e-mail. How many of these people had Firefox with NoScript, for example? Malicious links would've been virtually worthless in such a case.
Merely clicking doesn't prove much without giving out more information, imo.
Re: (Score:2)
Good point. With regards to the IRC though that depends on the server/network. There are some gaming centric IRC servers that are filled with idiot children.
Re: (Score:2)
Let's not forget the proliferation of Java IRC clients found on many sites today. I've joined a few channels through a Java client, then shut it down so that I could use a real IRC client to return to the channel. I have little idea how many users on any server might be technically savvy enough to set up an IRC client, how many are using Java, or how many are using a preconfigured mIRC client. It's probably worth studying, if anyone with the resources cares enough to study it.
Re: (Score:2)
Even if you are able to set up an IRC client it doesn't mean you're tech savvy. Austnet.org is a prime example of this.
Re: (Score:2)
Malicious links would've been virtually worthless in such a case.
Not really, since plenty of malware comes through plugins like Flash, Java, and Adobe.
Re: (Score:3, Funny)
NoScript blocks all of the above (except for Adobe, which is a company).
Re: (Score:1)
Don't you have to be a moron not to realize that friend request claims to be from someone you're already friends with?
When you're trying to serve malicious links to morons it's okay if they're, you know, morons.
Re: (Score:2)
In the last day Angelina Jolie has invited me to be her friend on Facebook at least 200 times and I don't even have a Facebook account.
Re: (Score:2)
I have a few friends who think it's "funny" to have half a dozen different profiles on Facebook. It makes no sense to me and it makes them very hard to keep track of...
Re: (Score:3, Interesting)
Not really. Unless I'm missing something you would effectively be having a conversation with a real person. The only difference is that it is being relayed through a bot which may or may not alter the text - and even if it does alter the text the general gist would still be the same. If you were having a conversation with a person would you click the links they send you? Or would you say "I can't click that link because I can't verify your identity and trustworthiness"? It's definitely devious but I don't t
Re: (Score:2, Interesting)
Indeed, if you are having a conversation with someone you know, and at one point in conversation he says: "BTW a good covering of the subject can be found at http://tinyurl.com/foo" and the bot changes the text to "BTW a good covering of the subject can be found at http://tinyurl.com/bar" you have little chance to notice before you click on it that a bot-in-the-middle changed the link.
Of course, I have preview enabled in tinyurl, so I'd see the real URL before I go there, and even if I couldn't recognize th
Re: (Score:3, Funny)
I see you like utter idiots, concur. Watch this video your viewing pleasure.. Very wonderful.
Re: (Score:2)
IRC: Where men are bots, and girls are police officers.
In other words, I doubt that there actually were many regular users trapped by this chatbot. 7 IRC users = 5 bots + 2 cops. You need really high figures to trap actual users.
Re: (Score:2)
Yet you still read it and commented. Hmmm.
hey bob whats new (Score:2, Funny)
i think i'll let everyone know how we been doing some hacks with bots
bots to scan for vulnerabilities
bots to launch the exploit
BOTS for file sharing
bots to call home
bots to eat my toast...HEY THAT'S MY TOAST
Re: (Score:2)
trust no one!
Re: (Score:3, Funny)
Indeed, I only trust the zeroes, not the ones.
Counsel is leading the witness... (Score:5, Interesting)
Aside from all of the fun with malicious code and all, the potential to lead people down a mental path through 'conversation' seems to have the potential to expose a LOT of people to make self-incriminating statements.
It's like a photo-radar gun for thought crime, an investigator doesn't even have to be there to do it. Just set your bots out there to lead people into talking about laundering money, seducing teens, killing their neighbor and WHAMO an adventurous district attorney is pressing charges.
Nah, what was I thinking, we live in way too free of a society for that to ever happen. What a relief.
Re: (Score:2)
Nah, what was I thinking, we live in way too free of a society for that to ever happen. What a relief.
Entrapment is illegal. Our failure to make sure law enforcement obeys the law is our fault.
Re: (Score:2)
Entrapment is illegal.
No, it's only illegal for the police. They just have to outsource this task to a private company, which supplies them with the chat logs afterwards, and they're fine.
No (Score:2)
Can we get back to a world where a person said something after they gathered information on it?
http://www.lectlaw.com/def/e024.htm [lectlaw.com]
A person is 'entrapped' when he is induced or persuaded by law enforcement officers or their agents to commit a crime that he had no previous intent to commit; and the law as a matter of policy forbids conviction in such a case.
Agents in the case being anyone they could pay. Paying someone to bring you criminals is a really bad idea, since any judge would immediately consider the
Re: (Score:2)
True, but this scenario wouldn't be entrapment, and it already happens.
Let me alter your emphasis on that definition:
A person is 'entrapped' when he is induced or persuaded by law enforcement officers or their agents to commit a crime that he had no previous intent to commit; and the law as a matter of policy forbids conviction in such a case.
So, it's entrapment if they say 'we're going to arrest you unless you rob that store'. It's not entrapment if they pose as a 13 year old girl and ask if you want to have sex with them. That is exactly what this kind of program would be doing. And it's also exactly what is already done by vigilante organizations like Perverted Justice, which are generally backed up by local police.
Re: (Score:2)
Actually, if they make the offer it is SUPPOSED to be considered entrapment since they gave you the idea, but in practice, unless they actually tie you down and force you (perhaps not even then) it won't be considered entrapment.
OTOH, if they pose as a 13 year old girl and wait for some perv to suggest something improper, then it really isn't entrapment.
Re: (Score:3, Funny)
Well, he didn't write that. A bot changed it during submission. :-)
Re: (Score:2)
Entrapment is practical.
Solution:
Trust no one and shut the fuck up. The internet is as forgiving as 4chan.
Re: (Score:1)
It's not entrapment if they don't entice you into doing the crime.
Not Impressed (Score:1)
reminds me... (Score:2)
Reminds me of that "magician" who was able to win 50% of simultaneous chess matches against any number of professional players.
Re: (Score:2, Informative)
Offtopic: You mean this: http://www.youtube.com/watch?v=XDuOGx2_J8U [youtube.com]
Re: (Score:2)
Reminds me of that "magician" who was able to win 50% of simultaneous chess matches against any number of professional players.
Any number of opponents except one, but he would mitm copy the games verbatim between two players. I suppose that means he would lose an extra one if there was an odd numbered opponent.
And what's new? (Score:5, Interesting)
I did something similar for a friend, helping him pick up women on IRC. The bot learned his usual questions and if they answered about 10 questions, it meant they were interested in him and the bot would forward the conversation to him and he continued it. Another time, I wrote an IRC bot for myself; it would act as a man-in-the-middle to pick up women by getting female nicknames and then forwarding the messages it got to other female-like nicknames it detected. If the conversation went long enough, it forwarded everything to me and I would pick up the chat from there.
Re:And what's new? (Score:4, Funny)
That's not creepy AT ALL
You think that's creepy? (Score:2)
Some friends of mine from uni wrote a shell script to use finger to get a list of users, remove their name from the list, then look up each logged-in user's classes (from LDAP, then from the university calendar to convert codes to English), what year they are in, whether domestic or international, and a whole load of other details from LDAP, and present them in an easy-to-read report. More recent versions try to scrape Facebook for mutual friends, interests and so on (and a photo, to prevent name collision
Re: (Score:1, Funny)
And as a result your programming skills have gone up considerably, while your and your friends' score with women is still 0. However, if I'm wrong and it's not 0, please entertain us with the stories about meeting those men who disguised themselves as women on IRC. Thinking about it, the score will still be 0, but we all have a good laugh.
Re: (Score:2)
I did something similar for a friend, helping him pick up women on IRC. The bot learned his usual questions and if they answered about 10 questions, it meant they were interested in him and the bot would forward the conversation to him and he continued it. Another time, I wrote an IRC bot for myself; it would act as a man-in-the-middle to pick up women by getting female nicknames and then forwarding the messages it got to other female-like nicknames it detected. If the conversation went long enough, it forwarded everything to me and I would pick up the chat from there.
And then you woke up.
Re: (Score:1)
And then you woke up.
You won't believe how dumb people are on IRC! Their dictionary is rather limited, which made tuning the question generator quite simple.
Re: (Score:1)
Or maybe they're just all bots?
Re: (Score:2)
Is there a Linux source for this so I can run it too? ;)
Any other good AI chatbots? I tried Howie, Rbot, and Alice so far but they are outdated/old. :(
Re: (Score:2)
And the end goal was to distribute your own malicious payload, I guess?
Interesting concept (Score:3, Interesting)
I've seen this idea used for pranks before. People hanging out on IRC watching a bot that was hooking up unsuspecting AIM users to each other. Later on, this became a website called Omegle.
Oh how clever..... not... but then again (Score:2)
Don't we already have enough biological artificial intelligence on the internet?
Do we really need silicon based artificial intelligence to make the bottomless pit of abstraction consume even more of the internet?
Just because you can blow up an atomic bomb, does it mean you have to?
This is not social networking to use such a bot. It's very anti-social and deceptive.
Excuse me but real social networking works on real humans, otherwise it's artificial networking.
But here is a thought that might just prove valuabl
I did something more interesting... (Score:5, Funny)
Then it would interconnect pairs of two who would talk to her and forward the message, but this didn't work for long because they'd soon figure out the opposite partner was of the same sex. So I added a functionality that would flip words, example penis vagina, boobs balls, and would intercept some messages (like if a peer requested a picture, or ASL request) and send a fake ASL or URL of a hot chick. After a few attempts, most of the pairs ended up having cyber anyway!
Even though bizarre phrases happened (like "I want to insert my 8 inch vagina into your deep wet penis") most people amazingly didn't even find it strange, and even though it was probably left running all night and created more probably a hundred "encounters", no one even suspected a tiny little about what was going on, no one!
Re: (Score:3, Funny)
So you're the one who made me gay!!!!!!!
A.I Evolution (Score:2)