All your contacts are belong to us: automated identity theft attacks on social networks
Source: Proceedings of the 18th International Conference on World Wide Web (WWW 2009), Madrid, Spain
Session: Security and privacy / Web security
Pages: 551-560
Year of Publication: 2009
ISBN: 978-1-60558-487-4
Authors
Leyla Bilge  Eurecom, Sophia Antipolis, France
Thorsten Strufe  Eurecom, Sophia Antipolis, France
Davide Balzarotti  Eurecom, Sophia Antipolis, France
Engin Kirda  Eurecom, Sophia Antipolis, France
Sponsor
ACM: Association for Computing Machinery
Publisher
ACM  New York, NY, USA
DOI: http://doi.acm.org/10.1145/1526709.1526784

ABSTRACT

Social networking sites have been increasingly gaining popularity. Well-known sites such as Facebook have been reporting growth rates as high as 3% per week. Many social networking sites have millions of registered users who use these sites to share photographs, contact long-lost friends, establish new business contacts, and keep in touch. In this paper, we investigate how easy it would be for a potential attacker to launch automated crawling and identity theft attacks against a number of popular social networking sites in order to gain access to a large volume of personal user information. The first attack we present is the automated identity theft of existing user profiles: the attacker clones a victim's profile and sends friend requests to the victim's contacts, hoping that the contacted users simply trust and accept the request. By establishing a friendship relationship with the contacts of a victim, the attacker gains access to the sensitive personal information they have provided. In the second, more advanced attack, we show that an automated, cross-site profile cloning attack is effective and feasible: we automatically create a forged profile in a network where the victim is not yet registered and contact the victim's friends who are registered on both networks. Our experimental results with real users show that the automated attacks we present are effective and feasible in practice.
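The abstract describes the two attacks only in prose. The following Python model, added here as an illustration and not taken from the paper or its authors, makes the mechanics concrete on constructed data: `cross_site_targets` performs the contact-matching step of the second attack (which of a victim's contacts on network A also have a profile on network B, matched by name similarity), and `flag_clones` is a defender-side check for the first attack, flagging a new account whose name nearly matches an existing one and whose friend requests mostly target that account's friends. The profile data, the name-similarity measure, the thresholds and the detection heuristic are all assumptions made for this example.

```python
"""Added example: a toy model of the two attacks in the abstract plus one
defender-side check. Not code from the paper; the profile data, thresholds
and the clone-detection heuristic are assumptions for illustration."""
from dataclasses import dataclass, field
from difflib import SequenceMatcher


@dataclass
class Profile:
    uid: str                       # account identifier within one network
    name: str                      # display name, the attribute a clone copies
    friends: set = field(default_factory=set)            # accepted contacts
    outgoing_requests: set = field(default_factory=set)  # pending friend requests sent


def name_similarity(a: str, b: str) -> float:
    """Case-insensitive similarity in [0, 1]; 1.0 means identical names."""
    return SequenceMatcher(None, a.casefold(), b.casefold()).ratio()


def contact_overlap(requests: set, friends: set) -> float:
    """Fraction of a profile's outgoing friend requests aimed at `friends`."""
    return len(requests & friends) / len(requests) if requests else 0.0


def cross_site_targets(victim_contacts, other_network, threshold=0.9):
    """Second attack: given the victim's contact names on network A, find the
    profiles on network B whose names match, i.e. the users registered on both
    networks who would receive the forged profile's friend requests.
    Returns {contact name on A: matching uid on B}. The 0.9 cutoff is assumed."""
    targets = {}
    for name in victim_contacts:
        best = max(other_network.values(),
                   key=lambda p: name_similarity(name, p.name), default=None)
        if best is not None and name_similarity(name, best.name) >= threshold:
            targets[name] = best.uid
    return targets


def flag_clones(network, new_uid, name_threshold=0.85, overlap_threshold=0.5):
    """Defender-side check for the first attack (an assumed heuristic): a
    newly created account whose name nearly matches an existing account and
    whose friend requests mostly target that account's friends is a clone
    candidate. Returns [(existing_uid, name_sim, overlap)], highest overlap first."""
    new = network[new_uid]
    hits = []
    for uid, p in network.items():
        if uid == new_uid:
            continue
        sim = name_similarity(new.name, p.name)
        if sim < name_threshold:
            continue
        ov = contact_overlap(new.outgoing_requests, p.friends)
        if ov >= overlap_threshold:
            hits.append((uid, round(sim, 2), round(ov, 2)))
    return sorted(hits, key=lambda h: h[2], reverse=True)


# Constructed sample data: network A holds the victim (a1) and her contacts;
# network B is a second site where the victim has no account but three of her
# contacts do. Profile a9 is an in-network clone of a1.
NETWORK_A = {
    "a1": Profile("a1", "Alice Example", friends={"a2", "a3", "a4", "a5"}),
    "a2": Profile("a2", "Bob Beispiel"),
    "a3": Profile("a3", "Carol Sample"),
    "a4": Profile("a4", "Dan Muster"),
    "a5": Profile("a5", "Erin Ejemplo"),
    "a9": Profile("a9", "alice example", outgoing_requests={"a2", "a3", "a4", "x1"}),
    "x1": Profile("x1", "Unrelated Person"),
}
NETWORK_B = {
    "b1": Profile("b1", "Bob Beispiel"),
    "b2": Profile("b2", "Carol Sample"),
    "b3": Profile("b3", "Dan Muster"),
    "b4": Profile("b4", "Frank Other"),
}

if __name__ == "__main__":
    print("clone candidates for a9:", flag_clones(NETWORK_A, "a9"))
    contacts_on_a = [NETWORK_A[u].name for u in NETWORK_A["a1"].friends]
    print("cross-site targets:", cross_site_targets(contacts_on_a, NETWORK_B))
```

Note the asymmetry the model exposes: `flag_clones` works because network A can see both the original profile and the clone's request targets, whereas in the cross-site case the original profile lives on network A and the forged one on network B, so no single network has the contact-overlap signal needed for that check.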


