Recently there has been an influx of Steam and Skype spambots requesting that you click on a link, which in turn downloads a file to your PC and - next thing you know - all your Chrome/Firefox/IE passwords are uploaded to the net for some hacker in Albania to use. Normally, they're not an issue because you're human, they're robots, and humans are pretty good at telling the two apart.
Until Now
For the record, I am an ex-blackhat who turned to the light side, which is why I know what I'm about to tell you. I've worked on human-impersonation, grammar trees, systems penetration testing and flaw exploitation (in most cases, the 'flaw' is that squishy thing sat in a chair using the computer), all of which are involved in the creation of the bots. You have literally no reason to trust me other than my word that I'm genuinely trying to help. If you find this guide useful, please copy it down or save, like, upvote, favorite or share it or whatever you can do to help.
I'm not going to reveal my sources (because doing so could open me to prosecution), but recently a new AI kit came out which works along the same principles as Cleverbot, which pits users against users to create very realistic (but still very dumb) conversation chains from real people. The result is a new generation of spambots which can in some cases actually pass the Turing Test. This makes it very difficult for humans to tell if they're talking to a human. The establishment of a rapport (which is what the current hackers are working on) to display similar interests and opinions will only make this worse, as it will convince the human they have a genuine connection with the bot, thus building trust and causing them to click the link.
A bias is then injected into the AI to try and work in a situation whereby you might want to click an external link. This is where its vulnerability lies: it's not very good at working the link in without it looking forced or awkward.
How to detect a bot
They're convincing, but not infallible. Here are my top tips for spotting them:
You can't type if you don't have hands
The first indicator is that the user never appears to type.
Bots which use the Steam API don't have the ability to send the user typing UDP and so you won't receive the notification telling you they're typing. Someone who writes without typing is generally not using the official Steam apps, and you should be very wary of them from that point on. Keep in mind that some bots can fake the user typing UDP and so it shouldn't be relied upon as a sole indicator.
You have a friend request and accept the next morning. Almost immediately, they're online and talking to you! What a coincidence!
Spammers want to maximize the amount of links in the minimum amount of time, and therefore programming the bots to wait is wasteful. If you accept a request a significant amount of time after it was sent and the guy is already online and starts chatting in seconds, be wary.
It's a woman
You know the saying. "Welcome to the internet: Where the men are men, the women are men and the kids are undercover cops". I'm not debating that the internet DOES have women, but let's look at Steam's gender infographic:
This is the data I collected from a gender-neutral Steam bot which redirected users to a YouTube video. Note that more than 90% of the viewers (and thus clickers) were male. Making a female chatbot thus further increases click rate and thus bot efficiency, which, remember, is what the hackers want.
We've all seen them. These bots attempt to entice the user (male or female) with lewd pictures, videos or romantic/erotic chat. This kind is particularly nasty because it's a proven fact that an aroused human's IQ drops alarmingly, thus stunting its ability to detect a bot. This isn't helped by the limited amount of language used in erotica: the factors which aid in detection (emotional confusion, word variance etc.) are minimal because pretty much all responses are known (thanks to computer-friendly keyword-based categorization systems on pornographic websites), thus making the bot more easily programmable to appear 'genuine'. Being asexual (and thus unable to experience the effects first hand) I can't really offer any advice here other than stop being a f**king drooling idiot.
Most bots handle about 200 conversations at once and don't have any concept of continuity between them. If you think someone's a bot, tell them something interesting, wait five seconds, then ask them what the interesting thing was. They're getting smart; don't go for the olde "What's my name.", they're programmed to remember keywords like 'Name'. Instead, tell it your favorite animal, color or number, ask it about its favorite animal, color, or number, then ask it what you said yours was. For example:
TheModerator: "My favorite animal is a Sheltie" (note how I avoided common words like 'dog', which it can pick up on. Sheltie is also not a common breed)
PussyDestroyer69: "Ah cool, mine's a horse" (SUSPECT - most humans, when presented with a breed, will respond with a breed, such as "shetland". This one has picked up on the word 'Animal' and responded accordingly)
TheModerator: "Nice. Not a horse fan myself... I prefer... I forgot, what did I say my favorite cat is again?" (A sheltie is not a cat. Most people will pick up on this, or ask what a sheltie is)
PussyDestroyer69: "Ahhhh I dunno. Let's talk about something else" (MOST LIKELY A BOT - I asked a simple question, and it gave up)
Unable to correctly comprehend an individual whom utilizes higher grades of linguistic intellect than the norm
Lo, when I deploy language from which most struggle to derive my intent, the immediate distinctive characteristics of a non-human conversational partner become intensely apparent!
Most of you most likely understood what that sentence meant. It means that when I use uncommon words, most people will get a rough idea of what I'm saying, whereas a bot will just throw out some random sentence and from there you can just work with it.
- If it ends in .exe don't click it
- I don't care if you've known them for like a week, if it ends in .exe, don't click it.
- FFS if it asks you to enter ANY login details, DON'T DO IT.
- Even if you've known them for a month. Give it two before opening any external links.
- WHO THE ACTUAL F**K WOULD ENTER THEIR CARD DETAILS!? EVER!? I'd tell you not to, but frankly, if you do it, you deserve everything you get (which will be 'an empty bank account'), I guarantee you.
- If they're sending you a picture, make sure it ends with .jpg, .png, .bmp.
- Files that end with .rar or .zip most likely contain some kind of executable (a file ending in .exe). Feel free to open it, but don't click the .exe. It's a virus. It might not be, but 99% of the time, it IS, and no, this ISN'T the 1% where it's not, EVER.
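The extension rules in the list above, as an added example (not part of the original guide): a small Python check that classifies every link in a chat message by the file name its URL path really ends in, so a picture-looking name in the query string or in front of the real extension does not hide an .exe. The function names and the sample messages are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Extension sets taken from the guide's rules; anything else is "unknown".
IMAGE_EXTS = {".jpg", ".png", ".bmp"}
ARCHIVE_EXTS = {".rar", ".zip"}
EXECUTABLE_EXTS = {".exe"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def classify_link(url: str) -> str:
    """Classify a URL by the file name it really ends in.

    Only the decoded path is inspected, so "?name=cat.jpg" after an .exe
    cannot disguise it, and "cat.jpg.exe" counts as .exe, not .jpg.
    """
    path = unquote(urlsplit(url).path)
    # Strip trailing dots/spaces, which Windows drops from file names.
    name = path.rsplit("/", 1)[-1].rstrip(". ").lower()
    dot = name.rfind(".")
    ext = name[dot:] if dot > 0 else ""
    if ext in EXECUTABLE_EXTS:
        return "executable"
    if ext in ARCHIVE_EXTS:
        return "archive"
    if ext in IMAGE_EXTS:
        return "image"
    return "unknown"


def review_message(text: str) -> list[tuple[str, str]]:
    """Return (url, verdict) for every link found in one chat message."""
    return [(u, classify_link(u)) for u in URL_RE.findall(text)]


# Constructed sample messages (example.test is a reserved test domain).
SAMPLES = [
    "lol look at this http://example.test/pics/holiday.jpg",
    "my photo :) http://example.test/pics/holiday.jpg.exe",
    "here http://example.test/dl/Setup.EXE?name=holiday.jpg",
    "try http://example.test/dl/photo%2Eexe",
    "screenshots http://example.test/files/shots.zip",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        for url, verdict in review_message(msg):
            print(f"{verdict:10} {url}")
```

An "image" verdict only says the name looks like a picture; it says nothing about what the server actually sends back.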
It will insist it's not a bot
The moment you mention the word 'bot', a bot will flip out and insist it's not a bot. A human will too, unfortunately, which is why you should never ask it or even mention the word bot, because whatever it is, the answer will always go along the lines of "lol nope", "Hahaha, no", "What? No I'm not" etc...
What to do when you find one
This one is pretty simple. Report it. Both Skype and Steam have bot-reporting facilities which can be accessed via the Report or Block function. For Skype, right click on the contact name and click 'report'. For Steam, click on the user's profile and click the report button.
It's that simple, guys.
I'm aware this is a painfully long wall of text, and we've not even scratched the surface. If you have any questions or want someone to be investigated, don't hesitate to hit me up in the comments.
Stay safe and have fun!