GeoPal: Friend Spam Detection in Social Networks Using Private Location Proofs

Bogdan Carbunar, FIU, Miami, FL. Email: carbunar@gmail.com
Mizanur Rahman, FIU, Miami, FL. Email: mrahm031@fiu.edu
Mozhgan Azimpourkivi, FIU, Miami, FL. Email: mojganaz@cs.fiu.edu
Debra Davis, FIU, Miami, FL. Email: dledavis@cs.fiu.com

Abstract—Friend spam, adversarial invitations sent to social network users, exposes victims to a suite of privacy, spear phishing and malware vulnerabilities. In this paper, we use the location history of users to detect friend spam. We posit that the user trust in friends is associated with their co-location frequency. We exploit this hypothesis to introduce GeoPal, a framework that carefully accesses the potentially sensitive location history of users to privately prove their past location claims, and to privately compute and update fuzzy co-location affinities with other users. We build GeoPal on PLP, a protocol we develop to privately collect proofs of user past locations. We confirm our hypothesis through a user study with 68 participants: 57% and 70% of the friends never met in person are not remembered and are not talked to, respectively, by the participants. In contrast, 86% of the friends met daily or weekly are either family, close or regular friends. We highlight the relevance of friend spam: 75% of the participants have at least one friend whom they do not recall. We show that GeoPal is practical: a Nexus 5 can process more than 20K location proofs per second.

I. INTRODUCTION

Friend spam attacks [1]–[3] are friend invitations sent by attackers to the social network accounts of victims. Once accepted, the invitations enable the attackers to collect private information from the accounts of victims (including profiles, locations visited, friend lists), and perform subsequent attacks such as spear phishing [2] and malware dissemination [4], [5]. Friend spam is effective.
In a user study with 68 participants, we observed that 75% (51) of the participants declared that they do not remember at least one of their 20 randomly selected friends (see § V). While this percentage is likely to be larger when considering all the friends, it is consistent with previous work that showed that 47 to 77% of social network users accept invitations from strangers [6]–[8]. Our user study also reveals that victim naivety plays a part in the success of friend spam: only 38% and 37% of the participants are uncomfortable or very uncomfortable with accepting invitations from “anyone who is attractive” and from “anyone who is my age”, respectively (see § V). Social network profile information (e.g., age, photos, name) is however easy to fabricate. In addition, social network mechanisms that encourage users to accept as friends people with whom they share friends can be exploited by adversaries to tailor their accounts and improve the success rate of their friend spam [7].

Fig. 1. Distribution of types of friends for (a) friends never met in person and (b) friends met daily or weekly, and of the topics of discussion for (c) friends never met in person and (d) friends met daily or weekly.

In this paper, we posit the existence of a relationship between social network trust and the frequency of physical co-location. Specifically, we conjecture that users tend to place more trust in the friends whom they have met or are meeting more frequently in person. To evaluate this hypothesis, we have developed GP.Quest, a mobile app questionnaire where users need to classify Facebook friends according to co-location and trust dimensions. Our study (with 68 participants) shows that 93.2% of the Facebook friends that were never met in person are either not remembered, considered to be acquaintances or non-friends (see Figure 1(a)). In contrast, 85.7% of the Facebook friends met daily or weekly are either family, close or regular friends (see Figure 1(b)).
Furthermore, participants do not talk or only chit-chat with 88.1% of the friends they never met (see Figure 1(c)). However, the topics of discussion with 80% of the friends met daily or weekly involve family, personal, job and social matters (see Figure 1(d)).

We exploit this result, and the observation that physical co-location with victims is hard for online adversaries to engineer, to introduce GeoPal, a user-transparent, location-based friend spam detection framework. The mobile devices of GeoPal users record locations visited throughout the day. GeoPal leverages this “location history” to detect co-location events and infer trust in social network friends.