DOI: 10.1145/2523514.2523596
Invited talk

Social engineering attacks on the knowledge worker

Published: 26 November 2013

ABSTRACT

Social engineering has become an emerging threat in virtual communities and is an effective means of attacking information systems. Today's knowledge workers make use of a number of services that attackers can leverage for sophisticated social engineering attacks. Moreover, there is a trend towards BYOD (bring your own device) policies and the use of online communication and collaboration tools in both private and business environments. In globally acting companies, teams are no longer geographically co-located but are staffed just-in-time. The decrease in personal interaction, combined with the plethora of tools in use (e-mail, IM, Skype, Dropbox, LinkedIn, Lync, etc.), creates new attack vectors for social engineering. Recent attacks on companies such as the New York Times, RSA, and Apple have shown that targeted spear-phishing is an effective evolution of social engineering attacks. Combined with zero-day exploits, such attacks become a dangerous weapon, and one often used by advanced persistent threats. This paper provides a taxonomy of well-known social engineering attacks as well as a comprehensive overview of advanced social engineering attacks on the knowledge worker.


Published in

SIN '13: Proceedings of the 6th International Conference on Security of Information and Networks
November 2013
483 pages
ISBN: 9781450324984
DOI: 10.1145/2523514

Copyright © 2013 Owner/Author

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher

Association for Computing Machinery, New York, NY, United States


Acceptance Rates

Overall acceptance rate: 102 of 289 submissions, 35%
