Advanced social engineering attacks

Social engineering has emerged as a serious threat in virtual communities and is an effective means of attacking information systems. The services used by today's knowledge workers prepare the ground for sophisticated social engineering attacks. The growing trend towards BYOD (bring your own device) policies and the use of online communication and collaboration tools in both private and business environments aggravate the problem. In globally operating companies, teams are no longer geographically co-located but are staffed just-in-time. The decrease in personal interaction, combined with the plethora of tools used for communication (e-mail, IM, Skype, Dropbox, LinkedIn, Lync, etc.), creates new attack vectors for social engineering. Recent attacks on companies such as the New York Times and RSA have shown that targeted spear-phishing is an effective evolutionary step of social engineering attacks. Combined with zero-day exploits, such attacks become a dangerous weapon that is often used by advanced persistent threats. This paper provides a taxonomy of well-known social engineering attacks as well as a comprehensive overview of advanced social engineering attacks on the knowledge worker.