Social engineering attacks on the knowledge worker

Social engineering has become an emerging threat in virtual communities and is an effective means of attacking information systems. Today's knowledge workers rely on a number of services that attackers can leverage for sophisticated social engineering attacks. Moreover, there is a trend towards BYOD (bring your own device) policies and the use of online communication and collaboration tools in both private and business environments. In globally operating companies, teams are no longer geographically co-located but are staffed just-in-time. The decrease in personal interaction, combined with the plethora of tools in use (e-mail, IM, Skype, Dropbox, LinkedIn, Lync, etc.), creates new attack vectors for social engineering. Recent attacks on companies such as the New York Times, RSA, and Apple have shown that targeted spear-phishing is an effective evolution of social engineering attacks. When combined with zero-day exploits, such attacks become a dangerous weapon that is often used by advanced persistent threats. This paper provides a taxonomy of well-known social engineering attacks as well as a comprehensive overview of advanced social engineering attacks on the knowledge worker.
