Social Engineering in Social Networking sites: How Good becomes evil

Social engineering (SE) is now considered a major security threat to people and organizations. For as long as human beings have existed, fraudulent and deceptive people have used social engineering tricks and tactics to manipulate victims into obeying them. A number of social engineering techniques are used in information technology to compromise security defences and attack people or organizations, such as phishing, identity theft, spamming, impersonation, and spying. Recently, researchers have suggested that social networking sites (SNSs) are the most common source and the best breeding ground for exploiting people's vulnerabilities and launching a variety of social engineering based attacks. However, the literature shows a lack of information about what types of social engineering threats exist on SNSs. This study is part of a project that attempts to predict a person's vulnerability to SE based on demographic factors. In this paper, we describe the different types of social engineering based attacks that exist on SNSs, the purposes of these attacks, and the reasons why people fell (or did not fall) for these attacks, based on users' opinions. A qualitative questionnaire-based survey was conducted to collect and analyse people's experiences with social engineering tricks, deceptions, or attacks on SNSs.
