On the anatomy of social engineering attacks—A literature‐based dissection of successful attacks

The aim of this study was to explore the extent to which persuasion principles are used in successful social engineering attacks. Seventy-four scenarios were extracted from 4 books on social engineering (written by social engineers) and analysed. Each scenario was split into attack steps, each containing a single interaction between offender and target. For each attack step, the persuasion principles in use were identified. The main findings are that (a) persuasion principles are often used in social engineering attacks, (b) authority (1 of the 6 persuasion principles) is used considerably more often than the others, and (c) single-principle attack steps occur more often than multiple-principle ones. The social engineers identified in the scenarios used persuasion principles more often than other social influences. The scenario analysis illustrates how the human element in security is exploited. The findings support the view that security mechanisms should include not only technical but also social countermeasures.
