A Taxonomy of Attacks and a Survey of Defence Mechanisms for Semantic Social Engineering Attacks

Social engineering is used as an umbrella term for a broad spectrum of computer exploitations that employ a variety of attack vectors and strategies to psychologically manipulate a user. Semantic attacks are the specific type of social engineering attacks that bypass technical defences by actively manipulating object characteristics, such as platform or system applications, to deceive the user rather than attack them directly. Commonly observed examples include obfuscated URLs, phishing emails, drive-by downloads, spoofed websites and scareware. This article presents a taxonomy of semantic attacks, as well as a survey of applicable defences. By contrasting the threat landscape and the associated mitigation techniques in a single comparative matrix, we identify the areas where further research can be particularly beneficial.
