research-article

Social Engineering 2.0: A Foundational Work: Invited Paper

Authors:
Davide Ariu

Università degli Studi di Cagliari, Piazza d'Armi, Cagliari, Italy and Pluribus One S.r.l., Cagliari Italy

Università degli Studi di Cagliari, Piazza d'Armi, Cagliari, Italy and Pluribus One S.r.l., Cagliari Italy
View Profile

,
Enrico Frumento

CEFRIEL, Milano Italy

CEFRIEL, Milano Italy
View Profile

,
Giorgio Fumera

Università degli Studi di Cagliari, Piazza d'Armi, Cagliari, Italy

Università degli Studi di Cagliari, Piazza d'Armi, Cagliari, Italy
View Profile

Authors Info & Claims

CF'17: Proceedings of the Computing Frontiers ConferenceMay 2017Pages 319–325https://doi.org/10.1145/3075564.3076260

Published:15 May 2017Publication History

CF'17: Proceedings of the Computing Frontiers Conference

Pages 319–325

ABSTRACT

During the past few years, social engineering has rapidly evolved and has become a mainstream technique in cybercrime and terrorism. It is used especially in targeted attacks involving complex human and technological exploits, aimed at deceiving humans and IT systems. Building on the work carried out in the DOGANA project, funded by the European Union, this paper provides an overview of the evolution and of the current landscape of social engineering, and introduces as its main contribution a theoretical model of how human exploits are built, named the Victim Communication Stack.

References

L. Kharouni et al., "Operation Pawn Storm Using Decoys to Evade Detection," Trendmicro, 2014. {Online}. Available: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdfGoogle Scholar
P. Paganini, "The differences between targeted attacks and advanced persistent threats," 2015. {Online}. Available: http://securityaffairs.co/wordpress/40228/cyber-crime/targeted-attacks-vs-advanced-persistent-threats.html.Google Scholar
K. D. Mitnick, W. L. Simon, and S. Wozniak, The art of deception: Controlling the human element of security. Indianapolis, IN: Wiley, 2001. Google ScholarDigital Library
K. D. Mitnick and W. L. Simon, The art of intrusion: The real stories behind the exploits of hackers, intruders and Deceivers. New York: Wiley, John & Sons, 2005. Google ScholarDigital Library
lvxferis, "Hacking the mind for fun and profit," in phrack.org, 2010. {Online}. Available: http://phrack.org/issues/67/15.html. Accessed: Mar. 6, 2017.Google Scholar
S. Granger, "Social Engineering Fundamentals, Part I: Hacker Tactics," 2001. {Online}. Available: http://www.symantec.com/connect/articles/social-engineering-fundamentals-part-i-hacker-tactics. Accessed: Mar. 6, 2017.Google Scholar
E. Frumento, F. Freschi, "How the Evolution of Workforces Influences Cybercrime Strategies: The Example of Healthcare," in B. Akhgar, B. Brewster (Eds.): Combatting Cybercrime and Cyberterrorism -- Challenges, Trends and Priorities, Springer, 2015.Google Scholar
K. Thomas, D. Huang, D. Wang, E. Bursztein, C. Grier, T. J. Holt, C. Kruegel, D. McCoy, S. Savage, G. Vigna, Framing Dependencies Introduced by Underground Commoditization, Workshop on the Economics of Information Security, 2015.Google Scholar
European Cybercrime Center (EC3), The Internet Organized Crime Threat Assessment (iOCTA), 2014. {Online}. Available: https://www.europol.europa.eu/content/internet-organised-crime-threatassesment-iocta.Google Scholar
S. Blackmore, "The meme machine". United Kingdom: Oxford University Press, 1999.Google Scholar
I. Mann, "Hacking the human: Social engineering techniques and security countermeasures". Aldershot, Hants, England: Ashgate Publishing, 2009.Google Scholar
A. Algarni, Y. Xu, T. Chan, and Y.-C. Tian, "Social engineering in social networking sites: Affect-based model," 8th International Conference for Internet Technology and Secured Transactions (ICITST-2013), pp. 508--515, Dec. 2013Google Scholar
G. Farrell, K. Clark, D. Ellingworth, and K. Pease "Of targets and supertargets: a routine activity theory of high crime rates", Internet Journal of Criminology (IJC), Mar. 2005.Google Scholar
A. Bermingham, M. Conway, L. McInerney, N. O'Hare, and A. F. Smeaton, "Combining social network analysis and sentiment analysis to explore the potential for online Radicalisation," International Conference on Advances in Social Network Analysis and Mining, Jul. 2009. Google ScholarDigital Library
M. Huber, S. Kowalski, M. Nohlberg, and S. Tjoa, "Towards automating social engineering using social networking sites," International Conference on Computational Science and Engineering, 2009. Google ScholarDigital Library
Anti-Phishing Working Group (APWG), "Phishing activity trends report {18} unifying the global response to Cybercrime", Oct. 3, 2016. {Online}. Available: http://docs.apwg.org/reports/apwg_trends_report_q2_2016.pdfGoogle Scholar
Y. Ilyin, "What is "whaling", and what's the difference from phishing", Kaspersky Lab, January 6, 2016. {Online}. Available: https://business.kaspersky.com/whaling/5009/Google Scholar
S. Pontiroli, "Social Engineering, Hacking The Human OS," in Kaspersky Blog, 2013. {Online}. Available: https://blog.kaspersky.com/social-engineering-hacking-the-human-os.Google Scholar
C. Nachreiner, "Signature antivirus' dirty little secret," in HelpNet Security, 2015. {Online}. Available: http://www.net-security.org/article.php?id=2239&p=2.Google Scholar
M. Valori, G. Pravettoni, C. Lucchiari and E. Frumento, "Cognitive approach for social engineering," Wien, 2010 {Online}. Available: https://deepsec.net/docs/Slides/2010/DeepSec_2010_Cognitive_approach_for_Social_Engineering.pdf.Google Scholar
E. Frumento and R. Puricelli, "An innovative and comprehensive framework for Social Vulnerability Assessment," Magdeburger Journal zur Sicherheitsforschung, Proceedings, 2014Google Scholar
J. Spaulding, S. Upadhyaya, A. Mohaisen, The landscape of Domain Name Typosquatting: Techniques and Countermeasures, arXiv Pre-Print, arXiv:1603.02767, 2016.Google Scholar
T. Berners-Lee, "The next web," TED Talks, 2009. {Online}. Available: http://www.ted.com/talks/tim_berners_lee_on_the_next_web?nolanguage=us.Google Scholar

Index Terms

Social Engineering 2.0: A Foundational Work: Invited Paper
1. Security and privacy
  1. Human and societal aspects of security and privacy
    1. Economics of security and privacy
  2. Intrusion/anomaly detection and malware mitigation
    1. Malware and its mitigation
    2. Social engineering attacks
      1. Phishing

Recommendations

Social Engineering for Security Attacks
MISNC, SI, DS 2016: Proceedings of the The 3rd Multidisciplinary International Social Networks Conference on SocialInformatics 2016, Data Science 2016

Social Engineering is a kind of advance persistent threat (APT) that gains private and sensitive information through social networks or other types of communication. The attackers can use social engineering to obtain access into social network accounts ...
Read More
Behavioral analysis of botnets for threat intelligence

This paper examines the behavioral patterns of fast-flux botnets for threat intelligence. The Threat Intelligence infrastructure, which we have specifically developed for fast-flux botnet detection and monitoring, enables this analysis. Cyber criminals ...
Read More
Overview of Social Engineering Attacks on Social Networks
Abstract
Social networks have become a trusted communication medium for both personal and professional communication. However, hackers regularly exploit the trust of the users of social networks for their own gain. This is often done by using phishing ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
CF'17: Proceedings of the Computing Frontiers Conference
May 2017
450 pages
ISBN:9781450344876
DOI:10.1145/3075564
General Chair:
Roberto Giorgi
University of Siena, IT
,
Program Chairs:
Michela Becchi
North Carolina State University
,
Francesca Palumbo
University of Sassari, IT
Copyright © 2017 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 15 May 2017
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
Malware
Phishing
Social Engineering
Qualifiers
- research-article
- Research
- Refereed limited
Conference

Acceptance Rates
CF'17 Paper Acceptance Rate43of87submissions,49%Overall Acceptance Rate240of680submissions,35%
More
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 11
  Total Citations
  View Citations
- 766
  Total Downloads
- Downloads (Last 12 months)66
- Downloads (Last 6 weeks)15
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Social Engineering 2.0: A Foundational Work: Invited Paper

CF'17: Proceedings of the Computing Frontiers Conference

ABSTRACT

References

Cited By

Index Terms

Recommendations

Social Engineering for Security Attacks

Behavioral analysis of botnets for threat intelligence

Overview of Social Engineering Attacks on Social Networks