ABSTRACT
During the past few years, social engineering has rapidly evolved and has become a mainstream technique in cybercrime and terrorism. It is used especially in targeted attacks involving complex human and technological exploits, aimed at deceiving humans and IT systems. Building on the work carried out in the DOGANA project, funded by the European Union, this paper provides an overview of the evolution and of the current landscape of social engineering, and introduces as its main contribution a theoretical model of how human exploits are built, named the Victim Communication Stack.
- L. Kharouni et al., "Operation Pawn Storm Using Decoys to Evade Detection," Trendmicro, 2014. {Online}. Available: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdfGoogle Scholar
- P. Paganini, "The differences between targeted attacks and advanced persistent threats," 2015. {Online}. Available: http://securityaffairs.co/wordpress/40228/cyber-crime/targeted-attacks-vs-advanced-persistent-threats.html.Google Scholar
- K. D. Mitnick, W. L. Simon, and S. Wozniak, The art of deception: Controlling the human element of security. Indianapolis, IN: Wiley, 2001. Google ScholarDigital Library
- K. D. Mitnick and W. L. Simon, The art of intrusion: The real stories behind the exploits of hackers, intruders and Deceivers. New York: Wiley, John & Sons, 2005. Google ScholarDigital Library
- lvxferis, "Hacking the mind for fun and profit," in phrack.org, 2010. {Online}. Available: http://phrack.org/issues/67/15.html. Accessed: Mar. 6, 2017.Google Scholar
- S. Granger, "Social Engineering Fundamentals, Part I: Hacker Tactics," 2001. {Online}. Available: http://www.symantec.com/connect/articles/social-engineering-fundamentals-part-i-hacker-tactics. Accessed: Mar. 6, 2017.Google Scholar
- E. Frumento, F. Freschi, "How the Evolution of Workforces Influences Cybercrime Strategies: The Example of Healthcare," in B. Akhgar, B. Brewster (Eds.): Combatting Cybercrime and Cyberterrorism -- Challenges, Trends and Priorities, Springer, 2015.Google Scholar
- K. Thomas, D. Huang, D. Wang, E. Bursztein, C. Grier, T. J. Holt, C. Kruegel, D. McCoy, S. Savage, G. Vigna, Framing Dependencies Introduced by Underground Commoditization, Workshop on the Economics of Information Security, 2015.Google Scholar
- European Cybercrime Center (EC3), The Internet Organized Crime Threat Assessment (iOCTA), 2014. {Online}. Available: https://www.europol.europa.eu/content/internet-organised-crime-threatassesment-iocta.Google Scholar
- S. Blackmore, "The meme machine". United Kingdom: Oxford University Press, 1999.Google Scholar
- I. Mann, "Hacking the human: Social engineering techniques and security countermeasures". Aldershot, Hants, England: Ashgate Publishing, 2009.Google Scholar
- A. Algarni, Y. Xu, T. Chan, and Y.-C. Tian, "Social engineering in social networking sites: Affect-based model," 8th International Conference for Internet Technology and Secured Transactions (ICITST-2013), pp. 508--515, Dec. 2013Google Scholar
- G. Farrell, K. Clark, D. Ellingworth, and K. Pease "Of targets and supertargets: a routine activity theory of high crime rates", Internet Journal of Criminology (IJC), Mar. 2005.Google Scholar
- A. Bermingham, M. Conway, L. McInerney, N. O'Hare, and A. F. Smeaton, "Combining social network analysis and sentiment analysis to explore the potential for online Radicalisation," International Conference on Advances in Social Network Analysis and Mining, Jul. 2009. Google ScholarDigital Library
- M. Huber, S. Kowalski, M. Nohlberg, and S. Tjoa, "Towards automating social engineering using social networking sites," International Conference on Computational Science and Engineering, 2009. Google ScholarDigital Library
- Anti-Phishing Working Group (APWG), "Phishing activity trends report {18} unifying the global response to Cybercrime", Oct. 3, 2016. {Online}. Available: http://docs.apwg.org/reports/apwg_trends_report_q2_2016.pdfGoogle Scholar
- Y. Ilyin, "What is "whaling", and what's the difference from phishing", Kaspersky Lab, January 6, 2016. {Online}. Available: https://business.kaspersky.com/whaling/5009/Google Scholar
- S. Pontiroli, "Social Engineering, Hacking The Human OS," in Kaspersky Blog, 2013. {Online}. Available: https://blog.kaspersky.com/social-engineering-hacking-the-human-os.Google Scholar
- C. Nachreiner, "Signature antivirus' dirty little secret," in HelpNet Security, 2015. {Online}. Available: http://www.net-security.org/article.php?id=2239&p=2.Google Scholar
- M. Valori, G. Pravettoni, C. Lucchiari and E. Frumento, "Cognitive approach for social engineering," Wien, 2010 {Online}. Available: https://deepsec.net/docs/Slides/2010/DeepSec_2010_Cognitive_approach_for_Social_Engineering.pdf.Google Scholar
- E. Frumento and R. Puricelli, "An innovative and comprehensive framework for Social Vulnerability Assessment," Magdeburger Journal zur Sicherheitsforschung, Proceedings, 2014Google Scholar
- J. Spaulding, S. Upadhyaya, A. Mohaisen, The landscape of Domain Name Typosquatting: Techniques and Countermeasures, arXiv Pre-Print, arXiv:1603.02767, 2016.Google Scholar
- T. Berners-Lee, "The next web," TED Talks, 2009. {Online}. Available: http://www.ted.com/talks/tim_berners_lee_on_the_next_web?nolanguage=us.Google Scholar
Index Terms
- Social Engineering 2.0: A Foundational Work: Invited Paper
Recommendations
Social Engineering for Security Attacks
MISNC, SI, DS 2016: Proceedings of the The 3rd Multidisciplinary International Social Networks Conference on SocialInformatics 2016, Data Science 2016Social Engineering is a kind of advance persistent threat (APT) that gains private and sensitive information through social networks or other types of communication. The attackers can use social engineering to obtain access into social network accounts ...
Behavioral analysis of botnets for threat intelligence
This paper examines the behavioral patterns of fast-flux botnets for threat intelligence. The Threat Intelligence infrastructure, which we have specifically developed for fast-flux botnet detection and monitoring, enables this analysis. Cyber criminals ...
Overview of Social Engineering Attacks on Social Networks
AbstractSocial networks have become a trusted communication medium for both personal and professional communication. However, hackers regularly exploit the trust of the users of social networks for their own gain. This is often done by using phishing ...
Comments