
Page 1: Pattern Recognition and Applications Lab Social Engineering · emotional state such as fear, anger, indignation, or shame e.g., a fake message from the police claiming that you have

Pattern Recognition and Applications Lab

University of Cagliari, Italy

Department of Electrical and Electronic Engineering

Social Engineering

Giorgio Fumera

[email protected]


http://pralab.diee.unica.it 2


Social Engineering

“The art of intentionally manipulating behaviour using specially crafted communication techniques.”

“Social engineering is the ‘art’ of utilizing human behavior to breach security without the participant (or victim) even realizing that they have been manipulated.”

"Only amateurs attack machines, professionals target people." (Bruce Schneier)

In the context of information security, Social Engineering (SE) refers to psychological manipulation of people into performing actions or divulging confidential information.

SE focuses on the human factor, besides technological factors, leveraging the natural human tendency to trust systems, other humans, ICT devices, etc.

https://www.dogana-project.eu


Evolution of Social Engineering


Ageless art of deception

Old-school SE: adaptation to modern communication media (phone, early email usage). High-level skills and direct involvement were required: IT experts, talented hackers.


The "triangle of security"


The space where the assets exist and where all possible attacks fall


Evolution of Social Engineering


Ageless art of deception...

Old-school SE: adaptation to modern communication media (phone, early email usage). Required high-level skills and direct involvement.

Current SE (SE 2.0): increasingly simpler for attackers
– large amount of data freely available and easily machine-readable
– attack automation tools
– involvement of professionals: psychologists, marketing experts, cognitive scientists


Modern Social Engineering features


Main factors:
• evolution of social networks, scalability (mobile platforms), naivety of users
• evolution of technologies enabling SE attack automation

Abuse of technologies originally developed in different contexts


The role of Social Networks


SNs provide machine-readable and classified information, which can enable more contextualized attacks


The role of Open Source Intelligence


Linked open data


The "triangle of security" revisited


(Social Network Analysis)


Verizon Data Breach Investigation Report 2019


Threat actions in data breaches from 2013 to 2018

Top threat actions varieties in breaches


Verizon Data Breach Investigation Report 2019


Social

“While hacking and malicious code may be the words that resonate most with people when the term "data breach" is used, there are other threat action categories that have been around much longer and are still ubiquitous. Social engineering, along with Misuse, Error, and Physical, do not rely on the existence of "cyberstuff" and are definitely worth discussing. [...]

Research points to users being significantly more susceptible to social attacks they receive on mobile devices. This is the case for email-based spear phishing, spoofing attacks that attempt to mimic legitimate webpages, as well as attacks via social media. The reasons for this stem from the design of mobile and how users interact with these devices. [...] relatively limited screen sizes that restrict what can be accessed and viewed clearly. Most smartphones also limit the ability to view multiple pages side-by-side [...] which make it tedious for users to check the veracity of emails and requests while on mobile.”

Top social actions varieties in breaches


Some facts about SE: phishing


12% of targeted users click on infecting links

23% of phishing emails are still opened

269 billion emails sent each day

3.7 billion people send email each day

A. Binks, The art of phishing: past, present and future, Computer Fraud & Security, April 2019, 9–11

Phishing is the most common form of attack


Some facts about SE: fake accounts




Some facts about SE: targeted attacks

Social Engineering is becoming an efficient instrument to carry out serious targeted attacks:
– identity thefts
– industrial spying
– on-demand attacks (e.g. Denial-of-Service on demand)
– commoditization of SE services in cybercrime and cyberterrorism

[Figures reproduced from Symantec ISTR 24 (February 2019), Facts and Figures, p. 51; only the values recoverable from the extraction are listed.]

Targeted attack group infection vectors (all time), percentage of groups: spear phishing emails 65%, watering hole websites 23%; trojanized software updates, web server exploits and data storage devices account for the remaining bars, whose values are 5%, 1% and 2% (the bar-to-value mapping for these three is not recoverable from the extraction).

Infection vectors per targeted attack group (all time), percentage of groups: categories are three vectors, two vectors, one vector and no known vector(s); the values shown are 4%, 15%, 27% and 54% (category-to-value mapping not recoverable from the extraction).

Top countries affected by targeted attack groups (2016-2018):

COUNTRY ATTACKS
USA 255
India 128
Japan 69
China 44
Turkey 43
Saudi Arabia 42
South Korea 40
Taiwan 37
UAE 30
Pakistan 28

Number of organizations affected by targeted attacks per year (2016, 2017, 2018): the bars read 455, 388 and 582 organizations (year-to-value mapping not recoverable from the extraction).

Spear-phishing emails remained the most popular avenue for attack and were used by 65 percent of all known groups.

ISTR 24 | February 2019, Facts and Figures, p. 51

Symantec 2019 Internet Security Threat Report


Psychological Foundations



Psychological foundations

The Theory of Gullibility: susceptibility to persuasion as an extension of credulity, i.e., the willingness to believe someone or something even in the total absence of reasonable proof.

The Theory of Optimistic Bias: believing that positive events are more likely to occur to ourselves than to other people, and vice versa.

As a consequence, people think that
a. they will not be selected as a social engineering target
b. they are more likely to resist than others


Social influence

Social influence: change in one’s attitudes, behavior, or beliefs due to real or imagined external pressure.

Types of social influence:
– compliance: change in behaviour resulting from a direct request (e.g., signing online petitions)
– persuasion: change in private attitude or belief resulting from receiving a message (e.g., movie A is better than B)

R.E. Guadagno, R.B. Cialdini, Online Persuasion and Compliance: Social Influence on the Internet and beyond. In Y. Amichai-Hamburger (Ed.), The social net: The social psychology of the Internet, pp. 91-113, Oxford University Press, 2005. Available online: http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.2.6571


Social influence

Compliance: the six fundamental principles of influence
– reciprocity: returning assistance received from others
– scarcity: items and opportunities appearing more attractive as they become less available
– social validation (conformity): consensus heuristic
– liking (friendship): better to say "yes" to those one knows and likes
– consistency/commitment: whether one has committed oneself to a similar position in the past; the “foot-in-the-door” influence tactic is successful because it affects one’s self-perception, leveraging the desire for internal consistency
– authority: “believe an expert” decision heuristic

Empirically examined also in online contexts: R.E. Guadagno, R.B. Cialdini, Online Persuasion and Compliance: Social Influence on the Internet and beyond.

K.v.L. Rhoads, R.B. Cialdini, The Business of Influence: Principles That Lead to Success in Commercial Settings. In J.P. Dillard and M. Pfau (Eds.), The Persuasion Handbook: Developments in Theory and Practice, Sage Press, 2002. Available online: https://www.d.umn.edu/~rvaidyan/mktg4731/Cialdini_InPress.doc


On-line interactions

Computer-mediated vs face-to-face communication is characterized by
– greater anonymity (but: user names, email addresses etc. can provide cues)
– lower relevance of physical appearance
– physical distance is no longer a barrier
– greater control over communication time and place (but: blending of professional and personal life)
– lack of social cues (e.g., eye contact, voice tone)

These features provide solid ground for effective social influence techniques.

R.E. Guadagno, R.B. Cialdini, Online Persuasion and Compliance: Social Influence on the Internet and beyond.


Manipulation techniques
• Pretexting and impersonation
• Reverse Social Engineering
• Baiting
• Pressure and solution
• Chain of authentication
• Gaining credibility
• From innocuous to sensitive
• Priming
• Social proof
• Emotional states
• Selective attention
• Framing information
• Leveraging authority
• Personality types and models
• Body language


Pretexting and impersonation

Pretexting: exploiting early intelligence gathered about a target individual to set up a scenario in which the attacker appears to know enough information to be deemed trustworthy, in order to convince the victim to give up valuable information
– plausible situation
– character

Impersonation: the impersonated person need not be a real individual; it is likely a character specifically designed for the pretext

ISTR 21 (2016) Symantec


Reverse Social Engineering

A classic, special case of the pretexting technique, used to ensure the attacker has solid credibility. Basic idea:
– get the victim to seek assistance from the social engineer to solve a problem
– the social engineer then provides the assistance, which also aids the attack

The victim is requesting something from the social engineer, rather than the other way round.


Baiting
• E-mails, for example:

Hi James,
I don’t have time to follow up this lead so do you want it? The client wants to know more about our new services, sounded like a great opportunity:
http://vulnerableinc.com/contact

• Dropped USB drives or CDs / DVDs with enticing labels


Pressure and solution
• Pressure…
applying pressure to the victim in the form of a negative emotional state such as fear, anger, indignation, or shame
e.g., a fake message from the police claiming that you have breached some law, leveraging authority
• …and solution
presenting the victim with a solution that would mitigate or remove the emotion
e.g., by asking to pay a (fake) fine

Similar to baiting: victims are blinded by the emotion much like they are blinded by the bait.


Chain of authentication

Manufacturing or orchestrating a situation where the victim “assumes” the social engineer has already been validated.

To gain access to a hospital’s server room, a social engineer (SE) approaches the receptionist (R) posing as an air-conditioning repair engineer.

SE: I’m here to perform a maintenance check of the air conditioning units in the server room, the IT department sent me here as apparently you have keys
R: Sorry we don’t have them, the only person with keys is the porter, his office is just down the hall

SE leaves and then returns a few minutes later saying:

SE: Sorry but no one is answering at the door, I’ll try again a little later

SE could continue pretending to try the door and telling R that they are not answering, until R agrees to investigate herself. When R tries the door, the porter answers and R explains:

R: Ah you are in after all, this gentleman is here to do some stuff with the air conditioning in the server room, can you take him up there

The porter will then very likely assume that R has already validated the engineer, creating the chain of authentication.


Gaining credibility
• An employee might be suspicious of a call asking:
“Hello, could you tell me what version of Web browser you’re using?”

• A more credible call would be:
“Hello, I’m calling from the IT department, we’re performing some remote patching, can you tell if your Web browser has been updated to version 7.0?”

• An even better call:
“Hi James, it’s Simon from the Service Desk, have you got 2 seconds or are you guys still busy with the xyz project? …Ah well listen, we’re performing some remote patching, can you tell me if your Web browser has been updated to version 7.0? If not I’ll need to send Dave down to sort it out there.”


From innocuous to sensitive

To a social engineer any piece of “innocuous” information is a piece of a jigsaw puzzle, one that could be used to identify another, possibly more significant piece of information.

Example
– you throw in the garbage a letter from your insurance company with an additional offer, since no sensitive data is present, but...
– ...if a social engineer finds this letter, he/she gains the knowledge that you have insurance with a particular company, paving the way for impersonation, pretexting, etc.


Priming

A fascinating psychological phenomenon
– an individual can be exposed to certain words, ideas or actions that will make them more likely to “choose” associated words, ideas or actions, even without knowing they have
– a victim could be primed into a specific state, such as being more “agreeable”

Priming can support phishing attacks.


Social proof

People follow the crowd: it is human nature to seek the comfort that comes with fitting in with everyone else. Compare the following messages: which one will be most successful?

Dear all,
We’re trying to push our social media presence. Unfortunately, the vast majority of staff haven’t liked our corporate page. Please could you follow the link to remedy this.
http://www.somesocialmediawebsite.com/
IT Support

Dear all,
Thank you for the great positive response to our social media push. The vast majority of your department have responded with a ‘like’ and we’re really pleased. Join the rest of us if you haven’t already using the following link.
http://www.somesocialmediawebsite.com/
IT Support


Emotional states
• The social engineer tries to invoke a certain emotional state in the victim
– pity
– kindness
– fear
– trust
• This is not an easy task, as emotions are unpredictable


Selective attention
• Sometimes referred to as the “cocktail party effect”: we are able to filter out the unwanted sounds, and single out and understand a single voice among the many others
• All that the social engineer needs to do is ensure the victim’s attention is focused on something complicated enough to prevent any other information from being processed
• The “anything else” would be the element that achieves the objective


Framing information
• Framing is about presenting information in such a way as to steer the viewer’s subjective perception in a certain direction
– sales advertisement: “Up to 50% off”
• Compare the following messages: which one will be most effective in getting the help?
– Hey Susan, I have already spoken to David and Simon in your department. They were really helpful and answered most of my questions, send my thanks. However, they couldn’t answer a couple of questions, can you help?
– Hey Susan, [...]. However, there were a couple of questions they said you’d be the best person to answer, have you got a couple of minutes to help me out?


Social Engineering and Computer Security



Social Engineering attack model


F. Mouton, L. Leenen, H.S. Venter, Social engineering attack examples, templates and scenarios, Computers & Security 59 (2016) 186–209


Social Engineering attack taxonomies


Greitzer et al., Analysis of unintentional insider threats deriving from social engineering exploits, IEEE S&P, 2014


Social Engineering attack taxonomies


Semantic Attack: manipulation of the user-computer interfacing with the purpose to breach a computer system’s information security through user deception (a specific definition of Social Engineering)

R. Heartfield and G. Loukas, A Taxonomy of Attacks and a Survey of Defence Mechanisms for Semantic Social Engineering Attacks, ACM Computing Surveys 48, Art. 37, 2015


Example: drive-by download attack


R. Heartfield and G. Loukas, A Taxonomy of Attacks and a Survey of Defence Mechanisms for Semantic Social Engineering Attacks, ACM Computing Surveys 48, Art. 37, 2015


Example: WiFi evil twin phishing attack


R. Heartfield and G. Loukas, A Taxonomy of Attacks and a Survey of Defence Mechanisms for Semantic Social Engineering Attacks, ACM Computing Surveys 48, Art. 37, 2015


Example: SNS malvertisement attack


R. Heartfield and G. Loukas, A Taxonomy of Attacks and a Survey of Defence Mechanisms for Semantic Social Engineering Attacks, ACM Computing Surveys 48, Art. 37, 2015


Example: fake mobile app attack


R. Heartfield and G. Loukas, A Taxonomy of Attacks and a Survey of Defence Mechanisms for Semantic Social Engineering Attacks, ACM Computing Surveys 48, Art. 37, 2015


SE for Advanced Persistent Threats

– targeted attacks
– allowing the attacker to gain privileged access inside the company network
– assets accessible by the victims, other vulnerable systems


Example: document attached to email

Microsoft Security Intelligence Report – Volume 21, 2016


Social Engineering attack cycle


K.D. Mitnick, W.L. Simon, The art of deception: Controlling the human element of security. John Wiley & Sons, 2002

[Figure: the attack cycle, centred on TRUST]

Limits of this model:
• SE attacks are often iterative, not sequential
• no suggestions on how to protect


Social Engineering attack cycle


M. Nohlberg, S. Kowalski. The cycle of deception – a model of social engineering attacks, defenses and victims. Proc. of HAISA 2008, pp. 1–11

the attack circle


Social Engineering attack cycle


Greitzer et al., Analysis of unintentional insider threats deriving from social engineering exploits, IEEE S&P, 2014

Specific model of single-stage phishing attacks


Social Engineering attack cycle


Greitzer et al., Analysis of unintentional insider threats deriving from social engineering exploits, IEEE S&P, 2014

Specific model of multiple-stage phishing attacks


Social Engineering attack cycle


F. Mouton, L. Leenen, H.S. Venter, Social engineering attack examples, templates and scenarios, Computers & Security 59 (2016) 186–209


Attack vectors

Technical
• Spam e-mails
• Phishing (fake web sites and e-mails)
• Vishing (voice phishing)
• Context-aware phishing
– spear phishing
– whaling
• Popup window
• Interesting software (trojans)

Non-technical
• Dumpster diving
• Pretexting/impersonation
• Spying and eavesdropping
• Acting as a technical expert
• Support staff


E-mail fraud statistics

proofpoint – The Human Factor 2018


Phishing statistics

proofpoint – The Human Factor 2018


Context-aware phishing

Phishing targets generic victims. Context-aware phishing is more sophisticated:
– spear phishing: targets employees or customers of a specific organization
– whaling: targets a highly valuable member of a specific organization, e.g., a senior executive (aka CEO fraud)


Fake web sites: typosquatting statistics

proofpoint – The Human Factor 2018

Examples: www.gooogle.com, twiter.com, facebok.com


Defense Strategies



Defence strategies


M. Nohlberg, S. Kowalski. The cycle of deception – a model of social engineering attacks, defenses and victims. Proc. of HAISA 2008, pp. 1–11

The attack cycle (circle)...

...the defense cycle...


Defence strategies


The attack cycle (circle)...

...and the victim cycle

"Many crimes can be more readily prevented by focusing on the victim rather than the attacker"

M. Nohlberg, S. Kowalski. The cycle of deception – a model of social engineering attacks, defenses and victims. Proc. of HAISA 2008, pp. 1–11


Defence strategies


Greitzer et al., Analysis of unintentional insider threats deriving from social engineering exploits, IEEE S&P, 2014

"Improved training and awareness are an organization’s most potent mitigation tools for thwarting social engineering exploits that target human psychological characteristics and limitations"


Protection mechanisms


Organisational
• Policy and Process Control
• Awareness Training (user deception is the primary attack vector)

Technical
• Sandboxing Mechanisms
• Authorisation, Authentication, and Accounting (AAA)
• Monitoring
• Integrity Checking
• Machine Learning

R. Heartfield and G. Loukas, A Taxonomy of Attacks and a Survey of Defence Mechanisms for Semantic Social Engineering Attacks, ACM Computing Surveys 48, Art. 37, 2015


Defense strategies: summing up


Technology measures: anti-virus software, robust firewalls, etc. Useful, but not sufficient.

Training: the most effective way to prepare for a phishing attack. Not limited to IT staff: company-wide education.


Some (obvious?) suggestions

If something looks ‘phishy’, it probably is
– if an offer in an email looks too good to be true, it’s almost certainly a spam email
– poor spelling or grammar is a good sign that something is not right
– keep an eye on the sender’s email address: spoofing works by using a similar name or email combination with a few small, often unnoticeable, differences
– do not trust shortened links: search for a shortened link checker online; if you are still not sure do not click on it

A. Binks, The art of phishing: past, present and future, Computer Fraud & Security, April 2019, 9–11
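The last two suggestions above (a sender address that differs from the real one by a few characters, and shortened links) and the typosquatting examples on the earlier slide (www.gooogle.com, twiter.com, facebok.com) are checks a mail gateway or a user-side triage script can do mechanically. The following Python script is an added example and is not part of the lecture or of any tool the slides cite: it flags registrable domains within a small edit distance of a trusted domain (after mapping digit look-alikes such as "0" for "o"), trusted brand names used as a subdomain label of an unrelated domain, a display name that claims a brand the address does not belong to, and links through well-known URL shorteners. The trusted-domain allowlist, the shortener list and the two sample messages are constructed for the demonstration, and "registrable domain" is approximated by the last two labels rather than a public-suffix lookup.

```python
"""Phishing triage heuristics: look-alike sender and link domains, and
shortened links.  Added example, not from the lecture slides; the trusted
domain list, shortener list and sample messages are constructed."""
from __future__ import annotations

import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = ["google.com", "twitter.com", "facebook.com", "unica.it"]  # constructed allowlist
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}                              # well-known shorteners
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})        # digit look-alikes
URL_RE = re.compile(r"https?://([^\s/]+)", re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Crude registrable domain: the last two labels (no public-suffix list)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def classify_domain(host: str, max_distance: int = 2) -> dict:
    """Classify a host name against TRUSTED_DOMAINS.

    Verdicts: 'trusted', 'brand-in-subdomain' (a trusted name used as a
    subdomain label of an unrelated domain), 'lookalike' (registrable part
    within max_distance edits after mapping digit confusables), 'unrelated'.
    """
    host = host.lower().strip(".")
    reg = registrable(host)
    if reg in TRUSTED_DOMAINS:
        return {"host": host, "verdict": "trusted", "matches": reg, "distance": 0}
    subdomain_labels = host.split(".")[:-2]
    for t in TRUSTED_DOMAINS:
        if t.split(".")[0] in subdomain_labels:
            return {"host": host, "verdict": "brand-in-subdomain", "matches": t, "distance": None}
    normalized = reg.translate(CONFUSABLES)
    best = min(TRUSTED_DOMAINS, key=lambda t: levenshtein(normalized, t))
    dist = levenshtein(normalized, best)
    if dist <= max_distance:
        return {"host": host, "verdict": "lookalike", "matches": best, "distance": dist}
    return {"host": host, "verdict": "unrelated", "matches": None, "distance": dist}


def triage_email(raw: str) -> list[tuple[str, str]]:
    """Return (code, detail) findings for one RFC 5322 message."""
    msg = message_from_string(raw)
    findings: list[tuple[str, str]] = []
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    sender = classify_domain(sender_domain) if sender_domain else {"verdict": "unrelated", "matches": None}
    if sender["verdict"] in ("lookalike", "brand-in-subdomain"):
        findings.append(("sender-lookalike", f"{sender_domain} imitates {sender['matches']}"))
    # Display name claims a trusted brand while the address is not that brand.
    if sender["verdict"] != "trusted":
        for t in TRUSTED_DOMAINS:
            if t.split(".")[0] in name.lower():
                findings.append(("display-name-mismatch", f"'{name}' but address is {addr}"))
    body = msg.get_payload() if not msg.is_multipart() else ""
    for host in URL_RE.findall(body):
        if registrable(host) in SHORTENERS:
            findings.append(("shortened-link", f"{host}: expand before trusting it"))
        else:
            link = classify_domain(host)
            if link["verdict"] in ("lookalike", "brand-in-subdomain"):
                findings.append(("link-lookalike", f"{host} imitates {link['matches']}"))
    return findings


# Constructed sample messages (not real mail).
PHISHY_EMAIL = """\
From: "Google Security" <alerts@gooogle.com>
To: james@example.org
Subject: Unusual sign-in, verify now
Content-Type: text/plain

Your account was accessed from a new device. Confirm it here:
http://bit.ly/verify-now
or sign in at http://accounts.google.com.login-example.net/
"""

BENIGN_EMAIL = """\
From: "IT Support" <support@unica.it>
To: james@example.org
Subject: Planned maintenance
Content-Type: text/plain

Details at http://www.unica.it/maintenance
"""

if __name__ == "__main__":
    for code, detail in triage_email(PHISHY_EMAIL):
        print(f"[{code}] {detail}")
```

Run as a script it prints four findings for the constructed phishy message and none for the benign one. The edit-distance threshold of 2 is deliberately low: a larger threshold catches more typosquats but starts flagging unrelated short domains, which is why the brand-in-subdomain and confusable-character rules are kept separate from it. A production deployment would replace the two-label rule with a public-suffix list and feed a much larger allowlist.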


Training
• EU H2020 Project DOGANA, https://www.dogana-project.eu: “Social Vulnerability Assessment”
• Survey on simulation and training platforms: see document 3.1 in the Dogana repository
– open source toolkits (e.g., trustedsec SET, gophish)
– companies: e.g., knowbe4
• Take your free test of phishing vulnerability
– https://www.opendns.com/phishing-quiz
– https://www.phishingbox.com/phishing-iq-test