Panning for gold : automatically analysing online social engineering attack surfaces

Edwards, Matthew and Larson, Robert and Green, Benjamin and Rashid, Awais and Baron, Alistair (2017) Panning for gold : automatically analysing online social engineering attack surfaces. Computers and Security, 69. pp. 18-34. ISSN 0167-4048

[thumbnail of servs_redux]
Preview
PDF (servs_redux)
servs_redux.pdf - Accepted Version
Available under License Creative Commons Attribution-NonCommercial-NoDerivs.

Download (360kB)

Abstract

The process of social engineering targets people rather than IT infrastructure. Attackers use deceptive ploys to create compelling behavioural and cosmetic hooks, which in turn lead a target to disclose sensitive information or to interact with a malicious payload. The creation of such hooks requires background information on targets. Individuals are increasingly releasing information about themselves online, particularly on social networks. Though existing research has demonstrated the social engineering risks posed by such open source intelligence, this has been accomplished either through resource-intensive manual analysis or via interactive information harvesting techniques. As manual analysis of large-scale online information is impractical, and interactive methods risk alerting the target, alternatives are desirable. In this paper, we demonstrate that key information pertinent to social engineering attacks on organisations can be passively harvested on a large-scale in an automated fashion. We address two key problems. We demonstrate that it is possible to automatically identify employees of an organisation using only information which is visible to a remote attacker as a member of the public. Secondly, we show that, once identified, employee profiles can be linked across multiple online social networks to harvest additional information pertinent to successful social engineering attacks. We further demonstrate our approach through analysis of the social engineering attack surface of real critical infrastructure organisations. Based on our analysis we propose a set of countermeasures including an automated social engineering vulnerability scanner that organisations can use to analyse their exposure to potential social engineering attacks arising from open source intelligence.

Item Type:
Journal Article
Journal or Publication Title:
Computers and Security
Additional Information:
This is the author’s version of a work that was accepted for publication in Computers and Security. Changes resulting from the publishing process, such as peer review, editing, corrections, structural formatting, and other quality control mechanisms may not be reflected in this document. Changes may have been made to this work since it was submitted for publication. A definitive version was subsequently published in Computers and Security, 69, 2017 DOI: 10.1016/j.cose.2016.12.013
Uncontrolled Keywords:
/dk/atira/pure/subjectarea/asjc/3300/3308
Subjects:
?? social engineeringvulnerability analysisopen source intelligencesocial networkscompetitive intelligencelawgeneral computer sciencecomputer science(all) ??
ID Code:
83828
Deposited By:
Deposited On:
05 Jan 2017 09:14
Refereed?:
Yes
Published?:
Published
Last Modified:
10 Nov 2024 01:13