DOI: 10.1145/2523514.2523596
Invited talk

Social engineering attacks on the knowledge worker

Published: 26 November 2013

Abstract

Social engineering has become an emerging threat in virtual communities and is an effective means of attacking information systems. Today's knowledge workers use a number of services that sophisticated social engineering attacks can leverage. Moreover, there is a trend towards BYOD (bring your own device) policies and the use of online communication and collaboration tools in both private and business environments. In globally acting companies, teams are no longer geographically co-located but staffed just-in-time. The decrease in personal interaction, combined with the plethora of tools used (e-mail, IM, Skype, Dropbox, LinkedIn, Lync, etc.), creates new attack vectors for social engineering attacks. Recent attacks on companies such as the New York Times, RSA, or Apple have shown that targeted spear-phishing attacks are an effective evolution of social engineering attacks. When combined with zero-day exploits they become a dangerous weapon, often used by advanced persistent threats. This paper provides a taxonomy of well-known social engineering attacks as well as a comprehensive overview of advanced social engineering attacks on the knowledge worker.


Cited By

  • (2024) A Comprehensive Taxonomy of Social Engineering Attacks and Defense Mechanisms: Toward Effective Mitigation Strategies. IEEE Access, 12, 72224-72241. DOI: 10.1109/ACCESS.2024.3403197. Online publication date: 2024.
  • (2024) Cyber Espionage and Cyber Defence. Information Technology for Peace and Security, 93-116. DOI: 10.1007/978-3-658-44810-3_5. Online publication date: 1 Nov 2024.
  • (2023) Zero-day and zero-click attacks on digital banking: a comprehensive review of double trouble. Risk Management, 25(4). DOI: 10.1057/s41283-023-00130-4. Online publication date: 28 Sep 2023.
  • (2022) Social Engineering Attacks. Emerging Technologies in Data Mining and Information Security, 497-509. DOI: 10.1007/978-981-19-4193-1_49. Online publication date: 29 Sep 2022.
  • (2022) Preparation of a Social Engineering Attack, from Scratch to Compromise: A USB Dropper and Impersonation Approach. Information and Communication Technologies, 281-293. DOI: 10.1007/978-3-031-18272-3_19. Online publication date: 5 Oct 2022.
  • (2021) Insights into Organizational Security Readiness: Lessons Learned from Cyber-Attack Case Studies. Journal of Cybersecurity and Privacy, 1(4), 638-659. DOI: 10.3390/jcp1040032. Online publication date: 11 Nov 2021.
  • (2021) A Comprehensive Survey of Security Challenges and Threats in Internet of Things. 2021 5th International Conference on Information Systems and Computer Networks (ISCON), 1-5. DOI: 10.1109/ISCON52037.2021.9702368. Online publication date: 22 Oct 2021.
  • (2021) Impact of Social Engineering Attacks: A Literature Review. Developments and Advances in Defense and Security, 25-35. DOI: 10.1007/978-981-16-4884-7_3. Online publication date: 29 Oct 2021.
  • (2021) An Analysis of Cyber Espionage Process. Developments and Advances in Defense and Security, 3-14. DOI: 10.1007/978-981-16-4884-7_1. Online publication date: 29 Oct 2021.
  • (2020) Defining Social Engineering in Cybersecurity. IEEE Access, 8, 85094-85115. DOI: 10.1109/ACCESS.2020.2992807. Online publication date: 2020.


Information

Published In

ACM Other conferences
SIN '13: Proceedings of the 6th International Conference on Security of Information and Networks
November 2013
483 pages
ISBN:9781450324984
DOI:10.1145/2523514
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Sponsors

  • Macquarie U., Australia
  • MNIT: Malaviya National Institute of Technology
  • Aksaray Univ.: Aksaray University
  • SFedU: Southern Federal University

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. attack scenarios
  2. bring your own device
  3. knowledge worker
  4. privacy
  5. security
  6. social engineering

Qualifiers

  • Invited-talk

Conference

SIN '13

Acceptance Rates

Overall Acceptance Rate 102 of 289 submissions, 35%

Article Metrics

  • Downloads (Last 12 months)99
  • Downloads (Last 6 weeks)4
Reflects downloads up to 26 Jan 2025
