Panning for gold: automatically analysing online social engineering attack surfaces

Matthew Edwards, Robert Larson, Benjamin Green, Awais Rashid, Alistair Baron

Research output: Contribution to journalArticle (Academic Journal)

250 Downloads (Pure)

Abstract

The process of social engineering targets people rather than IT infrastructure. Attackers use deceptive ploys to create compelling behavioural and cosmetic hooks, which in turn lead a target to disclose sensitive information or to interact with a malicious payload. The creation of such hooks requires background information on targets. Individuals are increasingly releasing information about themselves online, particularly on social networks. Though existing research has demonstrated the social engineering risks posed by such open source intelligence, this has been accomplished either through resource-intensive manual analysis or via interactive information harvesting techniques. As manual analysis of large-scale online information is impractical, and interactive methods risk alerting the target, alternatives are desirable.
In this paper, we demonstrate that key information pertinent to social engineering attacks on organisations can be passively harvested on a large-scale in an automated fashion. We address two key problems. We demonstrate that it is possible to automatically identify employees of an organisation using only information which is visible to a remote attacker as a member of the public. Secondly, we show that, once identified, employee profiles can be linked across multiple online social networks to harvest additional information pertinent to successful social engineering attacks. We further demonstrate our approach through analysis of the social engineering attack surface of real critical infrastructure organisations. Based on our analysis we propose a set of countermeasures including an automated social engineering vulnerability scanner that organisations can use to analyse their exposure to potential social engineering attacks arising from open source intelligence.
Original languageEnglish
Pages (from-to)18-34
Number of pages17
JournalComputers and Security
Volume69
Early online date29 Dec 2016
DOIs
Publication statusPublished - Aug 2017

Structured keywords

  • Cyber Security

Keywords

  • social engineering
  • vulnerability analysis
  • open source intelligence
  • social networks
  • competitive intelligence

Fingerprint Dive into the research topics of 'Panning for gold: automatically analysing online social engineering attack surfaces'. Together they form a unique fingerprint.

  • Cite this