SOCIAL ENGINEERING: THE ART OF HUMAN HACKING
Mohammed Asad Hashmi
mah1g11@ecs.soton.ac.uk
School of Electronics and Computer Science, University of Southampton
Abstract

The use of antivirus and anti-spyware programs protects our data and provides security against hackers and their technical expertise. But hackers have now advanced their skills: they no longer rely only on their technical skills but also exploit human weaknesses to con their victims. They study human habits and behaviour to exploit weaknesses and gain access to information far more easily and cheaply, and are therefore termed social engineers. This technical report looks deep into the working of social engineering: why is social engineering so successful? What methods do social engineers employ to exploit a victim? We then look into the research being done to detect and defend against this attack.

1. Introduction

Security is no longer only a technological problem. Earlier, the use of antivirus and firewall programs raised the security of an organization to a high level. That is no longer the case: mere use of antivirus and firewall programs is not enough to secure an organization. Developers continually invent and enhance security technologies, making it difficult to exploit technical vulnerabilities. What remains easily exploitable is the human element [1]. Cracking the human element is easy, requires just a phone call and carries minimal risk [1]. Social engineering is the art of exploiting the human factor of security.

Victims are deceived into giving confidential information to the attackers or performing malicious actions [2]. Social engineering usually starts with acquiring background information on the target. Initially this information was gathered via phone calls, dumpster diving etc. But now, with the emerging use of social networking websites, a great deal of information about a person can be gathered from social networking sites (SNSs). Moreover, SNSs provide data in machine-readable form, thus helping the automation of attacks [2]. Social engineering attacks have a high success rate due to limited education and meagre awareness regarding social engineering [3].

2. Impact of social engineering attacks

A social engineering attack can have a high impact on an organization. A single attack can drain out the millions of dollars spent on firewalls, security policies, secure routers and all other such guards [4]. A single successful attack makes the system penetrable and can be used to achieve different goals. Therefore social engineers do not "burn" their sources, as an undetected social engineering attack can be used repeatedly for different goals [4]. According to the U.S. Federal Trade Commission (FTC), social engineering-related issues cost individuals and businesses approximately $52.6 billion in 2004 and affect approximately 10 million Americans each year [5]. The White House has blocked access to the Twitter website for undisclosed reasons, though President Barack Obama is known to have two Twitter accounts. Researchers say this has been done for privacy control: staff members in the White House might use the site to provide information over the website which might turn out to be exploited [6].

An individual's information can easily be obtained nowadays from their profile on a social networking website. The design of social networking websites allures users to enter more information into their profiles, which in turn creates a more valuable data pool to generate more profits [7][16]. This is one of the main weapons of an attacker in the information gathering phase of an attack. Furthermore, social networking websites help in the automation of attacks by maintaining data in machine-readable format [18]. The goal of automation is to reduce the time a human spends on information gathering, as developing and maintaining a rapport with the victim is a time-consuming task and hence makes the attack expensive [7]. Tools such as the "Social Engineering Toolkit" make it easy for the attacker to automate an attack with any preferred method [15].

3. Types and skills of Social engineering Attacks

Attacks are direct (face to face) or indirect, using technology and electronic media. Here we evaluate some of them [19][13].

a) Hoaxing: An attempt to trick someone into believing something false to be real. This results in a rash decision taken out of fear of an untoward accident. The attacker takes advantage of this fear and leads the victim into performing an action which the attacker wants.

b) Impersonating staff: A scenario is created by impersonating someone from inside the company in order to gain confidential information from the target or to persuade them to perform malicious actions, usually via telephone or email.

c) Intimidation tactics: The attacker pretends to be someone of high authority, someone important, an inspector from the government, someone who can instil fear into the regular working employees of the organization. He makes his entrance already yelling and furious, and threatens to fire the employee if the employee doesn't provide the information on the spot. The employee, scared, provides all the information without any thought for authorization.

d) Creating confusion: This tactic involves creating a problem in order to take advantage of it, such as setting off the alarm so that everyone vacates the premises without logging off their sessions. The logged-on session is then used by the attacker for exploitation.

e) Dumpster diving: Office documents or mail thrown away without being fully torn up or shredded are a great source of information for social engineering attackers. They can contain personal information, credit card details or the company's organizational chart, which aids information gathering for an attack.

f) Phishing: Phishing is the technique of attempting to gain information such as passwords, usernames, credit card numbers etc. by masquerading as an authorized and trustworthy entity. An exact replica of the website of an authorized firm is made and the user is persuaded and tricked into entering valuable information, which the attacker uses for personal benefit.

g) Phone phishing (vishing): Vishing is the practice of leveraging IP-based voice messaging technologies (primarily Voice over Internet Protocol, or VoIP) to socially engineer the intended victim into providing personal, financial or other confidential information for the purpose of financial reward. The term "vishing" is derived from a combination of "voice" and "phishing" [29][30].

4. Defending against social engineering attacks

User education is the most powerful defence against social engineering attacks, backed up by strong and clear policies [13][14][17]. With only limited, strictly controlled scientific studies on social engineering, we need to conceptualize social engineering attacks so as to detect them [12]. We discuss ways to detect and prevent social engineering attacks.

4.1 SEADM – Social engineering attack detection model

We here discuss the social engineering attack detection model (SEADM) [8], as illustrated in Figure 1 [8]. It is often difficult for an individual to make rational decisions in a limited time frame. Given the complexity of the attack and the skill of the social engineer, an individual can only make an educated guess regarding the likelihood of an attack. What an individual needs is a predefined set of guidelines to determine the likelihood of an attack. This model suggests a practical application model to determine whether a social engineering attack is being performed [8]. The model specifies a set of guidelines in the form of a flowchart in order to determine an attack. Though it is said to detect, there is more prevention involved, because if by any means a level of discomfort is felt in providing the required information, it is advised to escalate the request [8].

4.2 OST (Ontological Semantic Technology)

We discuss here a computational system for the detection and automatic extraction of hidden semantic information from the verbal output of a person of interest (POI), in both written and oral conversations, with the help of ontological semantics [9]. The person of interest (POI) is the attacker who gathers information for the attack. This system understands natural language (NL) text in order to extract and calculate information that the POI gives away unintentionally. For example, suppose the POI in one conversation mentions that he went to Florida on vacation, and in another mentions that "The Birth of Venus" was worth seeing. The system detects the contradiction in the conversation by understanding natural language, with the help of access to an encyclopaedia and specific knowledge about paintings ("The Birth of Venus" is in Florence, Italy, not Florida). OST consists of repositories of linguistic knowledge and repositories of world knowledge used to disambiguate different meanings of words and sentences. They contain language-independent knowledge and concepts, one lexicon per language used to represent their meaning, along with the Proper Name Dictionary (PND), which contains names of people, organizations, countries etc. together with their descriptions, interlinking them with other PND entries. The Semantic Text Analyzer (StAn) is software that produces text meaning representations (TMRs) from the text it processes. The TMRs are fed into InfoStore, the knowledge resource of Ontological Semantic Technology, from which information is processed and reasoned over according to the requirement to be determined, which in our case is to detect contradictions in conversations [9].

4.3 Social attack detection using Neural Networks

The term "neural networks" refers to a computational model which imitates the biological neurons of the human brain [10]. A neural node is programmed to act as a biological neuron. This model works in three steps, shown in Figure 2 [10].

Figure 2

i) Benchmark data: A data set was generated by Dr. Marcus Rogers of the Cyber Forensics Program at Purdue University [8], who proposed a solution which relies on computer systems to analyze telephone conversations to detect whether the receiver is being deceived. Here benchmark data is used in order to check whether the use of neural networks can be useful for the same purpose.

ii) Extracting features from the call: This stage identifies certain attributes and features of the phone call or the caller which help the system identify whether it is an SE attack. This is done by identifying keywords, which are encoded into numerical training vectors and fed in for neural network learning and processing.

iii) Feed features to the NN (neural network): The Matlab NN toolbox is used for this process. The extracted information is fed in with the appropriate data tuning and a minimum training error is sought. The training error determines the ability of the NN to detect SE attacks [11].

Drawbacks:
- Carried out on an experimental data set and not real-case scenarios.
- Heavy cost involved in integrating this model into all call centres.

4.4 A Multi-layered defence against Social Engineering

David Gragg in [13] has defined a multi-layered defence mechanism against social engineering. Because the defence is multi-layered, there is a strong chance that the attack gets detected in one of the layers even if it manages to get through some of them. The security policies are made such that they address numerous areas in order to be a foundation for defence against social engineering, such as access controls, setting up accounts, access approval etc.

5. Conclusion

Social engineering attacks are widespread and very difficult to detect, as the engineers are skilled and possess various effective techniques. People have limited knowledge about the attacks, due to which the attacks go unnoticed. Though some feel that, as it involves the human factor, there are limited ways to identify an attack and defend against it, new ways are being discussed, as described in this report. We also look into applying artificial intelligence to the detection and prevention of these attacks, which has not previously been looked into for this purpose. Though prevention and defence mechanisms are being sought, the best solution is to educate people about it and define strong and clear policies [13][14][17], conducting awareness and education programs in the organization and checking them through auditing programs that monitor policy compliance, so as to prevent and reduce the impact of social engineering.
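To make the reasoning step of section 4.2 concrete, here is an added Python example (not code from the original report or from the OST project): a constructed stand-in for the PND links each painting to the city and country that contain it, a simple name-matcher plays the part of StAn, and the contradiction check plays the part of InfoStore reasoning. The PND dictionary, the entity names and the conversation lines are all constructed for this example.

```python
# Constructed stand-in for the Proper Name Dictionary (PND): every entry is
# linked to the entry that physically contains it (painting -> city -> country).
PND = {
    "Florida": {"kind": "region", "in": "United States"},
    "United States": {"kind": "country", "in": None},
    "Florence": {"kind": "city", "in": "Italy"},
    "Milan": {"kind": "city", "in": "Italy"},
    "Italy": {"kind": "country", "in": None},
    "The Birth of Venus": {"kind": "painting", "in": "Florence"},
    "The Last Supper": {"kind": "painting", "in": "Milan"},
}
PLACE_KINDS = {"region", "city", "country"}


def containing_places(entity):
    """Walk the PND links upward: 'The Birth of Venus' -> ['Florence', 'Italy']."""
    chain = []
    parent = PND[entity]["in"]
    while parent is not None:
        chain.append(parent)
        parent = PND[parent]["in"]
    return chain


def extract_tmr(utterance):
    """Minimal stand-in for StAn: the text meaning representation is a list of
    (claim, entity) pairs found by matching PND names in the utterance."""
    tmr = []
    for name, entry in PND.items():
        if name in utterance:
            claim = "at" if entry["kind"] in PLACE_KINDS else "saw"
            tmr.append((claim, name))
    return tmr


def find_contradictions(utterances):
    """InfoStore-style reasoning over the TMRs of one POI's conversations: an
    artefact the POI says they saw must lie inside a place they say they visited.
    Returns (artefact, where it really is, places claimed) for each violation."""
    claims = [c for u in utterances for c in extract_tmr(u)]
    places = [e for kind, e in claims if kind == "at"]
    artefacts = [e for kind, e in claims if kind == "saw"]
    contradictions = []
    for art in artefacts:
        located_in = set(containing_places(art))
        if places and not any(p in located_in for p in places):
            contradictions.append((art, PND[art]["in"], places))
    return contradictions


# Constructed conversation fragments from the same POI (the report's own example).
POI_CONVERSATION = [
    "I went to Florida on vacation last spring.",
    '"The Birth of Venus" was really worth seeing.',
]
```

Calling `find_contradictions(POI_CONVERSATION)` reports the Florida/Florence clash; a POI who says they flew to Italy produces no report, because Florence lies inside Italy in the PND.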
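An added Python example for the three-step pipeline of section 4.3 (not the authors' Matlab code): stage ii encodes a call transcript as a vector of keyword counts, and stage iii trains a single neural node (a perceptron) until the training error on a constructed benchmark reaches zero. The keyword list, the labelled calls and the `train_detector` helper are assumptions of this example.

```python
import re

# Constructed keyword list: cues a call-centre analyst would flag in a transcript.
KEYWORDS = ["urgent", "immediately", "password", "verify", "manager", "fired"]


def call_features(transcript):
    """Stage ii: turn a call transcript into a numeric vector of keyword counts."""
    tokens = re.findall(r"[a-z]+", transcript.lower())
    return [tokens.count(k) for k in KEYWORDS]


# Constructed, labelled benchmark calls (1 = social engineering attempt, 0 = benign).
BENCHMARK = [
    ("This is urgent, I need the admin password immediately, my manager is waiting.", 1),
    ("Verify your account details now or it will be closed immediately.", 1),
    ("I'm from IT, tell me your password so I can verify the system, it's urgent.", 1),
    ("If you don't give me the manager's password you will be fired.", 1),
    ("Hi, I'd like to check the opening hours for the branch on Saturday.", 0),
    ("I forgot my password, can you send the reset link to my registered email?", 0),
    ("Could you let the manager know I'll be late for the meeting?", 0),
    ("I want to update my postal address on my account.", 0),
]


class Perceptron:
    """Stage iii: one neural node, the simplest stand-in for the Matlab NN toolbox."""

    def __init__(self, n_features):
        self.w = [0.0] * n_features
        self.b = 0.0

    def predict(self, x):
        return 1 if sum(wi * xi for wi, xi in zip(self.w, x)) + self.b > 0 else 0

    def train(self, data, max_epochs=1000):
        """Repeat the perceptron update until the training error (fraction of
        misclassified calls) reaches 0 or the epoch budget is spent."""
        error = 1.0
        for _ in range(max_epochs):
            mistakes = 0
            for x, y in data:
                delta = y - self.predict(x)
                if delta:
                    mistakes += 1
                    self.w = [wi + delta * xi for wi, xi in zip(self.w, x)]
                    self.b += delta
            error = mistakes / len(data)
            if error == 0:
                break
        return error


def train_detector(benchmark=BENCHMARK):
    """Return the trained node and its final training error on the benchmark."""
    data = [(call_features(text), label) for text, label in benchmark]
    node = Perceptron(len(KEYWORDS))
    return node, node.train(data)
```

The benchmark is built so that the two classes are linearly separable, which is what lets a single node reach zero training error; the report's drawback still applies, since such a toy data set says nothing about real calls.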
References

1. Hacking Human: Data-Archaeology and Surveillance in Social Networks. Jason Nolan and Michelle Levesque. ACM SIGGROUP Bulletin, Special issue on virtual communities, Volume 25 Issue 2, February 2005, Pages 33-37.
2. Towards Automating Social Engineering Using Social Networking Sites. Huber, M.; Kowalski, S.; Nohlberg, M.; Tjoa, S. Computational Science and Engineering, 2009. CSE '09. International Conference on, 29-31 Aug. 2009, Pages 117-124.
3. The use of formal social engineering techniques to identify weaknesses during a computer vulnerability competition. Derek Kyedar, Michael Nettis, Steven P. Fulton. Journal of Computing Sciences in Colleges, Volume 26 Issue 2, December 2010, Pages 80-87.
4. Social Engineering: The "Dark Art". Tim Thornburgh. InfoSecCD 2004, Proceedings of the 1st annual conference on Information security curriculum development, Pages 133-135.
5. An Investigation of Heuristics of Human Judgment in Detecting Deception and Potential Implications in Countering Social Engineering. Tiantian Qi. Intelligence and Security Informatics, 2007 IEEE, 23-24 May 2007, Pages 152-159.
6. Analysis of a Social Engineering Threat to Information Security Exacerbated by Vulnerabilities Exposed Through the Inherent Nature of Social Networking Websites. David Mills. InfoSec 2009 Information Security Curriculum Development Conference, Pages 139-141.
7. Social Engineering Attack Detection Model: SEADM. Bezuidenhout, M.; Mouton, F.; Venter, H.S. Information Security for South Africa (ISSA), 2010, 2-4 Aug. 2010, Pages 1-8.
8. Ontological Semantic Technology for Detecting Insider Threat and Social Engineering. Victor Raskin and Julia M. Taylor. NSPW 2010, Proceedings of the 2010 workshop on New security paradigms, Pages 115-128.
9. V. Rao and H. Rao, "C++ Neural Networks and Fuzzy Logic", MIS Press, New York, 1993.
10. Social Engineering Detection using Neural Networks. Sandouka, H.; Cullen, A.J.; Mann, I. CyberWorlds, 2009. CW '09. International Conference on, 7-11 Sept. 2009, Pages 273-278.
11. A Framework for Conceptualizing Social Engineering Attacks. Jose J. Gonzalez, Jose M. Sarriegi and Alazne Gurrutxaga. Critical Information Infrastructures Security, First International Workshop, CRITIS 2006, Samos, Greece, August 31 - September 1, 2006, Revised Papers.
12. An attack vector for deception through persuasion used by hackers and crackers. Hasan, M.I.; Prajapati, N.B. Networks and Communications, 2009. NETCOM '09. First International Conference on, 27-29 Dec. 2009, Pages 254-258.
13. Preventing Social Engineering in Ubiquitous Environment. Nyamsuren, E.; Ho-Jin Choi. Future Generation Communication and Networking (FGCN 2007), 6-8 Dec. 2007, Pages 573-577.
14. Social Engineering Toolkit - A Systematic Approach to Social Engineering. Pavkovic, N.; Perkov, L. MIPRO, 2011 Proceedings of the 34th International Convention, 23-27 May 2011, Pages 1485-1489.
15. Cheap and Automated Socio-Technical Attacks based on Social Networking Sites. Markus Huber, Martin Mulazzani, Sebastian Schrittwieser, Edgar Weippl. AISec 2010, Proceedings of the 3rd ACM workshop on Artificial intelligence and security, Pages 61-64.
16. Social Engineering in Information Assurance Curricula. Douglas P. Twitchell. InfoSecCD '06, Proceedings of the 3rd annual conference on Information security curriculum development, Pages 191-193.
17. Data Retrieval from Online Social Network Profiles for Social Engineering Applications. Alim, S.; Abdul-Rahman, R.; Neagu, D.; Ridley, M. Internet Technology and Secured Transactions, 2009. ICITST 2009. International Conference for, 9-12 Nov. 2009, Pages 1-5.
18. Case study on social engineering techniques for persuasion. Mosin Hasan, Nilesh Prajapati, Safvan Vohara. International Journal on Applications of Graph Theory in Wireless Ad hoc Networks and Sensor Networks 2.2 (2010), Pages 17-23.
19. Social engineering based attacks: Model and New Zealand perspective. Proceedings of the International Multiconference on Computer Science and Information Technology, pp. 847-853.
20. Security Analysis of Information Systems taking into account Social Engineering Attacks. Kotenko, I.; Stepashkin, M.; Doynikova, E. Parallel, Distributed and Network-Based Processing (PDP), 2011 19th Euromicro International Conference on, 9-11 Feb. 2011, Pages 611-618.
21. Hacking tricks toward security on network environments. Tzer-Shyong Chen; Fuh-Gwo Jeng; Yu-Chia Liu. Parallel and Distributed Computing, Applications and Technologies, 2006. PDCAT '06. Seventh International Conference on, Dec. 2006, Pages 442-447.
22. A Low-cost Secure Schemes for Authentications and Access Control with the Use of Multiple Public IC Cards. Kuo-Yi Chen; Chin-Yang Lin; Ting-Wei Hou. Advanced Computer Theory and Engineering (ICACTE), 2010 3rd International Conference on, 20-22 Aug. 2010, Pages V3-609 - V3-613.
23. The urgency for effective user privacy-education to counter social engineering attacks on secure computer systems. Gregory L. Orgill, Gordon W. Romney, Michael G. Bailey, Paul M. Orgill. CITC5 '04: Proceedings of the 5th conference on Information technology education, Pages 177-181.
24. Two methodologies for physical penetration testing using social engineering. Trajce Dimkov, André van Cleeff, Wolter Pieters, Pieter Hartel. ACSAC '10: Proceedings of the 26th Annual Computer Security Applications Conference, Pages 399-408.
25. Social engineering: a serious underestimated problem. Guido Rößling, Marius Müller. ITiCSE '09: Proceedings of the 14th annual ACM SIGCSE conference on Innovation and technology in computer science education, Pages 384-384.
26. The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers. Kevin D. Mitnick and William L. Simon. Wiley, ISBN: 978-0764569593.
27. K. Mitnick, W.L. Simon, "The Art of Deception: Controlling the Human Element of Security", John Wiley and Sons, October 2002.
28. The Vishing Guide. G. Ollmann, IBM Global Technology Services, 2007.
29. Vishing. Slade E. Griffin, Casey C. Rackley. InfoSecCD '08, Proceedings of the 5th annual conference on Information security curriculum development, Pages 33-35.
30. Phishing: Phishing. Anti-phishing software, Confidence trick, E-mail spoofing, Pharming, Social engineering (security), Vishing, Transport Layer Security, Phreaking, Copyright infringement of software. John McBrewster, Frederic P. Miller, Agnes F. Vandome. Alpha Press.
31. A social-engineering-centric data collection initiative to study phishing. Federico Maggi, Alessandro Sisto, Stefano Zanero. BADGERS '11, Proceedings of the First Workshop on Building Analysis Datasets and Gathering Experience Returns for Security, Pages 107-108.