Un experimento para crear conciencia en las personas acerca de los ataques de Ingeniería Social

Palabras clave: Ingeniería Social, Phishing, Ciber Ataque

Resumen

La Ingeniería Social es la técnica que permite obtener información confidencial de los usuarios, de manera fraudulenta, con la finalidad de usarla en contra de ellos mismos, o de las organizaciones en las que laboran.  Este estudio presenta un experimento enfocado a crear conciencia acerca de las consecuencias de este tipo de ataque, mediante la ejecución de un ataque controlado a personas de confianza. Para lograrlo, se han llevado a cabo un conjunto de engaños y actividades, que los atacantes usan comúnmente para obtener información sensible, incentivando la curiosidad de los contactos de las redes sociales para que visiten un blog personal con información ficticia. A más de esta interacción humana, se ha instalado un complemento oculto y no deseado, para recolectar información del usuario tales como: su dirección IP, país de origen, sistema operativo y tipo de navegador. Con la información recolectada, se realizó un ataque de escaneo a los puertos 80 (Web server) y 22 (SSH Server), para encontrar más información sensible. Posteriormente, se muestran los resultados a las víctimas. Además, luego del ataque se realizó una encuesta a los usuarios acerca de su conocimiento de Phishing y de Ingeniería Social.  Los resultados muestran que únicamente el 2% de las personas, sospecharon o preguntaron acerca del verdadero motivo para visitar el Blog. Más aún, demuestra que las personas que visitaron el blog, no tienen conocimiento y conciencia de cómo se puede vulnerar información sensible de una forma relativamente sencilla.

Descargas

La descarga de datos todavía no está disponible.

Citas

Aksu, D., Turgut, Z., Üstebay, S., & Aydin, M. A. (2019). Phishing analysis of websites using classification techniques. In Lecture Notes in Electrical Engineering (Vol. 504, pp. 251–258). Springer, Singapore. https://doi.org/10.1007/978-981-13-0408-8_21

Bahnsen, A. C., Bohorquez, E. C., Villegas, S., Vargas, J., & Gonzalez, F. A. (2017). Classifying phishing URLs using recurrent neural networks. In eCrime Researchers Summit, eCrime (pp. 1–8). IEEE. https://doi.org/10.1109/ECRIME.2017.7945048

Basnet, R., Mukkamala, S., & Sung, A. H. (2008). Detection of Phishing Attacks: A Machine Learning Approach. In Soft Computing Applications in Industry (pp. 373–383). Berlin, Heidelberg: Springer Berlin Heidelberg. https://doi.org/10.1007/978-3-540-77465-5_19

Benavides, E., Fuertes, W., Sanchez, S., & Sanchez, M. (2019). Classification of Phishing Attack Solutions by Employing Deep Learning Techniques: A Systematic Literature Review. SISTI, 51–64. https://doi.org/10.1007/978-981-13-9155-2_5

Chen, W., Zhang, W., & Su, Y. (2018). Phishing detection research based on LSTM recurrent neural network. In Communications in Computer and Information Science (Vol. 901, pp. 638–645). Springer, Singapore. https://doi.org/10.1007/978-981-13-2203-7_52

Epishkina, A., & Zapechnikov, S. (2016). A syllabus on data mining and machine learning with applications to cybersecurity. In 2016 Third International Conference on Digital Information Processing, Data Mining, and Wireless Communications (DIPDMWC) (pp. 194–199). IEEE. https://doi.org/10.1109/DIPDMWC.2016.7529388

Feroz, M. N., & Mengel, S. (2015). Phishing URL Detection Using URL Ranking. In 2015 IEEE International Congress on Big Data (pp. 635–638). IEEE. https://doi.org/10.1109/BigDataCongress.2015.97

Hajgude, J, & Ragha, L. (2012). #x201C;Phish mail guard: Phishing mail detection technique by using textual and URL analysis #x201D; In 2012 World Congress on Information and Communication Technologies (pp. 297–302). https://doi.org/10.1109/WICT.2012.6409092

Hajgude, Jayshree, & Ragha, L. (2012). “Phish mail guard: Phishing mail detection technique by using textual and URL analysis.” In 2012 World Congress on Information and Communication Technologies (pp. 297–302). IEEE. https://doi.org/10.1109/WICT.2012.6409092

Hawanna, V. R., Kulkarni, V. Y., & Rane, R. A. (2016). A novel algorithm to detect phishing URLs. In 2016 International Conference on Automatic Control and Dynamic Optimization Techniques (ICACDOT) (pp. 548–552). IEEE. https://doi.org/10.1109/ICACDOT.2016.7877645

Jiang, J., Chen, J., Choo, K.-K. R., Liu, C., Liu, K., Yu, M., & Wang, Y. (2018). A Deep Learning Based Online Malicious URL and DNS Detection Scheme (pp. 438–448). Springer, Cham. https://doi.org/10.1007/978-3-319-78813-5_22

Li, X., Geng, G., Yan, Z., Chen, Y., & Lee, X. (2016). Phishing detection based on newly registered domains. In 2016 IEEE International Conference on Big Data (Big Data) (pp. 3685–3692). IEEE. https://doi.org/10.1109/BigData.2016.7841036

Marchal, S., Armano, G., Grondahl, T., Saari, K., Singh, N., & Asokan, N. (2017). Off-the-Hook: An Efficient and Usable Client-Side Phishing Prevention Application. IEEE Transactions on Computers, 66(10), 1717–1733. https://doi.org/10.1109/TC.2017.2703808

Marchal, S., Francois, J., State, R., & Engel, T. (2014). PhishStorm: Detecting Phishing With Streaming Analytics. IEEE Transactions on Network and Service Management, 11(4), 458–471. https://doi.org/10.1109/TNSM.2014.2377295

Pereira, M., Coleman, S., Yu, B., DeCock, M., & Nascimento, A. (2018). Dictionary Extraction and Detection of Algorithmically Generated Domain Names in Passive DNS Traffic (pp. 295–314). Springer, Cham. https://doi.org/10.1007/978-3-030-00470-5_14

Rao, R. S., & Pais, A. R. (2018). Detection of phishing websites using an efficient feature-based machine learning framework. Neural Computing and Applications, 1–23. https://doi.org/10.1007/s00521-017-3305-0

Rodríguez, G. E., Benavides, D. E., Torres, J., Flores, P., & Fuertes, W. (2018). Cookie scout: An analytic model for prevention of cross-site scripting (XSS) using a cookie classifier. Advances in Intelligent Systems and Computing (Vol. 721). https://doi.org/10.1007/978-3-319-73450-7_47

Saxe, J., & Berlin, K. (2017). eXpose: A Character-Level Convolutional Neural Network with Embeddings For Detecting Malicious URLs, File Paths and Registry Keys. Retrieved from http://arxiv.org/abs/1702.08568

Shima, K., Miyamoto, D., Abe, H., Ishihara, T., Okada, K., Sekiya, Y., … Doi, Y. (2018). Classification of URL bitstreams using Bag of Bytes. Retrieved from http://member.wide.ad.jp/~shima/publications/20180219-ni2018-url-clf.pdf

Spaulding, J., & Mohaisen, A. (2018). Defending internet of things against malicious domain names using D-FENS. In Proceedings - 2018 3rd ACM/IEEE Symposium on Edge Computing, SEC 2018 (pp. 387–392). IEEE. https://doi.org/10.1109/SEC.2018.00051

Sur, C. (2018). DeepSeq: learning browsing log data based personalized security vulnerabilities and counter intelligent measures. Journal of Ambient Intelligence and Humanized Computing, 1–30. https://doi.org/10.1007/s12652-018-1084-9

Vanhoenshoven, F., Napoles, G., Falcon, R., Vanhoof, K., & Koppen, M. (2016). Detecting malicious URLs using machine learning techniques. In 2016 IEEE Symposium Series on Computational Intelligence (SSCI) (pp. 1–8). IEEE. https://doi.org/10.1109/SSCI.2016.7850079

Vazhayil, A., Vinayakumar, R., & Soman, K. (2018). Comparative Study of the Detection of Malicious URLs Using Shallow and Deep Networks. In 2018 9th International Conference on Computing, Communication and Networking Technologies, ICCCNT 2018 (pp. 1–6). IEEE. https://doi.org/10.1109/ICCCNT.2018.8494159

Vrbančič, G., Fister, I., & Podgorelec, V. (2018). Swarm Intelligence Approaches for Parameter Setting of Deep Learning Neural Network. In Proceedings of the 8th International Conference on Web Intelligence, Mining and Semantics - WIMS ’18 (pp. 1–8). New York, New York, USA: ACM Press. https://doi.org/10.1145/3227609.3227655

Williams, N., & Li, S. (2017). Simulating Human Detection of Phishing Websites: An Investigation into the Applicability of the ACT-R Cognitive Behaviour Architecture Model. In 2017 3rd IEEE International Conference on Cybernetics (CYBCONF) (pp. 1–8). IEEE. https://doi.org/10.1109/CYBConf.2017.7985810

Woodbridge, J., Anderson, H. S., Ahuja, A., & Grant, D. (2018). Detecting homoglyph attacks with a siamese neural network. In Proceedings - 2018 IEEE Symposium on Security and Privacy Workshops, SPW 2018 (pp. 22–28). https://doi.org/10.1109/SPW.2018.00012

Yi, P., Guan, Y., Zou, F., Yao, Y., Wang, W., & Zhu, T. (2018). Web Phishing Detection Using a Deep Learning Framework. Wireless Communications and Mobile Computing, 2018, 1–9. https://doi.org/10.1155/2018/4678746

Yuan, X. (2017). PhD Forum: Deep Learning-Based Real-Time Malware Detection with Multi-Stage Analysis. In 2017 IEEE International Conference on Smart Computing, SMARTCOMP 2017 (pp. 1–2). IEEE. https://doi.org/10.1109/SMARTCOMP.2017.7946997

Zhang, Jiahua, & Li, X. (2017). Phishing Detection Method Based on Borderline-Smote Deep Belief Network (pp. 45–53). Springer, Cham. https://doi.org/10.1007/978-3-319-72395-2_5

Zhang, Jianyi, Pan, Y., Wang, Z., & Liu, B. (2016). URL Based Gateway Side Phishing Detection Method. In 2016 IEEE Trustcom/BigDataSE/ISPA (pp. 268–275). IEEE. https://doi.org/10.1109/TrustCom.2016.0073

Zhang, X., Zeng, Y., Jin, X. B., Yan, Z. W., & Geng, G. G. (2018). Boosting the phishing detection performance by semantic analysis. In Proceedings - 2017 IEEE International Conference on Big Data, Big Data 2017 (Vol. 2018-Janua, pp. 1063–1070). IEEE. https://doi.org/10.1109/BigData.2017.8258030

Zhao, J., Wang, N., Ma, Q., & Cheng, Z. (2019). Classifying Malicious URLs Using Gated Recurrent Neural Networks (pp. 385–394). Springer, Cham. https://doi.org/10.1007/978-3-319-93554-6_36

Zou Futai, Gang Yuxiang, Pei Bei, Pan Li, & Li Linsen. (2016). Web Phishing detection based on graph mining. In 2016 2nd IEEE International Conference on Computer and Communications (ICCC) (pp. 1061–1066). IEEE. https://doi.org/10.1109/CompComm.2016.7924867

Publicado
2020-01-09
Cómo citar
Benavides-Astudillo, E., Fuertes-Díaz, W., & Sánchez-Gordon, S. (2020). Un experimento para crear conciencia en las personas acerca de los ataques de Ingeniería Social. CIENCIA UNEMI, 13(32), 27-40. https://doi.org/10.29076/issn.2528-7737vol13iss32.2020pp27-40p
Sección
Artículos Científicos