An experiment to raise people's awareness of Social Engineering attacks
Abstract
Social Engineering is the technique of fraudulently obtaining confidential information from users in order to use it against them or against the organizations they work for. This study presents an experiment aimed at raising awareness of the consequences of this type of attack, by carrying out a controlled attack on trusted people. To do so, a set of deceptions and activities that attackers commonly use to obtain sensitive information was carried out, arousing the curiosity of social-network contacts so that they would visit a personal blog containing fictitious information. In addition to this human interaction, a hidden and unwanted add-on was installed to collect user information such as IP address, country of origin, operating system and browser type. With the information collected, a scan of ports 80 (web server) and 22 (SSH server) was carried out to find further sensitive information. The results were then shown to the victims. Furthermore, after the attack, a survey was conducted among the users about their knowledge of phishing and social engineering. The results show that only 2% of the people suspected or asked about the real reason for visiting the blog. Moreover, the study shows that the people who visited the blog lack knowledge and awareness of how sensitive information can be compromised in a relatively simple way.
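The fields the experiment reported back to its participants (IP address, operating system, browser type) are exactly what any web server already records about a visitor in its ordinary access log, with no hidden add-on required. The following Python is an added example written for this page, not the study's own plugin: it parses constructed combined-format access-log lines (the sample lines and the user-agent heuristics are assumptions) and extracts those fields, which is the kind of feedback shown to users in an awareness exercise. Country of origin is left out because it needs an external GeoIP database.

```python
"""Added example (not from the paper): what a single blog visit reveals.

Parses constructed Apache/Nginx-style combined access-log lines and extracts
the fields an awareness exercise can show back to a visitor: client IP,
operating system family and browser family. The sample log lines and the
user-agent heuristics are assumptions; no GeoIP lookup is done here.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in Combined Log Format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2020:14:02:11 -0500] "GET /blog/post-1 HTTP/1.1" 200 5123 "https://social.example/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36"
198.51.100.23 - - [10/Mar/2020:14:03:45 -0500] "GET /blog/post-1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 13_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Mobile/15E148 Safari/604.1"
192.0.2.44 - - [10/Mar/2020:14:05:02 -0500] "GET /blog/post-1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0"
"""

# One combined-log line: ip ident user [timestamp] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Ordered heuristics: the first matching token wins, so the more specific
# tokens ("iPhone" before "Mac OS X", "Chrome/" before "Safari/") come first.
OS_RULES = [("iPhone", "iOS"), ("Android", "Android"), ("Windows NT", "Windows"),
            ("Mac OS X", "macOS"), ("Linux", "Linux")]
BROWSER_RULES = [("Firefox/", "Firefox"), ("Chrome/", "Chrome"), ("Safari/", "Safari")]


@dataclass
class Visit:
    ip: str
    os: str
    browser: str
    referer: str  # "-" in the log means the visitor typed the URL or the referer was suppressed


def classify(ua: str, rules) -> str:
    """Return the label of the first rule whose token appears in the user agent."""
    for token, label in rules:
        if token in ua:
            return label
    return "unknown"


def parse_visit(line: str) -> Optional[Visit]:
    """Parse one access-log line; lines that do not match the format yield None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ua = m.group("ua")
    return Visit(ip=m.group("ip"), os=classify(ua, OS_RULES),
                 browser=classify(ua, BROWSER_RULES), referer=m.group("referer"))


def visits(log_text: str) -> List[Visit]:
    """Parse every well-formed line of a log and drop the unparsable ones."""
    return [v for v in (parse_visit(line) for line in log_text.splitlines()) if v]


if __name__ == "__main__":
    for v in visits(SAMPLE_LOG):
        print(f"{v.ip:15} {v.os:8} {v.browser:8} via {v.referer if v.referer != '-' else '(direct)'}")
```

Running the block prints one row per visit; the referer column is what tells a site operator that the visit arrived from a social-network link, which is the path the experiment relied on.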
Copyright 2020 CIENCIA UNEMI
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
Authors may retain copyright, granting the journal the right of first publication. Alternatively, authors may transfer copyright to the journal, which will allow the authors non-commercial use of the work, including the right to place it in an open-access archive.