An Experiment to Create Awareness in People concerning Social Engineering Attacks
Abstract
Social Engineering is the technique of obtaining confidential information from users, in a fraudulent way, with the purpose of using it against themselves, or against the organizations where they work. This study presents an experiment focused on raising awareness about the consequences of this type of attack, by executing a controlled attack on trustworthy people. To accomplish this, we have carried out a set of activities or tricks that attackers use to obtain information, inspiring the curiosity of social network contacts to visit a personal blog with fictitious information. In addition to this human interaction, a hidden plug-in has been installed to collect user information such as his IP address, country, operative system, and browser type. With the information collected, a pentesting attack has been done to ports 80 and 22, in order to collect more information. Finally, the results were shown to the victims. In addition, after the attack, users were surveyed about their knowledge of Phishing or Social Engineering. The results demonstrate that only 2% of people suspected or asked about the real reason to visit the Blog. Furthermore, it reveals that the people, who visited the blog, don not have any knowledge and awareness of how to steal sensitive information in a relatively simple way.Downloads
References
Aksu, D., Turgut, Z., Üstebay, S., & Aydin, M. A. (2019). Phishing analysis of websites using classification techniques. In Lecture Notes in Electrical Engineering (Vol. 504, pp. 251–258). Springer, Singapore. https://doi.org/10.1007/978-981-13-0408-8_21
Bahnsen, A. C., Bohorquez, E. C., Villegas, S., Vargas, J., & Gonzalez, F. A. (2017). Classifying phishing URLs using recurrent neural networks. In eCrime Researchers Summit, eCrime (pp. 1–8). IEEE. https://doi.org/10.1109/ECRIME.2017.7945048
Basnet, R., Mukkamala, S., & Sung, A. H. (2008). Detection of Phishing Attacks: A Machine Learning Approach. In Soft Computing Applications in Industry (pp. 373–383). Berlin, Heidelberg: Springer Berlin Heidelberg. https://doi.org/10.1007/978-3-540-77465-5_19
Benavides, E., Fuertes, W., Sanchez, S., & Sanchez, M. (2019). Classification of Phishing Attack Solutions by Employing Deep Learning Techniques: A Systematic Literature Review. SISTI, 51–64. https://doi.org/10.1007/978-981-13-9155-2_5
Chen, W., Zhang, W., & Su, Y. (2018). Phishing detection research based on LSTM recurrent neural network. In Communications in Computer and Information Science (Vol. 901, pp. 638–645). Springer, Singapore. https://doi.org/10.1007/978-981-13-2203-7_52
Epishkina, A., & Zapechnikov, S. (2016). A syllabus on data mining and machine learning with applications to cybersecurity. In 2016 Third International Conference on Digital Information Processing, Data Mining, and Wireless Communications (DIPDMWC) (pp. 194–199). IEEE. https://doi.org/10.1109/DIPDMWC.2016.7529388
Feroz, M. N., & Mengel, S. (2015). Phishing URL Detection Using URL Ranking. In 2015 IEEE International Congress on Big Data (pp. 635–638). IEEE. https://doi.org/10.1109/BigDataCongress.2015.97
Hajgude, J, & Ragha, L. (2012). #x201C;Phish mail guard: Phishing mail detection technique by using textual and URL analysis #x201D; In 2012 World Congress on Information and Communication Technologies (pp. 297–302). https://doi.org/10.1109/WICT.2012.6409092
Hajgude, Jayshree, & Ragha, L. (2012). “Phish mail guard: Phishing mail detection technique by using textual and URL analysis.” In 2012 World Congress on Information and Communication Technologies (pp. 297–302). IEEE. https://doi.org/10.1109/WICT.2012.6409092
Hawanna, V. R., Kulkarni, V. Y., & Rane, R. A. (2016). A novel algorithm to detect phishing URLs. In 2016 International Conference on Automatic Control and Dynamic Optimization Techniques (ICACDOT) (pp. 548–552). IEEE. https://doi.org/10.1109/ICACDOT.2016.7877645
Jiang, J., Chen, J., Choo, K.-K. R., Liu, C., Liu, K., Yu, M., & Wang, Y. (2018). A Deep Learning Based Online Malicious URL and DNS Detection Scheme (pp. 438–448). Springer, Cham. https://doi.org/10.1007/978-3-319-78813-5_22
Li, X., Geng, G., Yan, Z., Chen, Y., & Lee, X. (2016). Phishing detection based on newly registered domains. In 2016 IEEE International Conference on Big Data (Big Data) (pp. 3685–3692). IEEE. https://doi.org/10.1109/BigData.2016.7841036
Marchal, S., Armano, G., Grondahl, T., Saari, K., Singh, N., & Asokan, N. (2017). Off-the-Hook: An Efficient and Usable Client-Side Phishing Prevention Application. IEEE Transactions on Computers, 66(10), 1717–1733. https://doi.org/10.1109/TC.2017.2703808
Marchal, S., Francois, J., State, R., & Engel, T. (2014). PhishStorm: Detecting Phishing With Streaming Analytics. IEEE Transactions on Network and Service Management, 11(4), 458–471. https://doi.org/10.1109/TNSM.2014.2377295
Pereira, M., Coleman, S., Yu, B., DeCock, M., & Nascimento, A. (2018). Dictionary Extraction and Detection of Algorithmically Generated Domain Names in Passive DNS Traffic (pp. 295–314). Springer, Cham. https://doi.org/10.1007/978-3-030-00470-5_14
Rao, R. S., & Pais, A. R. (2018). Detection of phishing websites using an efficient feature-based machine learning framework. Neural Computing and Applications, 1–23. https://doi.org/10.1007/s00521-017-3305-0
Rodríguez, G. E., Benavides, D. E., Torres, J., Flores, P., & Fuertes, W. (2018). Cookie scout: An analytic model for prevention of cross-site scripting (XSS) using a cookie classifier. Advances in Intelligent Systems and Computing (Vol. 721). https://doi.org/10.1007/978-3-319-73450-7_47
Saxe, J., & Berlin, K. (2017). eXpose: A Character-Level Convolutional Neural Network with Embeddings For Detecting Malicious URLs, File Paths and Registry Keys. Retrieved from http://arxiv.org/abs/1702.08568
Shima, K., Miyamoto, D., Abe, H., Ishihara, T., Okada, K., Sekiya, Y., … Doi, Y. (2018). Classification of URL bitstreams using Bag of Bytes. Retrieved from http://member.wide.ad.jp/~shima/publications/20180219-ni2018-url-clf.pdf
Spaulding, J., & Mohaisen, A. (2018). Defending internet of things against malicious domain names using D-FENS. In Proceedings - 2018 3rd ACM/IEEE Symposium on Edge Computing, SEC 2018 (pp. 387–392). IEEE. https://doi.org/10.1109/SEC.2018.00051
Sur, C. (2018). DeepSeq: learning browsing log data based personalized security vulnerabilities and counter intelligent measures. Journal of Ambient Intelligence and Humanized Computing, 1–30. https://doi.org/10.1007/s12652-018-1084-9
Vanhoenshoven, F., Napoles, G., Falcon, R., Vanhoof, K., & Koppen, M. (2016). Detecting malicious URLs using machine learning techniques. In 2016 IEEE Symposium Series on Computational Intelligence (SSCI) (pp. 1–8). IEEE. https://doi.org/10.1109/SSCI.2016.7850079
Vazhayil, A., Vinayakumar, R., & Soman, K. (2018). Comparative Study of the Detection of Malicious URLs Using Shallow and Deep Networks. In 2018 9th International Conference on Computing, Communication and Networking Technologies, ICCCNT 2018 (pp. 1–6). IEEE. https://doi.org/10.1109/ICCCNT.2018.8494159
Vrbančič, G., Fister, I., & Podgorelec, V. (2018). Swarm Intelligence Approaches for Parameter Setting of Deep Learning Neural Network. In Proceedings of the 8th International Conference on Web Intelligence, Mining and Semantics - WIMS ’18 (pp. 1–8). New York, New York, USA: ACM Press. https://doi.org/10.1145/3227609.3227655
Williams, N., & Li, S. (2017). Simulating Human Detection of Phishing Websites: An Investigation into the Applicability of the ACT-R Cognitive Behaviour Architecture Model. In 2017 3rd IEEE International Conference on Cybernetics (CYBCONF) (pp. 1–8). IEEE. https://doi.org/10.1109/CYBConf.2017.7985810
Woodbridge, J., Anderson, H. S., Ahuja, A., & Grant, D. (2018). Detecting homoglyph attacks with a siamese neural network. In Proceedings - 2018 IEEE Symposium on Security and Privacy Workshops, SPW 2018 (pp. 22–28). https://doi.org/10.1109/SPW.2018.00012
Yi, P., Guan, Y., Zou, F., Yao, Y., Wang, W., & Zhu, T. (2018). Web Phishing Detection Using a Deep Learning Framework. Wireless Communications and Mobile Computing, 2018, 1–9. https://doi.org/10.1155/2018/4678746
Yuan, X. (2017). PhD Forum: Deep Learning-Based Real-Time Malware Detection with Multi-Stage Analysis. In 2017 IEEE International Conference on Smart Computing, SMARTCOMP 2017 (pp. 1–2). IEEE. https://doi.org/10.1109/SMARTCOMP.2017.7946997
Zhang, Jiahua, & Li, X. (2017). Phishing Detection Method Based on Borderline-Smote Deep Belief Network (pp. 45–53). Springer, Cham. https://doi.org/10.1007/978-3-319-72395-2_5
Zhang, Jianyi, Pan, Y., Wang, Z., & Liu, B. (2016). URL Based Gateway Side Phishing Detection Method. In 2016 IEEE Trustcom/BigDataSE/ISPA (pp. 268–275). IEEE. https://doi.org/10.1109/TrustCom.2016.0073
Zhang, X., Zeng, Y., Jin, X. B., Yan, Z. W., & Geng, G. G. (2018). Boosting the phishing detection performance by semantic analysis. In Proceedings - 2017 IEEE International Conference on Big Data, Big Data 2017 (Vol. 2018-Janua, pp. 1063–1070). IEEE. https://doi.org/10.1109/BigData.2017.8258030
Zhao, J., Wang, N., Ma, Q., & Cheng, Z. (2019). Classifying Malicious URLs Using Gated Recurrent Neural Networks (pp. 385–394). Springer, Cham. https://doi.org/10.1007/978-3-319-93554-6_36
Zou Futai, Gang Yuxiang, Pei Bei, Pan Li, & Li Linsen. (2016). Web Phishing detection based on graph mining. In 2016 2nd IEEE International Conference on Computer and Communications (ICCC) (pp. 1061–1066). IEEE. https://doi.org/10.1109/CompComm.2016.7924867
Copyright (c) 2020 Science Magazine Unemi
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
Authors can keep the copyright, granting the journal right of first publication. Alternatively, authors can transfer copyright to the journal, which allow authors non-commercial use of the work, including the right to place it in a file open access.
