See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/267340031

Advanced social engineering attacks

Article in Journal of Information Security and Applications · October 2014

DOI: 10.1016/j.jisa.2014.09.005

CITATIONS READS

283 16,002

4 authors, including:

Heidelinde Hobel Edgar Weippl

Semantic Web Company SBA Research
15 PUBLICATIONS 402 CITATIONS 329 PUBLICATIONS 3,531 CITATIONS

SEE PROFILE SEE PROFILE

Some of the authors of this publication are also working on these related projects:

Theoretical Language Security View project

Picture Privacy View project

All content following this page was uploaded by Edgar Weippl on 16 October 2017.

The user has requested enhancement of the downloaded file.

 Advanced Social Engineering AttacksI

Katharina Krombholz, Heidelinde Hobel, Markus Huber, Edgar Weippl

SBA Research, Favoritenstraße 16, AT-1040 Vienna, Austria

Abstract
Social engineering has emerged as a serious threat in virtual communities and is an effective means to attack information
systems. The services used by today’s knowledge workers prepare the ground for sophisticated social engineering attacks.
The growing trend towards BYOD (bring your own device) policies and the use of online communication and collaboration
tools in private and business environments aggravate the problem. In globally acting companies, teams are no longer
geographically co-located, but staffed just-in-time. The decrease in personal interaction combined with a plethora of
tools used for communication (e-mail, IM, Skype, Dropbox, LinkedIn, Lync, etc.) create new attack vectors for social
engineering attacks. Recent attacks on companies such as the New York Times and RSA have shown that targeted
spear-phishing attacks are an effective, evolutionary step of social engineering attacks. Combined with zero-day-exploits,
they become a dangerous weapon that is often used by advanced persistent threats. This paper provides a taxonomy of
well-known social engineering attacks as well as a comprehensive overview of advanced social engineering attacks on the
knowledge worker.
Keywords: security, privacy, social engineering, attack scenarios, knowledge worker, bring your own device

1. Introduction users consider their interaction partners as trusted, even

though the only identification is an e-mail address or a
The Internet has become the largest communication and virtual profile. In recent years, security vulnerabilities in
information exchange medium. In our everyday life, com- online communication and data sharing channels have of-
munication has become distributed over a variety of online ten been misused to leak sensitive information. Such vul-
communication channels. In addition to e-mail and IM nerabilities can be fixed and the security of the channels
communication, Web 2.0 services such as Twitter, Face- can be strengthened. However, even security-enhancing
book, and other social networking sites have become a methods are powerless when users are manipulated by so-
part of our daily routine in private and business commu- cial engineers. The term knowledge worker was coined by
nication. Companies expect their employees to be highly Peter Drucker more than 50 years ago and still describes
mobile and flexible concerning their workspace [10] and the basic characteristics of a worker whose main capital
there is an increasing trend towards expecting employ- is knowledge [17]. The most powerful tool an attacker
ees and knowledge workers to use their own devices for can use to access this knowledge is Social Engineering:
work, both in the office and elsewhere. This increase in manipulating a person into giving information to the so-
flexibility and, conversely, reduction in face-to-face com- cial engineer. It is superior to most other forms of hack-
munication and shared office space means that increasing ing in that it can breach even the most secure systems,
amounts of data need to be made available to co-workers as the users themselves are the most vulnerable part of
through online channels. The development of decentral- the system. Research has shown that social engineering
ized data access and cloud services has brought about a is easy to automate in many cases and can therefore be
paradigm shift in file sharing as well as communication, performed on a large scale. Social engineering has become
which today is mostly conducted over a third party, be it a an emerging threat in virtual communities. Multinational
social network or any other type of platform. In this world corporations and news agencies have fallen victim to so-
of ubiquitous communication, people freely publish infor- phisticated targeted attacks on their information systems.
mation in online communication and collaboration tools, Google’s internal system was compromised in 2009 [2], the
such as cloud services and social networks, with very little RSA security token system was broken in 2011 [1], Face-
thought of security and privacy. They share highly sen- book was compromised in 2013 [4], as was the New York
sitive documents and information in cloud services with Times [40]. Many PayPal costumers have received phish-
other virtual users around the globe. Most of the time, ing e-mails [45] and many have given the attackers private
information such as credit card numbers. These recent at-
tacks on high-value assets are commonly referred to as
I This paper is an extended version of the conference paper [31]

Preprint submitted to Journal of Information Security and Applications July 17, 2014
Advanced Persistent Threats (APTs). APTs often rely on information, manipulating them into divulging confiden-
a common initial attack vector: social engineering such as tial information or even into carrying out their malicious
spear-phishing and water-holing. The awareness for soft- attacks through influence and persuasion. Technical pro-
ware security issues and privacy-enhancing methods has tection measures are usually ineffective against this kind of
increased as serious incidents have been reported in the attack. In addition to that, people generally believe that
media. For example, the awareness for social engineering they are good at detecting such attacks. Research, how-
attacks over e-mail, which is without doubt the most fre- ever, indicates that people perform poorly on detecting
quently used communication channel on the Internet and lies and deception [42, 33]. The infamous attacks of Kevin
is flooded by scammers and social engineers every day, has Mitnick [35] showed how devastating sophisticated social
increased among users. However, the awareness for social engineering attacks are for the information security of both
engineering in cloud services and social networks is still companies and governmental organizations. When social
comparatively low. engineering is discussed in the information and computer
The main contributions of this article are the following: security field, it is usually by way of examples and sto-
ries (such as Mitnick’s). However, at a more fundamental
• We discuss social engineering with regards to knowl- level, important findings have been made in social psy-
edge workers. chology on the principles of persuasion. Particularly the
work of Cialdini [16], an expert in the field of persuasion,
• We provide a taxonomy of social engineering attacks.
is frequently cited in contributions to social engineering
• We give an overview of current attack vectors for so- research. Although Cialdini’s examples focus on persua-
cial engineering attacks. sion in marketing, the fundamental principles are crucial
for anyone seeking to understand how deception works.
• We discuss real-world incidents of successful social en-
gineering attacks. 2.2. Types of Social Engineering Attacks

The goal of this paper is to provide a comprehensive Social engineering attacks are multifaceted and include
and complete overview of social engineering attacks on the physical, social and technical aspects, which are used in
knowledge worker, to monitor the state of the art of re- different stages of the actual attack. This subsection aims
search in this field, and to provide a comprehensive taxon- to explain the different approaches attackers use.
omy to categorize social engineering attacks and measure
their impact. Our paper significantly extends the state of 2.2.1. Physical approaches
the art by including novel, non-traditional attacks such as As the name implies, physical approaches are those
APTs. Our taxonomy extends and combines already exist- where the attacker performs some form of physical action
ing work in this field, e.g., by Ivaturi et al. [28] and Foozy et in order to gather information on a future victim. This can
al. [36]. Furthermore, our taxonomy systemizes operators, range from personal information (such as social security
channels, types and attack vectors as well. The remainder number, date of birth) to valid credentials for a computer
of this paper is structured as follows: Section 2 contains system. An often-used method is dumpster diving [20],
a brief introduction to social engineering. In Section 3, i.e., searching through an organization’s trash. A dump-
we provide a detailed classification of social engineering ster can be a valuable source of information for attackers,
attacks. In Section 4, we describe advanced social engi- who may find personal data about employees, manuals,
neering attacks in online social networks, cloud services memos and even print-outs of sensitive information, such
and mobile applications. Before concluding our work in as user credentials. If an attacker can gain access to a tar-
Section 6, we discuss recent real-world social engineering geted organization’s offices - e.g., in open-plan workspaces
attacks in Section 5. - they may find information such as passwords written on
Post-it notes. Less sophisticated physical attacks involve
theft or extortion to obtain information.
2. Background
2.2.2. Social approaches
This section discusses the state of the art of social
engineering and computer-supported collaborative work The most important aspect of successful social engineer-
(CSCW ). Attacks are divided into four different cate- ing attacks are social approaches. Hereby attackers rely
gories: physical, technical, social and socio-technical ap- on socio-psychological techniques such as Cialdini’s prin-
proaches. ciples of persuasion to manipulate their victims. Examples
of persuasion methods include the use of (purported) au-
thority. One common social vector that is not explicitly
2.1. Social Engineering (SE)
addressed by Cialdini is curiosity, which is, e.g., used in
Social engineering is the art of getting users to com- spear-phishing and baiting attacks. In order to increase
promise information systems. Instead of technical attacks the chances of success of such attacks, the perpetrators of-
on systems, social engineers target humans with access to ten try to develop a relationship with their future victims.
2
According to [20], the most prevalent type of social attacks is typically directed at individuals or small groups of peo-
is performed by phone. ple. Scammers hope that by sending messages to a vast
number of users, they will fool enough people to make
2.2.3. Reverse social engineering their phishing attack profitable. Herley and Florencio [22]
Instead of contacting a potential victim directly, an at- argue that classical phishing is not lucrative, which might
tacker can attempt to make them believe that he/she is explain why phishing attacks are moving towards more so-
a trustworthy entity. The goal is to make potential vic- phisticated “spear-phishing” attacks. Spear-phishing at-
tims approach him, e.g., to ask for help. This indirect tacks are highly targeted messages carried out after initial
approach is known as “reverse social engineering” [20, 35] data-mining. Jagatic et al. [29] used social networking
and consists of three major parts: sabotage, advertising sites to mine data on students and to then send them a
and assisting [38]. The first step in this is sabotaging the message that looked like it had been sent by one of their
company’s computer system. This can range anywhere friends. By using such “social data”, the authors were able
from disconnecting someone from the company’s network to increase the success rate of phishing from 16 to 72 per-
to sophisticated manipulation of the victim’s software ap- cent. Hence, spear-phishing is considered a combination
plications. The attackers then advertise that they can fix of technological approaches and social engineering.
the problem. When the victim asks for help, the social en-
gineer will resolve the problem they created earlier while, 2.3. Computer-supported collaboration
e.g., asking the victim for their password (”so I can fix the Businesses and employees use a wide range of tech-
problem”) or telling them to install certain software. nologies to facilitate, automate and improve daily tasks.
We also see collaborative business structures emerging:
2.2.4. Technical approaches Computer-supported collaboration tools for file sharing or
Technical attacks are mainly carried out over the In- collaborative workspaces, internal or external communi-
ternet. Granger [20] notes that the Internet is especially cation, blogs, wikis, etc., help connect staff within the
interesting for social engineers to harvest passwords, as company and to customers, allow widespread and instant
users often use the same (simple) passwords for different information exchange about the entire business domain,
accounts. Most people are also not aware that they are and establish a constant communication channel to the
freely providing attackers (or anyone who will search for customers and partners of the company.
it) with plenty of personal information. Attackers often Considering the wide range of different communication
use search engines to gather personal information about channels created by these computer-supported collabora-
future victims. There are also tools that can gather and tion tools, social engineering attacks have a huge attack
aggregate information from different Web resources. One potential. However, in the business context, we differen-
of the most popular tools of this kind is Maltego1 . Social tiate between office communication and external commu-
networking sites are becoming valuable sources of informa- nication. This enables us to make predictions about a
tion as well (see Section 4 for more details). victim’s ability to detect a social engineering attack.

2.2.5. Socio-technical approaches 2.3.1. Office communication

Successful social engineering attacks often combine sev- Modern communication tools have changed communica-
eral or all of the different approaches discussed above. tion flows among staff members enormously, making the
However, socio-technical approaches have created the most high-speed exchange of information possible. There are so-
powerful weapons of social engineers. One example is the phisticated technologies that protect the security of data
so-called baiting attack: Attackers leave malware-infected transfer. However, the majority of these countermeasures
storage media in a location where it is likely to be found cover technical attacks, while social engineering attacks
by future victims. Such “road apples” could, e.g., be a remain unconsidered. In enterprise environments, face-to-
USB drive containing a Trojan horse [48]. Attackers addi- face communication is often replaced by e-mails or instant
tionally exploit the curiosity of people by adding tempting messages, generating a novel attack surface for social engi-
labels to these road apples (storage media), such as “con- neers. Obviously, social engineering attacks coming from
fidential” or “staff lay-off 2014”. Another common com- internal accounts or e-mails with forged internal addresses
bination of technical and social approaches is phishing. are more likely to slip through the defenses of a potential
Phishing is usually done via e-mail or instant messaging victim. For instance, Parsons et al. [39] conducted a role-
and is aimed at a large user group in a rather indiscrimi- play scenario experiment in which 117 participants were
nate way, similar to spam. Social engineering, in contrast, tested on their ability to distinguish between phishing e-
mails and benign e-mails. Their results indicated that peo-
1 Maltego is an open source intelligence and forensics application.
ple with a higher awareness level are able to identify signif-
It allows the mining and gathering of information as well as the
icantly more phishing e-mails. Valuable personal informa-
representation of this information in a meaningful way. http://www. tion gained through social engineering attacks could have
paterva.com/maltego/ direct consequences, such as the exploit of a bank account,
3
or indirect consequences, such as reputation loss [50]; it • Social networks offer a variety of opportunities for
could also be used to improve the effectiveness of further social engineering attacks. Given their potential to
social engineering attacks. Overall, we face multifarious create fake identities and their complex information-
social engineering attacks - once an attack is successful, sharing model, they make it easy for attackers to hide
the external adversary can use the information to become their identity and harvest sensitive information.
an insider and perform even more successful social engi-
neering attacks. • Cloud services can be used to gain situational aware-
ness of a collaboration scenario. Attackers may place
2.3.2. External communication a file or software in a shared directory to make the
victim hand information over.
As with intra-office communication, there is a trend to-
wards the use of e-mail services, cloud, blogs, etc., for ex- • Websites are most commonly used to perform wa-
ternal communication, creating the same challenges as in terholing attacks. Furthermore, they can be used in
internal communication. However, as the organizational combination with e-mails to perform phishing attacks
border becomes increasingly blurred, it is difficult to de- (e.g., sending an e-mail to a potential customer of a
cide which information may be published or passed on to bank that contains a link to a malicious website that
an external communication partner. For instance, market- looks just like the bank’s original website).
ing blogs are useful for advertising purposes, but also carry
the risk of unwanted information leakage. Another exam- We also classify the attack by operator. The originator
ple is the release of information, e.g., about staff members, (operator) of a social engineering attack can be:
on LinkedIn, where a potential adversary can find out how
many people are employed over a number of years and infer • Human: If the attack is conducted directly by a per-
the economic status of the respective company from this son. The number of targets is limited due to the lower
data [8]. The strongest potential risk of external commu- capacity compared to an attack conducted by soft-
nication lies in the broad range of possible communication ware.
channels. Furthermore, new trends increase the number
• Software: Certain types of attacks can be automated
of channels, such as Bring Your Own Device (BYOD) [34]
with software. Examples include the Social Engineer-
and the idea of “technology gets personal”, which is used
ing Toolkit (SET), which can be used to craft spear-
by Thomson [52] to explain the impact of using mobile
phishing e-mails [53]. A number of authors have dis-
devices to work with corporate information in insecure en-
cussed automated social engineering based on online
vironments, such as cafés or public transport systems. He
social networks, such as Boshmaf et al. [13], Hu-
refers to mobile technology as the “window into the enter-
ber et al. [25] and Krombholz et al. [32]. The main
prises”. Of course, security systems are installed on most
advantage of automated attacks is that the number
of these devices; however, these systems offer no protection
of possible targets that can be reached within a short
from social engineering attacks.
period of time is considerably higher than with purely
human attacks.
3. Social Engineering Taxonomy
Furthermore, we categorize social engineering attacks
In this section, we propose a taxonomy for the classi- into four types, namely:
fication of social engineering attacks. Figure 1 illustrates • Physical as described in Section 2.2.1
the structure of our taxonomy and the attack scenarios,
which we describe in detail in this section. • Technical as described in Section 2.2.4
To classify social engineering attacks, we first introduce
three main categories: Channel, Operator, and Type. • Social as described in Section 2.2.2
Attacks can be performed via the following channels:
• Socio-technical as described in Section 2.2.5
• E-mail is the most common channel for phishing and
Concerning social engineering, we determine the follow-
reverse social engineering attacks.
ing attack scenarios: Attackers perform social engineer-
• Instant messaging applications are gaining popu- ing attacks over a variety of different channels. They are
larity among social engineers as tools for phishing and mostly conducted by humans as well as by software and
reverse social engineering attacks. They can also be furthermore categorized as physical, technical, social or
used easily for identity theft to exploit a trustworthy socio-technical. The boundaries of the individual types of
relationship. attack are highly expandable and have, in most cases, not
yet been technically exhausted.
• Telephone, Voice over IP are common attack
channels for social engineers to make their victim de- • Phishing is the attempt to acquire sensitive infor-
liver sensitive information. mation or to make somebody act in a desired way
4
 Figure 1: Overview of our classification of attack characteristics and attack scenarios.

by masquerading as a trustworthy entity in an elec- an attacker who has the capabilities and intent to
tronic communication medium. They are usually tar- comprise a system persistently.
geted at large groups of people. Phishing attacks can
be performed over almost any channel, from physi- • Baiting is an attack during which a malware-infected
cal presence of the attacker to websites, social net- storage medium is left in a location where it is likely
works or even cloud services. Attacks targeted at spe- to be found by the targeted victims.
cific individuals or companies are referred to as spear-
Table 1 outlines the relationship between our proposed
phishing. Spear-phishing requires the attacker to first
social engineering taxonomy and current attack scenarios.
gather information on the intended victims, but the
We classified current social engineering attack scenarios
success rate is higher than in conventional phishing.
based on our taxonomy. We can, for example, observe that
If a phishing attack is aimed at high-profile targets in
a number of social engineering attacks exclusively rely on
enterprises, the attack is referred to as whaling.
a physical attack channel, such as shoulder surfing, dump-
• Dumpster diving is the practice of sifting through ster diving and baiting. To protect against this class of
the trash of private individuals or companies to find attacks, physical security needs to be improved. The table
discarded items that include sensitive information furthermore highlights that the majority of today’s social
that can be used to compromise a system or a spe- engineering attacks rely on a combination of social and
cific user account. technical methods. Hence, to effectively protect against
socio-technical attacks, user awareness for social engineer-
• Shoulder surfing refers to using direct observation ing attacks needs to be improved and their devices pro-
techniques to get information, such as looking over tected on a technical level.
someone’s shoulder at their screen or keyboard.

• Reverse social engineering is an attack where usu- 4. State-of-the-Art Attacks

ally trust is established between the attacker and the
victim. The attackers create a situation in which the This section provides an overview of state-of-the-art so-
victim requires help and then present themselves as cial engineering attacks. These attacks often use personal
someone the victim will consider someone who can information from online social networks or other cloud ser-
both solve their problem and is allowed to receive vices and can be performed in an automated fashion.
privileged information. Of course, the attackers try
to choose an individual who they believe has informa- 4.1. Online Social Networks (OSNs)
tion that will help them. While the more traditional forms of social engineer-
• Waterholing describes a targeted attack where the ing use information collected through dumpster diving or
attackers compromise a website that is likely to be of phone calls, OSNs contain a wealth of personal informa-
interest to the chosen victim. The attackers then wait tion that can be misused as an initial source for social
at the waterhole for their victim. engineering attacks. Huber et al. were among the first
researchers to argue that OSNs enable automated social
• Advanced Persistent Threat refers to long-term, engineering (ASE) attacks [23] because information har-
mostly Internet-based espionage attacks conducted by vested from OSNs is easy to process. The authors showed
5
Table 1: Classification of social engineering attacks according to our Social phishing and context-aware spam
taxonomy.
Phishing is a widely-spread threat on the Internet and
consists of an attacker attempting to lure victims into en-

Advanced Persistent Threat

Reverse Social Engineering
tering sensitive information like passwords or credit card
numbers into a faked website that is controlled by the at-
tacker. It has been shown that social phishing [29], where

Dumpster Diving
Shoulder Surfing
“social” information specific to the victim is used, can be
extremely effective compared to regular phishing. Jagatic

Waterholing
et al. [29] found that when phishing e-mails impersonated a
Phishing

Baiting
target’s friend, the success rate increased from 16% to 72%.
The social graph is, therefore, not only of value for the so-
cial network operator, but also for attackers. This is the
E-mail X X X case especially if it contains additional information like a
Instant Messenger X X valid e-mail address or recent communication between the
Telephone, VoIP X X victim and a friend whom the attacker can impersonate.
Channel Social Network X X With automated data extraction from social networks, a
Cloud X vast amount of further usable data becomes available to
Website X X X spammers. Prior conversations within the social network,
such as private messages, comments or wall posts, could
Physical X X X X X
be used to determine the language normally used for mes-
Human X X X X X
Operator sage exchange between the victim and his friends, as a
Software X X X X X phishing target might find it very suspicious to receive a
Physical X X X message in English from a friend with whom they normally
Technical X X communicate in French. Context-aware spam misuses per-
Type
Social X sonal information extracted from OSNs to increase the
Socio-technical X X X X X appearance of authenticity of traditional spam messages.
Brown et al. [14] identified three context-aware spam at-
tacks: relationship-based attacks, unshared-attribute at-
tacks, and shared-attribute attacks. Relationship-based
attacks solely exploit relationship information, making this
the spam equivalent of social phishing. The two other at-
that information on employees of a given target company tacks exploit additional information from social networks,
can be collected in an automated fashion and potentially information that is either shared or not shared between
misused for automated social engineering. Reverse social the spam target and the spoofed friend. An example of an
engineering describes a particular social engineering tech- unshared attack are birthday cards that seem to originate
nique where an attacker lures the victim into initiating from the target’s friend. Shared attributes, e.g., photos
the conversion as described in 2.2.3. Irani et al. [27] ar- in which both the spam target and her spoofed friend are
gue that OSNs enable reverse social engineering attacks tagged, can be exploited for context-aware spam. Huber
and describe three potential attack vectors. The authors et al. [24, 26] found that the missing support for communi-
evaluated their proposed attack vectors on three different cation security can be exploited to automatically extract
OSNs: recommendation-based reverse social engineering personal information from online social networks. More-
on Facebook, demographic-based reverse social engineer- over, the authors showed that the extracted information
ing on Badoo and visitor-tracking-based reverse social en- could be misused to target a large number of users with
gineering on Friendster. Their results show that reverse context-aware spam.
social engineering attacks are feasible in practice and can
be automated by exploiting the features of current on- Fake profiles
line social networks. While social spam is usually sent At the time of writing, the only requirement for the
via an OSN’s primary communication channel, attackers creation of a social networking account is a valid e-mail
who harvest information can also send traditional e-mail address, which makes it rather easy for attackers to cre-
messages to deliver spam because users provide their e- ate fake accounts. A study by Sophos published in 2007
mail addresses on their profiles. If spam is delivered via with randomly chosen Facebook users showed that approx-
traditional e-mail instead of OSN platforms, these mali- imately 41% of social networking users accepted friendship
cious messages cannot be detected by the OSN’s provider. requests from a fake profile [46]. Ryan and Mauch [5] fur-
Balduzzi et al. [9] showed that OSNs can be misused for ther showed that fake profiles can be misused to infiltrate
automated user profiling, to validate large sets of e-mail social networks: they set up a profile for a fictional Amer-
addresses and to collect additional personal information ican cyber threat analyst, called “Robin Sage”, and were
corresponding to these sets. able to gain access to sensitive information in the military
6
and information security community. Bilge et al. [11] out- to invite the victim to share specific information with the
lined two sophisticated fake profile attacks that could be attacker in the cloud. According to Roberts et al. [43],
used to infiltrate the trusted circles of social networking one of the biggest weaknesses of cloud services is that the
users: profile cloning attacks, where attackers clone exist- users - companies and individual users - lose control over
ing user profiles and attempt to “reinvite” their friends, their data when they store and access it remotely. On
and cross-profile cloning attacks, where attackers create traditional servers that are owned by a company itself, it
a cloned profile on an online social network where the can restrict access and define customized access policies.
target user does not yet have a profile and then contact In cloud services, the responsibility for that is shifted to
the targets’ friends. If a user, for example, has a Face- a third party. Therefore, if a cloud service is to be used
book account but no LinkedIn account, an attacker could for the exchange of sensitive information, a certain level of
clone the Facebook profile to create a LinkedIn profile and trust must be established not only between collaborating
then contact the target’s Facebook friends who are also users, but also between the cloud hosting company and
on LinkedIn. Bilge et al. showed that their attacks can the user. The most commonly observed attacks on cloud
be fully automated and are feasible in practice. If an at- services are spear-phishing and APTs.
tacker is able to create fake accounts on a large scale, Sybil
attacks on OSNs are possible. OSN providers therefore 4.3. Mobile applications
use various protection mechanisms to limit the creation of The increased use of mobile applications in both busi-
large amounts of fake accounts [49]. Boshmaf et al. [13] ness and private contexts makes them an increasingly pop-
however found that OSNs can be infiltrated on a large ular channel for social engineering attacks. In business
scale. They evaluated how vulnerable OSNs are to a large- communication, mobile messaging and e-mail applications
scale infiltration by socialbots - computer programs that are of high interest to social engineers. BYOD policies
control OSN accounts and mimic real users. The authors established by companies often include the use of mobile
created a Socialbot Network (SbN): a group of adaptive so- phones and tablets. More and more employees use their
cialbots that are orchestrated in a command-and-control smartphones to check their company e-mails or to read
fashion on Facebook. The authors used 102 fake profiles to documents that are stored in the cloud. However, many
send friendship requests to 5,053 randomly selected Face- smartphone users use highly vulnerable smartphone appli-
book users. 19.3% of these users accepted the friendship cations that can be misused to conduct social engineering
requests. Next, the SbN tried to infiltrate the circle of attacks. Schrittwieser et al. [44] presented two different at-
friends of the users who had accepted their fake friendship tack scenarios that can serve as a starting point for such an
requests. Within 8 weeks, the SbN was able to further attack. In their work [44], they demonstrated how sender
infiltrate the network and gain access to personal infor- ID spoofing can be done on popular mobile messaging ap-
mation. A recent survey by Alvisi et al. [7] provides an plications such as WhatsApp [6]. A social engineer can use
overview of Sybil defenses for online social networks and this to send a message to a victim while pretending to be
proposes community detection algorithms. one of his friends. The authors also highlighted how vul-
nerabilities can be exploited to hijack user accounts, which
4.2. Cloud services can then be used to perform social engineering. Consider-
Cloud services provide a new channel through which ing that many smartphone applications are highly vulner-
social engineers can conduct attacks on the knowledge able and can leak sensitive information, we can conclude
worker. Knowledge workers frequently collaborate with that such mobile devices offer a variety of attack vectors
others who do not work at the same location. Sharing for social engineering and other attacks on user privacy.
information on a cloud service has therefore become pop- Moreover, some smartphone applications request permis-
ular. In this scenario, an attacker exploits this situation sions to access sensitive data on the user’s device. If an
and uses the cloud as a channel for the social engineering attacker were to create such an application, they would
attack. Recent publications described a variety of possible obtain the information and could use it as a starting point
attacks in the cloud, e.g., an attacker placing a malicious for a social engineering attack. Chin et al. [15] discussed
file into another user’s cloud as described by Gruschka et how inter-application information exchange can be sniffed
al. [21] and then using social engineering to make them on smartphones and then be misused to violate application
execute the malicious file. A malicious piece of software policies and permissions. In some cases, such as described
can also be used to extract personal information from the by Potharaju et al. [41], the attacker simply plagiarizes a
victim’s account, which is then used to perform more tar- popular smartphone application and deploys it in order to
geted attacks. Mulazzani et al. [37] provide countermea- perform an attack.
sures to reduce the risk by preventing the attacker from
placing malicious files on Dropbox, one of the currently 5. Real-world Examples
most commonly used cloud services. The level of trust
between users of a shared directory or file is not always In this section, we describe how targeted attacks against
as high as desired. Social engineers can exploit this fact the knowledge worker are performed in real-world scenar-
by using a fake identity or a compromised user account ios. Two methods were prevalently used in recent social
7
engineering attacks, namely spear-phishing and waterhol- the attacks through university computers located in the
ing attacks. We discuss these two methods in detail and United States. Again, the initial attack vector had been a
in the context of recent real-world attacks. spear-phishing attack which sent fake FedEx notifications.
The New York Times hired computer security experts to
5.1. Spear-Phishing analyze the attack and prevent a persistent threat. They
found that some of the methods used to break into the
Many companies deploy highly sophisticated end-point
company’s infrastructure were associated with the Chinese
security controls to protect their networks. Nevertheless,
military. Additionally, the malware that was installed to
targeted attacks such as spear-phishing are an increasing
gain access to the computers within the company’s net-
threat for knowledge workers because of their targeted pre-
work followed the pattern of previously reported Chinese
cision. In practice, the first step within an attack scenario
attacks. Perlroth [40] also reported that the same univer-
is that the attacker seeks publicly available information
sity computers in the United States had been previously
on the company’s Internet site and public profiles on so-
used by hackers from the Chinese military. With this at-
cial networks to obtain precise information on the targeted
tack, the hackers stole the passwords of all employees at
victim. Then the attacker constructs an e-mail using the
The New York Times and were thus able to access the
gathered information to gain the victim’s trust. In gen-
personal devices of 53 people. However, according to The
eral, such e-mails are only sent to a carefully selected small
New York Times, no customer data was stolen. The char-
group of people. In most cases, they contain attachments
acteristics of the attack clearly indicate a political motive
with malicious software to provide a remote control tool to
for this APT. China’s Ministry of National Defense stated
the attacker. Zero-day exploits are a good way of installing
that hacking is clearly prohibited under Chinese law and
a backdoor via an existing vulnerability. The remote con-
denied being the originator of the attack. According to
trol functionality is then used to harvest sensitive infor-
Perlroth [40] China is using such attacks to control its pub-
mation and to get into internal company networks. In this
lic image in the West and therefore authorized attackers
section, we discuss three real-world spear-phishing attacks
to injure organizations that might damage the reputations
and their impact on knowledge workers.
of Chinese authorities. They furthermore reported that
RSA, 2011. As described in [1], RSA suffered from an at- hackers assigned by Chinese authorities had stolen sensi-
tack by an advanced persistent threat. A small number tive information from more than 30 Western journalists.
of employees received an e-mail with “2011 Recruitment
The Red October Cyber-espionage Network. Kaspersky
Plan” in the subject line. Even though most of them
Lab [3] recently released a new research report on spear-
found this e-mail in their junk mail folder, the e-mail was
phishing attacks against diplomatic, governmental and re-
prepared well enough to convince the receiver of its trust-
search organizations. The majority of the organizations
worthiness. A number of employees thus directly opened
targeted were located in former USSR Republics in East-
the e-mail from the junk mail folder. The e-mail had a
ern Europe and Central Asia. The attack was launched
spreadsheet attached. According to [1], the spreadsheet
in 2007 and remained active until the beginning of 2013.
contained a zero-day exploit that installed a backdoor via
Sensitive data was not only stolen from research institu-
an Adobe Flash vulnerability. The attacker chose to use
tions but also from nuclear and energy groups as well as
a Poison Ivy2 variant to obtain remote control of the tar-
aerospace organizations. Similar to the attacks against
get’s device which initially was not detected. After the
RSA and The New York Times, the attackers sent a spear-
initial social engineering phase was completed, the attack-
phishing e-mail to a carefully selected group of people. For
ers compromised further machines in the local network.
example, the attackers advertised cheap diplomatic cars in
The attackers then successfully compromised a number of
spear-phishing messages, which included custom malware.
strategic accounts and were able to steal sensitive infor-
According to Kaspersky [3], the malware architecture con-
mation on RSA’s SecurID system. Eventually RSA had to
sisted of malicious extensions, info-stealing modules and a
replace millions of SecurID tokens [51] due to this success-
backdoor Trojan that exploited Microsoft Office security
ful social engineering attack.
vulnerabilities. The attackers also exfiltrated an enormous
amount of sensitive data from the infiltrated networks.
New York Times, 2013. The New York Times was hit by
Stolen credentials were arranged in lists and then used to
a similar attack as RSA. Chinese hackers performed a 4-
guess passwords of additional systems. The Red October
month targeted attack, infiltrating The New York Times
APT remained active for almost six years. The in-depth
computer systems and harvesting the employees’ user cre-
analysis revealed artifacts within the executables of the
dentials [40]. Reports suggest that there is evidence of
malware that indicate that the attackers were located in a
political motives behind the attack. The attackers broke
Russian-speaking country.
into e-mail accounts, tried to cloak the source of traffic to
the The New York Times and to route traffic caused by
5.2. Waterholing
Recently, waterholing attacks have been the major vec-
2 http://www.poisonivy-rat.com/ tor in attacks on multi-national corporations alongside
8
spear-phishing. Instead of directly targeting employees ever, are hard to counter even with additional user aware-
with customized phishing messages, the attackers target ness training and security policies. One possible approach
websites that are likely to be visited by their victims. They to counter waterholing attacks could be to identify the
infect specific websites with malware and expect that some most popular websites visited by employees to conduct an
of their target companies’ employees will visit them. additional monitoring of these websites.

Apple, Facebook, Twitter. In 2013, a zero-day vulnerabil-

6. Conclusions
ity in Java was exploited to specifically infiltrate corporate
networks [55] via waterholing attacks. Apple and Face- In this paper, we described common attack scenarios for
book fell victim to this. The attackers first compromised modern social engineering attacks on knowledge workers.
the development site ”iPhoneDevSDK”, which is a pop- BYOD-policies and distributed collaboration as well as
ular forum for iOS application developers. The website communication over third-party channels offers a variety of
was modified to exploit the Java vulnerability on devices new attack vectors for advanced social engineering attacks.
which visited the website. A number of Apple’s employees We believe that a detailed understanding of the attack vec-
visited the infected website and their devices were com- tors is required to develop efficient countermeasures and
promised. The infected machines were connected to Ap- protect knowledge workers from social engineering attacks.
ple’s cooperate network and the attackers were thus able To facilitate this, we introduced a comprehensive taxon-
to infiltrate Apple’s internal networks [54]. Facebook’s omy of attacks, classifying them by attack channel, op-
internal network was infiltrated by the same waterholing erator, different types of social engineering and specific
campaign [56]. In both reported cases, it is assumed that attack scenarios. We discussed real-world examples and
no confidential data was stolen. A similar breach was advanced attack vectors used in popular communication
reported earlier; however, it was not confirmed that the channels and the specific issues of computer-supported col-
main cause was related to Java’s zero-day vulnerability. laboration of knowledge workers in the business environ-
In this attack, the attackers exploited Twitter’s network ment such as cloud services, social networks and mobile
and were able to compromise about 250, 000 user accounts, devices as part of BYOD policies. In this paper, we not
stealing user names, e-mail addresses, session tokens and only discussed complex advanced attack scenarios, but also
encrypted passwords [30]. At first, it was believed that provided a comprehensive classification that can serve as a
the attack was conducted by Chinese attackers instructed basis for the development of countermeasures and further
by the country’s government or military, but others dis- interdisciplinary research in the field.
agree and believe that one of Twitter’s employees visited
the same infected website as Apple’s and Facebook’s em-
ployees [55]. 7. Acknowledgements
Reports on real-world examples focus to a large extent
This research was funded by the Austrian Science Fund
on the initial attack vector of social engineering and do
(FWF): P 26289-N23 and COMET K1, FFG - Austrian
not cover the technical aspects of these attacks. The first
Research Promotion Agency.
systematic analysis of targeted attacks at a large scale was
conducted by Le Blond et al. [12]. In addition to the so-
cial aspects of targeted attacks, Le Blond et al.’s analysis References
discussed technical aspects based on malicious emails re-
[1] Anatomy of an attack. available online: http://blogs.rsa.
ceived by an NGO over a four-year period. The authors com/anatomy-of-an-attack/, last accessed on 2013-07-17.
found that malicious office documents are the most pop- [2] Google hack attack was ultra sophisticated. avail-
ular attack vectors, followed by malicious archives. The able online: http://www.wired.com/threatlevel/2010/01/
analysis also showed that attackers tend to use well-known operation-aurora/, last accessed on 2013-07-17.
[3] Kaspersky lab identifies operation “red october,” an ad-
instead of zero-day vulnerabilities. The real-world exam- vanced cyber-espionage campaign targeting diplomatic
ples of recent attacks performed by APTs underline that and government institutions worldwide. available on-
social engineering remains the most successful strategy to line: http://www.kaspersky.com/about/news/virus/2013/
compromise large-scale organizations. The examples also Kaspersky_Lab_Identifies_Operation_Red_October_an_
Advanced_Cyber_Espionage_Campaign_Targeting_Diplomatic_
highlight that the predominant channels of social engineer- and_Government_Institutions_Worldwide, last accessed on
ing are e-mail communication and websites. Suggestions to 2014-01-10.
counter social engineering attacks focus mainly on security [4] Microsoft hacked: Joins apple, facebook, twitter – Informa-
policies and staff training [35, 18]. Gragg [19] points out tionWeek. available online: http://www.informationweek.
com/security/\Attackacks/microsoft-hacked-joins-apple-
that any education on social engineering must include psy- facebook-tw/240149323, last accessed on 2013-07-10.
chology and persuasion in order to understand and counter [5] The robin sage experiment: Fake profile fools security
attacks. Srikwan [47] recommends cartoons to teach users pros. available at http://www.networkworld.com/news/2010/
070810-the-robin-sage-experiment-fake.html?t51hb, last
about social engineering and phishing. In the light of our
accessed on: 2013-07-14.
discussed examples, user education might indeed help to [6] Whatsapp. available online: http://www.whatsapp.com/, last
counter spear-phishing attacks. Waterholing attacks, how- accessed on 2013-07-18.

9
 [7] L. Alvisi, A. Clement, A. Epasto, S. Lattanzi, and A. Panconesi. attacks. 2011.
Sok: The evolution of sybil defense via social networks. IEEE [29] T. Jagatic, N. Johnson, M. Jakobsson, and F. Menczer. Social
Symposium on Security and Privacy, 2013. phishing. Communications of the ACM, 50(10):94–100, 2007.
[8] G. Bader, A. Anjomshoaa, and A. Tjoa. Privacy aspects of [30] R. King. Twitter: More than 250K user accounts
mashup architecture. In Social Computing (SocialCom), 2010 have been compromised. online, 2013. available at:
IEEE Second International Conference on, pages 1141–1146, http://www.zdnet.com/twitter-more-than-250k-user-accounts-
2010. have-been-compromised-7000010711/, last accessed on 2014-
[9] M. Balduzzi, C. Platzer, T. Holz, E. Kirda, D. Balzarotti, and 01-21.
C. Kruegel. Abusing social networks for automated user profil- [31] K. Krombholz, H. Hobel, M. Huber, and E. Weippl. Social
ing. In Recent Advances in Intrusion Detection, pages 422–441. engineering attacks on the knowledge worker. In Proceedings
Springer, 2010. of the 6th International Conference on Security of Information
[10] R. Ballagas, M. Rohs, J. G. Sheridan, and J. Borchers. Byod: and Networks, SIN ’13, pages 28–35, New York, NY, USA, 2013.
Bring your own device. In In Proceedings of the Workshop on ACM.
Ubiquitous Display Environments, Ubicomp, 2004. [32] K. Krombholz, D. Merkl, and E. Weippl. Fake identities in
[11] L. Bilge, T. Strufe, D. Balzarotti, and E. Kirda. All your con- social media: A case study on the sustainability of the facebook
tacts are belong to us: automated identity theft attacks on so- business model. JoSSR, 4(2):175–212, 2012.
cial networks. In Proceedings of the 18th international confer- [33] K. Marett, D. Biros, and M. Knode. Self-efficacy, Training Ef-
ence on World wide web, pages 551–560. ACM, 2009. fectiveness, and Deception Detection: A Longitudinal Study
[12] S. L. Blond, A. Uritesc, C. Gilbert, Z. L. Chua, P. Saxena, and of Lie Detection Training. lecture notes in computer science,
E. Kirda. A look at targeted attacks through the lense of an 3073:187–200, 2004.
ngo. In 23rd USENIX Security Symposium (USENIX Security [34] K. Miller, J. Voas, and G. Hurlburt. Byod: Security and privacy
14), San Diego, CA, Aug. 2014. USENIX Association. considerations. IT Professional, 14(5):53–55, 2012.
[13] Y. Boshmaf, I. Muslukhov, K. Beznosov, and M. Ripeanu. The [35] K. Mitnick and W. Simon. The Art of Deception: Controlling
socialbot network: when bots socialize for fame and money. In the Human Element of Security. Wiley, 2002.
Proceedings of the 27th Annual Computer Security Applications [36] F. Mohd Foozy, R. Ahmad, M. Abdollah, R. Yusof, and
Conference, pages 93–102. ACM, 2011. M. Mas’ ud. Generic taxonomy of social engineering attack.
[14] G. Brown, T. Howe, M. Ihbe, A. Prakash, and K. Borders. 2011.
Social networks and context-aware spam. In Proceedings of [37] M. Mulazzani, S. Schrittwieser, M. Leithner, M. Huber, and
the 2008 ACM conference on Computer supported cooperative E. Weippl. Dark clouds on the horizon: using cloud storage as
work, CSCW ’08, pages 403–412, New York, NY, USA, 2008. attack vector and online slack space. In Proceedings of the 20th
ACM. USENIX conference on Security, SEC’11, pages 5–5, Berkeley,
[15] E. Chin, A. P. Felt, K. Greenwood, and D. Wagner. Analyz- CA, USA, 2011. USENIX Association.
ing inter-application communication in android. In Proceedings [38] R. Nelson. Methods of Hacking: Social
of the 9th international conference on Mobile systems, appli- Engineering. online, 2008. available at:
cations, and services, MobiSys ’11, pages 239–252, New York, http://www.isr.umd.edu/gemstone/infosec/ver2/ pa-
NY, USA, 2011. ACM. pers/socialeng.html, last accessed on 2013-07-04.
[16] R. Cialdini. Influence: science and practice. Allyn and Bacon, [39] K. Parsons, A. McCormac, M. Pattinson, M. Butavicius, and
2001. C. Jerram. Phishing for the truth: A scenario-based experi-
[17] P. F. Drucker. Landmarks of tomorrow: a report on the new ment of users’ behavioural response to emails. In L. Janczewski,
”post-modern” world. Harper, New York, 1st edition, 1959. H. Wolfe, and S. Shenoi, editors, Security and Privacy Pro-
[18] Gartner Inc. Protect Against Social Engineering Attacks. Gar- tection in Information Processing Systems, volume 405 of
nter Security webletter, 1(1), Feb. 2002. [Retrieved 2008-11-13]. IFIP Advances in Information and Communication Technol-
[19] D. Gragg. A Multi-Level Defense Against Social Engineering. ogy, pages 366–378. Springer Berlin Heidelberg, 2013.
SANS Reading Room, March, 13, 2003. [40] N. Perlroth. Chinese hackers infiltrate new york times comput-
[20] S. Granger. Social Engineering Fundamentals, Part I: Hacker ers, Jan. 2013. available at https://www.nytimes.com/2013/
Tactics. SecurityFocus, 2001. 01/31/technology/chinese-hackers-infiltrate-new-york-
[21] N. Gruschka and M. Jensen. Attack surfaces: A taxonomy for times-computers.html, last accessed on: 2013-07-01.
attacks on cloud services. In IEEE CLOUD, pages 276–279, [41] R. Potharaju, A. Newell, C. Nita-Rotaru, and X. Zhang. Pla-
2010. giarizing smartphone applications: attack strategies and defense
[22] C. Herley and D. Florencio. Phishing as a Tragedy of the Com- techniques. In Proceedings of the 4th international conference
mons. NSPW 2008, Lake Tahoe, CA, 2008. on Engineering Secure Software and Systems, ESSoS’12, pages
[23] M. Huber, S. Kowalski, M. Nohlberg, and S. Tjoa. Towards 106–120, Berlin, Heidelberg, 2012. Springer-Verlag.
automating social engineering using social networking sites. In [42] T. Qin and J. Burgoon. An Investigation of Heuristics of Human
Computational Science and Engineering, 2009. CSE’09. Inter- Judgment in Detecting Deception and Potential Implications in
national Conference on, volume 3, pages 117–124. IEEE, 2009. Countering Social Engineering. Intelligence and Security Infor-
[24] M. Huber, M. Mulazzani, M. Leithner, S. Schrittwieser, G. Won- matics, 2007 IEEE, pages 152–159, 2007.
dracek, and E. Weippl. Social snapshots: digital forensics for [43] J. C. Roberts, II and W. Al-Hamdani. Who can you trust in the
online social networks. In Proceedings of the 27th Annual Com- cloud? a review of security issues within cloud computing. In
puter Security Applications Conference, 2011. Proceedings of the 2011 Information Security Curriculum De-
[25] M. Huber, M. Mulazzani, S. Schrittwieser, and E. Weippl. velopment Conference, InfoSecCD ’11, pages 15–19, New York,
Cheap and automated socio-technical attacks based on social NY, USA, 2011. ACM.
networking sites. In 3rd Workshop on Artificial Intelligence [44] S. Schrittwieser, P. Fruehwirt, P. Kieseberg, M. Leithner,
and Security (AISec’10), 10 2010. M. Mulazzani, M. Huber, and E. Weippl. Guess Who Is Texting
[26] M. Huber, M. Mulazzani, E. Weippl, G. Kitzler, and S. Goluch. You? Evaluating the Security of Smartphone Messaging Appli-
Friend-in-the-middle attacks: Exploiting social networking sites cations. In Network and Distributed System Security Sympo-
for spam. IEEE Internet Computing, 15(3):28–34, 2011. sium (NDSS 2012), 2 2012.
[27] D. Irani, M. Balduzzi, D. Balzarotti, E. Kirda, and C. Pu. Re- [45] SocialEngineer. What is phishing - paypal phish-
verse social engineering attacks in online social networks. Detec- ing examples. available online: http://www.social-
tion of Intrusions and Malware, and Vulnerability Assessment, engineer.org/wiki/archives/Phishing/Phishing-PayPal.html,
pages 55–74, 2011. last accessed on 2013-07-04.
[28] K. Ivaturi and L. Janczewski. A taxonomy for social engineering [46] Sophos. Sophos facebook id probe shows 41% of users

10
 happy to reveal all to potential identity thieves, 2007. avail-
able online: http://www.sophos.com/en-us/press-office/press-
releases/2007/08/facebook.aspx, last accessed on 2013-07-13.
[47] S. Srikwan. Using Cartoons to Teach Internet Security. Cryp-
tologia, 32(2):137–154, 2008.
[48] S. Stasiukonis. Social Engineering, the USB Way. 2006. avail-
able at http://www.darkreading.com/security/perimeter/show
Article.jhtml?articleID=208803634, last accessed on: 2013-07-
02.
[49] T. Stein, E. Chen, and K. Mangla. Facebook immune system.
In Proceedings of the 4th Workshop on Social Network Systems,
SNS ’11, pages 8:1–8:8, New York, NY, USA, 2011. ACM.
[50] L. Tam, M. Glassman, and M. Vandenwauver. The psychol-
ogy of password management: a tradeoff between security and
convenience. Behav. Inf. Technol., 29(3):233–244, May 2010.
[51] The Wall Street Journal. Security tokens take hit, 2011.
Available at http://online.wsj.com/news/articles/
SB10001424052702304906004576369990616694366, last ac-
cessed: 01/12/2013.
[52] H. Thompson. The human element of information security. Se-
curity Privacy, IEEE, 11(1):32–35, 2013.
[53] TrustedSec. Social-engineer toolkit, 2013. available
online at: https://www.trustedsec.com/downloads/social-
engineer-toolkit/, last accessed 03/12/2013.
[54] Z. Whittaker. Apple hacked by same group that attacked Face-
book. online, 2013. available at: http://www.zdnet.com/apple-
hacked-by-same-group-that-attacked-facebook-7000011509/,
last accessed on 2014-01-21.
[55] Z. Whittaker. Facebook, Apple hacks could affect any-
one: Here’s what you can do. online, 2013. available
at: http://www.zdnet.com/facebook-apple-hacks-could-affect-
anyone-heres-what-you-can-do-7000011520/, last accessed on
2014-01-21.
[56] Z. Whittaker. Facebook hit by ’sophisticated attack’;
Java zero-day exploit to blame. online, 2013. avail-
able at: http://www.zdnet.com/facebook-hit-by-sophisticated-
attack-java-zero-day-exploit-to-blame-7000011390/, last ac-
cessed on 2014-01-21.

11

View publication stats