Social Engineering for Security Attacks
Jennifer Nelson, X. Lin, C. Chen, J. Iglesias and J. J. Li
Computer Science, Kean University
1000 Morris Avenue, Union NJ 07083 USA
001-908-737-4262
{neljenni, juli}@kean.edu
ABSTRACT

Social engineering is a technique that advanced persistent threat (APT) attackers use to obtain private and sensitive information through social networks or other forms of communication. Attackers use social engineering to gain access to social network accounts and then stay there undetected for a long period of time. The purpose of the attack is to steal sensitive data and spread false information rather than to cause direct damage. Targets can include the Facebook accounts of government agencies, corporations, schools or high-profile users. We propose to use an Intrusion Detection System (IDS) to battle such attacks. Social engineering aims to gain easy access, so that the attacks can be repeated and remain ongoing. The focus of this study is to find out how this type of attack is carried out so that it can be properly detected by an IDS in future research.

study how the attackers can take advantage of users' vulnerabilities to carry out such types of attacks.

The intention of social engineering attacks is to remain inside the compromised accounts as long as possible and steal as much data as possible. Such attacks are often well funded, organized and sophisticated. Social engineering attackers usually target members of large organizations that hold high-value information; financial industries, production companies and the government are examples of organizations that would be targeted.

Social engineering attacks often use persuasive emails or social network contacts to lure users to malicious sites, gather further information about the user, and then use that information to get into the user's organization to steal information or cause further damage.
Figure 1. An example of a social engineering attack using email or messaging.

This social engineering approach of learning more about the target and tailoring emails/messages to reflect that information raises the chance that the targeted user will open the email or message, because it appears to come from a known source with legitimate content. The Figure 1 diagram shows a spear phishing life cycle in which the entire attack goes through a cycle starting from an email/message whose content was obtained through social engineering research. Once the victims fall into the social engineering trap, they download the file or click the link, which gives the attackers control of and access to their systems. The cycle includes five steps. First, the attackers send a phishing email to the victims. When the victims open the email on a computer, a piece of malware is injected into their computers if they choose to click on a link or download a file. Once the malware is implanted, it searches the computer's storage for sensitive information such as bank account details and sends it to the attackers. The malware can cause further damage by compromising the router the infected computer connects to and gaining control of the entire LAN that router manages. It could even behave as a worm and attack other devices on the network.

Figure 2. An example spear phishing attack with social engineering content.

The social engineering content more often includes a link in the email or message. In fact, malicious links are more common than malicious files, because such files might not get through attachment scanners. A link cannot be scanned in the same way, because inspecting the content behind a link means fetching it, an action similar to clicking the link; where link inspection is done at all, it belongs in an isolated sandbox rather than on the user's machine. Figure 3 shows an example of a fake link leading to a malicious fake login page that pretends to be a PayPal site, in order to capture the victim's PayPal account credentials.
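The traits described above (a link whose visible text names one site while its href points somewhere else, a sender domain that merely resembles a known brand, and a document attachment of the kind used as exploit bait) can be checked mechanically before a message reaches a user. The following is an added example written for this edit, not code from the paper or its authors; the two messages are constructed, and the trusted-domain list, risky-extension list and edit-distance threshold are assumptions a deployment would tune.

```python
"""Heuristic spear phishing indicator checks over raw RFC 822 messages.

Added example (not from the paper). The checks are deliberately simple:
a brand-lookalike sender domain, a Reply-To that diverges from From,
link text that names a different host than the href, and a risky
attachment type. The sample messages and lists below are constructed.
"""
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: brands an organisation wants protected against lookalikes.
TRUSTED_DOMAINS = {"paypal.com", "kean.edu"}
# Assumption: attachment types that commonly carry document exploits.
RISKY_EXTENSIONS = {".rtf", ".doc", ".docm", ".xls", ".exe", ".scr", ".js", ".hta"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def edit_distance(a, b):
    """Levenshtein distance, used to spot typosquatted brand domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels of a host name (sufficient for the brands above)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def host_of(text):
    """Host part of a URL or bare domain string; '' if there is none."""
    if "://" not in text:
        text = "http://" + text
    return urlparse(text).hostname or ""


def lookalike(host):
    """Return the brand a host imitates (close but not equal), else None."""
    reg = registrable(host)
    for brand in TRUSTED_DOMAINS:
        if reg != brand and edit_distance(reg, brand) <= 2:
            return brand
    return None


def phishing_indicators(raw):
    """Return a list of human-readable indicator strings for one message."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = []
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    brand = lookalike(sender_domain)
    if brand:
        found.append(f"sender domain {sender_domain} imitates {brand}")
    _, reply = email.utils.parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != sender_domain:
        found.append("Reply-To domain differs from From domain")
    for part in msg.walk():
        fname = part.get_filename()
        if fname and any(fname.lower().endswith(e) for e in RISKY_EXTENSIONS):
            found.append(f"risky attachment {fname}")
        if part.get_content_type() == "text/html":
            collector = _LinkCollector()
            collector.feed(part.get_content())
            for href, text in collector.links:
                h = host_of(href)
                b = lookalike(h)
                if b:
                    found.append(f"link host {h} imitates {b}")
                # Only treat anchor text as a claimed destination if it looks like one.
                t = host_of(text) if "." in text and " " not in text else ""
                if t and registrable(t) != registrable(h):
                    found.append(f"link text says {t} but points to {h}")
    return found


# Constructed sample: lookalike sender, mismatched link, RTF bait attachment.
FAKE_PAYPAL = """From: PayPal Service <service@paypa1.com>
To: victim@kean.edu
Subject: Your account is limited
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Please visit <a href="http://paypa1.com/login">www.paypal.com/signin</a> to restore access.</p>
--b1
Content-Type: application/rtf
Content-Disposition: attachment; filename="Invoice.rtf"

constructed placeholder, not a real document
--b1--
"""

# Constructed sample: ordinary internal notice.
BENIGN = """From: Registrar <registrar@kean.edu>
To: student@kean.edu
Subject: Spring schedule
Content-Type: text/html

<p>See <a href="https://www.kean.edu/schedule">the schedule page</a>.</p>
"""

if __name__ == "__main__":
    for label, raw in (("fake paypal", FAKE_PAYPAL), ("benign", BENIGN)):
        print(label, phishing_indicators(raw))
```

None of these checks replaces attachment scanning; they are cheap pre-filters that catch the specific deception the figures illustrate, and a real deployment would feed hits to a quarantine or a user-facing warning rather than block outright.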
Spear phishing attacks that take advantage of social engineering are in fact quite common in our daily email and messaging communication. We received three such attacks in one month. Figure 2 shows a snapshot of one such attack that we received on a social network account with a malicious file attachment. It shows that such attacks happen very frequently everywhere in the network.

Figure 3. An example spear phishing attack with social engineering content and malicious links.

3.2 Attack Steps

A spear phishing attacker researches a specific organization and its high-level employees. Using information obtained from social and corporate sites, the attacker can then create an email that appears credible; this is the social engineering part. Once the link or attachment in a spear phishing email/message has been clicked or downloaded, malware is installed on the user's computer. The malware then waits for attacker instructions. The attacker can now research the organization's network. The user sees the document or views the page while the malware runs undetected. Once key information is obtained, the attacker continues until the data is extracted. According to Trend Micro, about 94% of spear phishing emails/messages include attachments (Trend Micro, 2012) [3]. The spear phishing emails/messages without attachments usually target international organizations or non-corporate organizations.

In summary, we found that the following steps can be used to carry out a social engineering attack using spear phishing:

1. The attacker sends an email/message with a malware attachment or link to the targeted user (organization).
2. The user opens the email/message because it appears to come from a trusted source, and downloads the attachment or clicks the malicious link in the email/message or social network post.
3. The targeted system has now been compromised, because the malicious content injects listeners or sniffers into the organization to which the victim belongs.
4. The malicious code installs tools on the systems of the victim's organization so that it can stay undetected until confidential information is obtained.
5. The attacker is able to extract data continuously for a long period of time without being discovered.

These steps can actually be automated using tools provided by Kali Linux. This is a simple way we found to send a spear phishing email. With the additional step of gathering user information through social networks, the following simple steps can be used to carry out spear phishing attacks in a batch against a large group of email and messaging addresses [4].

1. After installing VirtualBox/VMware on your computer, install Kali Linux.
2. Once installed, go to Applications, Exploitation Tools, then choose Social Engineering Toolkit (setoolkit).
3. A terminal screen appears; choose the first option, Social-Engineering Attacks.
4. Next choose 1 for Spear-Phishing Attack Vectors, and then choose 2 for Create a FileFormat Payload.
5. Choose 4 for Microsoft Word RTF Fragments (MS10-087).
6. Choose a payload: 5 for Windows Meterpreter Reverse_TCP (x64).
7. You will then be prompted to enter a port number to listen on. 443 is the default port and requires no changes. The malicious file is created.
8. Rename the file so that the user thinks it is coming from a trusted source.
9. Create the email: you are then prompted to attack with a single email address or a mass mailer. Choose 1 for Email-Attack Single Email Address.
10. SET then prompts you to send using HTML or plain text. HTML is best so that the message looks more authentic.
11. You can then write your email. Once complete, type Ctrl+C.
12. SET then prompts you to enter where you want to send it from. Choose accordingly.

4. WAYS TO PREVENT/REDUCE THE RISK OF SOCIAL ENGINEERING ATTACKS

We propose the following ways to reduce the risk of social engineering attacks:

1) Use a firewall to limit access to your network.
2) Install comprehensive security software on all your devices, such as the McAfee LiveSafe™ service, since malware is a key component of successful spear phishing attacks.
3) Don't click on attachments or links you receive from people you don't know.
4) Keep your personal information private, i.e. do not give out too much information on social networks. Be suspicious of anyone who asks for your home address, phone number, Social Security number or other personally identifying information.
5) Remember that once you share personal information online, it is out of your control. Share cautiously on social network sites.
6) Check whether the websites you share sensitive information with support two-factor authentication. This is a security technique that uses something you know, such as your password, and something you possess, such as your phone, to verify your identity. For example, your bank may ask for your password online as well as a code that it has sent via text message to your phone. This is a second layer of protection and should be enabled for sensitive information. Note that a code typed into a fake login page of the kind shown in Figure 3 can be relayed by the attacker to the real site just as the password is, so where a site offers a phishing-resistant factor such as a hardware security key, prefer it.

The above steps outline ways to prevent phishing attacks carried out through social engineering. This approach tries to prevent attacks before they occur. In our other work, we try to detect attacks when they occur. Such detection relies on monitoring network traffic to discover data patterns and identify outliers as attack events.

Machine learning algorithms have often been used to classify data into categories such as attack or normal traffic. The existing algorithms assume the existence of mathematical models and work on certain types of data. We will use the approach given in (Bassu 2012) [5] to discover data patterns. We also study improvements to some machine learning algorithms as reported in (Rossikova 2016) [6].

We hope our work will contribute to the field of social engineering attack studies and help users decide what to share on social networks and what the associated risks are. Social networks are a great form of communication that allows individual users to communicate simultaneously with a large group of users. However, their security, and the prevention of social engineers from using information gathered from social networks for attacks, is an important topic to study in order to make social networks a more popular and safe place for communication.

5. CONCLUSIONS

Spear phishing emails/messages continue to be successful as cyber-attacks become more sophisticated. It was estimated in 2015 that it takes 1 minute and 20 seconds for an employee in a company to open a phishing email/message (InfoSec Resources, 2015) [2]. Employees take the bait quickly, which leaves little time for a detection system to run and defend against phishing. Besides taking advantage of social engineering, spear phishing is the most commonly used form of APT-type attack. As long as emails/messages continue to be one of the main forms of communication in most organizations, such attacks will continue and may become more successful over time with the help of social engineering research.

Training should be conducted by all organizations to help reduce the risk of these attacks. Employee awareness can reduce such attacks by a significant amount. Organizations should also research new ways of securing communication among high-level employees who have access to confidential information.

An intrusion detection system can also be used to detect such attacks once they have succeeded and had some impact on the target organization. Further study is ongoing on ways to prevent spear phishing attacks that use social engineering, and on detecting such attacks once they are successfully impacting the system, through the changes they cause in normal network and server traffic data and their patterns.

6. ACKNOWLEDGMENTS

This research was partially supported through the Kean University SpF 2015 Student Partnering with Faculty summer research program. The support of the Kean University Foundation and ORSP is greatly appreciated.

7. REFERENCES

[1] How difficult is it to carry out an APT attack? (n.d.). Retrieved May 07, 2014, from http://www.cbronline.com/news/cybersecurity/data/how-difficult-it-is-to-carry-out-an-atp-attack-4261415.
[2] Spear-phishing statistics from 2014-2015. InfoSec Resources. (2015, August 19). Retrieved June 08, 2016, from http://resources.infosecinstitute.com/spear-phishing-statistics-from-2014-2015.
[3] Trend Micro. (2012). Spear-Phishing Email: Most Favored APT Attack Bait. http://www.trendmicro.com.au/cloud-content/us/pdfs/security-intelligence/white-papers/wp-spear-phishing-email-most-favored-apt-attack-bait.pdf (accessed 1 October 2014).
[4] "Hack Like a Pro: How to Spear Phish with the Social Engineering Toolkit (SET) in BackTrack." Web log post. WonderHowTo, 2014. Web. 8 June 2016. <http://null-byte.wonderhowto.com/how-to/hack-like-pro-spear-phish-with-social-engineering-toolkit-set-backtrack-0148571/>.
[5] D. Bassu, R. Izmailov, A. McIntosh, L. Ness, D. Shallcross, "Centralized Multi-Scale Singular Vector Decomposition for Feature Construction in LIDAR Image Classification Problems", Applied Imagery Pattern Recognition Workshop 2012.
[6] Y. Rossikova, J. J. Li and P. Morreale, "Intelligent Data Mining for Translator Correctness Prediction", CloudSecurity2016, Columbia University NYC, April 2016.
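The detection side the paper defers to future work can be illustrated on the attack it describes: the SET payload in section 3.2 is a reverse-TCP implant that connects back to a listener on port 443 and then "waits for attacker instructions", which in flow logs looks like one internal host contacting one external address on a near-constant schedule with near-constant sizes. Port alone does not separate it from HTTPS browsing, so the example below keys on timing regularity. This is an added example written for this edit, not the authors' IDS or any Kali/SET code; the flow records, thresholds and field layout are constructed assumptions.

```python
"""Beacon detection over flow records (added example, not the paper's code).

Each record is (epoch seconds, src, dst, dport, bytes sent). Flows are
grouped per (src, dst, dport) channel; a channel whose inter-arrival gaps
have a low coefficient of variation is reported as beaconing. The size
coefficient of variation is reported as supporting evidence, because an
idle implant polling its listener sends the same few bytes every time.
"""
from collections import defaultdict
from statistics import mean, pstdev


def find_beacons(flows, min_flows=10, max_gap_cv=0.2):
    """Return {(src, dst, dport): stats} for channels that look like beacons.

    min_flows and max_gap_cv are assumed thresholds; tune them per network.
    """
    by_channel = defaultdict(list)
    for ts, src, dst, dport, nbytes in flows:
        by_channel[(src, dst, dport)].append((ts, nbytes))
    hits = {}
    for key, recs in by_channel.items():
        if len(recs) < min_flows:
            continue
        recs.sort()
        gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        sizes = [n for _, n in recs]
        period = mean(gaps)
        if period <= 0:
            continue
        gap_cv = pstdev(gaps) / period
        size_cv = pstdev(sizes) / mean(sizes)
        if gap_cv <= max_gap_cv:
            hits[key] = {
                "flows": len(recs),
                "period_s": round(period, 1),
                "gap_cv": round(gap_cv, 3),
                "size_cv": round(size_cv, 3),
            }
    return hits


def _beacon_flows():
    """Constructed: implant on 10.0.0.5 polling its listener every ~60 s."""
    jitter = [0, 1, -1, 2, 0, 1, -2, 0, 1, 0, -1, 1, 0, 2, -1, 0, 1, 0, -1, 1]
    return [(1000 + 60 * k + j, "10.0.0.5", "203.0.113.10", 443, 312)
            for k, j in enumerate(jitter)]


def _browsing_flows():
    """Constructed: a user on 10.0.0.7 browsing one HTTPS site irregularly."""
    gaps = [3, 40, 2, 5, 310, 1, 7, 120, 2, 2, 900, 4, 1, 60, 2, 15, 8, 200, 3, 1]
    sizes = [1400, 300, 9800, 2200, 51000, 640, 1200, 880, 23000, 410,
             1500, 7700, 300, 2600, 990, 18000, 450, 3300, 1200, 6000]
    out, t = [], 1000
    for g, s in zip(gaps, sizes):
        t += g
        out.append((t, "10.0.0.7", "198.51.100.20", 443, s))
    return out


# Constructed sample log: both hosts use port 443, only one beacons.
FLOWS = sorted(_beacon_flows() + _browsing_flows())

if __name__ == "__main__":
    for channel, stats in find_beacons(FLOWS).items():
        print(channel, stats)
```

On real data the same logic runs per day over NetFlow or Zeek conn logs; the main sources of false positives are legitimate pollers (update checks, mail clients, monitoring agents), which is why the output should be a ranked list for an analyst rather than an automatic block.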