Automating social engineering (ASE)

Abstract-- Automated social engineering (ASE) takes the classical social engineering attack one step further and makes it a time efficient and thus cheap attack. ASE is enabled through social networking sites (SNSs) which entail a pool of digitized personal information which make traditional social engineering approaches such as dumpster diving obsolete. We created a proof of concept ASE bot on the basis of Facebook which is one of the biggest SNSs at the time of writing. In order to evaluate the feasibility of ASE attacks on Facebook we conducted two experiments on the basis of our ASE bot implementation. In the first experiment we evaluated the information gathering functionalities of the ASE bot on basis of five Swedish multinational corporations. Although our application on average found more than eight possible targets per organization, the actual number was dependent on the organization's network size in Facebook and the privacy awareness of their employees. In the second experiment we performed a Turing test were twenty test subjects had to decide if they were talking to a real person or to the ASE bot. The test subjects in generally were able to identify the ASE bot with a high probability. Although Facebook has a number of protective measures in place the ASE bot did not get detected or blocked during our experiments simply because it aimed at simulating an average Facebook user. Our results in conclusion showed that ASE bots are feasible from a technical standpoint and that existing chatbots need to be adapted for social networking services.

Publications

Towards Automating Social Engineering Using Social Networking Sites, PASSAT2009, Vancouver, CA

@article{ 10.1109/CSE.2009.205,

author = {Markus Huber and Stewart Kowalski and Marcus Nohlberg and Simon Tjoa},

title = {Towards Automating Social Engineering Using Social Networking Sites},

journal ={Computational Science and Engineering, IEEE International Conference on},

volume = {3},

year = {2009},

isbn = {978-0-7695-3823-5},

pages = {117-124},

doi = {http://doi.ieeecomputersociety.org/10.1109/CSE.2009.205},

publisher = {IEEE Computer Society},

address = {Los Alamitos, CA, USA},

}

Automated Social Engineering PoC, Masters thesis, DSV SecLab, SU/KTH Stockholm, Sweden

Automated Social Engineering PoC by Markus Huber is licensed under a Creative Commons Attribution-Noncommercial 3.0 Austria License.

Permissions beyond the scope of this license may be available at http://asebot.nysos.net

@MastersThesis{ ASEthesis09,

    title = "Automated Social Engineering, Proof of Concept",

    author = "Markus Huber",

    school = "DSV SecLab, Stockholm University/Royal Institute of Technology",

    month = mar,

    year = "2009",

    url = "http://asebot.nysos.net"

}

Related Work

Tobias Lauinger, Veikko Pankakoski, Davide Balzarotti, Engin Kirda, Honeybot: Your Man in the Middle for Automated Social Engineering, 3rd USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET), San Jose, April 2010

Nohlberg, M., Kowalski, S. & Huber, M. (2008) Measuring Readiness for Automated Social Engineering

In Proceedings of the 7th Annual Security Conference. Las Vegas, USA, June 2008. 

Contact