Abstract: Automated social engineering (ASE) takes the classical social engineering attack one step further and makes it a time-efficient and thus cheap attack. ASE is enabled by social networking sites (SNSs), which hold a pool of digitized personal information that makes traditional social engineering approaches such as dumpster diving obsolete. We created a proof-of-concept ASE bot on the basis of Facebook,
which is one of the biggest SNSs at the time of writing. In order to
evaluate the feasibility of ASE attacks on Facebook, we conducted two
experiments on the basis of our ASE bot implementation. In the first
experiment we evaluated the information-gathering functionality of
the ASE bot on the basis of five Swedish multinational corporations.
Although our application on average found more than eight possible
targets per organization, the actual number depended on the
organization's network size in Facebook and the privacy awareness of
its employees. In the second experiment we performed a Turing test
where twenty test subjects had to decide whether they were talking to a real person
or to the ASE bot. The test subjects were generally able to identify
the ASE bot with a high probability. Although Facebook has a number of
protective measures in place, the ASE bot was not detected or
blocked during our experiments, simply because it aimed at simulating an average Facebook user.
In conclusion, our results showed that ASE bots are feasible from a
technical standpoint and that existing chatbots need to be adapted for
social networking services.
Publications
Towards Automating Social Engineering Using Social Networking Sites, PASSAT2009, Vancouver, CA
@article{ 10.1109/CSE.2009.205,
author = {Markus Huber and Stewart Kowalski and Marcus Nohlberg and Simon Tjoa},
title = {Towards Automating Social Engineering Using Social Networking Sites},
journal = {Computational Science and Engineering, IEEE International Conference on},
volume = {3},
year = {2009},
isbn = {978-0-7695-3823-5},
pages = {117-124},
doi = {http://doi.ieeecomputersociety.org/10.1109/CSE.2009.205},
publisher = {IEEE Computer Society},
address = {Los Alamitos, CA, USA},
}
Automated Social Engineering PoC, Masters thesis, DSV SecLab, SU/KTH Stockholm, Sweden
Automated Social Engineering PoC by Markus Huber is licensed under a Creative Commons Attribution-Noncommercial 3.0 Austria License.
Permissions beyond the scope of this license may be available at http://asebot.nysos.net
@MastersThesis{ ASEthesis09,
title = "Automated Social Engineering, Proof of Concept",
author = "Markus Huber",
school = "DSV SecLab, Stockholm University/Royal Institute of Technology",
month = mar,
year = "2009",
url = "http://asebot.nysos.net"
}
Related Work
Tobias Lauinger, Veikko Pankakoski, Davide Balzarotti, Engin Kirda, Honeybot: Your Man in the Middle for Automated Social Engineering, 3rd USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET), San Jose, April 2010
Nohlberg, M., Kowalski, S. & Huber, M. (2008) Measuring Readiness for Automated Social Engineering. In Proceedings of the 7th Annual Security Conference. Las Vegas, USA, June 2008.
ASE_PASSAT09_preprint.pdf (1047k) Markus Donko-Huber, Jul 5, 2009, 11:53 PM
thesis_ASE-PoC_MHuber.pdf (1830k) Markus Donko-Huber, Mar 31, 2009, 3:29 PM