Automating social engineering (ASE)

Abstract-- Automated social engineering (ASE) takes the classical social engineering attack one step further and makes it a time efficient and thus cheap attack. ASE is enabled through social networking sites (SNSs) which entail a pool of digitized personal information which make traditional social engineering approaches such as dumpster diving obsolete. We created a proof of concept ASE bot on the basis of Facebook which is one of the biggest SNSs at the time of writing. In order to evaluate the feasibility of ASE attacks on Facebook we conducted two experiments on the basis of our ASE bot implementation. In the first experiment we evaluated the information gathering functionalities of the ASE bot on basis of five Swedish multinational corporations. Although our application on average found more than eight possible targets per organization, the actual number was dependent on the organization's network size in Facebook and the privacy awareness of their employees. In the second experiment we performed a Turing test were twenty test subjects had to decide if they were talking to a real person or to the ASE bot. The test subjects in generally were able to identify the ASE bot with a high probability. Although Facebook has a number of protective measures in place the ASE bot did not get detected or blocked during our experiments simply because it aimed at simulating an average Facebook user. Our results in conclusion showed that ASE bots are feasible from a technical standpoint and that existing chatbots need to be adapted for social networking services.