
Electronic data

  • servs_redux

    Rights statement: This is the author’s version of a work that was accepted for publication in Computers and Security. Changes resulting from the publishing process, such as peer review, editing, corrections, structural formatting, and other quality control mechanisms may not be reflected in this document. Changes may have been made to this work since it was submitted for publication. A definitive version was subsequently published in Computers and Security, 69, 2017 DOI: 10.1016/j.cose.2016.12.013

    Accepted author manuscript, 352 KB, PDF document

    Available under license: CC BY-NC-ND: Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License

Links

Text available via DOI: 10.1016/j.cose.2016.12.013

Panning for gold: automatically analysing online social engineering attack surfaces

Research output: Contribution to Journal/Magazine › Journal article › peer-review

Published

Standard

Panning for gold: automatically analysing online social engineering attack surfaces. / Edwards, Matthew; Larson, Robert; Green, Benjamin et al.
In: Computers and Security, Vol. 69, 08.2017, p. 18-34.


Vancouver

Edwards M, Larson R, Green B, Rashid A, Baron A. Panning for gold: automatically analysing online social engineering attack surfaces. Computers and Security. 2017 Aug;69:18-34. Epub 2016 Dec 29. doi: 10.1016/j.cose.2016.12.013

Author

Edwards, Matthew ; Larson, Robert ; Green, Benjamin et al. / Panning for gold : automatically analysing online social engineering attack surfaces. In: Computers and Security. 2017 ; Vol. 69. pp. 18-34.

Bibtex

@article{498cab84411c4348bca7c02e972cebf1,
title = "Panning for gold: automatically analysing online social engineering attack surfaces",
abstract = "The process of social engineering targets people rather than IT infrastructure. Attackers use deceptive ploys to create compelling behavioural and cosmetic hooks, which in turn lead a target to disclose sensitive information or to interact with a malicious payload. The creation of such hooks requires background information on targets. Individuals are increasingly releasing information about themselves online, particularly on social networks. Though existing research has demonstrated the social engineering risks posed by such open source intelligence, this has been accomplished either through resource-intensive manual analysis or via interactive information harvesting techniques. As manual analysis of large-scale online information is impractical, and interactive methods risk alerting the target, alternatives are desirable. In this paper, we demonstrate that key information pertinent to social engineering attacks on organisations can be passively harvested on a large-scale in an automated fashion. We address two key problems. We demonstrate that it is possible to automatically identify employees of an organisation using only information which is visible to a remote attacker as a member of the public. Secondly, we show that, once identified, employee profiles can be linked across multiple online social networks to harvest additional information pertinent to successful social engineering attacks. We further demonstrate our approach through analysis of the social engineering attack surface of real critical infrastructure organisations. Based on our analysis we propose a set of countermeasures including an automated social engineering vulnerability scanner that organisations can use to analyse their exposure to potential social engineering attacks arising from open source intelligence.",
keywords = "Social Engineering, Vulnerability Analysis, Open Source Intelligence, Social Networks, Competitive Intelligence",
author = "Matthew Edwards and Robert Larson and Benjamin Green and Awais Rashid and Alistair Baron",
note = "This is the author{\textquoteright}s version of a work that was accepted for publication in Computers and Security. Changes resulting from the publishing process, such as peer review, editing, corrections, structural formatting, and other quality control mechanisms may not be reflected in this document. Changes may have been made to this work since it was submitted for publication. A definitive version was subsequently published in Computers and Security, 69, 2017 DOI: 10.1016/j.cose.2016.12.013",
year = "2017",
month = aug,
doi = "10.1016/j.cose.2016.12.013",
language = "English",
volume = "69",
pages = "18--34",
journal = "Computers and Security",
issn = "0167-4048",
publisher = "Elsevier Ltd",

}

RIS

TY - JOUR

T1 - Panning for gold

T2 - automatically analysing online social engineering attack surfaces

AU - Edwards, Matthew

AU - Larson, Robert

AU - Green, Benjamin

AU - Rashid, Awais

AU - Baron, Alistair

N1 - This is the author’s version of a work that was accepted for publication in Computers and Security. Changes resulting from the publishing process, such as peer review, editing, corrections, structural formatting, and other quality control mechanisms may not be reflected in this document. Changes may have been made to this work since it was submitted for publication. A definitive version was subsequently published in Computers and Security, 69, 2017 DOI: 10.1016/j.cose.2016.12.013

PY - 2017/8

Y1 - 2017/8

N2 - The process of social engineering targets people rather than IT infrastructure. Attackers use deceptive ploys to create compelling behavioural and cosmetic hooks, which in turn lead a target to disclose sensitive information or to interact with a malicious payload. The creation of such hooks requires background information on targets. Individuals are increasingly releasing information about themselves online, particularly on social networks. Though existing research has demonstrated the social engineering risks posed by such open source intelligence, this has been accomplished either through resource-intensive manual analysis or via interactive information harvesting techniques. As manual analysis of large-scale online information is impractical, and interactive methods risk alerting the target, alternatives are desirable. In this paper, we demonstrate that key information pertinent to social engineering attacks on organisations can be passively harvested on a large-scale in an automated fashion. We address two key problems. We demonstrate that it is possible to automatically identify employees of an organisation using only information which is visible to a remote attacker as a member of the public. Secondly, we show that, once identified, employee profiles can be linked across multiple online social networks to harvest additional information pertinent to successful social engineering attacks. We further demonstrate our approach through analysis of the social engineering attack surface of real critical infrastructure organisations. Based on our analysis we propose a set of countermeasures including an automated social engineering vulnerability scanner that organisations can use to analyse their exposure to potential social engineering attacks arising from open source intelligence.

AB - The process of social engineering targets people rather than IT infrastructure. Attackers use deceptive ploys to create compelling behavioural and cosmetic hooks, which in turn lead a target to disclose sensitive information or to interact with a malicious payload. The creation of such hooks requires background information on targets. Individuals are increasingly releasing information about themselves online, particularly on social networks. Though existing research has demonstrated the social engineering risks posed by such open source intelligence, this has been accomplished either through resource-intensive manual analysis or via interactive information harvesting techniques. As manual analysis of large-scale online information is impractical, and interactive methods risk alerting the target, alternatives are desirable. In this paper, we demonstrate that key information pertinent to social engineering attacks on organisations can be passively harvested on a large-scale in an automated fashion. We address two key problems. We demonstrate that it is possible to automatically identify employees of an organisation using only information which is visible to a remote attacker as a member of the public. Secondly, we show that, once identified, employee profiles can be linked across multiple online social networks to harvest additional information pertinent to successful social engineering attacks. We further demonstrate our approach through analysis of the social engineering attack surface of real critical infrastructure organisations. Based on our analysis we propose a set of countermeasures including an automated social engineering vulnerability scanner that organisations can use to analyse their exposure to potential social engineering attacks arising from open source intelligence.

KW - Social Engineering

KW - Vulnerability Analysis

KW - Open Source Intelligence

KW - Social Networks

KW - Competitive Intelligence

U2 - 10.1016/j.cose.2016.12.013

DO - 10.1016/j.cose.2016.12.013

M3 - Journal article

VL - 69

SP - 18

EP - 34

JO - Computers and Security

JF - Computers and Security

SN - 0167-4048

ER -
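The abstract above describes a passive, automated pipeline: identify an organisation's employees from what a remote member of the public can see, link each employee's profile across several online social networks, and report the resulting social engineering exposure. The following Python is an added illustration for this record, not code from the paper or its authors; the paper's actual identification and linkage methods are not described on this page. The organisation name, the two networks, the handles, the attribute labels and the linkage heuristic (a close display-name match plus at least one corroborating signal, either a matching stated location or the employer named in the candidate's bio) are all the editor's constructed assumptions. Everything runs offline against the embedded sample data; nothing is fetched from any network.

```python
"""Passive cross-network profile linkage with a toy exposure score.

Added illustration for this record, not code from the paper: the paper's own
employee-identification and profile-linkage methods are not described on this
page, so the linkage heuristic below (close display-name match plus at least
one corroborating signal) is the editor's assumption, not the authors' method.
The organisation, networks, handles and attributes are constructed sample data
and every check runs offline against them: nothing is fetched from any network.
"""
from dataclasses import dataclass
from difflib import SequenceMatcher
import json

ORG = "Example Utilities"  # hypothetical target organisation


@dataclass(frozen=True)
class Profile:
    network: str
    handle: str
    display_name: str
    employer: str = ""
    location: str = ""
    bio: str = ""
    # Public attributes a pretext could be built from (constructed labels).
    attributes: frozenset = frozenset()


# Constructed data: a professional network ("NetA") where people declare an
# employer, and a personal network ("NetB") where they do not.
NET_A = [
    Profile("NetA", "j.smith", "Jane Smith", employer="Example Utilities",
            location="Lancaster", attributes=frozenset({"job_title", "employer"})),
    Profile("NetA", "bob.k", "Robert Kaur", employer="Example Utilities",
            location="Preston", attributes=frozenset({"job_title", "employer", "work_email"})),
    Profile("NetA", "ali.m", "Ali Mensah", employer="Other Corp",
            location="Leeds", attributes=frozenset({"job_title"})),
]
NET_B = [
    Profile("NetB", "janes_88", "Jane Smith", location="Lancaster",
            bio="engineer at example utilities, dog mum",
            attributes=frozenset({"pet_name", "birthday", "photos"})),
    Profile("NetB", "jsmith_nyc", "Jane Smith", location="New York",
            bio="photographer", attributes=frozenset({"photos"})),
    Profile("NetB", "rob_kaur", "Rob Kaur", location="Preston",
            bio="football, hiking", attributes=frozenset({"hobbies", "family"})),
]


def identify_employees(profiles, org=ORG):
    """Step 1: keep only profiles that publicly declare the target employer."""
    return [p for p in profiles if p.employer.lower() == org.lower()]


def name_similarity(a, b):
    """Case-insensitive string similarity in [0, 1]; tolerates Rob/Robert."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def link_profile(employee, candidates, org=ORG, name_threshold=0.8):
    """Step 2: find the employee's profile on another network.

    A close name alone is deliberately not enough (common names collide), so
    a link also needs a corroborating signal: the same stated location, or the
    employer named in the candidate's bio. Returns the best candidate or None.
    """
    best_sim, best = 0.0, None
    for cand in candidates:
        sim = name_similarity(employee.display_name, cand.display_name)
        same_location = bool(employee.location) and employee.location.lower() == cand.location.lower()
        names_employer = org.lower() in cand.bio.lower()
        if sim >= name_threshold and (same_location or names_employer) and sim > best_sim:
            best_sim, best = sim, cand
    return best


def exposure_report(professional, personal):
    """Step 3: per employee, the linked personal profile and the union of
    publicly exposed attributes across both networks."""
    report = {}
    for emp in identify_employees(professional):
        linked = link_profile(emp, personal)
        exposed = set(emp.attributes) | (set(linked.attributes) if linked else set())
        report[emp.handle] = {
            "linked": linked.handle if linked else None,
            "exposed": sorted(exposed),
        }
    return report


if __name__ == "__main__":
    print(json.dumps(exposure_report(NET_A, NET_B), indent=2))
```

Running the block prints a per-employee report: the two declared employees are linked to their personal-network profiles, the "Jane Smith" in New York is rejected despite the identical name because nothing corroborates the link, and the non-employee is never considered. The exposure list is what a scanner of this kind would surface to the organisation: attributes such as a pet name, birthday or family details that only become attributable to a named employee once the two profiles are joined. The corroboration requirement is the part worth keeping in any real implementation; a name-only match is exactly the kind of false positive that would send a phishing pretext to the wrong person.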