Detecting semantic social engineering attacks with the weakest link: Implementation and empirical evaluation of a human-as-a-security-sensor framework

Abstract: The notion that the human user is the weakest link in information security has been strongly, and, we argue, rightly contested in recent years. Here, we take a step further showing that the human user can in fact be the strongest link for detecting attacks that involve deception, such as application masquerading, spearphishing, WiFi evil twin and other types of semantic social engineering. Towards this direction, we have developed a human-as-a-security-sensor framework and a practical implementation in the for… Show more

“…Human users are considered as the weakest link in the information security domain. 9 One of the possible reasons is that human trust each other and share personal information rather quickly. Various research studies tried to propose unique solutions that may be effective in guarding social engineering attacks or helpful in mitigating the danger: (a) One of the research studies aims to verify whether priming through cues and warnings is effective in countering the habit to disclose personal information.…”

“…For online shoppers, 89.8% of them gave away information regarding their purchase and 91.4% shared the name of the online shop from where they usually buy. Further, multivariate analysis showed that priming and warnings alone are not effective in mitigating human's tendency to disclose information online 2 ; (b) Another study, 9 Heartfield et al proposed a concept that human can be used as a security sensor. The basic idea was to create a prototype application which will be installed on participant's windows platform.…”

“…Need & greed attack 16,27 In need and greed attack, the attacker first gathers information of the needs and greed for the victim and further uses this information to collect formation needed Direct approach 16,27 In this type of attack, an attacker directly approaches the victim to get the desired information Distraction approach 2,16 In this type of attack, an attacker involves in an activity to redirect victim's attention File masquerading 9 In File masquerading attack infected file is placed in the trusted folder. The victim when opens the folder will trust and execute the file without any fear…”

“…Phishing 3,8,9,[13][14][15][16]25 In phishing, an attacker tries to obtain personal or confidential information such as usernames, passwords, and credit card details or secret organizational information in electronic communication Spear phishing 1,2,4,9,15,24 Spear phishing is a type of phishing attack, which focuses on targeting specific person or organization instead of an unknown target. For example, to get specific information from Bob.…”

“…For example, attacker pretending to be a police officier or income tax officier Pretexting 8,16,25,27 In this type of attack, a fictional or hypothetical situation is created to get the desired information or data. For example, Victim has not paid income tax for his/her income for last many years Water holing 1,4,9,16,21,25 In this type of attack, attacker infects the most frequent website visited by the victim. For example, a victim is daily opening website related to cricket.…”

Contemplating social engineering studies and attack scenarios: A review study

“…Human users are considered as the weakest link in the information security domain. 9 One of the possible reasons is that human trust each other and share personal information rather quickly. Various research studies tried to propose unique solutions that may be effective in guarding social engineering attacks or helpful in mitigating the danger: (a) One of the research studies aims to verify whether priming through cues and warnings is effective in countering the habit to disclose personal information.…”

“…For online shoppers, 89.8% of them gave away information regarding their purchase and 91.4% shared the name of the online shop from where they usually buy. Further, multivariate analysis showed that priming and warnings alone are not effective in mitigating human's tendency to disclose information online 2 ; (b) Another study, 9 Heartfield et al proposed a concept that human can be used as a security sensor. The basic idea was to create a prototype application which will be installed on participant's windows platform.…”

“…Need & greed attack 16,27 In need and greed attack, the attacker first gathers information of the needs and greed for the victim and further uses this information to collect formation needed Direct approach 16,27 In this type of attack, an attacker directly approaches the victim to get the desired information Distraction approach 2,16 In this type of attack, an attacker involves in an activity to redirect victim's attention File masquerading 9 In File masquerading attack infected file is placed in the trusted folder. The victim when opens the folder will trust and execute the file without any fear…”

“…Phishing 3,8,9,[13][14][15][16]25 In phishing, an attacker tries to obtain personal or confidential information such as usernames, passwords, and credit card details or secret organizational information in electronic communication Spear phishing 1,2,4,9,15,24 Spear phishing is a type of phishing attack, which focuses on targeting specific person or organization instead of an unknown target. For example, to get specific information from Bob.…”

“…For example, attacker pretending to be a police officier or income tax officier Pretexting 8,16,25,27 In this type of attack, a fictional or hypothetical situation is created to get the desired information or data. For example, Victim has not paid income tax for his/her income for last many years Water holing 1,4,9,16,21,25 In this type of attack, attacker infects the most frequent website visited by the victim. For example, a victim is daily opening website related to cricket.…”

Contemplating social engineering studies and attack scenarios: A review study

Understanding and deciphering of social engineering attack scenarios

Enhanced social engineering framework mitigating against social engineering attacks in higher education