Reverse Social Engineering Attacks in Online Social Networks - Essay Example

Summary
The writer of the essay "Reverse Social Engineering Attacks in Online Social Networks" suggests that in order to minimize the effects of RSE, the networking sites should only suggest possible friends when there is a strong connection that exists between them…
Extract of sample "Reverse Social Engineering Attacks in Online Social Networks"

A social network is a structure whose nodes represent individuals, and social networking is one of the fastest-growing phenomena to date. Social networking sites such as LinkedIn, Facebook and Twitter, which are used primarily for communication oriented toward business ventures, friendship or finding potential dating partners, are growing tremendously in size as they take on new members. Facebook has now reached 500 million users, with LinkedIn having 35 million registered members and XING lagging behind with 6 million users. The alarming amount of sensitive personal information that users share on these sites makes this web domain a potentially attractive arena for cyber crime. Attackers can exploit data available on a user's profile, such as email addresses, relationship status, educational background and languages spoken, to bring about a security breach. Attacks on these sites are variants of conventional ones such as spam, malware and phishing; past attacks in which worms infested some of the biggest social networking sites illustrate this.

In Reverse Social Engineering (RSE) attacks, the perpetrators are not so well known, because the victim is tricked into contacting the attacker and building a solid trust relationship. Once this initial attack succeeds, a series of cyber frauds follows, mainly due to the leak of sensitive information, involving identity theft, blackmail, malicious status updates and others. Real-world experiments were implemented to study the behavior of RSE attacks and the factors influencing them. However, this significant step is a very ethically sensitive domain: questions about the justification of carrying out such a study on real users without their knowledge do arise.
However, examining the issue through this method is unavoidable because no alternative methodology is available. It was ensured that all sensitive information was handled cautiously; during aggregate analysis, the data was anonymised and no manual inspection was carried out. Since the experiment was conducted in Europe, the legal department of the institution, which is analogous to an Institutional Review Board (IRB) in the US, was consulted, and it approved the data handling procedure.

In the study, a single account was created which performed a large number of email search queries; the profile was then recommended by the site's suggestion system to multiple profiles as a potential friend, and as a result a thousand friend requests were received by the account. This was to show how easy it is to trick users into establishing a trust relationship on networking sites. In the second set of experiments, five different attack profiles were generated for three social networks.

The attackers rely on a form of baiting in which the victim is lured into contacting the attacker. Two types of attack exist: mediated, in which baiting is performed by an intermediate body such as the Facebook friend suggestion system, and direct, in which the baiting is visible to the targeted user. There are three types of real-world RSE attacks. The first is the Recommendation-Based Attack, which is mediated: the recommendation system performs the baiting. This attack was launched on Facebook. The second is the Demographic-Based Attack, which is also mediated and relies solely on incoming contact based on profiles; it was carried out on the networking site Badoo. The third is Visitor Tracking-Based RSE, performed on Friendster. In this form of attack, the attack profile visits the victims' profiles, which is visible to the victims; if the attacker's profile is interesting, the victim may contact the attacker.
Five different contact profiles were created to determine which characteristics make profiles effective. The first profile was of a 23-year-old male from New York with an attractive male in the profile picture, the second was of a 23-year-old female from New York with an attractive picture, and the third was again of a 23-year-old female, from Paris, with a pretty profile picture. The fourth profile was of a 35-year-old female from New York with her picture, and the fifth was of a 23-year-old female from New York with a cartoon as the profile picture.

The results for the Recommendation-Based RSE on Facebook indicate that, among 50,000 profiles queried per attack, profiles 2 and 3 were the most successful and profile 5 the least, and 94% of messages were sent after the friend requests were accepted. Profile 1 attracted users who were interested in men, and profile 5 attracted users mostly from among the older users. In the Demographic-Based RSE on Badoo, profiles 1 and 2 were the most effective, and profile 5 was actually disabled; 50% of the users sent messages to profiles 2 and 3. Most victims corresponded to the gender and age group of the attack profiles and were single. Profiles 1 and 4 received interest from younger and older users respectively. In the Visitor-Based RSE, 420,000 users visited per attack profile, and a number of them followed up with friend requests and messages.

The inferences derived from these results indicate that attractive female profiles are greatly successful. However, pretexting is essential in order to break the ice between users; on Facebook it is provided by the recommendation system, and on Badoo it is provided through locations. In order to minimize the effects of RSE, networking sites should suggest possible friends only when a strong connection exists between them.
Secondly, users should be suspicious of any profile that only receives friend requests but never sends any, since it may be an attack profile. CAPTCHA is a tool that raises a barrier against incoming threats and should be regularly used by the members of networking sites. The reasons for the existence of fraud and social engineering attacks, and for the immediate failure of existing security mechanisms, should be addressed through collaboration between criminologists, psychologists and economists. The existing framework should be enhanced and improved to meet the demands of the infrastructure, and work toward a better solution to this dilemma should be initiated.

References

Irani, D., Balduzzi, M., Balzarotti, E.K. and Pu, C. Reverse Social Engineering Attacks in Online Social Networks [Research Paper]. PowerPoint slide link: http://www.academia-research.com/filecache/instr/r/e/641870_revsocialeng.pdf
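The two countermeasures from the essay's closing paragraphs (suggest friends only on a strong connection, and treat receive-only profiles as suspect) can be sketched as platform-side checks. This is an added example, not code from the essay or the cited paper. It assumes that "strong connection" means a minimum number of mutual friends; the account names, event data, thresholds and function names are all constructed for illustration.

```python
from collections import Counter

# Constructed sample data: friend-request events as (sender, recipient).
REQUESTS = [
    ("u1", "bait"), ("u2", "bait"), ("u3", "bait"), ("u4", "bait"), ("u5", "bait"),
    ("u1", "u2"), ("u2", "u3"), ("u3", "u1"), ("u4", "u1"), ("u5", "u4"),
    ("u2", "celeb"), ("u3", "celeb"), ("celeb", "u1"),
]

# Constructed, symmetric friendship graph used by the suggestion gate.
FRIENDS = {
    "u1": {"u2", "u3", "u4"},
    "u2": {"u1", "u3"},
    "u3": {"u1", "u2", "u4"},
    "u4": {"u1", "u3", "u5"},
    "u5": {"u4"},
    "bait": set(),  # new account with no established connections
}


def receive_only_accounts(requests, min_inbound=5):
    """Accounts with at least min_inbound incoming requests that never sent one."""
    inbound = Counter(recipient for _, recipient in requests)
    senders = {sender for sender, _ in requests}
    return sorted(
        account for account, count in inbound.items()
        if count >= min_inbound and account not in senders
    )


def may_suggest(friends, user, candidate, min_mutual=2):
    """Allow a suggestion only when user and candidate share enough friends.

    Assumption: mutual-friend count stands in for the "strong connection"
    the essay asks for; a real site could weigh other signals as well.
    """
    if candidate == user or candidate in friends.get(user, set()):
        return False
    mutual = friends.get(user, set()) & friends.get(candidate, set())
    return len(mutual) >= min_mutual


def suggestions(friends, user, min_mutual=2):
    """All candidates the gate would let the site suggest to user."""
    return sorted(c for c in friends if may_suggest(friends, user, c, min_mutual))


if __name__ == "__main__":
    print("receive-only accounts:", receive_only_accounts(REQUESTS))
    print("suggestions for u2:", suggestions(FRIENDS, "u2"))
    # With no mutual-friend requirement the unconnected account is suggested.
    print("ungated:", may_suggest(FRIENDS, "u2", "bait", min_mutual=0))
```

Accounts that also send requests, such as the constructed `celeb`, are not flagged however popular they are, so the flag is a prompt for review rather than a verdict.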