survey

A Taxonomy of Attacks and a Survey of Defence Mechanisms for Semantic Social Engineering Attacks

Published: 09 December 2015

Abstract

Social engineering is used as an umbrella term for a broad spectrum of computer exploitations that employ a variety of attack vectors and strategies to psychologically manipulate a user. Semantic attacks are the subset of social engineering attacks that bypass technical defences by manipulating the characteristics of the objects a user interacts with, such as platform or system applications, so as to deceive the user rather than attack the system directly. Commonly observed examples include obfuscated URLs, phishing emails, drive-by downloads, spoofed websites and scareware. This article presents a taxonomy of semantic attacks, as well as a survey of applicable defences. By contrasting the threat landscape and the associated mitigation techniques in a single comparative matrix, we identify the areas where further research can be particularly beneficial.
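Several of the URL obfuscation tricks the abstract groups under "obfuscated URLs" and "spoofed websites" (a brand name pushed into a subdomain or path, credentials placed before the real host, numeric or hex hosts, typosquats, IDN homographs) can be flagged mechanically. The script below is an added example written for this page, not code from the survey or its authors; the protected brand, the allow-list of legitimate domains, the sample URLs and the two-label "registered domain" heuristic are illustrative assumptions.

```python
"""Heuristic detector for common URL deception patterns (added example).

Assumptions (not from the survey): one protected brand, a tiny allow-list,
and a last-two-labels approximation of the registered domain; a real
deployment would use the Public Suffix List and a fuller brand set.
"""
import ipaddress
import re
import unicodedata
from urllib.parse import urlsplit, unquote

PROTECTED_BRANDS = {"paypal"}          # illustrative assumption
LEGIT_DOMAINS = {"paypal.com"}         # illustrative assumption

# Constructed homograph sample: Latin "p" + Cyrillic "\u0430" + "ypal".
HOMOGRAPH_URL = "http://" + "p\u0430ypal.com".encode("idna").decode("ascii") + "/"


def registered_domain(host):
    """Crude eTLD+1: last two labels (assumption; use the PSL in practice)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def levenshtein(a, b):
    """Edit distance, used to spot one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def scripts_in(label):
    """Set of Unicode script names (LATIN, CYRILLIC, ...) of the letters in a label."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def analyse_url(url):
    """Return a sorted list of deception indicators found in `url` ([] if none)."""
    findings = set()
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")

    # user:pass@host trick: the part before '@' is what a victim reads as the site.
    if parts.username is not None:
        findings.add("userinfo-in-authority")

    is_ip = False
    try:
        ipaddress.ip_address(host)
        is_ip = True
        findings.add("ip-literal-host")
    except ValueError:
        if re.fullmatch(r"0x[0-9a-f]+|\d+", host):   # e.g. http://0x7f000001/
            findings.add("numeric-host")

    # Decode punycode labels and look for mixed-script (homograph) labels.
    decoded = []
    for label in host.split("."):
        if label.startswith("xn--"):
            findings.add("punycode-label")
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass
        if len(scripts_in(label)) > 1:
            findings.add("mixed-script-label")
        decoded.append(label)
    decoded_host = ".".join(decoded)

    reg = decoded_host if is_ip else registered_domain(decoded_host)
    sld = reg.split(".")[0]
    path = unquote(parts.path).lower()

    if reg not in LEGIT_DOMAINS:
        for brand in sorted(PROTECTED_BRANDS):
            if brand in decoded_host:          # paypal.com.evil.example
                findings.add("brand-outside-domain:" + brand)
            elif brand in path:                # evil.example/paypal.com/login
                findings.add("brand-in-path:" + brand)
            if sld != brand and levenshtein(sld, brand) == 1:
                findings.add("typosquat:%s~%s" % (reg, brand))
    return sorted(findings)


# Constructed sample URLs for demonstration (RFC 2606 ".example" for attackers).
SAMPLE_URLS = [
    "https://www.paypal.com/signin",
    "http://www.paypal.com@login-check.example/verify",
    "http://paypal.com.secure-login.example/verify",
    "http://update-now.example/paypal.com/signin",
    "http://paypa1.com/signin",
    "http://0x7f000001/admin",
    "http://192.168.0.10/paypal/login",
    HOMOGRAPH_URL,
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, "->", analyse_url(u) or "clean")
```

Each indicator is a signal, not a verdict: legitimate brands do serve from CDN hosts and raw IPs, so in practice such findings should drive a user-facing warning or a reputation lookup rather than a block, which is the kind of defence the survey's comparative matrix is concerned with.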

  136. K. Nohl and J. Lehl. 2014. BadUSBOn accessories that turn evil. In Black Hat USA.Google ScholarGoogle Scholar
  137. H. Orman. 2009. The compleat story of phish. IEEE Internet Computing 17, 1, 87--91. Google ScholarGoogle ScholarDigital LibraryDigital Library
  138. Qubes OS. 2015. Qubes OS Project. Retrieved from https://www.qubes-os.org/.Google ScholarGoogle Scholar
  139. A. Acquisti, L. F. Cranor, J. Hong, P. Kumaraguru, Y. Rhee, and E. Nunge. 2007. Protecting people from phishing: The design and evaluation of an embedded training email system. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. ACM. Google ScholarGoogle ScholarDigital LibraryDigital Library
  140. Pierluigi Paganini. 2014. Phishing goes mobile with cloned banking app into Google Play. Retrieved from http://securityaffairs.co/wordpress/26134/cyber-crime/phishing-goes-mobile-cloned-banking-app-google-play.html.Google ScholarGoogle Scholar
  141. R. T. Peltier. 2013. Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management. CRC Press.Google ScholarGoogle Scholar
  142. D. S. Peterson, M. Bishop, and R. Pandey. 2002. A flexible containment mechanism for executing untrusted code. In Proceedings of the 11th USENIX Security Symposium. IEEE, 207--225. Google ScholarGoogle ScholarDigital LibraryDigital Library
  143. L. Phifer. 2000. Top Ten Wi-Fi Security Threats. Retrieved from http://www.esecurityplanet.com/views/article.php/3869221/Top-Ten-WiFi-Security-Threats.htm.Google ScholarGoogle Scholar
  144. A. Podhradsky, R. DOvidio, P. Engebretson, and C. Casey. 2013. Xbox 360 hoaxes, social engineering, and gamertag exploits. In Proceedings of the 2013 46th Hawaii International Conference on System Sciences (HICSS’13). IEEE, 3239--3250. Google ScholarGoogle ScholarDigital LibraryDigital Library
  145. BufferZone Pro. 2014. BufferZone-Pro. Retrieved from http://www.trustware.com/BufferZone-Pro/.Google ScholarGoogle Scholar
  146. N. Provos, M. A. Rajab, and P. Mavrommatis. 2009. Cybercrime 2.0: When the cloud turns dark. Communications of the ACM 52, 4, 42--47. Google ScholarGoogle ScholarDigital LibraryDigital Library
  147. A. Raskin. 2011. Tabnabbing: A new type of phishing attack. Retrieved from http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/.Google ScholarGoogle Scholar
  148. V. Raskin, J. M. Taylor, and C. F. Hempelmann. 2010. Ontological semantic technology for detecting insider threat and social engineering. In Proceedings of the 2010 Workshop on New Security Paradigms. ACM. Google ScholarGoogle ScholarDigital LibraryDigital Library
  149. G. W. Romney, J. K. Jones, B. L. Rogers, and P. MacCabe. 2005. IT security education is enhanced by analyzing Honeynet data. In Proceedings of the 6th International Conference on Information Technology Based Higher Education and Training (ITHET’05). IEEE.Google ScholarGoogle Scholar
  150. I. Rouf, R. Miller, H. Mustafa, T. Taylor, S. Oh, W. Xu, M. Gruteser, W. Trappe, and I. Seskar. 2010. Security and privacy vulnerabilities of in-car wireless networks: A tire pressure monitoring system case study. In Proceedings of the 19th USENIX Security Symposium. Google ScholarGoogle ScholarDigital LibraryDigital Library
  151. RSA. 2012. Lions at the Watering Hole the VOHO Affair. Retrieved from https://blogs.rsa.com/lions-at-the-watering-hole-the-voho-affair/.Google ScholarGoogle Scholar
  152. M. Ruskov, P. Ekblom, and M. A. Sasse. 2014. Towards a simulation of information security behaviour in organisations. In Cyberpatterns. Springer International Publishing, 177--184.Google ScholarGoogle Scholar
  153. M. B. Salem and S. J. Stolfo. 2011. Modeling user search behavior for masquerade detection. In Recent Advances in Intrusion Detection. Springer Berlin Heidelberg. Google ScholarGoogle ScholarDigital LibraryDigital Library
  154. H. Sandouka, A. J. Cullen, and I. Mann. 2009. Social engineering detection using neural networks. In Proceedings of the International Conference on CyberWorlds (CW’09). IEEE, 273--278. Google ScholarGoogle ScholarDigital LibraryDigital Library
  155. G. Schaff, C. Harpes, R. Martin, and M. Junger. 2013. An Application to Estimate the Cyber-risk Detection Skill of Mobile Device Users (IDEA). Retrieved from http://doc.utwente.nl/87117/1/SCHAFF_itrust-scientific_article_GSC_(3).pdf.Google ScholarGoogle Scholar
  156. S. E. Schechter, R. Dhamija, A. Ozment, and I. Fischer. 2007. The emperor’s new security indicators. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE, 51--65. Google ScholarGoogle ScholarDigital LibraryDigital Library
  157. B. Schneier. 2000. Inside risks: Semantic network attacks. Communications of the ACM 43, 12, 168. Google ScholarGoogle ScholarDigital LibraryDigital Library
  158. B. Schneier. 2011. Secrets and Lies: Digital Security in a Networked World. Wiley.Google ScholarGoogle ScholarDigital LibraryDigital Library
  159. C. Seifert, J. W. Stokes, C. Colcernian, J. C. Platt, and L. Lu. 2013. Robust scareware image detection. In 2013 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP). IEEE, 2920--2924.Google ScholarGoogle Scholar
  160. K. Selvaraj and N. F. Gutierrez. 2010. The rise of PDF malware. Symantec Security Response. (2010).Google ScholarGoogle Scholar
  161. SensePost. 2014. Snoopy. Retrieved from https://github.com/sensepost/Snoopy.Google ScholarGoogle Scholar
  162. V. Sharma. 2011. An analytical survey of recent worm attacks. In IJCSNS(11), Vol. 11, 99--103.Google ScholarGoogle Scholar
  163. S. Sheng, M. Holbrook, P. Kumaraguru, L. F. Cranor, and J. Downs. 2010. Who falls for phish?: A demographic analysis of phishing susceptibility and effectiveness of interventions. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. ACM, 373--382. Google ScholarGoogle ScholarDigital LibraryDigital Library
  164. S. Sheng, B. Magnien, P. Kumaraguru, A. Acquisti L. F. Cranor, J. Hong, and E. Nunge. 2007. Anti-phishing phil: The design and evaluation of a game that teaches people not to fall for phish. In Proceedings of the 3rd Symposium on Usable Privacy and Security. ACM, 88--99. Google ScholarGoogle ScholarDigital LibraryDigital Library
  165. S. Shin, J. Jung, and H. Balakrishnan. 2006. Malware prevalence in the KaZaA file-sharing network. In Proceedings of the 6th ACM SIGCOMM Conference on Internet Measurement. ACM. Google ScholarGoogle ScholarDigital LibraryDigital Library
  166. P. Singhal and N. Raul. 2012. Malware detection module using machine learning algorithms to assist in centralized security in enterprise networks. International Journal of Network Security Its Applications 4, 1, 6 pages.Google ScholarGoogle ScholarCross RefCross Ref
  167. SocialEngineer. 2013. The Power of the Uniform in Social Engineering. Naked Security. Retrieved June 22, 2013 from https://www.social-engineer.com/the-power-of-the-uniform-in-social-engineering/.Google ScholarGoogle Scholar
  168. Y. Song, C. Yang, and G. Gu. 2010. Who is peeping at your passwords at Starbucks? To catch an evil twin access point. In Proceedings of the 2010 IEEE/IFIP International Conference on Dependable Systems and Networks (DSN’10). IEEE, 323--332.Google ScholarGoogle Scholar
  169. A. Sood and R. Enbody. 2014. Targeted Cyber Attacks: Multi-staged Attacks Driven by Exploits and Malware. Syngress. Google ScholarGoogle ScholarDigital LibraryDigital Library
  170. K. E. Stewart, J. W. Humphries, and T. R. Andel. 2009. Developing a virtualization platform for courses in networking, systems administration and cyber security education. In Proceedings of the 2009 Spring Simulation Multiconference. Society for Computer Simulation International. Google ScholarGoogle ScholarDigital LibraryDigital Library
  171. G. Stringhini, C. Kruegel, and G. Vigna. 2013. Shady paths: Leveraging surfing crowds to detect malicious web pages. In Proceedings of the 2013 ACM SIGSAC conference on Computer and communications security. ACM, 133--144. Google ScholarGoogle ScholarDigital LibraryDigital Library
  172. G. Stringhini and O. Thonnard. 2015. That Aint You: Blocking spearphishing through behavioral modelling. In Detection of Intrusions and Malware, and Vulnerability Assessment. Springer, 78--97.Google ScholarGoogle Scholar
  173. D. Sullivan. 2008. What Is Search Engine Spam? The Video Edition, url =. (2008).Google ScholarGoogle Scholar
  174. Symantec. 2014. Trojan.Ransomcrypt.I. (2014). http://www.symantec.com/security_response/writeup.jsp?docid=2014-051514-5659-99Google ScholarGoogle Scholar
  175. J. Szurdi, B. Kocso, G. Cseh, J. Spring, M. Felegyhazi, and C. Kanich. 2014. The long tail of typosquatting domain names. In Proceedings of the 23rd USENIX Security Symposium (USENIX Security 14). USENIX, 191--206. Google ScholarGoogle ScholarDigital LibraryDigital Library
  176. M. Tavallaee, N. Stakhanova, and A. A. Ghorbani. 2010. Toward credible evaluation of anomaly-based intrusion-detection methods. In IEEE Transactions on Systems, Man, and Cybernetics, Part C: Applications and Reviews 40, 5, 516--524. Google ScholarGoogle ScholarDigital LibraryDigital Library
  177. P. Tetri and J. Vuorinen. 2013. Dissecting social engineering. Behaviour and Information Technology 32, 10, 1014--1023. Google ScholarGoogle ScholarDigital LibraryDigital Library
  178. K. Thomas, C. Grier, J. Ma, V. Paxson, and D. Song. 2011. Design and evaluation of a real-time URL spam filtering service. In Proceedings of the IEEE Symposium on Security and Privacy (SP’11). IEEE, 447--462. Google ScholarGoogle ScholarDigital LibraryDigital Library
  179. P. Thompson. 2007. Deception as a semantic attack. Chapman and Hall/CRC, Chapter 2.2, 125--144.Google ScholarGoogle Scholar
  180. TrendMicro. 2014. Malaysia Airlines Flight 370 News Used To Spread Online Threats. Retrieved from http://blog.trendmicro.com/trendlabs-security-intelligence/malaysia-airlines-flight-370-news-used-to-spread-online-threats/.Google ScholarGoogle Scholar
  181. B. Turner, D. Lundell, J. Zamora, and C. Calderon. 2010. Microsoft Forefront Identity Manager 2010 Technical Overview. Technical Report. Retrieved from http://download.microsoft.com/download/0/8/4/0846D14C-B2D5-4BEA-9061-311BBF5BB76B/FIM&precnt;202010&precnt;20Technical&precnt;20Overview.docx.Google ScholarGoogle Scholar
  182. US-CERT. 2015. Lenovo Computers Vulnerable to HTTPS Spoofing. Retrieved from https://www.us-cert.gov/ncas/current-activity/2015/02/20/Lenovo-Computers-Vulnerable-HTTPS-Spoofing.Google ScholarGoogle Scholar
  183. I. Burke, W. A. Labuschagne, N. Veerasamy, and M. M. Eloff. 2011. Design of cyber security awareness game utilizing a social media framework. In Information Security South Africa (ISSA). IEEE.Google ScholarGoogle Scholar
  184. Webroot. 2013. Webroot Real-Time Anti-Phishing Service. Retrieved from http://www.webroot.com/shared/pdf/WAP-Anti-Phishing-102013.pdf.Google ScholarGoogle Scholar
  185. G. Xiang, J. Hong, C. P. Rose, and L. Cranor. 2011. CANTINA+: A feature-rich machine learning framework for detecting phishing web sites. ACM Transactions on Information and System Security (TISSEC) 14, 2, Article 21. Google ScholarGoogle ScholarDigital LibraryDigital Library
  186. H. Xiao and B. Zhao. 2013. Analysis on sandbox technology of adobe reader X. In Proceedings of the 5th International Conference on Computational and Information Sciences (ICCIS’13). IEEE. Google ScholarGoogle ScholarDigital LibraryDigital Library
  187. K. P. Yee. 2005. Guidelines and Strategies for Secure Interaction Design. Chapter 13, 247--273. Retrieved from http://sid.toolness.org/ch13yee.pdf.Google ScholarGoogle Scholar

    Reviews

    Eduardo B. Fernandez

    Social engineering attacks include a large variety of ways to manipulate and deceive users. A specific type is semantic attacks that deceive rather than directly attack a user. We find here a taxonomy and description of semantic attacks indicating possible defenses. The taxonomy is based on analyzing how an attack handles the three distinct stages of an attack: orchestration, exploitation, and execution. These are well-chosen subgroups that provide a clear picture about the nature of the attacks and allow grouping of all the known attacks of this type. A more general (in scope) threat classification uses threat patterns providing detailed descriptions of how the attacks reach their goals, and it is complementary to the one given here. Four examples illustrate the classification, followed by a table describing 30 attacks that have been found on the web. This is followed by a discussion of defense mechanisms, consisting of organizational and technical aspects. An attack and defense matrix summarizes this information, providing a mapping of defenses against semantic attacks. The paper ends with a section indicating open problems. Overall, this is a very useful paper that provides a clear perspective of what we know about semantic attacks and what we need to study further. Because semantic attacks have many aspects in common with other types of attacks, this paper is highly recommended for anybody doing research on security threats as well as for architects and developers who have to build or evaluate secure systems. Online Computing Reviews Service


    • Published in

      ACM Computing Surveys  Volume 48, Issue 3
      February 2016
      619 pages
      ISSN:0360-0300
      EISSN:1557-7341
      DOI:10.1145/2856149
      • Editor: Sartaj Sahni

      Copyright © 2015 ACM

      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Publication History

      • Published: 9 December 2015
      • Revised: 1 September 2015
      • Accepted: 1 September 2015
      • Received: 1 September 2014

      Qualifiers

      • survey
      • Research
      • Refereed
