Social Engineering

How many people accept being subjected to a social driven vulnerability assessment?

Written by Enrico Frumento, CEFRIEL


At a certain point during the social engineering vulnerability assessment, the penetration tester and the company have to debrief the deceived persons, share the results of the tests and transform the whole experience into a positive one, also delivering an awareness experience to the persons involved. Since the beginning of the field tests we have wanted to understand how many people would accept being “victimized” by an SDVA test, even if it was for good...


Technological evolution towards the future of Social Engineering

Written by Davide Andreoletti, SUPSI and Nathan Weiss, IAI ELTA Systems

The DOGANA project has allowed the participating researchers to reach a deep understanding of the current Social Engineering landscape. As the project approaches its end, we believe it is time to write an article about our expectations regarding the future of this huge field. As an interdisciplinary topic grounded in both computer science and social studies, the evolution of Social Engineering is influenced by many different factors: societal changes, advances in the psychological disciplines and, clearly, the evolution of technologies are some of the key elements that are transforming the way people perform (or, respectively, defend against) a social engineering attack.
In this article, we focus on the latter factor...


Attacks based on the personality

Written by Enrico Frumento, CEFRIEL

The abuse of the human layer of security (i.e. social engineering) is today probably the most used attack strategy and the one that most often decides the success of a cyber-attack. According to the Human Factor Report 2018 by ProofPoint (a leading cybersecurity company), “human vulnerabilities are more dangerous to modern organisations than software flaws”.

Recently a new wave of attack strategies has started to emerge, thanks to the evolution of social engineering 2.0. As published in a recent blog post, among the unique characteristics of social engineering 2.0 one is special: the high automation of advanced social engineering attacks against a large number of victims. This trend makes social engineering 2.0 a modern mass-targeting attack strategy, able at the same time to focus on single victims and mould the attacks to them.


f(human): ENISA’s report on Cyber Security Culture and the human (f)actor

Written by Danaja Fabčič Povše, KU LEUVEN

Social engineering is on the rise, and organisations need to respond to it appropriately. The human is usually the weakest (f)actor in maintaining security, which is why smart hackers target humans, not machines. This blog post examines the new ENISA guidelines on Cyber Security Culture in organisations in the light of the upcoming GDPR and the NIS Directive...

Article originally written for www.law.kuleuven.be.


Estimates of the number of Social Engineering based cyber-attacks into private or government organizations

Written by Enrico Frumento, CEFRIEL

Today, only about 3% of malware tries to exploit an exclusively technical flaw. The other 97% involves targeting users through social engineering (source: KnowBe4), i.e. an approach in which attacks use humans as channels to reach their target: hacking attempts focused on the human vulnerabilities in a system instead of lapses in software or hardware.

This is a growing trend: the “Phishing Activity Trends Report. Unifying the global response to cybercrime”, periodically released by the Anti-Phishing Working Group (APWG)...


What are the limits of an SDVA?

Written by Enrico Frumento, CEFRIEL

Today most companies are increasingly running simulated phishing campaigns to test or train the vulnerability of their human layer of security, in other words, how easily their employees fall for phishing. When the DOGANA project started, two years ago, the market was almost non-existent. Today, instead, we see a growing number of companies offering simulated phishing frameworks, not counting the several companies that run simulated phishing tests on their own, without the help of any framework.
The market for simulated phishing and efficient training for the mitigation of the human layer of security is rapidly growing in the US, because of several big acquisitions.


Social Engineering to the extreme: the Cambridge Analytica case

Written by Davide Andreoletti, SUPSI and Enrico Frumento, CEFRIEL

In our post about Privacy Issues in Social Media, we highlighted how our data-driven world is built on the acceptance of a compromise: the value of services offered over the Internet comes at the price of users’ privacy. In fact, the more is known about users, the higher the quality of the offered services will be. As an example, let us think how valuable a service that suggests the most attended events within a given area can be. The more users make their location available to the service engine, the more attractive and valuable the service itself becomes. Without users agreeing to expose this information, which not a few people consider sensitive, the service inevitably performs poorly.
Online Social Networks have turned out to be revolutionary platforms also because of their role as intermediary between users and third, business-oriented parties. Such entities perform analysis over users’ data in order to run business campaigns and, in exchange, foster the economic growth of the Social Network itself, thus contributing to realizing one of the initial dreams of the Internet pioneers: a digital network where information is freely accessible for the welfare and the economic growth of the entire society...


Protect the weakest link in a cyber-security chain – protect the human

Written by Erik Kamenjasevic, KU LEUVEN

In the context of information security, Social Engineering (SE) is a very old concept referring to the ability to obtain information from human sources. It may be defined as the “psychological manipulation of people into performing actions or divulging confidential information”. SE is used to violate the information security of a company by violating the confidentiality, integrity or availability of its assets. Such violations are carried out through techniques and methods that leverage the natural human tendency to trust other humans, systems or ICT devices. Traditionally, it has been conducted in real-life scenarios or over telephone communication. However, this definition may no longer be adequate nowadays due to the recent developments of social networks and the appearance of new technologies which allow most of the SE steps to be greatly automated against a large number of targets at the same time...

Article originally written for www.law.kuleuven.be.


Awareness through play: DOGANA cards game

Written by Cyrille Martins, THALES

Advanced persistent threats (APT) usually start with a compromise phase, to penetrate a target organization’s network and gain a foothold in the environment. This phase targets the organization’s individuals, making use of social engineering skills to exploit human vulnerability, gain people’s trust, and learn the best way to hit the organization. But while everybody can be a potential breach point for an attacker, not everybody can be a cybersecurity expert. So, how can we make people aware of this kind of attack and of the criticality of the slightest information they disclose, in a way that will entertain them and that they will remember?

The latest evolution of URL-less phishing attacks through rendezvous algorithms

Written by Enrico Frumento, CEFRIEL

The traditional concept of phishing that most people have, even among IT security workers, is an email with some deceptive text or, in general, a hook, which contains a URL to which the innocent user is driven. Wherever the text is (in the email body or in an attachment), the threat model is the same: there is a component of the email (i.e., the body or the attachment) that leads to a malicious URL.
Most anti-phishing defence instruments are built around this paradigm. The systems that inspect the body of emails, or the URL filtering instruments integrated into email clients, are deeply tied to this model of phishing...

This project has received funding from the European Union’s Horizon 2020 Research and Innovation programme, under grant agreement No. 653618

PHISHING WARS
The DOGANA phishing videogame


DOGANA CARDS GAME
Phishing: awareness through play


Contraband pixels and texts
Read all about our literary-graphic competition on phishing and social engineering

All the pictures and novels