DOGANA vs. Blackhat 2016: How hot was the SE topic this year?

Written by Nelson Escravana, INOV


During last August’s BlackHat conference, social engineering was undoubtedly one of the hot topics around. Let’s see how the results presented at this venue align with the approach being designed and used on the DOGANA project.

One of the talks we found particularly interesting was by Zinaida Benenson [1], who approached the topic by voicing her concerns about the adequacy and effectiveness of security awareness training as a strategy for addressing the SE problem as a whole, and by sharing the results of two studies (2013 and 2014) on “pentesting” the human. These are, in fact, some of the conclusions that have also arisen from DOGANA so far.

Her research questions essentially addressed the differences in click rates between email and Facebook attacks, and the reasons behind the user’s decision to click or not.

The first study targeted about 400 people and consisted of sharing a private picture while asking the potential victim not to share it; the second targeted about 1200 potential victims by sharing party pictures. Both studies were followed by a survey, with interesting results regarding the factors that influenced clicking or not. It is also quite interesting that 85% of the respondents considered that such studies should be carried out again in the future. There are, however, some gaps to be filled on the legal side, namely how these studies were conducted while still complying with Facebook’s terms of service.

In a separate briefing, Elie Bursztein [2] described a different type of SE attack, based on the creation of malicious USB keys that exploit approaches such as:

  • Pure SE attack – simply tricking the victim into executing the malware;
  • Human Interface Device attack – emulating a keyboard to inject specific commands into the victim’s computer.

Besides describing how this type of attack is set up, the author presents the results of a study in which 276 malicious USB keys were dropped, about half of which successfully phoned home.

Although dropping USB keys is not currently being explored within the DOGANA project, the SE aspects are the same, only with a different delivery vector, which should in fact make us consider how this vector could fit into the DOGANA Framework.

Phone calls are one of the oldest technological SE attack vectors, so it comes as no surprise that two of the BlackHat briefings addressed the topic. [3] described how a telephony honeypot tracked a huge number of robocalls and voice phishing calls, and also presented a methodology for fingerprinting bad actors hiding behind multiple phone numbers. Judith Tabron [4] later showed how linguistic forensics can identify phone scammers by the type of sentences used in popular phone scams such as the IRS scam. Although DOGANA is focused on social-driven vulnerability assessment (SDVA), both talks offer interesting clues that can help us automate SDVA efficiently.

A blunt approach to training and to awarding administrative privileges is proposed in [5]. It addresses the limited effectiveness of training in mitigating spear-phishing threats by proposing an employee Cyber Risk Index (CRI) based on people’s perception of online safety and on their habits. This CRI would then be used to decide who gets trained and with what type of training, and also to build a behaviour-based admin authorisation system. Such a risk-based approach is common in US culture, which makes it unclear how it would be accepted in our EU context, but it surely deserves a closer look from the legal and ethical perspective.

Finally, [6] presents SNAP_R, a Twitter bot that uses a neural network trained on spear-phishing pentesting data. Seeded with topics extracted from the timeline posts of both the target and the users they retweet or follow, it learns to tweet phishing posts targeting specific users. With a test population of 90 users and a success rate between 30% and 60%, it shows that there are great results ahead for fully automated phishing attacks.

References:

[1] Zinaida Benenson, ‘Exploiting Curiosity and Context: How to Make People Click on a Dangerous Link Despite Their Security Awareness’, presented at Blackhat, Las Vegas, US, Aug. 2016.

[2] Elie Bursztein, ‘Does Dropping USB Drives Really Work?’, presented at Blackhat, Las Vegas, US, Aug. 2016.

[3] Aude Marzuoli, Hassan A. Kingravi, David Dewey, Aaron Dallas, Terry Nelms, Robert Pienta, and Telvis Calhoun, ‘Call Me: Gathering Threat Intelligence on Telephony Scams to Detect Fraud’, presented at Blackhat, Las Vegas, US, Aug. 2016.

[4] Judith Tabron, ‘Language Properties of Phone Scammers: Cyberdefense at the Level of the Human’, presented at Blackhat, Las Vegas, US, Aug. 2016.

[5] Arun Vishwanath, ‘Blunting the Phisher’s Spear: A Risk-Based Approach for Defining User Training and Awarding Administrative Privileges’, presented at Blackhat, Las Vegas, US, Aug. 2016.

[6] John Seymour and Philip Tully, ‘Weaponizing Data Science for Social Engineering: Automated E2E Spear Phishing on Twitter’, presented at Blackhat, Las Vegas, US, Aug. 2016.

This project has received funding from the European Union’s Horizon 2020 Research and Innovation programme, under grant agreement No. 653618
