Automating social engineering presented at Virus Bulletin 2011

by Alexandru Catalin Cosoi (Bitdefender)


Summary: "Social engineering is the act of manipulating people into performing certain actions or divulging specific confidential
information by using social and psychological skills or specific crafted messages rather than by breaking in or using
complicated hacking techniques. For maximum success, socially engineered attacks need to satisfy three important attributes:
credibility, context and background.

While this phenomenon has existed since the invention of language and the success rate is considerably high, there is also
a major drawback that has prevented large-scale usage of this technique. In order to become proficient in all three
important aspects related to social engineering, a considerable amount of research is required, and in most cases it can
only be done by using 'peopleware'. This approach has proved to be very inefficient so far, as the resources involved
surpass by far the return on investment.

However, with the evolution of social networks, the constantly growing smartphone market share and the continuous
interest in natural language processing techniques, automating social engineering is no longer science fiction.

With the appropriate tools and the necessary amount of firepower, an attacker can easily convert information from social
media or data from your mobile device into complex targeted attacks, and all at minimum cost.

In this paper we will describe how these attacks can be automated, identify the necessary tools and the associated costs
implied, along with offering possible solutions to address this problem, based on some eloquent examples of socially
engineered attacks discovered in the past months.

We will also present a live demo of how these attacks are generated and the final output when we blend natural
language processing techniques with social threats."