Automating social engineering

Alexandru Catalin Cosoi BitDefender
Daniel Dichiu BitDefender

  download slides (PDF)

Social engineering is the act of manipulating people into performing certain actions or divulging specific confidential information by using social and psychological skills or specific crafted messages rather than by breaking in or using complicated hacking techniques. For maximum success, socially engineered attacks need to satisfy three important attributes: credibility, context and background.

While this phenomenon has existed since the invention of language and the success rate is considerable high, there is also a major drawback that has prevented large-scale usage of this technique. In order to become proficient in all three important aspects related to social engineering, a considerable amount of research is required, and in most cases it can only be done by using 'peopleware'. This approach has proved to be very inefficient so far, as the resources involved surpass by far the return of investment.

However, with the evolution of social networks, the constantly growing smartphone market share and the continuous interest in natural language processing techniques, automating social engineering is no longer science fiction.

With the appropriate tools and the necessary amount of firepower, an attacker can easily convert information from social media or data from your mobile device into complex targeted attacks, and all at minimum cost.

In this paper we will describe how these attacks can be automated, identify the necessary tools and the associated costs implied, along with offering possible solutions to address this problem, based on some eloquent examples of socially engineered attacks discovered in the past months.

We will also present a live demo of how these attacks are generated and the final output when we blend natural language processing techniques with social threats.