Reverse Social Engineering
I041 Shubham Rai, I046 Mrigank Sharma, MBATECH IT, Mukesh Patel School of Technology
Management and Engineering, NMIMS (Deemed-to-be) University, Mumbai
shubham.rai0703@gmail.com, mriganksharma03.22@gmail.com
Abstract— In this era of extensive connectivity through the internet, information about every human is freely available in the form of mere
data packets. Although this development brings huge advantages with it, it also carries its fair share of disadvantages and
threats. One of these threats is Reverse Social Engineering (RSE). RSE is a relatively new form of cyber-attack that is essentially
based on exploiting human psychology to gain unauthorized information. The RSE attack is a successor to social engineering attacks
and proves to be more effective than its predecessor. Moreover, the development of a large number of social networking websites and
applications has opened a broad spectrum of opportunities for attackers using RSE. This document discusses the development of
RSE attacks and the ways in which these attacks are used to gain information from unsuspecting users on social networking sites.
This document also discusses the countermeasures that can be taken against RSE attacks.
I. INTRODUCTION
In recent years, data/information has become the most valuable commodity on earth, surpassing oil in value. Coupled
with the extensive amount of data that is available on the World Wide Web, this makes the internet a honeypot for cyber-attacks.
Social networking sites, especially, have become the new go-to for attackers hoping to acquire unauthorized data. But
with the increasing development of such websites, the security on these websites has also become tighter. Thus traditional
attacks such as phishing, robot attacks, etc. are proving to be more and more ineffective. This led attackers to try a different
approach, namely Social Engineering (discussed further in the document). Social Engineering proved to be effective, but as
the number of such attacks increased, users became more and more cautious about them, which led to its downfall.
This downfall in turn led to the development of a new spectrum of attack called Reverse Social Engineering attacks.
The basic aim of a Reverse Social Engineering attack is to get the potential victim to approach the attacker, rather than the
other way around; this makes the victims lower their guard, thus resulting in higher success rates. What makes Reverse
Social Engineering attacks easier to implement is the fact that social networking sites allow users to look for new friends
that they may already know or would like to know. For example, Facebook suggests user profiles to other users based on the number of
mutual friends they have in common. Moreover, these social networking sites gather and analyze information about their users'
behavior, likes/dislikes, etc. to provide better user recommendations. Thus, by creating appropriate attack profiles, Reverse
Social Engineering helps attackers gain the trust of a large number of users and carry out a wide range of attacks such as
identity theft, blackmailing, persuading the victims to click on malicious links, etc. This document discusses three types of
Reverse Social Engineering attacks, namely recommendation-based, visitor-based and demographic-based attacks [1].
The effectiveness of these attacks and countermeasures against them are also discussed, based on experiments carried out on
social networking sites like Badoo, Facebook and Friendster [1].
II. SOCIAL ENGINEERING
Learning about the development of Reverse Social Engineering is important to understand its effectiveness and efficiency in
the real world. Reverse Social Engineering is similar to Social Engineering, with the exception that in Social Engineering the
attacker approaches the victim. Most online social engineering attacks rely on some form of "pretexting" [2]. That is, the
attacker establishes contact with the target and sends some initial request to bootstrap the attack. This approach, although
effective because it can reach a large number of potential victims, has the downside that Internet users are becoming more and
more suspicious about unsolicited contact requests.
calculated based on common factors like mutual friends, schools, work, etc. Apart from these attributes, [4] has shown that
Facebook also uses the e-mail address queried by a user to identify a possible connection between two users. Therefore, if an
attacker gains access to the e-mail address of a victim (e.g., a spammer who has a list of e-mails), by searching for that address
they can have a fake attacker profile recommended to the victim. In [1], previously collected data was used, and a large
number of e-mail search queries were performed from a single test account. As a result, the test account received thousands of
messages and friend requests. The number of requests increased rapidly as a consequence of the cascading effect that
commenced when the test account started accepting the incoming invitations. The fact that the account had a large number of
friends built up the "reputation" of the profile. In addition, the account started being advertised by Facebook to new people with
whom the profile shared common friends.
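The abuse described above is visible to the platform before any victim is contacted: one account performs an unusually large number of distinct e-mail lookups in a short time, something a person searching for a few acquaintances never does. The following detector is an added example written for this document; it is not code from [1] or from any social network, and the log format, account names, threshold and window are all assumptions made for the example. It parses constructed lookup-log lines, computes for each account the largest number of distinct addresses queried within any one-hour window (a two-pointer sweep over time-sorted events), and flags accounts above a threshold together with their hit rate, i.e. how many queried addresses belonged to registered users.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, one lookup per line:
# "<ISO timestamp> <account> <queried e-mail> <hit|miss>"
# hit  = the address belongs to a registered user, so the platform could now
#        suggest the searching account to that user as a "person you may know"
# miss = no user with that address
_NORMAL = [
    "2011-03-01T10:00:01 acct_001 alice@example.org hit",
    "2011-03-01T10:00:05 acct_001 bob@example.org miss",
    "2011-03-01T10:01:10 acct_001 carol@example.org hit",
    "2011-03-01T11:30:00 acct_002 dave@example.org hit",
]
# One account querying 300 distinct addresses within ten minutes, as an attacker
# holding a purchased address list would (constructed to mirror the experiment).
_BULK = [
    f"2011-03-01T12:{i // 30:02d}:{i % 30 * 2:02d} acct_777 user{i}@example.net "
    f"{'hit' if i % 4 else 'miss'}"
    for i in range(300)
]
SAMPLE_LOG = _NORMAL + _BULK


def parse_line(line):
    """Split one log line into a record; e-mail is normalised to lower case."""
    ts, account, email, outcome = line.split()
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "email": email.lower(), "hit": outcome == "hit"}


def max_distinct_in_window(events, window):
    """Largest number of distinct addresses queried within any single interval
    of length `window`, found with a two-pointer sweep over time-sorted events."""
    events = sorted(events, key=lambda e: e["ts"])
    in_window = defaultdict(int)   # e-mail -> number of occurrences inside the window
    best = 0
    left = 0
    for right, ev in enumerate(events):
        in_window[ev["email"]] += 1
        # Slide the left edge forward until the window is at most `window` long.
        while ev["ts"] - events[left]["ts"] > window:
            old = events[left]["email"]
            in_window[old] -= 1
            if in_window[old] == 0:
                del in_window[old]
            left += 1
        best = max(best, len(in_window))
    return best


def flag_bulk_lookups(lines, window=timedelta(hours=1), max_distinct=50):
    """Return {account: metrics} for every account whose distinct-address count
    in some `window` exceeds `max_distinct` (threshold is an assumed value)."""
    by_account = defaultdict(list)
    for rec in map(parse_line, lines):
        by_account[rec["account"]].append(rec)

    flagged = {}
    for account, evs in by_account.items():
        distinct = max_distinct_in_window(evs, window)
        if distinct > max_distinct:
            hits = sum(e["hit"] for e in evs)
            flagged[account] = {
                "distinct_in_window": distinct,
                "total": len(evs),
                "hit_rate": round(hits / len(evs), 2),
            }
    return flagged


if __name__ == "__main__":
    for account, metrics in flag_bulk_lookups(SAMPLE_LOG).items():
        print(account, metrics)
```

Once an account is flagged, the corresponding platform-side mitigation follows directly from the mechanism in the text: stop feeding that account's e-mail lookups into the friend-recommendation signal (so the attack profile is no longer suggested to the people whose addresses it searched), rate-limit further lookups, and review the account before its pending requests cascade.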
B. RSE Using Attack Profiles.
In [1], to carry out the RSE attacks using attack profiles, five attack profiles were created on each of the three platforms.
Each attack profile had different attributes in order to compare which profile characteristics are the most effective. For the
profile pictures, popular pictures from Wikipedia were used. All photos represented an attractive male or female, with the
exception of Profile 5, for which a synthetic cartoon picture was used. The following table shows the characteristics of each of
the five profiles:
Attribute          Profile 1   Profile 2   Profile 3   Profile 4   Profile 5
-----------------  ----------  ----------  ----------  ----------  ----------
Age                23          23          23          34          23
Sex                Male        Female      Female      Female      Female
Location           New York    New York    Paris       New York    New York
Synthetic Picture  No          No          No          No          Yes
In the second set of the experiment, to implement the recommendation-based RSE attack on Facebook, an API was used to
accept friend requests on Facebook, fetch user profiles, and fetch any private messages that may have been sent to the
attack profiles.
To carry out the demographic-based RSE attack on Badoo, the attack profiles were created and the incoming connections were
monitored. All messages sent to the attack profiles were recorded; information regarding which users visited the attack
profiles was also recorded.
The visitor-tracking-based RSE attack was carried out on Friendster. Here, the target user's profile was first visited, as a
result of which the system showed the victim that someone had visited their profile. If the attacker profile is interesting, the
victim may choose to contact the attacker. Hence, in a second step, the visits and the incoming messages to the attack profiles
were monitored to determine which of the victims came back and initiated contact.
V. EXPERIMENTAL RESULTS
The messages, profile visits, friend requests and other interactions that occurred with the attack profiles were analyzed in [1]
to determine the most effective attack profiles.
A. For Recommendation Based RSE Attack.
Profiles 2 and 3 were the most successful in terms of the number of friend requests and messages that were received. Both
profiles correspond to attractive females who are interested in friendship. Note that there was no correlation with the location of
the attack profile (i.e., the location did not influence friend requests). Hence, an initial analysis seems to confirm the general
intuition that an attractive female photograph will attract potential victims. In contrast to the other profiles, Profile 5 was the
least effective. In this profile, a cartoon character was used as a photograph rather than a real picture. In comparison, Profile 1
performed only slightly better than Profile 5. This profile contained the photograph of an attractive male.
VI. CONCLUSION
A conclusion section reviews the main points of the topic; it does not replicate the abstract as the conclusion. A conclusion might
REFERENCES
[1] Danesh Irani, Marco Balduzzi, Davide Balzarotti, Engin Kirda, Calton Pu, "Reverse Social Engineering Attacks in Online Social Networks". In the 8th
International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, Amsterdam, Netherlands, July 07-08, 2011, pages 55-74.
[2] Mitnick, K., Simon, W. L., and Wozniak, S. The Art of Deception: Controlling the Human Element of Security. Wiley, 2002.
[3] Facebook Statistics. http://www.facebook.com/press/info.php?statistics, 2010.
[4] Balduzzi, M., Platzer, C., Holz, T., Kirda, E., Balzarotti, D., and Kruegel, C. Abusing Social Networks for Automated User Profiling. In Recent Advances in
Intrusion Detection (2010), Springer, pp. 422-441.