Reverse Social Engineering
I041 Shubham Rai, I046 Mrigank Sharma, MBATECH IT, Mukesh Patel School of Technology
Management and Engineering, NMIMS (Deemed-to-be) University, Mumbai
shubham.rai0703@gmail.com, mriganksharma03.22@gmail.com

Abstract— In this era of extensive connectivity through the internet, information about every human is freely available in the form of mere
data packets. Although this development brings huge advantages with it, it also carries its fair share of disadvantages and
threats. One of these threats is Reverse Social Engineering (RSE). RSE is a relatively new form of cyber-attack that is essentially
based on exploiting human psychology to gain unauthorized information. The RSE attack is a successor to social engineering attacks
and proves to be more effective than its predecessor. Moreover, the development of a large number of social networking websites and
applications has opened a broad spectrum of opportunities for attackers using RSE. This document discusses the development of
RSE attacks and the ways in which these attacks are used to gain information from unsuspecting users on social networking sites.
This document also discusses the countermeasures that can be taken against RSE attacks.

Index Terms— Attack Profiles, Direct/Mediated, Social Engineering, Targeted/Untargeted

I. INTRODUCTION
In recent years, data has become the most valuable commodity on earth, surpassing oil in value. Coupled with the extensive
amount of data that is available on the World Wide Web, this makes the internet a honeypot for cyber-attacks. Social networking
sites, especially, have become the new go-to for attackers hoping to acquire unauthorized data. But with the increasing
development of such websites, their security has also become tighter. Thus traditional attacks such as phishing, robot attacks,
etc. are proving to be more and more ineffective. This led attackers to try a different approach, such as Social Engineering
(discussed further in this document). Social Engineering proved to be effective, but as the number of such attacks increased,
users became more and more cautious of these attacks, which led to its downfall. This downfall in turn led to the development
of a new spectrum of attacks called Reverse Social Engineering attacks.
The basic aim of a Reverse Social Engineering attack is to get the potential victim to approach the attacker, rather than the
other way around; this makes victims lower their guard, resulting in higher success rates. What makes Reverse Social
Engineering attacks easier to implement is the fact that social networking sites let users look for new friends that they may
already know or would like to know. For example, Facebook suggests user profiles to other users based on the number of mutual
friends they have in common. Moreover, these social networking sites gather and analyze information about their users' behavior,
likes/dislikes, etc. to provide better recommendations. Thus, by creating appropriate attack profiles, Reverse Social Engineering
helps attackers gain the trust of a large number of users in order to carry out a wide range of attacks such as identity theft,
blackmailing, persuading victims to click on malicious links, etc. This document discusses three types of Reverse Social
Engineering attacks, namely recommendation-based, visitor-tracking-based and demographic-based attacks [1]. The effectiveness
of these attacks and countermeasures against them are also discussed, based on experiments carried out on social networking
sites like Badoo, Facebook and Friendster [1].

II. SOCIAL ENGINEERING
Learning about the development of Reverse Social Engineering is important to understand its effectiveness and efficiency in
the real world. Reverse Social Engineering is similar to Social Engineering, with the exception that in Social Engineering the
attacker approaches the victim. Most online social engineering attacks rely on some form of "pretexting" [2]. That is, the
attacker establishes contact with the target and sends some initial request to bootstrap the attack. This approach, although
effective because it can reach a large number of potential victims, has the downside that Internet users are becoming more and
more suspicious of unsolicited contact requests.

III. REVERSE SOCIAL ENGINEERING ON SOCIAL NETWORKS


Social networking sites are one of the fastest growing platforms in this digital era. Websites like Facebook have achieved
growth rates as high as 3% per week [3]. Moreover, these websites are becoming the main way for people to interact and meet
new people. These users also bring with them huge amounts of data that can be used by attackers in various ways. Reverse
Social Engineering attacks have proven to be widely successful on social media because the recommendation systems incorporated
by these websites make it easier for attackers to reach millions of potential victims quickly. Reverse Social Engineering
attacks can be classified along two axes, namely Targeted/Untargeted and Direct/Mediated. In a Targeted attack, the attacker
focuses on a particular user, whereas in an Untargeted attack the main aim is to reach as many users as possible. In a Direct
attack, the attacker uses baiting techniques that are visible to the potential victims (like a post about getting iPhones at
50% off, etc.). In a Mediated attack, the baits are first stored with a middleman who then propagates them in different forms.
Recommendation-based RSE is a type of Targeted, Mediated attack. Demographic-based RSE is a type of Untargeted, Mediated
attack, and Visitor Tracking-based RSE is a type of Untargeted, Mediated attack. These novel attacks and their real-time
implications are discussed further in this document.


A. Recommendation Based RSE


Recommendation systems in social networks propose relationships between users based on background, or "secondary
knowledge", about users. This knowledge derives from the interactions between registered users, the friend relationships between
them, and other artifacts of their interaction with the social network. For example, the social networking site might
record the fact that a user has visited a certain profile, page or picture, and also log the search terms they have entered. Thus, if
the attacker is able to influence the social network into providing targeted recommendations, the attacker may be able to trick
victims into contacting them, rather than the other way around. To influence the recommendation system, attackers either create
a fake profile (discussed in section IV-B) to lure in potential victims or use the e-mail addresses of potential victims (discussed in
section IV-A).

B. Demographic Based RSE


Demographic-based systems in social networks allow users to establish friendships based on the information in a person's profile.
Some social networks, especially dating sites, use this technique to connect users from the same geographical area, the same
age group, with the same preferences, etc. The attack profile created in this case has a high probability of appealing to certain users.
After this, the attacker simply waits for the victim to initiate contact.

C. Visitor Tracking Based RSE


Visitor tracking is a feature provided by some social networks to allow users to track who has visited their online profiles.
The attack in this case involves exploiting the user’s curiosity by visiting their profile page. The notification that the page has
been visited might raise interest, baiting the user to view the attacker’s profile and perhaps take some action.

IV. REAL TIME IMPLICATIONS


To understand the effectiveness of the three RSE attacks mentioned above, they were carried out on three social networking
sites, viz. Facebook, Badoo and Friendster. However, not all three attacks can be carried out on all three platforms.
Recommendation-based RSE can only be carried out on Facebook; Visitor Tracking-based RSE can be carried out on
Badoo and Friendster; whereas Demographic-based RSE can be carried out on all three platforms. In [1], the
implications of these attacks were tested by performing experiments in two sets: in the first set no attack profile was created and
only Facebook's recommendation system was influenced; in the second set five attack profiles were created in each of the three
social networks.
A. Influencing Friend Recommendations on Facebook.
Facebook connects different users by suggesting to them the profiles of people they might know. These suggestions are
calculated based on common factors like mutual friends, schools, work, etc. Apart from these attributes, [4] has shown that
Facebook also uses the e-mail address queried by a user to identify a possible connection between two users. Therefore, if an
attacker gains access to the e-mail address of a victim (e.g., a spammer who has a list of e-mails), by searching for that address
they can have a fake attacker profile recommended to the victim. In [1], previously collected data was used, and a large
number of e-mail search queries were performed from a single test account. As a result, the test account received thousands of
messages and friend requests. The number of requests increased rapidly as a consequence of the cascading effect that
commenced when the test account started accepting the incoming invitations. The fact that the account had a large number of
friends built up the "reputation" of the profile. In addition, the account started being advertised by Facebook to new people with
whom the profile shared common friends.
B. RSE Using Attack Profiles.
In [1], to carry out the RSE attacks using attack profiles, five attack profiles were created on each of the three platforms.
Each attack profile had different attributes in order to compare which profile characteristics are the most effective. For the
profile pictures, popular pictures from Wikipedia were used. All photos represented an attractive male or female, with the
exception of Profile 5, for which a synthetic cartoon picture was used. The following table shows the characteristics of each of
the five profiles:

Attribute          Profile 1   Profile 2   Profile 3   Profile 4   Profile 5
Age                23          23          23          34          23
Sex                Male        Female      Female      Female      Female
Location           New York    New York    Paris       New York    New York
Synthetic Picture  No          No          No          No          Yes

In the second set of the experiment, to implement the Recommendation-based RSE attack on Facebook, an API was used to
accept friend requests on Facebook, fetch user profiles, and fetch any private messages that may have been sent to the
attack profiles.
To carry out the Demographic-based RSE attack on Badoo, the attack profiles were created and the incoming connections were
monitored. All messages sent to the attack profiles were recorded, as was information about which users visited the attack
profiles.
The Visitor Tracking-based RSE attack was carried out on Friendster. Here, the target user's profile was first visited, as a
result of which the system showed the victim that someone had visited their profile. If the attacker profile is interesting, the
victim may choose to contact the attacker. Hence, in a second step, the visits and the incoming messages to the attack profiles
were monitored to determine which of the victims came back and initiated contact.
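The bulk e-mail lookups of section IV-A and the mass profile visits behind the visitor-tracking attack (sections III-C and IV-B) share one shape that a platform can detect on its own side: a single account touching an unusually large number of distinct targets in a short time. The following added example (not from this document or from [1]) is a sliding-window fan-out detector run over a constructed action log; the log layout, action names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed limits on DISTINCT targets one account may touch inside WINDOW
# (illustrative values, not any platform's real policy).
THRESHOLDS = {"email_search": 20, "profile_visit": 200}
WINDOW = timedelta(hours=1)


def parse_line(line):
    """Constructed log layout: '<ISO timestamp> <account> <action> <target>'."""
    ts, account, action, target = line.split()
    return datetime.fromisoformat(ts), account, action, target


def fanout_alerts(lines, thresholds=THRESHOLDS, window=WINDOW):
    """Map (account, action) -> peak number of distinct targets inside any
    sliding window of length `window`, for pairs exceeding the threshold."""
    events = sorted(parse_line(line) for line in lines if line.strip())
    per_key = defaultdict(list)
    for ts, account, action, target in events:
        if action in thresholds:
            per_key[(account, action)].append((ts, target))
    alerts = {}
    for (account, action), items in per_key.items():
        # Two-pointer sliding window; counting distinct targets stops repeated
        # lookups of one address from inflating the score.
        counts, start, peak = defaultdict(int), 0, 0
        for ts, target in items:
            counts[target] += 1
            while items[start][0] < ts - window:
                old = items[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            peak = max(peak, len(counts))
        if peak > thresholds[action]:
            alerts[(account, action)] = peak
    return alerts


def sample_log():
    """Constructed sample: acct_x searches 25 harvested addresses in eight
    minutes and visits 250 profiles within an hour; acct_n performs three
    lookups spread over ten hours, which stays under the limit."""
    t0 = datetime(2024, 1, 1, 9, 0)
    def rec(offset, acct, action, target):
        return f"{(t0 + offset).isoformat()} {acct} {action} {target}"
    return ([rec(timedelta(seconds=20 * i), "acct_x", "email_search", f"u{i}@example.org") for i in range(25)]
            + [rec(timedelta(seconds=12 * i), "acct_x", "profile_visit", f"p{i}") for i in range(250)]
            + [rec(timedelta(hours=5 * i), "acct_n", "email_search", f"f{i}@example.org") for i in range(3)])
```

Running `fanout_alerts(sample_log())` flags acct_x for both actions and leaves acct_n alone; a real deployment would feed the flagged pairs into rate limiting or a CAPTCHA step rather than block outright.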

V. EXPERIMENTAL RESULTS
The messages, profile visits, friend requests and other interactions that occurred with the attack profiles were analyzed in [1]
to determine the most effective attack profiles.
A. For Recommendation Based RSE Attack.
Profiles 2 and 3 were the most successful in terms of the number of friend requests and messages that were received. Both
profiles correspond to attractive females who are interested in friendship. Note that there was no correlation with the location of
the attack profile (i.e., the location did not influence friend requests). Hence, an initial analysis seems to confirm the general
intuition that an attractive female photograph will attract potential victims. In contrast to the other profiles, Profile 5 was the
least effective. In this profile, a cartoon character was used as a photograph rather than a real picture. In comparison, Profile 1
performed only slightly better than Profile 5. This profile contained the photograph of an attractive male.

B. For Demographic Based RSE Attack.
Here, profiles 2 and 3 were again the most popular, and attracted the most visitors (over 2500 each). These profiles also
received the largest number of messages (i.e., more than 2500 each). Because Profile 5 was not using a photograph of a person,
it was removed by Badoo. Once again, Profile 1, the attack profile of a male user, received the fewest visits and friend requests.
C. For Visitor Tracking Based RSE Attack.
In the visitor tracking RSE attack, each of the five attack profiles was used to visit 8,400 different user profiles in Friendster.
The target profiles were tracked by monitoring the number of users who visited the attack profiles and then by counting the
number of users who sent friend requests to the attack profiles. Profile 4 had the highest number of visitors followed by profiles
2 and 3. Profiles 1 and 5 were again the least effective. However, profile 2 received the highest number of friend requests
followed by profile 3 and then by profile 4.

VI. CONCLUSION


REFERENCES
[1] Irani, D., Balduzzi, M., Balzarotti, D., Kirda, E., and Pu, C. Reverse Social Engineering Attacks in Online Social Networks. In Proceedings of the 8th
International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, Amsterdam, Netherlands, July 7-8, 2011, pp. 55-74.
[2] Mitnick, K., Simon, W. L., and Wozniak, S. The Art of Deception: Controlling the Human Element of Security. Wiley, 2002.
[3] Facebook Statistics. http://www.facebook.com/press/info.php?statistics, 2010.
[4] Balduzzi, M., Platzer, C., Holz, T., Kirda, E., Balzarotti, D., and Kruegel, C. Abusing Social Networks for Automated User Profiling. In Recent Advances in
Intrusion Detection (2010), Springer, pp. 422-441.