Social engineering focuses on people as the attack vector, using psychological manipulation techniques to trick people into performing certain actions or into divulging confidential information. Within the Web context, social engineering attacks are generally aimed at gaining control over the user’s account, financial information, or identity information. Social engineering is part of human nature and existed long before the Web. However, due to the Web’s distributed nature, social engineering attacks have become easier and more widespread. One of the most common examples is phishing, where unsuspecting users are tricked into entering sensitive information, such as their credentials or credit card information, into a fraudulent authentication form. PhishTank, an anti-phishing initiative, collects about 20,000 valid phishing Web sites per month. Another target of social engineering attacks is the companies that manage users’ accounts, which has resulted in compromised Twitter accounts, wiped Apple devices, etc.
The goal of a social engineering attack is to gain access to confidential information, which allows the attacker to escalate the attack, for example by taking control over the user’s online accounts, by charging fraudulent transactions to the user’s credit cards, or by committing identity theft by impersonating the user. In the context of this dissertation, the focus lies on the theft of credentials, subsequently used to authenticate to services in the user’s name. Especially in the modern, interconnected Web, compromise of one account often allows escalation towards other accounts, and ultimately the victim’s entire online presence. Attackers employ social engineering techniques to trick victims into willingly surrendering their credentials. For example, in a phishing attack the attacker capitalizes on a user’s inability to distinguish a legitimate page from one that looks legitimate but is actually fraudulent. By luring the user to the fraudulent page, for example with a carefully crafted “urgent” email message, the user is tricked into entering their credentials, causing them to be sent to the attacker.
A recent evolution towards limiting the impact of credential theft through social engineering is the use of multi-factor authentication. In a multi-factor authentication process, the application no longer depends on a single piece of knowledge, such as a set of credentials, but requires additional factors, such as a token sent to the user’s phone by text message, a token generated by a dedicated device, a smart card, biometric information, etc. Multi-factor authentication makes the traditional credentials less valuable, since one of the additional authentication factors is an out-of-band device, which is normally beyond the attacker’s control. However, introducing additional authentication factors also introduces additional concerns. For example, if the user’s smartphone acts as the second factor in the authentication process, a problem arises when the phone is stolen, since the phone then provides both the browser, with potentially stored credentials, and the out-of-band device.
Similarly, biometrics are often considered a viable alternative to password authentication, but they possess different characteristics compared to traditional credentials. For example, fingerprints are left behind everywhere, and readers can easily be fooled. Additionally, the amount of biometric information is limited (e.g. ten fingerprints), and revocation is rather difficult. In addition to multi-factor authentication, major sites further improve their authentication procedures with additional security checks when logging in from an untrusted device, similar to anomaly-based prevention of credit card fraud. Microsoft, Facebook, and Google allow users to register trusted computers, from which a traditional username/password-based authentication can be used. All other machines require two-factor authentication with a verification code.
Attackers have been trying to convince users to voluntarily give up their credentials for at least the last 19 years. Several studies have been conducted to identify why users fall victim to phishing attacks, and various solutions have been suggested, such as per-site “page-skinning”, security toolbars, images, trusted password windows, the use of past-activity knowledge, and automatic analysis of the content within a page. Finally, users can also install client-side countermeasures to protect themselves against phishing and tab-nabbing.
In practice, stolen credentials and financial information are valuable assets, as illustrated by the high demand on underground markets. To prevent credential abuse, major Web sites offer strong, multi-factor authentication in combination with trusted devices, which effectively mitigates most of the risk associated with credential theft. Additionally, the major players such as Google and Facebook also offer single sign-on solutions, allowing other sites to benefit from the secure authentication procedures. On the downside, numerous smaller sites still use traditional credentials, and cannot prevent the use of stolen credentials.
Unfortunately, combating phishing in an automated way is difficult, which is why the currently deployed anti-phishing mechanisms in popular browsers are all blacklist-based. The blacklists themselves are either generated by automated crawlers that search the Web for phishing pages, or are crowdsourced. Similarly, major corporations and financial institutions employ security firms that manually look for phishing and impersonation pages, allowing a quick flagging and removal process.