ICCGI 2024 : The Nineteenth International Multi-Conference on Computing in the Global Information Technology

Automated Social Engineering Tools - Overview

and Comparison with Respect to Capabilities and
Detectability
Dominik Dana Sebastian Schrittwieser Peter Kieseberg
St. Pölten UAS University of Vienna St. Pölten UAS
St. Pölten, Austria Vienna, Austria St. Pölten, Austria
email: is191805@fhstp.ac.at email: Sebastian.Schrittwieser@univie.ac.at email: Peter.Kieseberg@fhstp.ac.at

Abstract—The manual effort required by social engineers, to rely on a large collection of publicly available information on
obtain information about people and organizations that are in the Internet about people and organizations. From the social
their interest, is sometimes very high. They therefore strive to engineers’ point of view, the attacks need to be automated, in
automate processes as much as possible. With a few menu entries
and selections, it is already possible to export email addresses order to reach many victims and they should behave human-
from social media profiles, as well as to send friend requests like, so that more victims fall for them [5]. Automation is
and phishing messages to a large number of people. This paper especially interesting in the reconnaissance phase, as e.g., in
presents the extent to which processes in a Social Engineering the context of an initial information gathering phase, known
attack can already be automated and the tools that can be used users would have to be searched for manually for hours on
to do so. The possibilities and reliability of the freely available
tools were evaluated and compared in a practical application. various platforms and social media channels. this task can
The clustering of the tools is based on the phases of a technical already be performed by proprietary search engines, across
Social Engineering model, derived from the most common Social hundreds of platforms, with just a few mouse clicks. It’s a
Engineering frameworks. similar story with creating phishing messages, or phishing
Index Terms—Automated Social Engineering, Social Engineer- sites. Instead of designing websites yourself, that are used for
ing Frameworks, Social Engineering Models, Technical Social
Engineering. water-holing or phishing attacks, or instead of sending out a
high number of phishing messages via email yourself, a few
menu selections or clicks in the respective tools are enough.
I. I NTRODUCTION
Social Engineering (SE) is an emerging threat that has
evolved along with networking and social media and has This paper describes current automation possibilities which
attracted increasing attention in recent years. While fraud can be used for Social Engineering. The structure of this
existed long before, the widespread use of social media paper, after a brief introduction and analysis of related work
and cyberspace provides fertile ground for traditional fraud, in Section II, it is divided into three main sections, where
as more and more personal information is shared but little relevant legal and ethical aspects for the work are considered
awareness and measures are in place to protect it [1]. (Section III), a comparative analysis of Social Engineering
Especially the widespread and constantly available Social phase models and frameworks (Section IV), and the applica-
Networking Sites (SNS), are a playground to carry out tion of the Social Engineering tools themselves (Section V) is
various forms of phishing attacks [2]. There are advanced conducted. Section VI provides a conclusion and suggestions
phishing attacks, that spread through sharing SNS posts for future work, including answers to these research questions:
that can lead to information leakage [2], but also targeted
attacks, where users working for a specific company are
identified and contacted through SNSs and their confidential
information is stolen, e.g., via direct messages [3]. Last but • RQ1: To what extent are freely available Social Engineer-
not least, habituation effects also lead to various links being ing supporting tools already automated and what does this
clicked, posts being copied, liked, shared and pasted, which mean in terms of Social Engineering?
ultimately promotes Social Engineering [2]. However, Social • RQ2: Which phases of Social Engineering can be handled
Engineering requires a great deal of time spent cultivating with the tools?
relationships, building trust, and then exploiting users to • RQ3: How do the different tools interact with each other,
obtain classified information [4]. The tools used for this are there tool suites that start and accompany a complete
purpose are, in terms of basic information retrieval, mostly Social Engineering process?
located in the Open Source Intelligence (OSINT) area and • RQ4: How reliable are the results of the tools?

Copyright (c) IARIA, 2024. ISBN: 978-1-68558-130-5 1

ICCGI 2024 : The Nineteenth International Multi-Conference on Computing in the Global Information Technology

II. R ELATED W ORK by changing, replacing, or deleting parts of messages, is

individually controllable and the chance, for example, to click
A. Techniques and tools
on links, which are inserted, or changed by Honeybot, is
In addition to the literature by Kevin Mitnick [1] and greatly increased, compared to other chat bots. The project
Christopher Hadnagy [2], publications by Jeremiah Tala- ”Social Network Automated Phishing with Reconnaissance”
mantes [5] and Peter Kim [6] were analyzed, in which the first (SNAP R) on the other hand, interacts with users on the
tools from the OSINT domain and the first automated tools, Twitter platform and sends a machine-generated tweet to its
including the Social Engineering Toolkit (SET) and Maltego, targets, which mostly contains a shortlink. Broken English and
were already mentioned. Christopher Handnagy additionally shortlinks are accepted on Twitter due to the character limit,
describes in [7] the Social Engineering pyramid as another which is why the authors see SNAP R as an extension to SET
Social Engineering phase model. An important distinction to automatically distribute phishing messages to a larger target
into the attack categories ”Computer Based” and ”Human group. The ASE bot, Honeybot and additionally the Koobface
Based” within Social Engineering, is made by Wang et al. bot, spreading as malware through the Facebook social media
in [8], similarly in Hussain Aldawood and Geoffrey Skinner’s platform, are also cited as automated Social Engineering tools
work [9]. In their paper, Wang et al. also state that technical in a study by Priya Kaul and Deepak Sharma [17].
attacks are becoming increasingly difficult and therefore Social
Engineering attacks are on the rise. Furthermore, they assumed C. Trust factors as the basis for automation functionality
the most important attack media to be e-mail, websites and The trust factors that enable Social Engineering to be
the telephone. Bilikis Banire et al. also describe in [10], that successful, are described by Yuki Kano and Tatsuo Nakajima
these also represent the most common attack methods from after an experiment [18]. The fact that people are more likely
which phishing, vishing and smishing attacks result. In [9], it to open suspicious links in messages from Facebook friends
is also concluded that virtual communities, after personal data than from, e.g., their bank is also addressed by Aron Stern
is often stored in these platforms, are the largest source of at Kaspersky [19]. The latter go on to state that it is also
Social Engineering attacks, as little technological know-how widespread to clone unrestricted Facebook profiles and send
is needed once trust has been established with the victims (see friend requests to friends of this original profile. The goal is to
also the study from Kenya [11]). Other techniques and tools, use the cloned profile to send convincing phishing messages
especially from the OSINT domain and people-search engines, or to get the Facebook friends to click on phishing links.
are described in [12]. However, their main area of application
extends to the USA, as application within the EU, due to the D. Alternative Frameworks
General Data Protection Regulation, is not possible due to the In addition to the classical frameworks and Social Engineer-
personal nature of the data collection without consent. ing models, presented in a subsequent section, models such as
the one described by Tong Wu et al. in [3], consisting of Social
B. Advanced attacks and automations Engineering sessions (SES) and Social Engineering dialogues
A definition of automation is simplistically and naively (SED) and the models in [20], which are still in early stages of
made in [13] as systems that take over the execution of tasks development represent alternative approaches for new Social
from humans and thereby simply reduce the amount of work, Engineering models.
or attention, that humans need to devote to these tasks. Wang
et al. state in [14], that the wide adoption and availability of III. L EGAL AND ETHICAL ASPECTS
SNSs, the Internet of Things (IoT), industrial Internet, and mo- When compiling and searching for information in the con-
bile devices, have created greater attack surfaces for Social En- text of Social Engineering, data and information from and
gineering. The reason behind this is that due to huge amounts about specific individuals are used. This also holds true for the
of data generated by their use and that people in today’s world experiments conducted in this study. While malicious attackers
share more information about their own personal identities, will not care about legal or ethical issues regarding private data
activities, relationships, locations, and personal interests, as retrieval, this had, of course, been an issue during our research.
well as their work and work environments on social media Data and information that can be traced back to individuals
combined with the availability of Social Engineering tools, is considered as personal data in the current version of the
facilitates large-scale Social Engineering attacks. Automated General Data Protection Regulation (GDPR), under Article
tools, mentioned by Wang et al. in [14], in addition to ways 4 [21], the processing of which is considered to be lawful
to bypass phishing and deep learning detection, include the if there is consent for processing for one or more specific
automated chat bots of Markus Huber (ASE bot) [15], Tobias purposes and these are processed appropriately for the purpose
Lauinger et al. (Honeybot) [16], amongst others. According and in accordance with the principle of data minimization [21]
to their own statements, compared to the ASE bot, Honeybot and appropriate protective measures have also been taken
moves one step further, by not having humans communicate by the processor for the required storage period. Even if
directly with a bot, but instead initiating a conversation be- information about individuals and institutions can be found
tween two real people, with Honeybot acting as a ”Bot in the freely on the Internet, from an ethical point of view, it cannot
Middle”, interposed in between. The behavior of Honeybot and should not be assumed that this information is also freely

Copyright (c) IARIA, 2024. ISBN: 978-1-68558-130-5 2

ICCGI 2024 : The Nineteenth International Multi-Conference on Computing in the Global Information Technology

available for use. However, information can also be interpreted models and frameworks also differ in terms of the number
differently in the wrong circumstances, leading to unintended of phases. Apart from two models, all other models were
and unfavorable outcomes for the individuals concerned. An- designed with fewer than eight phases. M1 is only to a limited
other dilemma is that the OSINT sample is minimized or extent suitable for Social Engineering attacks, since these
selected depending on the needs of the collector [12]. Thus, types of attacks do not necessarily have to pass through all
important sources might indeed be intentionally neglected in phases of the framework. Also, the complete section, in which
order to achieve a particular result. The handling of legal relationships and trust are established, as well as exploited, is
and ethical aspects is quite different in the related work. completely missing. M4 shows five phases and is the only
This ranges from permissions and questionnaires requested model that includes reporting as the final step, for traceability
in advance, to simply conducting experiments. Debriefing and documentation of the process and results. The model M3,
with participants is rarely held. In order not to unknowingly as well as model M2, are limited to a total of only four phases
turn participants into experimental subjects, which has already with similar names. M2 is seen as a good basis in comparison
raised serious ethical concerns [22], own outdated and already with M5, but too simplistic, according to [25], as it leaves too
known leaked data was searched for first tests with the much room for interpretation and does not include a debriefing
tools. When processing the data and information found, an phase, which is intended in M5 to bring the target person back
attempt was made, despite automation, to take into account to a normal emotional state. No matter how many phases the
the principle of data minimization and purpose limitation as respective models and frameworks have, a phase for thorough
far as possible. Attention was paid to emerging and possibly information gathering is required at the beginning of every
disadvantageous combinations of the results. The search and successful Social Engineering attack, since the quality of the
test results were not saved after the application of the different information obtained contributes significantly to the success
tools. In some cases, the tools automatically created log files of the subsequent phases. Based on the compared models and
that contained the results of the search queries. These log frameworks, the technical Social Engineering model (TSE)
files were also deleted at the end of the tests. Screenshots, was designed, shown in Figure 1, which was reduced to only
which were only taken for documentation purposes, had been three common phases, within which automation with tool
strongly anonymized so that no conclusions can be drawn from support is possible.
them.
IV. S OCIAL E NGINEERING MODELS AND FRAMEWORKS
A standardized formulation of a Social Engineering attack,
as well as the sequence and temporal events, allows researchers
to compare different Social Engineering attacks with each
other. Following, we will compare the following most common
phase models and frameworks that divide Social Engineering
attacks into phases: The Cyber Kill Chain (M1) [23], the
Social Engineering Cycle (M2) [1], the Social Engineering Fig. 1. The technical Social Engineering model (TSE)
Lifecycle (M3) [24], the Social Engineering Pyramid (M4) [7],
the Social Engineering Attack Framework (M5) [25], the A corresponding assignment of the phases of the previously
Cycle of Deception (M6) [26], the Social Engineering Attack described phase models and frameworks to the phases of the
Spiral (M7) [27], the Session and Dialogue Based Framework reduced model can be seen in Table I.
(M8) [3], and the Phase based and Source based Model V. T OOL - SUPPORTED AUTOMATION FOR S OCIAL
(M9) [28]. These models differ most clearly in the area of E NGINEERING
representation. With M1, the M4, M8, and M9 represent in While we tackled a lot of different tools during our analysis,
successive process steps, the M2, M3, M5, M6, and M7, we will only be able to give a short outline on the findings
respectively, represent in circuits. The fact that the majority of in this section, grouping the tools according to the previously
the researched frameworks use a circular structure to describe defined TSE model.
Social Engineering attacks, which mostly includes the phases The tools in the information gathering phase are used to
of information gathering, trust exploitation, attack develop- obtain all kinds of information about a (potential) target.
ment, and target fulfillment, is also already described in [3]. Included in this phase are also tools used in reconnaissance
The circular form provides the possibility of representing and OSINT, as well as social media intelligence (SOCMINT).
the repetition of previous phases when more information is Still, as this is not an analysis of OSINT tools, we did not
needed, or the goal is not achieved in a single phase [1]. M6 further dive into the extreme amount of apps there. We divided
does not provide the opportunity to return to a single previous the tools into (i) web-based and (ii) locally installed tools.
phase, but provides a sequence of several cycles spherically
on top of each other, which makes this framework seem to A. Web based tools for Information Gathering
be very complex at first sight, especially in combination with 1) Searching for user data: Google Dorks are pre-defined
the inclusion of risks as a three-dimensional component. The searches that can be executed using the Google Programmable

Copyright (c) IARIA, 2024. ISBN: 978-1-68558-130-5 3

ICCGI 2024 : The Nineteenth International Multi-Conference on Computing in the Global Information Technology

TABLE I
P HASE A SSIGNMENT

Model Information Gathering Attack Preparation Attack Execution

M1 Reconnaissance Weaponization, Delivery Exploitation, Installation, Command & Con-
trol, Action on Objectives
M2 Research Developing Rapport and Trust, Exploiting Utilize Information
Trust
M3 Investigation Hook Play
M4 Information Gathering Attack Planning Perform Attacks
M5 Information Gathering Preparation Exploit Relationship
M6 Map & Bond Execution
M7 Recon Relationship Building, Attack Scenario Build- Execution, Action on Objectives
ing
M8 Attack Preparation Attack Implementation
M9 Using suitable gates of SNSs to gather infor- Using suitable gates of SNSs to reach the Attack
mation about victim victim

Search Engine for automation as Custom Search Engines ZoomEye [35], Spyse [36] and Chaos [37] seem to be the
(CSEs). Regarding Social Media plattforms, the web applica- most popular. Shodan provides many filter options and requires
tion CheckUsernames [29] allows the parallel search of over a familiarisation period in order to achieve useful results.
300 platforms for user-names and linked profiles. Still, the The search results depend on the time in which Shodan has
search is very limited, only allowing for exact (partial) matches scanned the target system, but contain a high level of detail
without additional intelligence. ReconTool [30] provides sev- about the scanned target system. Despite language barriers,
eral additional features, like e.g., mindmapping information ZoomEye could be used with translation software at the time
for dynamic interaction with the search engine. Even more of the research and the presentation of the search results was
extended functionality is provided by HOPain Tools [31], as very similar to Shodan. Surprisingly, Spyse was only able to
it also allows searching for pics, videos, detailed content like deliver a few results during the application and using identical
postings (also allowing filtering like time frames, location or target systems and is therefore not very suitable for Social
number of likes), as well as bitcoin addresses. Social media Engineering purposes. Chaos was still at an early stage of
platforms can be searched individually or in groups, for many development at the time of the research. On the other hand,
platforms require a respective account. SynapsInt [38] is a freely available tool that also fits into
this categorisation. It provides search results for domains,
2) Technology checks: In order to expand the possibilities
IP addresses, SSL certificates, email addresses, telephone
of pretexts and impersonations for Social Engineering in
numbers and Twitter accounts, as well as searching for ransom
organisations, it can be helpful to examine existing websites
bitcoin addresses and CVE numbers. The results of a scan with
for the technologies used and possible vulnerabilities. The
the same inputs as before quickly delivered correct results,
following tools can be used as an alternative to considerably
a current screenshot of the page, a VirusTotal analysis, the
more expensive systems due to higher licence and operating
last available entry in the Internet archive Wayback Machine,
costs. The result of a scan with BuiltWith [32] shows the
open ports and information on the hosting provider used. In
technologies, plugins and hosting provider used for a website,
addition, all domains that can be reached under the same IP
but also other websites that use the same hosting provider,
address, all subdomains, internal links and related social media
as well as the duration and the respective public IP address
links are listed and checked to see whether it is included in
under which they were accessible. However, the results can
various blocklists. The blacklist check also works with entered
only be viewed to a limited extent in the free version, but
email addresses. The leak check and the Twitter account check
are sufficient for searching for Common Vulnerabilities and
did not work with a private email address that has already been
Exposures (CVE) entries and for developing pretexts. Techno-
leaked many times.
logical information, telephone numbers, email addresses, CVE
vulnerabilities with the corresponding CVE number, public 3) Generate valid email formats: In order to generate the
IP addresses used, open ports, domain names, cybersquatting formats for E-Mail addresses of targets, we had a look at the
domains and much more to determine further attack surfaces search engines Email-Format [39] andHunter.io [40]. Hunter,
and risks of a website can also be found out very conveniently as well as Email-Format, derive patterns for corresponding
with SpiderFoot [33]. The SpiderFoot HX version offers an email address formats from a large number of email addresses
even greater scope and an intuitive, graphical interface that can collected via web scans. Of the target domains entered for
display all this information in the form of a node graph, where testing, around a third did not return any search results.
each node can be selected individually. The scan results were The email address formats derived in both web applications
surprisingly comprehensive and consistently correct in the appear correct, and sample data is also displayed freely in
short time available and in view of the basic version used. Re- both applications, although it is not always up to date. Email
garding the analysis of industrial (IoT) devices, Shodan [34], address format offers, in addition to the identified conventions,

Copyright (c) IARIA, 2024. ISBN: 978-1-68558-130-5 4

ICCGI 2024 : The Nineteenth International Multi-Conference on Computing in the Global Information Technology

a larger list of representative email addresses, as well as phone search is also offered. IDCrawl offers the option of an
(depending on the payment plan) the option of downloading ”opt-out”, where you can exclude yourself from search results.
them. In comparison to Email Format, Hunter tends to limit the During the test and the search for own findable information,
output, but in addition to more up-to-date data records, it also IDCrawl was only able to verify one search result as correct,
shows the occurrence of the representative email addresses, but the topicality of the result was doubtful, as in this specific
which are used to derive the logics for the email addresses. case the user profile picture did not match and had already
4) Data breaches and data leaks: Regarding searching been replaced some time ago. However, the accuracy of the
data breaches and data leaks, the IntelligenceX platform [41] data is not guaranteed in large quantities at Webmii either, as
retrieves results from Dataleaks, Wikileaks, paste sites and only parts of the information could be considered correct as
even the darknet for search queries, such as email, Bitcoin, well. The majority of the search results were not usable, and
MAC and IP addresses, domains, URLs, telephone numbers, in some cases links to results could not be opened at all.
credit card numbers and much more. IntelligenceX offers a
so-called ”Third Party Search”, in which the search scope can B. Locally installed tools for Information Gathering
be extended again to several search engines (simultaneously 1) Maltego and alternatives: The data mining tool Mal-
via pop-ups) and, for example, Vehicle Identification Numbers tego [46] is one of the best-known tool suites in the OSINT
(VIN) can also be searched for. There are separate search environment and is almost unique in its range of functions.
functions for social media channels, links to OSINT link lists, Depending on the licence and the added plugins, the scope anc
as well as file and encoding tools. The test searches carried capability of the software change. For the tests and the tool
out delivered surprisingly accurate results. A privately used, comparison with a similar tool, the registered, free Community
knowingly leaked email address that was no longer in use was Edition with eight free plugins was used, which provides
found, including the password used at the time of use. For a certain number of credits depending on the query used.
another, still privately used email address, it was possible to With six out of one hundred available credits, it was already
find out in which data breach the email address appeared and possible to find domain information, whois entries, company
which platform was affected by the breach. Valid access data owner data, email addresses, telephone numbers, public IP
was also found for other email addresses in the private sphere; addresses, all plugins used on the website, as well as archived
Reverse image searches from the third-party search category versions of these since 2009. Audit reports from American
with randomly uploaded images from private collections and companies in the same business sector were also found in
quick Google searches, mostly referred to Adobe stock images, the Maltego document cloud. However, these were not related
however; three out of ten uploaded images were found. The to the exemplary target company. As part of the research, a
VIN search was also tested with two different VIN numbers comparable alternative, or supplement, to Maltego could be
from our own stock, but the search yielded no results. found, which, despite critical voices [47], was implemented,
5) Detecting online times: Online times of targets are licensed and tested for comparison: Lampyre [48], which is
especially interesting for targeted attacks. The tool Sleeping- only available on Windows platforms and offers a similar
Time [42] was analysed for the SNS platform Twitter and overview to Maltego’s Transformation Hub in the so-called
successfully used with several Twitter accounts. SleepingTime ”List of requests”. The advantage of the software is that the
analyses the last 1000 tweets of a Twitter account and derives plugins do not have to be installed individually; a selection
an estimated ”sleep schedule” from the time stamps of the (and like Maltego, the entry of a corresponding API key) of
respective tweets, in which the account is least active and the modules to be used, the underlying and desired tasks, as
in use. WhatsApp Monitor [43] is a similar tool that works well as the required parameters, is sufficient for the start.
with browser notifications when a specific WhatsApp contact In direct comparison, Maltego is clearer and more structured
is available online. The use of the tool sounded very interesting to use. Lampyre is simpler in terms of usability, the results are
during the research, but could not be used at the time of the mostly displayed in tabular form and graphical dependencies
tests, as the website was not accessible at the time of the tests. are only possible in isolated cases. Furthermore, it is partially
6) Searching for personal information: Regarding search- unstable, e.g., during the application tests, various result tabs
ing for personal information. Suche nach Personendaten, Web- suddenly stopped responding and could no longer be selected,
mii [44] compiles publicly available information about people meaning that the results could no longer be viewed.
on the Internet and uses it to generate an online score that Of the plugins already included, Lampyre offers a selection
is intended to show the availability of the person. Webmii of search criteria that could not yet be found in Maltego
usually lists the results in four sections. (i) the results list, and vice versa. These included, for example, the search for
containing the names of people who have interacted with the IMEI numbers, WLAN SSIDs or Vehicle Identification Num-
target person on social media channels, (ii) search results from bers (VIN) in Lampyre, while Maltego offers the Wayback
various newspaper articles, (iii) results from various social Machine, Movie Database, Blockchain.info or Google Maps
media channels and (iv) search results obtained via a Google Geocoding, which are regularly updated and expanded in both
CSE. At first glance, IDCrawl [45] offers a wider range of applications. Within Maltego, the origins of the search results
functions, as it can be used to search not only for people’s and the use of the search providers are traceable. At first
names, but also for user names across 17 SNSs. A reverse glance, it is not possible to recognise where Lampyre obtains

Copyright (c) IARIA, 2024. ISBN: 978-1-68558-130-5 5

ICCGI 2024 : The Nineteenth International Multi-Conference on Computing in the Global Information Technology

the results of the transformations if the search provider is test (without nmap scan). A coherent subdomain enumeration
not described in the tasks. In the transformations to the same could be carried out using three different domains, including
target organisation, more search results could be achieved with that of the St. Pölten University of Applied Sciences, with
Maltego with less known data. The reliability of the data Sublist3r [59], Sn0int [60] and Frogy [61], whereby Frogy
was also higher in Maltego; for example, the public company also uses Sublister in the enumerations. Sublister also offers
Facebook account could be found with Maltego, whereas the option of a port scan and a brute force scan, which were
Lampyre returned error messages for these transformations. not performed. Under Sn0Int, the subdomain enumeration is
2) Searching for user and personal data: Regarding search- only a small part of the functionalities. Frogy was still under
ing of account or personal data, CrossLinked [49] allows for development at the time of research and testing. In addition
automated searches in LinkedIn by filtering external search to finding IPs, domains and subdomains, it is also designed
engine results, so-called Search Engine Scraping, thus not to find live websites and login portals. What is particularly
requiring account data for searching. When verifying the interesting about this tool is that it can access the Chaos-
results, it was found that although they were plausible (by database. Another tool suggested in the information retrieval
randomly comparing the results with the online employee communities is ReconSpider [62], which is a tool for the
directory), but the results also included every person who had automated scanning of IP and e-mail addresses, websites,
specified St. Pölten UAS in their LinkedIn profile, not only telephone numbers, DNS and domain information, but also for
employees. When searching for another organisation without searching data breaches. ReconSpider was able to consistently
results, it turned out that links from search engines were also return correct data in the test entries, but occasionally crashed
counted as results. The tools UserReCon [50] and Userrecon- with Python errors when making entries in the menus for
py [51], Nexfil [52], Sherlock [53], Us3R-F1nD3R [54] and whois and domain queries.
Thorndyke [55] promise similar functionalities with search 4) Export data from social media: Regarding the export
scopes spanning several hundred social media platforms. From of data from social media profiles, ReconSpider can display
the own descriptions and command references of these tools, information of Facebook, Twitter and Instagram accounts, but
it is clear that Sherlock is the only application that can process this is limited to the name, number of followers and profile
several search entries as well as prepared lists in one search description and cannot be exported. The tool OSINTGram [63]
run. The tools are very similar in their use and appearance, as on the other hand requires a valid Instagram account to
are the results. In addition to existing social media accounts, be usable. For export, optionally in *.txt and *.json file
the Instagram test account @dominikhatkeininsta could formats, all addresses that can be read from posted image
also be found as a registered user on several platforms accord- material, all texts and comments that have been added to
ing to the search results. As the test account was only created posted images, the number of followers of the target account,
for Instagram, it can be assumed that the search results are not as well as the number of accounts that the target account
valid, except for the Instagram platform. This was confirmed follows, account information, as well as the number of all
when checking the search results for the Twitter and Reddit likes, hashtags, a list of all links of the target account and
platforms. Buster [56] can also find users on social media a list of all accounts that have commented on posts of the
platforms, but the search scope is extended to the generation target account at any time are available. The ”fwersemail”,
of email addresses, which are provided from possible data ”fwingsemail”, ”fwersnumber” and ”fwingsnumber” functions
breaches, pastes and reverse-whois queries. Buster also shows are particularly interesting features for Social Engineering
the sources of results, as the services of Hunter.io, among purposes, each of which creates a list of telephone numbers
others, are used in the background. and email addresses (if specified in the respective accounts)
3) Technology checks: Regarding checking for technology, of the followers and followings. In the test application with
TheHarvester [57] is already pre-installed under Kali Linux the Instagram account of the St. Pölten University of Applied
and offers searches for domain information and Google dorks Sciences, several thousand pieces of data were found. With a
in 38 different search engines. Corresponding API keys are private test account, the consistently correct information could
required for use, and the search results can be limited in scope. be provided in lists within a short time. Sterra [64] also exports
In the test, the search engines did not work properly under follower and following accounts, including their account ID,
version 4.0.3, despite reinstalling the tool; under version 3.2.2, user name, specified name, biography, number of posts and
search results could at least be obtained via Google, although links to the respective account in CSV files. Within the
most of them were not valid. Raccoon [58] is basically an application, it is also possible to compare follower lists with
extension of nmap. The tool is still in the development stage each other and filter them for similarities or differences. As
and the focus is on simplicity. The convenience of using Sterra works directly with Instagram’s API, the reliability of
Raccoon lies in the fact that the parameterisation of the the data is guaranteed. List comparisons can also be carried out
nmap scans is already predefined by the tool. In addition to with the Python tool Insta-Extract [65] and these are simpler
the possibilities of nmap scans and subdomain enumeration, in the application than within Sterra, but not as extensive.
Raccoon should also be able to search cookies, recognise web What works well on the social media platform Instagram in
application firewalls and provide information on CMS, web the test applications also works with two other applications
servers and Whois queries. However, this did not work in the on the Twitter platform. Twi1tter0s1nt [66], also known as

Copyright (c) IARIA, 2024. ISBN: 978-1-68558-130-5 6

ICCGI 2024 : The Nineteenth International Multi-Conference on Computing in the Global Information Technology

TWINT and twosint, offers pretty much the same functions carriers, so that malicious code can be automatically executed
on the command line that TinfoLeak [67] also offers in a on removable media via the autorun function. This can be done
GUI. These include general searches for user names, searches via an executable file, which is executed via the autorun.inf
for geocoded tweets (if the geolocation data in the tweets file contained on the removable storage device, or via a file
can be read), tweets in a specific time window, filtering for format exploit to bypass any security warnings. TrustSec also
specific terms, but also exporting the number of followers. In provides detailed documentation on SET. SET worked out of
addition to exports in several file formats, TWINT also offers the box and, with the TrustSec documentation, was simple and
to translate tweets directly into other languages using Google reliable.
Translate. A time limit between individual scrapes can also be 2) Recognising tone and emotions in texts: In order to test
set for scraping tweets using the ”min-wait-time” parameter. messages for the effect of emotions, the Tone Analyser [72]
TinfoLeak is easier to use with the graphical user interface, from IBM was tested during the research into automated Social
where the desired operations are simply ticked and provided Engineering tools. The Tone Analyzer can be freely tested
with the corresponding values or data. online in a web form and recognises the emotions and tones
of voice contained in an entered text via machine learning
C. Tools for the attack preparation phase analysis. The Node.js version of the Tone Analyser [73] offers
The attack preparation phase includes those tools that, free analyses and support for several languages and files
depending on the selected attack scenario, are useful for directly for the first 1000 API calls per month after registration
preparing attacks, e.g., for preparing payloads or phishing in the IBM Developer Cloud. To quickly test the analysis, the
messages. following sample texts were entered for analysis:
1) Preparing Payloads: To prepare suitable payloads, al- • Positive emotion: ”Dominik likes doing his master thesis
ready generated and available versions [68] can be used, or all night long :-)”
new ones can be generated. In addition to one of the best- • Negative emotion: ”Dominik does not like doing his
known tools, the Social Engineering Toolkit (SET) [69], the master thesis all night long :-(”
PowerShell script [70] designed by Matt Nelson and Matt Tone Analyzer carried out the analyses with respect to the
Robinson is also suitable for this, which creates an Excel emotions ”Confident”, ”Joy” and ”Sadness” and classified the
document after the run that creates a Meterpreter shell when strength of the expressions in the messages with different
called on the target system. It also persists in the Windows reg- colours. In further tests, with different text fragments, Tone
istry and in the user directory so that it can be executed again Analyser also classified in the direction of ”Analytical” and
when the system is restarted. A connection to the infected ”Tentative”. We did not conduct any further tests, as this work
system can be established via Meterpreter Reverse HTTP is not focusing on the capabilities of emotion detection, but
and HTTPS. The MacroPack tool from Emeric Nasi [71] on the general usability of the tools.
is more up-to-date and has an extended range of functions 3) Bot preparation: Parts of a Social Engineering attack
compared to the PowerShell script and requires a functioning can also be carried out by bots, depending on the target
and registered Office installation on the system on which the and attack scenario selected. Implementations of Twitter bots,
payload is to be integrated into an Office file. The tool also modelled on Realboy [74] or SNAP R [75], for example,
offers the service of code obfuscation so that the malicious can be used in the attack execution phase for the automated
code in the Office markers is not so easily recognisable and it distribution of phishing links. In the attack preparation phase,
supports all Microsoft Office document versions and shortcut corresponding Twitter accounts can be created, filled with
files in the community version. The Pro version offers an content and equipped with a network of followers and fol-
even wider range of functions and can be used on existing lowings to make them more credible. Both bots, Realboy and
Office files. During the tests, the generation of payloads with SNAP R, were not tested and evaluated in this work, as there
the PowerShell script did not work, despite changes in the exists ample recent work analyzing bot preparation for Social
execution guidelines, which originally prevented the execution Engineering.
of the script. For the execution and use of MacroPack, it is
recommended to adjust the Windows security settings, as these D. Tools for the attack execution phase
prevent execution and classify the tool as a serious threat. The The attack execution phase includes all those tools that can
tool Social X, which was supposed to be able to generate directly execute a Social Engineering attack. While research-
Trojans with its own reverse shell and in the form of an *.exe ing the relevant tools, it emerged that the automation of attack
file, unexpectedly failed to install correctly and terminated tools is described almost exclusively in terms of phishing with
after several start attempts. Documentation for the tool was website cloning, mass emails and occasionally the use of bots.
not available at the time of testing and a linked YouTube video 1) Phishing with website cloning: SET offers the possibility
was no longer available. Social X is therefore only mentioned to clone any website into a website with phishing or hosting
as another possibility, as the last commit on GitHub was only multiple attack methods. The cloned page is ready for use as
a few months old and the error could possibly be fixed soon. soon as it is entered, and the user data entered is displayed
SET, which is included in every current installation of Kali- in colour directly on the command line. Zphisher [76] works
Linux, offers the option of automatically manipulating data in a similar way, also with regard to website cloning. Unlike

Copyright (c) IARIA, 2024. ISBN: 978-1-68558-130-5 7

ICCGI 2024 : The Nineteenth International Multi-Conference on Computing in the Global Information Technology

SET, however, Zphisher only offers ready-made templates for 3) Bot utilization: Another type of automation of Social
phishing pages and does not clone individual pages. This Engineering using bots is the preparation for the use of SM-
is also the case with phishEye [77], although it is the only SRanger [83], which is based on a Telegram bot. SMSRanger
tool listed that also offers the option of cloning websites for sends automated messages to people, in each case on behalf
mobile devices. During the application tests, it was found that of a bank, and asks them to enter OTP codes (One Time
although Blackeye [78] provides a number of templates for Password) in corresponding websites or in an automated call
social media platforms, these could not be tested directly as an via a voice bot using the telephone keypad. The service
error occurred when generating the phishing links and no links contains daily updates, is available in various languages and is
were generated or output for use. SocialFish [79] could also subject to a charge. At the time of research, calls from and to
not be fully tested and evaluated, as module error messages various countries, including German-speaking countries, were
occurred within the main application when the application was also included for USD 425 per month. SMSRanger is con-
started, despite all installed requirements and dependencies. trolled via a Telegram chat. This bot was also not activated for
The documentation for the app is very brief and rudimentary, security, legal and ethical reasons. With Honeybot [16], Tobias
so the error could not be rectified. Cloning the GitHub repos- Lauinger et al. have already shown that conversations between
itory again did not help either. StormBreaker [80] extends the two people can be started and influenced and controlled by the
list of phishing tools mentioned in this subsection with a tool bot-in-the-middle, which can also be used to carry out attacks.
that cannot clone websites like the others mentioned so far, but The Honeybot tool is only mentioned in this section and was
instead generates pages and links with the help of Ngrok with not tested or evaluated in this paper, as this has already been
a maximum of two inputs, which enable access to the camera, done in related work.
microphone and location data of the end devices. The location
VI. C ONCLUSIONS AND F UTURE W ORK
data is returned with a Google Maps link. StormBreaker also
offers an ”OS Password Grabber” function, which is designed A. Conclusion
to transfer the passwords entered. During the tests, there were In order to better understand automation in the area of Social
difficulties with this part of the function, as either the links Engineering and to be able to search for suitable tools and tool
to be sent were not generated or the application did not suites, but also to be able to classify automation in different
respond to inputs. However, the functionality of accessing the phases of Social Engineering, various Social Engineering
microphone, camera and location data of the potential target’s frameworks were analyzed and compared with each other. It
device is only possible if all phishing warnings displayed by was found, that the various models often differ in the number
the current browser generations are ignored when the page is of phases and that classifying automated tools into individual
accessed and authorisation to access the microphone, camera phases in this way is not purposeful. Therefore, a compression
or location is granted accordingly. to common phases of all models was carried out and from
2) Mass mailer: In addition to individual (spear) phishing this, the technical Social Engineering model was derived. Fur-
messages, the Social Engineering toolkit SET can also be used thermore, the individual phases of the described frameworks
to set up the sending of mass emails. The email addresses of from other works were assigned to the phases of the technical
the recipients can be provided via a separate text file, and a Social Engineering model, using phase mapping. A similar
separate mail server or sending via Google Mail (gmail) can be and comparable abstract model could not be found by the
selected for sending. The message content is accepted in both time of writing this paper. For the listing and clustering of the
HTML and plain text formatting. A test mailing with SET was automation-supported Social Engineering tools within section
carried out using our own mail server. As expected, the e-mail V, the individual phases of the technical Social Engineering
message was classified as SPAM and filtered accordingly. In model were used. The clustering of the corresponding tools
many cases it is not clear before sending a message whether it shows that in the information gathering phase there exists a
will be blocked by a mail server or whether it will be delivered lot of diversity and a large number of tools allowing for the
without any problems. In order to check the behaviour of mail most automation possibilities, as there is a large community of
servers when a message is received, a check can be carried interested parties and contributors from the OSINT area. This
out in advance using Phishious [81]. According to its own was shown not only in the short intervals, in which tools and
information, Phishious is the only tool to date that makes it updates to existing tools are published, but also in the linguistic
possible to scan phishing attacks via email. Phishious analyses diversity in which the applications are written. The short
the header data of undeliverable messages and can therefore intervals make it impossible to list and test all of the available
predict whether a message will be delivered or classified as tools. A selection of over 140 tools, written in German or
spam or junk mail. Another mass mailer tool can be seen in English language, were subjected to a practical application
Catero [82]. In addition to the option of cloning websites, and comparison, where it was found that information retrieval
Catero offers various ways of sending automated messages within the European Union has become more difficult since
and can be controlled entirely via the command line interface the introduction of the General Data Protection Regulation,
(CLI). Catero supports sending messages via Twillo accounts and that web applications for information retrieval in particular
for sending SMS messages, sending via LinkedIn accounts and largely only provide results in the states of the USA. There
WebMail services, Google Voice and iMessage. are, in the applications that are available free of charge, often

Copyright (c) IARIA, 2024. ISBN: 978-1-68558-130-5 8

ICCGI 2024 : The Nineteenth International Multi-Conference on Computing in the Global Information Technology

query limits implemented, that only allow a small number search results. Regarding availability, interesting tools could
of queries within a certain period of time. Registering to be collected during the research phase, but during the testing
receive an API key, shifts the query limits, depending on and application phase a few weeks later, they were no longer
the chosen tariff and tool, but also the up-to-dateness, as available and applicable. The free availability of automated
well as the amount of data provided. Within this work, only Social Engineering tools means, that these tools are available
freely available tools and API keys free of charge were used. to any person, can be used by any person, and thus any
Furthermore, it became apparent that results must be manually person can easily use Social Engineering techniques, without
checked for plausibility and validity before further use, since much effort or in-depth knowledge. Due to the availability of
the results of automated tools, with the exception of those that ready-to-use system environments, pre-configured systems are
read information directly from social media platforms, are not provided, which, with a simplified graphical user interface, can
necessarily correct or appropriate. When using the tools to deliver usable results within a short period of time, even for
gather information from social media platforms, most of the beginners.
platforms require a registered account. When using the tools b) RQ2: The various frameworks and phase models dif-
to prepare for attacks, it has been shown that automation can fer in terms of the number of phases, as well as the processes
be summarized to the preparatory generation and creation of within the phases themselves. Generally speaking, the phases
payloads and bots, as well as support in the formulation of of reconnaissance and the phases, within which attacks take
texts. When using the tools in the attack execution phase, the place, are best served and supported by automation. Due to the
researched and mentioned tools could be summarized into the number of differences between the various Social Engineering
categories ”phishing with website cloning”, ”mass mailers” models, it was not possible to map the automated tools to all
and the ”use of bots”. A completely end-to-end automated models, which is why the abstract technical Social Engineering
software that can map a complete Social Engineering attack model was derived from the other analyzed frameworks.
in all of its phases could not be found. The two tools Maltego c) RQ3: Records must be manually selected, validated,
and SET are, after completion of the tests and comparisons, and formatted for the next tool. Toolsuites, that offer multiple
the most functional and reliable tools. options and whose functionalities can be extended with plu-
gins, such as the mentioned tools Maltego, Lampyre, or also
B. Answering the research questions Spiderfoot HX, can transfer results into new searches most
The research questions posed at the beginning of the paper easily. These tools cannot guide a complete Social Engineering
can thus be answered as follows. process, but they accompany a large part of it very reliably.
a) RQ1: The freely available Social Engineering tools d) RQ4: The results of the tools depend very well on the
are automated in the sense that recurring query and search respective mode of operation itself. While some of the tools, in
work can be performed automatically, thus significantly re- order to deliver search results, make use of searching in archive
ducing manual effort. Searches can be performed via web databases or searching crawled and scanned websites, some
applications, but also locally installed tools. Web applica- tools access live data directly. In free program versions, live
tions shine with simpler operation and fast availability. The data was only analyzed by tools that search across social media
automation possibilities are greater when using the APIs of platforms, for example Tinfoleak or OSINTGram, and required
the search providers and platforms, since the results can be a corresponding user account. Searching crawled pages affects
processed further in an automated manner if the appropriate the reliability and the up-to-dateness of the results.
output is available. A completely automated solution could
not be found and is correspondingly difficult to develop, since C. Future Work
Social Engineering can be very dynamic and the validation As an extending future work, paid API keys of the applica-
and decision as to, whether data and information fit a current tions, offering higher-value subscriptions, can be purchased
target and scenario, must be made manually by the social and the results compared between the premium versions.
engineers themselves. Automation is also already available Under appropriate legal and ethical coverage, extended use
in the execution of attacks and in the corresponding prepa- of the tools, including for awareness and training purposes, is
ration, and the corresponding tools are already very easy conceivable. In the light of the increasing number of phishing
to use. During the application and writing of the paper, it messages, the comparison and use of professional Social
has become evident, that the selection and availability of Engineering tools, such as CanIPhish, GoPhish and SET, in
automated tools for the purpose of information retrieval is the the corporate context is a possibility. From this, organizational
largest. One justification of this can be the availability of a countermeasures, suitable for the respective organization, can
large community from the OSINT domain. Another reason be derived and an anti-Social Engineering framework can be
can be seen in the greater availability of these tools, among designed. In the analysis of free tools, it was found, that search
other things for awareness-raising measures. With regard to platforms, including Hunter.io, Shodan.io, as well as IntelX,
quality, it was stated in the paper that the scope of the search were used in common by some tools. In the context of a
and the number of permitted searches are subject to certain future work, the comparison of which and how many search
limitations, depending on the platform and are only increased engines and databases are used in the background, together
with paid subscriptions. This also affects the reliability of the and whether the results, despite use of same sources, differ.

Copyright (c) IARIA, 2024. ISBN: 978-1-68558-130-5 9

ICCGI 2024 : The Nineteenth International Multi-Conference on Computing in the Global Information Technology

Also, the development of an automated Social Engineering [26] M. Nohlberg and S. Kowalski, “The cycle of deception: a model of social
application, which can link the applications and results of engineering attacks, defenses and victims,” in Proceedings of the Second
International Symposium on Human Aspects of Information Security &
different Social Engineering tools together, can be initiated. Assurance (HAISA), University of Plymouth, 2008.
[27] A. Cullen and L. Armitage, “The social engineering attack spiral (seas),”
R EFERENCES in 2016 International Conference On Cyber Security And Protection Of
[1] K. D. Mitnick and W. L. Simon, The art of deception: Controlling the Digital Services (Cyber Security), pp. 1–6, IEEE, 2016.
human element of security. John Wiley & Sons, 2003. [28] A. Algarni, Y. Xu, and T. Chan, “Social engineering in social networking
[2] C. Hadnagy, Social engineering: The art of human hacking. John Wiley sites: the art of impersonation,” in 2014 IEEE International Conference
& Sons, 2010. on Services Computing, pp. 797–804, IEEE, 2014.
[3] K. Zheng, T. Wu, X. Wang, B. Wu, and C. Wu, “A session and dialogue- [29] “Checkusernames.” https://checkusernames.com/, Last accessed on Feb.
based social engineering framework,” IEEE Access, vol. 7, pp. 67781– 8, 2024.
67794, 2019. [30] “Recontool.” https://recontool.org/#mindmap, Last accessed on Feb. 8,
[4] E. D. Frauenstein and S. V. Flowerday, “Social network phishing: 2024.
Becoming habituated to clicks and ignorant to threats?,” in 2016 [31] “Hopain tools.” https://osint.hopain.cyou/, Last accessed on Feb. 8, 2024.
Information Security for South Africa (ISSA), pp. 98–105, IEEE, 2016. [32] “Builtwith.” https://builtwith.com/, Last accessed on Feb. 8, 2024.
[5] J. Talamantes, The Social Engineer’s Playbook: A Practical Guide to [33] “Spiderfoot.” https://www.spiderfoot.net, Last accessed on Feb. 8, 2024.
Pretexting. Hexcode Publishing, 2014. [34] “Shodan.” https://www.shodan.io, Last accessed on Feb. 8, 2024.
[6] P. Kim, The hacker playbook 2: practical guide to penetration testing. [35] “Zoomeye.” https://www.zoomeye.org, Last accessed on Feb. 8, 2024.
Secure Planet, LLC, 2015. [36] “Spyse.” https://spyse.com, Last accessed on Feb. 8, 2024.
[7] C. Hadnagy, The Science of Human Hacking. Wiley Publishing Inc., [37] “Chaos.” https://chaos.projectdiscovery.io, Last accessed on Feb. 8,
2018. 2024.
[8] Z. Wang, H. Zhu, P. Liu, and L. Sun, “Social engineering in cyberse- [38] “Synapsint.” https://synapsint.com/index.php, Last accessed on Feb. 8,
curity: a domain ontology and knowledge graph application examples,” 2024.
Cybersecurity, vol. 4, pp. 1–21, 2021. [39] “Email-format.” https://www.email-format.com, Last accessed on Feb.
[9] H. Aldawood and G. Skinner, “An advanced taxonomy for social 8, 2024.
engineering attacks,” International Journal of Computer Applications, [40] “Hunter.io.” https://hunter.io, Last accessed on Feb. 8, 2024.
vol. 177, no. 30, pp. 1–11, 2020. [41] “Intelligencex platform.” https://intelx.io/, Last accessed on Feb. 8, 2024.
[10] B. Banire, D. Al Thani, and Y. Yang, “Investigating the experience [42] “Sleepingtime.” http://sleepingtime.org/, Last accessed on Feb. 8, 2024.
of social engineering victims: Exploratory and user testing study,” [43] “Whatsapp monitor.” https://github.com/rizwansoaib/whatsapp-monitor,
Electronics, vol. 10, no. 21, p. 2709, 2021. Last accessed on Feb. 8, 2024.
[11] J. Obuhuma and S. Zivuku, “Social engineering based cyber-attacks [44] “Webmii.” https://webmii.com/, Last accessed on Feb. 8, 2024.
in kenya,” in 2020 IST-Africa Conference (IST-Africa), pp. 1–9, IEEE, [45] “Idcrawl.” https://www.idcrawl.com/, Last accessed on Feb. 8, 2024.
2020. [46] “Maltego.” https://www.maltego.com, Last accessed on Feb. 8, 2024.
[12] N. A. Hassan and R. Hijazi, Open source intelligence methods and tools. [47] “Be careful what you osint with.”
Springer, 2018. https://keyfindings.blog/2020/03/23/be-careful-what-you-osint-with/,
[13] C. P. Janssen, S. F. Donker, D. P. Brumby, and A. L. Kun, “History Last accessed on Feb. 8, 2024.
and future of human-automation interaction,” International journal of [48] “Lampyre.” https://lampyre.io, Last accessed on Feb. 8, 2024.
human-computer studies, vol. 131, pp. 99–107, 2019. [49] “Crosslinked.” https://github.com/m8r0wn/crosslinked, Last accessed on
[14] Z. Wang, L. Sun, and H. Zhu, “Defining social engineering in cyberse- Feb. 8, 2024.
curity,” IEEE Access, vol. 8, pp. 85094–85115, 2020. [50] “Userrecon.” https://github.com/vijaysahuofficial/UserReCon?
[15] M. Huber, “Automated social engineering, proof of concept,” Royal fbclid=IwAR0NAexz0KEyNDvJSOfSyOzsw9Z0Hc9j7AtB38ZK5AsI-
Institute of Technology Stockholm, 2009. 5vupj46Dh95o-o, Last accessed on Feb. 8, 2024.
[16] T. Lauinger, V. Pankakoski, D. Balzarotti, and E. Kirda, “Honeybot, [51] “Userreconpy.” https://github.com/lucmski/userrecon-py, Last accessed
your man in the middle for automated social engineering.,” in LEET, on Feb. 8, 2024.
pp. 1–8, 2010. [52] “Nexfil.” https://github.com/thewhiteh4t/nexfil?
[17] P. Kaul and D. Sharma, “Study of automated social engineering, its fbclid=IwAR0NAexz0KEyNDvJSOfSyOzsw9Z0Hc9j7AtB38ZK5AsI-
vulnerabilities, threats and suggested countermeasures,” International 5vupj46Dh95o-o, Last accessed on Feb. 8, 2024.
Journal of Computer Applications, vol. 67, no. 7, pp. 13–16, 2013. [53] “Sherlock.” https://sherlock-project.github.io, Last accessed on Feb. 8,
[18] Y. Kano and T. Nakajima, “Trust factors of social engineering attacks 2024.
on social networking services,” in 2021 IEEE 3rd global conference on [54] “Us3r-f1nd3r.” https://github.com/machine1337/userfinder?
life sciences and technologies (LifeTech), pp. 25–28, IEEE, 2021. fbclid=IwAR3sCrgnkLvCUuLHP5VT6X8pVUvfyb8W0DZPenHVDA-
[19] A. Stern, “Social networkers beware: Facebook is a major phishing VTIq3Et3zwMldWL0, Last accessed on Feb. 8, 2024.
portal,” Kaspersky Lab, vol. 23, 2014. [55] “Thorndyke.” https://github.com/rly0nheart/thorndyke?
[20] K. Kikerpill and A. Siibak, “Mazephishing: The covid-19 pandemic as fbclid=IwAR1qnLkHJOC0a-OdlRXk1svN8ypAo6BvuQTrA8L5E4VY
credible social context for social engineering attacks,” Trames: A Journal xbgI4UzVXLUz6PE, Last accessed on Feb. 8, 2024.
of the Humanities and Social Sciences, vol. 25, no. 4, pp. 371–393, 2021. [56] “Buster.” https://github.com/sham00n/buster, Last accessed on Feb. 8,
[21] EUR-Lex, “Regulation (eu) 2016/679 of the european parliament and of 2024.
the council of 27 april 2016 on the protection of natural persons with [57] “The harvester.” https://www.kali.org/tools/theharvester/, Last accessed
regard to the processing of personal data and on the free movement on Feb. 8, 2024.
of such data, and repealing directive 95/46/ec (general data protection [58] “Racoon.” https://github.com/evyatarmeged/Raccoon, Last accessed on
regulation),” 2016. Feb. 8, 2024.
[22] M. Huber, S. Kowalski, M. Nohlberg, and S. Tjoa, “Towards automating [59] “Sublist3r.” https://github.com/aboul3la/Sublist3r, Last accessed on Feb.
social engineering using social networking sites,” in 2009 International 8, 2024.
Conference on Computational Science and Engineering, vol. 3, pp. 117– [60] “Sn0int.” https://github.com/kpcyrd/sn0int, Last accessed on Feb. 8,
124, IEEE, 2009. 2024.
[23] “The cyber kill chain.” https://www.lockheedmartin.com/en- [61] “I am the frogy.” https://github.com/iamthefrogy/frogy, Last accessed on
us/capabilities/cyber/cyber-kill-chain.html, Last accessed on Feb. Feb. 8, 2024.
8, 2024. [62] “Recon spider.” https://github.com/bhavsec/reconspider, Last accessed
[24] “What is social engineering.” https://www.imperva.com/learn/application- on Feb. 8, 2024.
security/social-engineering-attack/, Last accessed on Feb. 8, 2024. [63] “Osintgram.” https://github.com/Datalux/Osintgram, Last accessed on
[25] F. Mouton, M. Malan, L. Leenen, and H. S. Venter, “Social engineering Feb. 8, 2024.
attack framework,” in 2014 Information Security for South Africa, pp. 1– [64] “Sterra.” https://github.com/novitae/sterraxcyl, Last accessed on Feb. 8,
9, IEEE, 2014. 2024.

Copyright (c) IARIA, 2024. ISBN: 978-1-68558-130-5 10

ICCGI 2024 : The Nineteenth International Multi-Conference on Computing in the Global Information Technology

[65] “Insta extract.” https://github.com/JavideSs/insta-extract, Last accessed

on Feb. 8, 2024.
[66] “Tw1tteros!nt.” https://github.com/falkensmz/tw1tter0s1nt, Last ac-
cessed on Feb. 8, 2024.
[67] “Tinfoleak.” https://github.com/vaguileradiaz/tinfoleak, Last accessed on
Feb. 8, 2024.
[68] “Rubber ducky.” https://github.com/hak5darren/USB-Rubber-
Ducky/wiki/Payloads, Last accessed on Feb. 8, 2024.
[69] “The social engineering toolkit.” https://www.trustedsec.com/tools/the-
social-engineer-toolkit-set, Last accessed on Feb. 8, 2024.
[70] “Powershell script.” https://github.com/enigma0x3/Generate-Macro,
Last accessed on Feb. 8, 2024.
[71] “Macropac.” https://github.com/sevagas/macro pac, Last accessed on
Feb. 8, 2024.
[72] “Toneanalyzer.” https://tone-analyzer-demo.ng.bluemix.net/, Last ac-
cessed on Feb. 8, 2024.
[73] “Toneanalyzer.” https://github.com/watson-developer-cloud/tone-
analyzer-nodejs, Last accessed on Feb. 8, 2024.
[74] “Realboy.” http://ca.olin.edu/2008/realboy, Last accessed on Feb. 8,
2024.
[75] “Snap r.” https://github.com/zerofox-oss/SNAP R, Last accessed on
Feb. 8, 2024.
[76] “Zphisher.” https://github.com/htr-tech/zphisher, Last accessed on Feb.
8, 2024.
[77] “phisheye.” https://github.com/sky9262/phishEye?
fbclid=IwAR1hdh rgxK24YB4gi 2FYtY4D7Qrxt05WPwU2ZKGa1g
XCh7ln7MF0RfmyI, Last accessed on Feb. 8, 2024.
[78] “Blackeyeq.” https://github.com/An0nUD4Y/blackeye, Last accessed on
Feb. 8, 2024.
[79] “Socialphish.” https://github.com/UndeadSec/SocialFish, Last accessed
on Feb. 8, 2024.
[80] “Stormbreaker.” https://github.com/ultrasecurity/Storm-Breaker?
fbclid=IwAR2HX8B5RRQ2f-yRlWndAjxZM1PKfZxVZq-GM-
9C f317IFWGjdAVhcRHaY, Last accessed on Feb. 8, 2024.
[81] “Phishious.” https://github.com/Rices/Phishious?
fbclid=IwAR2OhR2kRNkAyyGS7skSzOwlRPEWDcxzFwzohAFuj coi
QFlMdq7t9wlh k, Last accessed on Feb. 8, 2024.
[82] “Catero.” GitHub - Section9Labs/Catero: Catero - Social Engineering
Framework, Last accessed on Feb. 8, 2024.
[83] “Smsranger.” https://smsranger.io/, Last accessed on Feb. 8, 2024.

Copyright (c) IARIA, 2024. ISBN: 978-1-68558-130-5 11