
ScienceDirect
Available online at www.sciencedirect.com
Procedia Computer Science 198 (2022) 656–661
www.elsevier.com/locate/procedia

The second International Workshop of Innovation and Technologies (IWIT 2021)
November 1-4, 2021, Leuven, Belgium
Overview of Social Engineering Attacks on Social Networks

Kaouthar Chetioui a*, Birom Bah a, Abderrahim Ouali Alami a, Ayoub Bahnasse b

a Lab IASSE, ENSA, Sidi Mohamed Ben Abdellah University, Fez, Morocco
b ENSAM Casablanca, Hassan II university, Casablanca, Morocco

Abstract

Social networks have become a trusted communication medium for both personal and professional communication. However,
hackers regularly exploit the trust of the users of social networks for their own gain. This is often done by using phishing attacks.
Phishing emails are both a scam and a business. Many companies, governments and individuals have been affected by these
attacks. The most powerful tool an attacker can use to access this knowledge is Social Engineering by manipulating a person into
giving information to the social engineer. It is superior to most other forms of hacking in that it can breach even the most secure
systems, as the users themselves are the most vulnerable part of the system. Research has shown that Social Engineering can be
easily automated in many cases and can therefore be performed on a large scale. Social Engineering has become an emerging
threat in virtual communities. Information security is key to any business’s growth. This paper gives an overview of Social
Engineering attacks on social networks, Social Engineering principles and types.
© 2021 The Authors. Published by Elsevier B.V.
This is an open access article under the CC BY-NC-ND license (https://creativecommons.org/licenses/by-nc-nd/4.0)
Peer-review under responsibility of the Conference Program Chairs.

Keywords: Social Engineering; phishing; social networks; attacks;

* Corresponding author. Tel.: +212 660 401 106;
E-mail address: kaoutharchetioui@gmail.com

1877-0509 © 2021 The Authors. Published by Elsevier B.V.
10.1016/j.procs.2021.12.302
Kaouthar Chetioui et al. / Procedia Computer Science 198 (2022) 656–661 657

1. Introduction

It is well known that the Internet is a global communication system where people all around the world can meet
and talk about almost anything. Communication through social media, be it for good or bad reasons, has become the
order of the day. The world is deeply attached to the Internet. Unfortunately, not everyone uses the Internet for good
purposes. There are lots of people who are using social networks to steal personal information, especially through
phishing, so all users of such sites need to be vigilant to protect themselves.
Phishing is a form of attack whereby attackers try to get hold of one’s personal details by misleading them. This
is widespread on the Internet and one normally receives emails instructing him/her to enter his/her personal
information to protect his/her account. This is mostly done through sending an email that contains some enticing
information. This could be for example, through sending an attractive link that seems to come from a trusted source
to lure the victim to provide personal information.
Social networks are becoming a very popular source of information for these phishers. They can easily use all of
the information that is contained in someone’s social networking account to steal the person’s identity. The good
thing is that there are preventive measures that could help mitigate Social Engineering attacks.
The main contributions of this paper are the following:
• We discuss Social Engineering attacks on social networks
• We then talk about Social Engineering, its principles and its types

2. Related Works

Katharina Krombholz et al. gave a comprehensive and complete overview of Social Engineering attacks on the
knowledge worker, surveyed the state of the art of research in this field, and provided a comprehensive taxonomy
to categorize Social Engineering attacks and measure their impact [1]. Arif KOYUN et al., in their article "Social
Engineering Attacks", gave a complete overview of Social Engineering attacks by discussing their phases, types,
approaches, skills, and detection and prevention methods [2]. Dr. M. Nazreen Banu et al., in their article "A
Comprehensive Study of Phishing Attacks", discussed the types of phishing, the theoretical aspects of phishing
techniques and the categories of anti-phishing techniques [3]. Ana Ferreira et al., in their research paper "An Analysis
of Social Engineering Principles in Effective Phishing", discussed at length the principles of Social Engineering
applied in several phishing emails [4].

3. Overview of Social Engineering and its Principles

3.1. Presentation of Social Engineering attacks

Social Engineering is the art of influencing individuals in order to gain confidential information such as
passwords, addresses, bank details etc. by exploiting human vulnerabilities. Rather than use technological
vulnerabilities, these attacks take advantage of human weaknesses such as feelings, trust, and habits to gain people’s
confidential information or data. Even though this is less advanced than other cyber-attack strategies, Social
Engineering can cause severe harm to the victim [5]. A lot of criminals use Social Engineering tactics because it is
usually easier to exploit your natural inclination to trust than it is to discover ways to hack your software. For
example, it is much easier to fool someone into giving you their password than it is for you to try hacking their
password (unless the password is really weak).
It was reported that one of the biggest cyber-attacks of the century happened on Yahoo!, where it is believed that
attackers were able to breach its systems in 2014 and make away with the account details of over 500 million users.
It was confirmed by the FBI that Social Engineering was used in the attack to get the attackers past the scrutiny of
the layers upon layers of security tools and systems used to protect such data. This attack on Yahoo!, a giant tech
company, therefore confirms that Social Engineering is more dangerous than it is given credit for. It is evident that no
one is secure if one of the oldest email service providers, which invests heavily in cyber security tools, can be
compromised so easily using this technique [6].

3.2. Principles of Social Engineering

Social Engineering scams are focused on how people think, react and behave. Once an attacker knows what
triggers a user’s actions, they can easily manipulate them. The majority of Social Engineering scams rely on
direct communication between the attacker and the victim. Instead of using brute force methods to break into the data,
the attacker tries to convince the user to compromise themselves.

Fig. 1. Typical Social Engineering life cycle.

The following are the steps in a typical Social Engineering life cycle (fig.1):
• Investigation: The attacker will choose a victim, conduct background research on them, and determine an
attack method.
• Hook: The attacker will get closer to the victim by establishing a relationship and gaining trust.
• Play: Once the relationship is developed, the attacker will manipulate the victim and obtain the necessary
information.
• Exit: When the attacker receives the necessary information or the user performs the desired action, the
attacker will end their communication with the victim and move on to a new target.
If a criminal manages to hack or socially engineer one person’s email password, they have access to that person’s
contact list, and because most people use one password everywhere, they probably have access to that person’s
social networking contacts as well. This is why it is advisable to use different passwords for different accounts.
Once the criminal has that email account under their control, they send emails to all the person’s contacts or leave
messages on all their friends’ social pages, and possibly on the pages of the friends of the person’s friends.
These messages could take many forms, including:
• An email from a friend containing a link that you just have to check out. Because the link comes from a
friend and you’re curious, you trust the link and click, and are infected with malware so the criminal
can take over your machine, collect your contacts’ info and deceive them just like you were deceived.
• An email from a friend containing a download of pictures, music, a movie, a document, etc., that has malicious
software embedded. If you download it, which you are likely to do since you think it is from your friend,
you become infected. Now the criminal has access to your machine, email account, social network
accounts and contacts, and the attack spreads to everyone you know. And on, and on.
• An email from another trusted source using a compelling story or pretext, such as urgently asking for your
help, making phishing attempts with a legitimate-seeming background, presenting a problem that requires you
to "verify" your information by clicking on the displayed link and providing information in their form,
notifying you that you’re a ‘winner’, or posing as a boss or coworker.

Security is all about knowing who and what to trust. It is important to know when and when not to take a person
at their word and when the person you are communicating with is who they say they are. The same is true of online
interactions and website usage: when do you trust that the website you are using is legitimate or is safe to provide
your information? These are key points to reflect upon in order to mitigate the risks of Social Engineering pitfalls.
Any security professional will tell you that the weakest link in the security chain is the human who accepts
a person or scenario at face value. It doesn’t matter how many locks and deadbolts are on your doors and windows,
or if you have guard dogs, alarm systems, floodlights, fences with barbed wire, and armed security personnel; if you
trust the person at the gate who says he/she is the pizza delivery guy and you let him/her in without first checking to
see if he/she is legitimate, you will be completely exposed to whatever risk he/she represents [7].

4. Forms of Social Engineering attacks

4.1. Phishing attacks

Phishing attackers pretend to be a trustworthy organization or individual in order to trick you into revealing personal
information. This method involves sending spoofed emails, making phone calls, or sending SMS messages at random to a very
large number of people, requesting them to provide their confidential information. To trick people into giving up
passwords and other personal details, the communication is made to appear to come from a legitimate organization or
body. Whether it’s a direct communication or via a fake website form, anything you share goes directly into a
scammer’s pocket, and they can use it against you.
A very common variant of the phishing scam is Spear Phishing in which the attacker targets particular people or
companies. The attackers then do a background study and customize their messages based on the job titles,
characteristics, and contacts of their victims in order to build trust and make their attack less noticeable [3].
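As an added illustration of the defensive side of this section and of the message forms listed in Section 3.2, the following Python script (written for this overview, not part of the paper or any cited work) scans a raw email for three of the cues described above: a displayed link that shows one domain while its href leads to another, a Reply-To domain that differs from the apparent sender, and lure wording such as "verify", "urgent" or "winner". The two sample messages, all domains in them, and the heuristic names are constructed for this example.

```python
"""Flag phishing cues in a raw RFC 822 message (added example, not the paper's own code).

Cues checked, all taken from the paper's description of phishing messages:
  1. Reply-To domain differs from the From domain (replies are silently redirected)
  2. a link whose visible text shows one domain while its href points to another
  3. lure wording ("verify", "urgent", "winner", ...) combined with a link to click
"""
from email import message_from_string, policy, utils
from html.parser import HTMLParser
from urllib.parse import urlparse

# Lure phrases named in the text above plus two common companions (constructed list)
LURE_WORDS = ("verify", "urgent", "winner", "suspended", "confirm your")


class _BodyCollector(HTMLParser):
    """Collect visible text and (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.text = []
        self.anchors = []
        self._href = None
        self._anchor_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._anchor_text = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._anchor_text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'name.tld' reduction; production code would consult the public-suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def domain_in(text):
    """Domain of a URL or of a bare host written as link text (e.g. 'www.bank.test'), else ''."""
    s = text.strip()
    if not s:
        return ""
    if "://" not in s:
        s = "http://" + s
    host = urlparse(s).hostname or ""
    return registrable_domain(host) if "." in host else ""


def phishing_indicators(raw_message):
    """Return the cues found in one message as a dict (empty values mean 'not observed')."""
    msg = message_from_string(raw_message, policy=policy.default)
    from_domain = utils.parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    reply_domain = utils.parseaddr(str(msg.get("Reply-To", "")))[1].rpartition("@")[2].lower()

    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    anchors, visible = [], content
    if body is not None and body.get_content_type() == "text/html":
        collector = _BodyCollector()
        collector.feed(content)
        anchors, visible = collector.anchors, "".join(collector.text)

    # Cue 2: the link shows one domain but its href leads somewhere else
    mismatches = []
    for href, shown in anchors:
        shown_dom, real_dom = domain_in(shown), domain_in(href)
        if shown_dom and real_dom and shown_dom != real_dom:
            mismatches.append((shown_dom, real_dom))

    haystack = (str(msg.get("Subject", "")) + " " + visible).lower()
    return {
        # Cue 1: replies would go to a domain other than the claimed sender's
        "reply_to_mismatch": bool(reply_domain) and reply_domain != from_domain,
        "link_mismatches": mismatches,
        "lure_words": [w for w in LURE_WORDS if w in haystack],
        "link_count": len(anchors),
    }


def is_suspicious(raw_message):
    """Decision rule: a hard cue alone, or lure wording combined with a link to click."""
    cues = phishing_indicators(raw_message)
    return bool(cues["reply_to_mismatch"] or cues["link_mismatches"]
                or (cues["lure_words"] and cues["link_count"]))


# Constructed sample messages; every domain below is fictitious.
SAMPLE_PHISH = """\
From: "Account Security" <security@bank-example.test>
Reply-To: helpdesk@mailbox-relay.test
To: user@example.test
Subject: Urgent: verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>We detected a problem. Please <a href="http://login.bank-example-secure.test/verify">
https://www.bank-example.test/verify</a> within 24 hours.</p>
</body></html>
"""

SAMPLE_BENIGN = """\
From: "Alice" <alice@example.test>
To: bob@example.test
Subject: Photos from the weekend
Content-Type: text/html; charset=utf-8

<html><body><p>Album here: <a href="https://photos.example.test/a/1">https://photos.example.test/a/1</a></p></body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(label, is_suspicious(sample), phishing_indicators(sample))
```

Lure words on their own are deliberately not enough to flag a message, since "confirm your attendance" is ordinary office mail; the rule fires on a hard cue (redirected Reply-To, disguised link) or on lure wording that is paired with something to click, which is the combination the paper describes.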

4.2. Baiting

A baiting attack is one in which baits are used to lure the victim by triggering their curiosity. Baits are physical or
non-physical items, such as pen drives or CDs with company logos, which are used to steal a victim’s confidential
information. An attacker leaves bait in a common area such as a parking lot, a bathroom, etc. Once a victim picks up the
bait out of curiosity and inserts it into a work or home computer, the device is infected with malware
automatically.
Everyone likes to get free stuff, right? A free download of a popular song, a movie or an app. What could go
wrong?
If the scammers are behind this, then most likely your computer has been compromised as soon as you began that
download. Baiting promises a free good, like a song, in exchange for your information. Once you provide the
sensitive data the hackers are after, the virus is downloaded onto your computer.
Illegal torrents that go around copyright laws and are usually free, are notorious for containing malware and
viruses and are a good example of baiting [7].

4.3. Tailgating

This form of Social Engineering technique doesn’t use email or another online medium to gain information.
Instead, the hacker makes close, personal contact with the victim. Tailgating is used to gain access to a secure
building by blending in and making you think that the hacker truly belongs there. Earlier in the article, we
gave an example of letting someone you don’t know, such as a delivery guy, into an apartment building or a
workplace.

This is a good example of tailgating. Just imagine a professional-looking woman, with her hands full with purse
and coffee and maybe another bag struggling to pull out her badge (or you are assuming that she is trying to pull out
or find her badge). If she asked you to help and open the door, wouldn’t you graciously help? Of course, you would.

Some confidence on the part of the hacker, a good story, small talk and a bit of acting ability, and you are bound
never even to suspect that you just allowed a hacker into the building. She might even slip an infected USB drive
into your pocket or swap it with one that you had [5].

4.4. Quid Pro Quo

Quid Pro Quo involves a promise of a service (unlike baiting, which promises a good such as a movie or an app) in
exchange for sensitive information. The most common Quid Pro Quo scheme is a scammer pretending to be an IT
consultant or a customer support representative returning an employee’s call. Eventually, he will reach an employee
who really does have a problem. The “fix” will usually involve revealing sensitive information such as a password and
other credentials.
Other, less sophisticated Quid Pro Quo plots might involve a workplace contest or a survey [5].

4.5. Vishing

This technique uses the same idea as phishing, just over the phone. Think about the last spam call you got,
talking about a cruise you have “won” and the information you need to provide to receive your prize. This is a good
example of vishing. The scammers will ask you for your personal information such as address, date of birth,
financial information, etc. Or, you could receive an email from your “bank” asking you to call the bank’s number to
confirm your identity by entering a password after clicking on an attached link. Of course, you’d be calling the
scammer instead.
One common example is a scam that has been used since at least 2009. A hacker, posing as a Microsoft solutions
architect, calls an organization’s employee and informs them that their computer has been infected with a virus.
Then, typically, the employee is directed to download software from “Microsoft’s” website to fix the situation. The
unsuspecting employee doesn’t know that she is actually downloading malware [7].

4.6. Pretexting

This is another technique that is similar to phishing. Whereas phishing preys on the victim’s fear or urgency to do
something, pretexting capitalizes on the human desire to trust. The hacker builds a false sense of security and trust
with their victim. A pretexting scam requires a lot of research on the part of the scammer, who concocts a story that leaves
little doubt that it’s safe to give them the information requested. Some scammers also use pretexting to gain access
to the organization’s physical location by pretending to be an employee of another branch, an auditor, a consultant,
etc.
For instance, after researching a large company with multiple locations, a scammer is likely to exploit
the fact that employees from different locations don’t interact with other locations often. Imagine another
“employee” coming to visit your branch, saying they are the CEO’s assistant. They have the right story, say all the right
words, and know all the right facts about the CEO and the company. You have no reason not to believe them.
After all, it’s entirely possible that they are a new hire whose announcement email you somehow missed. They might even have
a badge (fake, of course)! So you might not think twice about providing them the financial reports they “need” for
their supposed branch. What just happened here? The scammer has your company’s sensitive financial data and, to
make it worse, you have been conned into willingly providing it to them. That’s pretexting [7].

5. Conclusion

In this article, we have given an overview of social engineering attacks on social media, their principles and types.
Unfortunately, we cannot stop these attacks using only security techniques, because a social engineer without any
security knowledge can easily attack even a robust security system. Currently, social engineering attacks have
increased dramatically and are causing emotional and financial damage to people and businesses. Information is
vital in our daily lives and businesses and thus needs to be protected from the wrong hands. Therefore, there is a
great need to invest in cybersecurity awareness in order to train people to be more conscious and attentive.

References

[1] Katharina Krombholz, Heidelinde Hobel, Markus Huber and Edgar Weippl. (2015) “Advanced Social Engineering attacks” Journal of
Information Security and Applications 22: 113-122.
[2] Arif KOYUN and Ehssan Al Janabi. (2017) “Social Engineering Attacks” Journal of Multidisciplinary Engineering Science and Technology
(JMEST) 4(6): 7533-7538.
[3] Dr. M. Nazreen Banu and S. Munawara Banu. (2013) “A Comprehensive Study of Phishing Attacks” International Journal of Computer
Science and Information Technologies 4(6): 783-786.
[4] Ana Ferreira and Gabriele Lenzini. (2015) “An Analysis of Social Engineering Principles in Effective Phishing” Workshop on Socio-
Technical Aspects in Security and Trust: 9-16.
[5] Fatima Salahdine and Naima Kaabouch. (2019) “Social Engineering Attacks: A survey” Future Internet 11(89).
[6] Dr. Erdal Ozkaya. “Learn Social Engineering: Learn the art of human hacking with an internationally renowned expert” 1st Edition, Kindle
Edition.
[7] Venkatesha, S., Reddy, K.R. and Chandavarkar, B.R. (2021) “Social Engineering Attacks During the COVID-19 Pandemic” SN Computer
Science 2: 78.
