Documat


An Experiment to Create Awareness in People concerning Social Engineering Attacks

  • Benavides-Astudillo, Eduardo; Fuertes-Díaz, Walter [1]; Sánchez-Gordon, Sandra [1]
    1. [1] Escuela Politécnica Nacional, Quito, Ecuador

  • Published in: Revista Ciencia UNEMI, ISSN-e 2528-7737, ISSN 1390-4272, Vol. 13, No. 32, 2020 (Issue: January-April), pp. 27-40
  • Language: Spanish
  • DOI: 10.29076/issn.2528-7737vol13iss32.2020pp27-40p
  • Original title (Spanish):
    • Un experimento para crear conciencia en las personas acerca de los ataques de Ingeniería Social
  • Abstract
    • Spanish (translated)

      Social Engineering is the technique of fraudulently obtaining confidential information from users in order to use it against them, or against the organizations they work for. This study presents an experiment focused on raising awareness of the consequences of this type of attack, by carrying out a controlled attack on trusted people. To achieve this, a set of tricks and activities commonly used by attackers to obtain sensitive information were carried out, encouraging the curiosity of social-network contacts so that they would visit a personal blog with fictitious information. In addition to this human interaction, a hidden and unwanted plug-in was installed to collect user information such as IP address, country of origin, operating system and browser type. With the information collected, a scan was run against ports 80 (web server) and 22 (SSH server) to find further sensitive information. The results were then shown to the victims. In addition, after the attack, users were surveyed about their knowledge of Phishing and Social Engineering. The results show that only 2% of the people suspected or asked about the real reason for visiting the blog. Furthermore, it shows that the people who visited the blog have no knowledge or awareness of how sensitive information can be compromised in a relatively simple way.

    • English

      Social Engineering is the technique of obtaining confidential information from users, in a fraudulent way, with the purpose of using it against themselves, or against the organizations where they work. This study presents an experiment focused on raising awareness about the consequences of this type of attack, by executing a controlled attack on trustworthy people. To accomplish this, we have carried out a set of activities or tricks that attackers use to obtain information, inspiring the curiosity of social network contacts to visit a personal blog with fictitious information. In addition to this human interaction, a hidden plug-in has been installed to collect user information such as their IP address, country, operating system, and browser type. With the information collected, a pentesting attack has been done on ports 80 and 22, in order to collect more information. Finally, the results were shown to the victims. In addition, after the attack, users were surveyed about their knowledge of Phishing or Social Engineering. The results demonstrate that only 2% of people suspected or asked about the real reason to visit the Blog. Furthermore, it reveals that the people who visited the blog do not have any knowledge or awareness of how sensitive information can be stolen in a relatively simple way.


Fundación Dialnet
