Cyber security research: The dark art of Remote Online Social Engineering
In 2018, we conducted research on an emerging attack vector: threat actors using so-called ‘catfishing’ techniques to target organisations. This means attackers create false personae online, spend considerable time and effort to make them look legitimate (even by creating a synthetic network of profiles), and target specific individuals at organisations by customising their approach. It’s often used as an alternative to mass phishing or spearphishing attacks, or for particularly sensitive or valuable targets.
This research was conducted by Matt Wixey, PwC UK’s Cyber Security R&D lead, and involved:
- Examining the methodology of the attack.
- Analysing case studies where the attack has been used.
- Developing a checklist to detect false personae.
- Investigating various countermeasures.
Our approach
To place Remote Online Social Engineering (ROSE) into context, we began by examining and comparing different types of online deception. We then analysed several case studies and developed a flowchart of possible attack methodologies, examining attacker motivations for each step, and, importantly, things defenders could do at each point to frustrate the attacker.
We then delved deeper into the psychological and behavioural reasons why this attack works – the fact that it is long-term, and is designed to build trust and rapport with targeted individuals, can mean it succeeds where more traditional attacks, such as mass phishing, can fail. We also produced a checklist with specific advice and things to look for in online profiles which could suggest they’re fake.
Finally, we investigated some countermeasures, and focused on one in-depth: the use of linguistic analysis to detect deception. When people lie, their behaviours and words often change, and there are several indicators which, if collated and analysed, could indicate the possibility of deception. It’s not a silver bullet, of course, but other studies suggest it’s promising, and it’s something we’re going to look at in more detail going forwards.
The results
We discovered that ROSE is an attack which often succeeds, simply because more preparation, thought, and customisation go into it, which can make targeted individuals more susceptible and likely to engage. ROSE wouldn’t be suitable for every threat actor, as it requires a lot of time investment from the attacker’s side, but would certainly be worth it for certain scenarios.
Find out more
For more information, you can watch the Black Hat USA 2018 talk and download the slides
Contact us
