syssec_red_book
13.5. State of the Art

Scammers operating in online social networks have been analyzed by Stringhini et al. [364], who observed that the scammers' social-network usage patterns are distinctive because of their malicious behavior. This allowed them to design a system that profiles accounts and detects likely-malicious ones with high confidence. In their work, the authors collaborated with Twitter and detected and deleted 15,857 spamming accounts. Three years later, Egele et al. [164] improved on previous approaches to adapt them to the new techniques used by attackers. Indeed, while in the past most scamming activity in online social networks was carried out through the creation of bogus accounts, modern scammers have realized that compromising legitimate, real accounts makes their phishing and social-engineering activities even more reliable. Egele's approach copes with this by using a combination of statistical modeling and anomaly detection to identify accounts that exhibit a sudden change in behavior: an account's own message history defines what is normal for it, and new messages that deviate sharply from that history are treated as a sign that the account may have been taken over. They tested their approach on a large-scale dataset of more than 1.4 billion publicly-available Twitter messages and on a dataset of 106 million Facebook messages, and it was able to identify compromised accounts on both social networks.

Recently, Onarlioglu et al. [307] performed a large-scale measurement of how real users deal with Internet attacks, including phishing and other social-engineering-based threats. Their findings suggest that non-technical users can often avert relatively simple threats very effectively, although they do so by following their intuition, without actually perceiving the severity of the threat. Another interesting, yet unsurprising, finding is that the trick banners that are common on file-sharing websites, and shortened URLs, have high success rates at deceiving non-technical users, thus posing a severe security risk.
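As an added illustration of the behavior-change idea described above (example code written for this page, not the system of Egele et al. or any of the cited works), the following Python builds a per-account profile from a message history and scores newer messages against it. The message fields (time, source, text), the three features tracked (hour of day, posting client, linked domains), the thresholds and all sample messages are constructed assumptions for this example; the real systems use richer feature sets and proper statistical models rather than simple counts.

```python
"""Toy behavior-change detector for social-network accounts (added example)."""
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://\S+")


def extract_domains(text):
    """Return the set of lower-cased host names linked from a message."""
    return {urlparse(u).netloc.lower() for u in URL_RE.findall(text)}


class AccountProfile:
    """Behavioral profile of one account, learned from its own past messages.

    Three features are tracked (an assumption of this example): hour of day,
    posting client ("source"), and linked domains.
    """

    def __init__(self):
        self.hours = Counter()
        self.sources = Counter()
        self.domains = Counter()
        self.n = 0

    def add(self, msg):
        self.hours[datetime.fromisoformat(msg["time"]).hour] += 1
        self.sources[msg["source"]] += 1
        for d in extract_domains(msg["text"]):
            self.domains[d] += 1
        self.n += 1

    def score(self, msg, hour_min_prob=0.05):
        """Anomaly score 0..3: one point per feature that departs from history."""
        s = 0
        hour = datetime.fromisoformat(msg["time"]).hour
        if self.n == 0 or self.hours[hour] / self.n < hour_min_prob:
            s += 1  # account rarely or never posts at this hour
        if self.sources[msg["source"]] == 0:
            s += 1  # never seen this posting client before
        domains = extract_domains(msg["text"])
        if domains and any(self.domains[d] == 0 for d in domains):
            s += 1  # links to a domain the account never linked before
        return s


def detect_change(history, recent, per_msg_threshold=2, flag_fraction=0.5):
    """Flag an account whose recent messages mostly deviate from its history.

    Returns (flagged, per-message scores). Both thresholds are assumptions.
    """
    profile = AccountProfile()
    for m in history:
        profile.add(m)
    scores = [profile.score(m) for m in recent]
    anomalous = sum(1 for s in scores if s >= per_msg_threshold)
    flagged = len(recent) > 0 and anomalous / len(recent) >= flag_fraction
    return flagged, scores


# Constructed sample data: 20 evening posts from the web client linking to the
# account's own blog, followed by two candidate "recent" windows.
HISTORY = [
    {"time": f"2015-07-{day:02d}T{18 + day % 5:02d}:15:00", "source": "web",
     "text": f"New post on my blog http://blog.example.com/post/{day}"}
    for day in range(1, 21)
]
COMPROMISED = [
    {"time": f"2015-07-{21 + i:02d}T03:0{i}:00", "source": "ThirdPartyApp",
     "text": "Your account needs verification, log in at "
             "http://login-verify.example-bank.test/"}
    for i in range(5)
]
BENIGN_RECENT = [
    {"time": f"2015-07-{21 + i:02d}T19:30:00", "source": "web",
     "text": "Weekend reading: http://blog.example.com/post/weekend"}
    for i in range(3)
]

if __name__ == "__main__":
    print("compromised window:", detect_change(HISTORY, COMPROMISED))
    print("benign window:", detect_change(HISTORY, BENIGN_RECENT))
```

The account is flagged only when most messages in the recent window deviate on at least two features at once; a single odd message (one late-night post from the usual client) scores low and does not trip the detector, which is what keeps this kind of approach usable on legitimate accounts whose behavior naturally varies a little.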
Non-technical users, and in particular elderly users, have also been targeted through less sophisticated yet effective means: the so-called "vishing" (i.e., voice phishing) is the practice of defrauding users through telephone calls. We cannot identify when vishing first appeared (probably back in the phreaking era), nor can we state that this threat has disappeared [3, 55]. Albeit not widespread, because it scales poorly, vishing, also known as "phone scam" or "419 scam," has received some attention from researchers. To make this a viable business, modern scammers have begun to take advantage of customers' familiarity with "new technologies" such as Internet-based telephony, text messages [20], and automated telephone services. The first detailed description of the vishing phenomenon was by Ollmann [305], who provided brief, clear definitions of the emerging "*-ishing" practices (e.g., smishing, vishing) and pointed out the characteristics of the vishing attack vectors. Maggi [264] was the first to analyze this phenomenon from user-provided reports of suspected vishing activity. The majority of the vishing activity registered was targeted against US phone users. By analyzing the content of the transcribed phone conversations, the author found that keywords such as "credit" and "press" (a key) or "account" are
