Traditional phishing and social engineering attack techniques are typically well-documented and understood. While such attacks often still succeed, a combination of psychology, awareness campaigns, and technical or physical controls has made significant progress in limiting their effectiveness.
In response, attackers are turning to increasingly sophisticated and longer-term efforts involving self-referencing synthetic networks, multiple credible false personae, and highly targeted and detailed reconnaissance. This approach, which I call ROSE (Remote Online Social Engineering), is a variant of catfishing, and is performed with the specific aim of compromising an organisation's network. By building rapport with targeted victims, attackers are able to elicit sensitive information, gather material for extortion, and persuade users to take actions leading to compromises.
In this talk, I place ROSE within the context of other false personae activities – trolling, sockpuppetry, bots, catfishing, and others – using detailed case studies, and provide a comprehensive and in-depth methodology of an example ROSE campaign, from target selection and profile building, through to first contact and priming victims, and finally to the pay-off and exit strategies, based on experiences from red team campaigns.
I'll discuss three case studies of ROSE attacks in the wild, comparing them to the methodology I developed, and will then discuss the ethical, social, and legal issues involved in ROSE attacks. I'll proceed to cover ROSE from a defender's perspective, examining ways in which specific techniques can be detected and prevented, through technical controls, attribution, linguistic analysis, and responses to specific enquiries. To take this approach one step further, I'll also explore ways in which ROSE techniques could be used for 'offensive defence'.
Finally, I'll wrap up by examining future techniques which could be of use during ROSE campaigns or for their detection, and will invite the audience to suggest other ways in which ROSE techniques could be combatted.
Matt Wixey leads technical research for the PwC Cyber Security practice in the UK, working closely with the Ethical Hacking team, and is a PhD candidate at University College London. Prior to joining PwC, Matt led a technical R&D; team for a law enforcement agency in the UK. His research interests include antivirus and sandboxing technologies, unconventional attack vectors, side- channels, and radio security.