If you have email or spend any time at all browsing the internet, you have probably experienced some form of a social engineering hack, which is a fraudulent attempt to get access to personal information—or your money.
Survey scams, scareware and phishing expeditions are some examples of such attempts that can lead to malware and ransomware infections and cause monetary damage to victims.
University of New Orleans computer science professor Phani Vadrevu has been awarded a $1.2 million grant from the National Science Foundation to develop methods to protect users from such web-based social engineering attacks.
The project, which will use artificial intelligence to track and model online attacks, is expected to improve the research community’s understanding of web-based social engineering and make a substantial impact on user protection.
“The NSF grant is focused on developing client-side defenses against all web-based social engineering attacks,” Vadrevu said. “Our goal there is to develop AI-based defenses that can help protect users from such attacks.”
The four-year research project is a collaboration among UNO’s Cyber Center, the University of Georgia and Stony Brook University in New York, Vadrevu said.
To defend against such attacks, Vadrevu’s team plans to develop a comprehensive framework that utilizes multiple advanced machine learning techniques to discover, model and defend against web-based social engineering attacks on both desktop and mobile devices.
Researchers plan to develop targeted web-crawling techniques for automatically harvesting, analyzing and categorizing instances of new social engineering attacks on the internet.
The designed defense systems will track how web pages are delivered to users, monitor how they are executed within the browser and extract visual features, as well as network and web-content metadata.
By learning how the attack models work, the defense systems are expected to be able to detect new attacks in real time on both desktop and mobile devices, researchers said.
“PhishPrint” Another Public Impact Research Project
Vadrevu is also working on an unrelated, but complementary internet-user defense project that has garnered him a monetary “bounty” from Google and recognition from other sectors of the tech industry, including a presentation of the findings at the USENIX Security Symposium. USENIX is a highly selective security conference that publishes cybersecurity research.
Vadrevu’s research is called “PhishPrint: Evading Phishing Detection Crawlers by Prior Profiling.” It is a measurement study that found weaknesses in security crawler systems used by top companies, such as Google, Microsoft and AT&T.
“Right now, I am working on a grant proposal to develop defenses for such weaknesses,” Vadrevu said.
The lead author of the paper, Bhupendra Acharya, is a UNO graduate student whose research work is part of his thesis, Vadrevu said.
Many internet companies use bots, also called crawlers, to automatically scout websites and determine whether they are safe, Vadrevu said. These bots then quickly create, in real time, a block list of “unsafe websites” and notify the user.
All major web browsers, including Chrome, Edge and Safari, and email services such as Outlook use these website lists to keep users safe. For example, Google's bot service, called Google Safe Browsing, is deployed in over 4 billion devices and is being used by about 2 billion users in the world, Vadrevu said.
However, by capitalizing on the idiosyncrasies of some of the security bots, Vadrevu’s research found new ways to circumvent the security measure.
Vadrevu said researchers were able to easily “fingerprint” bots and use the information to build their own smart phishing websites that would show “safe” content to only the bots of security companies. Meanwhile, the same website would allow the “unsafe” content to be shown to a large percentage of potential human users.
“Our experiments, conducted with due ethical considerations, showed that while regular phishing sites can be detected and shut down by these scouting bots in a couple of hours, our ‘smart’ phishing websites can stay alive indefinitely despite multiple submissions to several popular security bots,” Vadrevu said. “This showed the seriousness of the weaknesses that we discovered in the crawlers.”
UNO researchers found these deficiencies in 23 security bots including those used by Google, Microsoft, AlienVault (from AT&T), PhishTank (from Cisco), Norton and Sophos, Vadrevu said.
As is the custom with security papers, researchers contacted the organizations and gave detailed disclosures of the vulnerabilities discovered.
Google responded with a $5,000 grant from its Vulnerability Reward program for the discovery, Vadrevu said.