Date of Award

12-2022

Degree Type

Dissertation

Degree Name

Ph.D.

Degree Program

Engineering and Applied Science - Computer Science

Department

Computer Science

Major Professor

Krishna Phani Kumar Vadrevu

Second Advisor

Vassil R Roussev

Third Advisor

Mahdi Abdelguerfi

Fourth Advisor

Syed Adeel Ahmed

Fifth Advisor

Luca Pezzo

Abstract

Most cybersecurity attacks begin with a social engineering attack component that exploits human fallibilities. Hence, it is very important to study the prevailing defense mechanisms against such attacks. Unfortunately, not much is known about the effectiveness of these defense mechanisms. This dissertation attempts to fill this knowledge gap by adopting a two-fold approach that conducts a holistic analysis of social engineering attacks.

In the first fold, we focused on phishing attacks, which remain a predominant class of social engineering attacks despite two decades of their existence. Entities such as Google and Microsoft deploy enormous Anti-Phishing Entity systems (APEs) to enable automatic and manual visits to billions of candidate phishing websites globally. We developed a novel, low-cost framework named PhishPrint to evaluate APEs. Our framework found several flaws in the APEs of 22 companies which enable attackers to easily deploy evasive phishing sites that can blindside them. These flaws include a lack of network diversity as well as exposure to crawler artifacts. One significant flaw that affected every entity we analyzed was the lack of browser fingerprint diversity. We then continued our efforts in this direction by enhancing PhishPrint to enable it to differentiate between automated and human visits. Using this, we evaluated the weaknesses of the very expensive human-driven components of 5 APEs. Our analysis again revealed a significant lack of diversity in their infrastructure, thus exposing them to practical evasive attacks. We disclosed all these weaknesses, along with suitable remediation measures, to the affected entities, prompting several bug reports as well as monetary rewards.

In the second fold, we focused our attention on emerging social engineering attacks and their defense mechanisms. We chose cryptocurrency scams that run rampant on social media networks such as Twitter as an example of such emerging attacks. In order to evaluate the effectiveness of Twitter’s defense mechanisms, we developed a novel system named HoneyTweets that periodically posts messages on Twitter as bait to attract social engineering attackers. We then deployed HoneyTweets over a 3-week period and conducted extensive analysis of the collected attacks to reveal several attack mechanisms that remain out of the scope of Twitter’s existing defenses. Our analysis also resulted in the collection of thousands of ensuing attack points such as e-mail accounts, Instagram handles, and externally hosted web pages built by attackers for the purpose of accomplishing the next stages of attacks.

Our work thus presents multiple evaluation frameworks which can be used for continuous evaluation of existing social engineering defenses in the future.

Rights

The University of New Orleans and its agents retain the non-exclusive license to archive and make accessible this dissertation or thesis in whole or in part in all forms of media, now or hereafter known. The author retains all other ownership rights to the copyright of the thesis or dissertation.

Available for download on Tuesday, December 16, 2025