Date of Award
Engineering and Applied Science - Computer Science
Krishna Phani Kumar Vadrevu
Vassil R Roussev
Syed Adeel Ahmed
Most cybersecurity attacks begin with a social engineering attack component that exploits human fallibilities. Hence, it is very important to study the prevailing defense mechanisms against such attacks. Unfortunately, not much is known about the effectiveness of these defense mechanisms. This dissertation attempts to fill this knowledge gap by adopting a two-fold approach that conducts a holistic analysis of social engineering attacks.
In the first fold, we focused on phishing attacks, which remain a predominant class of social engineering attacks despite having existed for two decades. Entities such as Google and Microsoft deploy enormous Anti-Phishing Entity systems (APEs) to enable automatic and manual visits to billions of candidate phishing websites globally. We developed a novel, low-cost framework named PhishPrint to evaluate APEs. Our framework found several flaws in the APEs of 22 companies that enable attackers to easily deploy evasive phishing sites that can blindside them. These flaws include a lack of network diversity as well as exposure to crawler artifacts. One significant flaw that affected every entity we analyzed was the lack of browser fingerprint diversity. We then continued our efforts in this direction by enhancing PhishPrint to enable it to differentiate between automated and human visits. Using this, we evaluated the weaknesses of the very expensive human-driven components of 5 APEs. Our analysis again revealed a significant lack of diversity in their infrastructure, thus exposing them to practical evasive attacks. We revealed all these weaknesses, as well as suitable remediation measures for affected entities, prompting several bug reports as well as monetary rewards.
In the second fold, we focused our attention on emerging social engineering attacks and their defense mechanisms. We chose cryptocurrency scams that run rampant on social media networks such as Twitter as an example of such emerging attacks. In order to evaluate the effectiveness of Twitter’s defense mechanisms, we developed a novel system named HoneyTweets that periodically posts messages on Twitter as bait to attract social engineering attackers. We then deployed HoneyTweets over a 3-week period and conducted extensive analysis of the collected attacks to reveal several attack mechanisms that remain out of the scope of Twitter’s existing defenses. Our analysis also resulted in the collection of thousands of ensuing attack points such as e-mail accounts, Instagram handles, and externally hosted web pages built by attackers for the purpose of accomplishing the next stages of attacks.
Our work thus presents multiple evaluation frameworks that can be used for continuous evaluation of existing social engineering defenses in the future.
Acharya, Bhupendra, "Analyzing the Robustness of Prevalent Social Engineering Defense Mechanisms" (2022). University of New Orleans Theses and Dissertations. 3042.
Available for download on Tuesday, December 16, 2025