Every ROSE has its Thorn: The Dark Art of Remote Online Social Engineering

Conference: Black Hat USA 2018



The presentation discusses the use of multiple online personas to deceive and manipulate individuals and organizations, and proposes a checklist for detecting and defending against such attacks.
  • Online deception through the use of multiple personas is an insidious technique that requires patience and perseverance on the part of the attacker.
  • Detection methods for these attacks are largely untested and experimental, but promising enough to warrant further development.
  • Defending against these attacks can involve increasing cognitive load and introducing false information to the attacker.
  • Future research should focus on linguistic markers for deception, technical detection of deep fakes, and personal filters and thresholds for susceptibility to social engineering.
  • An anecdote is provided about a US judge who created multiple personas on extremist forums and posed as an al Qaeda affiliate.
  • Tags: cybersecurity, online deception, multiple personas, detection, defense, research.
The presentation gives the example of Shannen Rossmiller, a US judge who created multiple personas on extremist forums and posed as an al Qaeda affiliate. She ran a sophisticated setup, with a distinct style and manner of speaking for each persona, and would retire a persona by having it "killed" in real life once it was no longer needed or was close to being detected. Although this example shows the techniques being used against adversaries rather than by them, it demonstrates how effective multiple personas can be in deceiving and manipulating individuals and organizations.


Traditional phishing and social engineering attack techniques are typically well-documented and understood. While such attacks often still succeed, a combination of psychology, awareness campaigns, and technical or physical controls has made significant progress in limiting their effectiveness.

In response, attackers are turning to increasingly sophisticated and longer-term efforts involving self-referencing synthetic networks, multiple credible false personae, and highly targeted and detailed reconnaissance. This approach, which I call ROSE (Remote Online Social Engineering), is a variant of catfishing, and is performed with the specific aim of compromising an organisation's network. By building rapport with targeted victims, attackers are able to elicit sensitive information, gather material for extortion, and persuade users to take actions leading to compromises.

In this talk, I place ROSE within the context of other false personae activities (trolling, sockpuppetry, bots, catfishing, and others) using detailed case studies, and provide a comprehensive and in-depth methodology of an example ROSE campaign, from target selection and profile building, through first contact and priming victims, to the pay-off and exit strategies, based on experiences from red team campaigns.

I'll discuss three case studies of ROSE attacks in the wild, comparing them to the methodology I developed, and will then discuss the ethical, social, and legal issues involved in ROSE attacks. I'll proceed to cover ROSE from a defender's perspective, examining ways in which specific techniques can be detected and prevented, through technical controls, attribution, linguistic analysis, and responses to specific enquiries.

To take this approach one step further, I'll also explore ways in which ROSE techniques could be used for 'offensive defence'. Finally, I'll wrap up by examining future techniques which could be of use during ROSE campaigns or for their detection, and will invite the audience to suggest other ways in which ROSE techniques could be combatted.
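As an added example (an editor's illustration, not code or a method from the talk), the following Python script combines two of the detection angles the abstract names, linguistic analysis and the self-referencing network, to flag a cluster of accounts that both write alike and vouch for each other. The profiles, the character-trigram stylometry and the 0.6 similarity threshold are all constructed assumptions; in practice the account data would come from a platform's API, and real authorship attribution uses far richer features than trigram counts.

```python
"""Added example (not from the talk): two cheap signals for spotting a cluster of
synthetic personae that prop each other up, as in a ROSE campaign's
self-referencing network. Signal 1: stylometric similarity between accounts'
posts (character-trigram cosine). Signal 2: mutual endorsement between accounts.
Accounts linked by BOTH signals are grouped into clusters.
All profiles below are constructed for illustration, not real accounts."""
from collections import Counter
from itertools import combinations
import math

# Constructed sample data. "endorses" = other accounts this one publicly
# recommends or vouches for. alice_r / bob_k / carla_m are the synthetic cluster.
PROFILES = {
    "alice_r": {
        "posts": ["Really insightful keynote on cloud security today, loved it!!",
                  "Anyone at the meetup thursday? Would be great to connect :)"],
        "endorses": {"bob_k", "carla_m"},
    },
    "bob_k": {
        "posts": ["Loved it, really insightful keynote on cloud security today!!",
                  "Would be great to connect, anyone at the meetup thursday? :)"],
        "endorses": {"alice_r", "carla_m"},
    },
    "carla_m": {
        "posts": ["Insightful keynote on cloud security today, really loved it!!",
                  "Would be great to connect at the meetup thursday, anyone going? :)"],
        "endorses": {"alice_r", "bob_k"},
    },
    "dan_w": {  # a genuine contact who happens to endorse one of the personae
        "posts": ["Finished migrating our CI runners to the new VPC with zero downtime.",
                  "Patch window is Saturday 02:00 UTC; page me if anything breaks."],
        "endorses": {"alice_r"},
    },
    "erin_s": {
        "posts": ["New post: threat modelling a payment flow, step by step.",
                  "Thanks for the review comments, fixed the race in the retry path."],
        "endorses": set(),
    },
}


def char_ngrams(text, n=3):
    """Character n-gram counts over lower-cased, whitespace-normalised text."""
    text = " ".join(text.lower().split())
    return Counter(text[i:i + n] for i in range(len(text) - n + 1))


def style_vector(profile):
    """Aggregate n-gram counts over all of an account's posts."""
    vec = Counter()
    for post in profile["posts"]:
        vec.update(char_ngrams(post))
    return vec


def cosine(a, b):
    """Cosine similarity between two sparse count vectors (Counters)."""
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def stylometric_pairs(profiles, threshold=0.6):
    """Account pairs whose writing style is suspiciously similar.
    The 0.6 threshold is an illustrative assumption; tune it on real data."""
    vecs = {name: style_vector(p) for name, p in profiles.items()}
    return {(a, b) for a, b in combinations(sorted(profiles), 2)
            if cosine(vecs[a], vecs[b]) >= threshold}


def mutual_endorsements(profiles):
    """Account pairs that vouch for each other (the self-referencing signal)."""
    return {(a, b) for a, b in combinations(sorted(profiles), 2)
            if b in profiles[a]["endorses"] and a in profiles[b]["endorses"]}


def suspicious_clusters(profiles, threshold=0.6):
    """Connected components over pairs flagged by BOTH signals; singletons dropped."""
    edges = stylometric_pairs(profiles, threshold) & mutual_endorsements(profiles)
    parent = {name: name for name in profiles}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in edges:
        parent[find(a)] = find(b)
    groups = {}
    for name in profiles:
        groups.setdefault(find(name), set()).add(name)
    return sorted((g for g in groups.values() if len(g) > 1), key=sorted)


if __name__ == "__main__":
    for cluster in suspicious_clusters(PROFILES):
        print("possible persona cluster:", sorted(cluster))
```

Either signal on its own is noisy: genuine colleagues endorse each other, and short posts on a single topic can look alike, which is why the script requires both before grouping accounts. It is a triage check to run over a batch of new connection requests or newly active accounts, not proof of a ROSE campaign; a flagged cluster is a prompt for the attribution and direct-enquiry steps the abstract describes.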