Some of the disclosed embodiments are generally directed to methods and systems for detecting and responding to social engineering attacks. Social engineering attacks can take many forms, such as malicious emails, websites, downloadable content, or other malicious digital media. One factor contributing to this problem is that email and other forms of Internet communication are becoming more ubiquitous as more people depend on them for everyday personal and business purposes. Further, the technologies used to implement these forms of communication are advancing rapidly in complexity and flexibility. As a result, the user base is expanding, often with an ever increasing number of non-technically savvy new users, at the same time that the software those users rely on is becoming more sophisticated. The widening gap between users' technical familiarity with the tools they employ and the intricacies of those same tools presents hackers and other bad actors with the opportunity to exploit a large and unsuspecting user base.
One common technique that hackers have used to exploit this gap is a social engineering attack. In a social engineering attack, a hacker often seeks to extract information from a user by deceiving the user into believing that he or she is providing information to or taking some action with respect to a trusted party. The social engineering attack thus differs from other hacking attacks in which a hacker may attempt to gain access to a computer or network purely through technological means or without the victim's assistance.
A “phishing” attempt is one example of a social engineering attack. In a phishing attempt, a hacker may send an email that poses as another party, such as a bank or other entity with which the user has an account. The phishing email may use company logos or information about the user to appear legitimate. Images, links, and diction in the email may each or all be of a fraudulent nature. The user might be invited to “log in” or to provide other information to a nefarious website that mimics a legitimate website, for example, by telling the user that he or she must reset his or her password. When the user logs into the fraudulent website, usually operated by the hacker, the hacker obtains the user's password or other information, which the hacker may then use to log into the user's actual account.
Another example of a social engineering attack is when a user is sent an email inviting the user to click on a link to download content that harbors malware. The term malware generally refers to any kind of program that is designed to perform operations that the owner or user of the computer on which the program resides would not approve of, and may include viruses, worms, Trojan horses, spyware, adware, etc. For example, a user may be sent an email that purports to be from a person or an institution that the user knows. The email invites the user to download a song or movie by providing a link. However, the link may instead point to malware that, once downloaded and executed by the user, installs a Trojan horse, virus, or any other form of malware on the user's computer.
Some related art approaches to protecting users from social engineering attacks have tended to focus on analyzing the email itself for standard patterns and clues as to whether the email may constitute a form of a social engineering attack. However, this approach is of limited value when the email either does not contain one or more of the standard patterns, or may be recognized as malicious only by referencing external information associated with the email that could be constantly changing or evolving. There is therefore a need for methods and systems that are able to evaluate emails, websites, or any other form of analog or digital media using information external to the content of the digital media itself.
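As an added illustration of the distinction drawn above (example code written for this edit, not part of the original disclosure or any product it describes): a classifier that looks only at patterns inside the message, beside a check that consults information external to it. The three sample messages, the brand-to-domain table and the domain-age table are all constructed stand-ins; a real system would replace the two tables with WHOIS/DNS, reputation or published-sender lookups, and the function and signal names are this example's own.

```python
"""Pattern-only vs external-data phishing signals over constructed sample emails."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)
URGENCY_RE = re.compile(r"\b(urgent|suspended|verify|within \d+ hours)\b", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed stand-ins for external data sources (assumption: a deployed system
# would query the brand's published sender domains and a WHOIS/DNS age service).
BRAND_DOMAINS = {"First Bank": {"firstbank.example"}}
DOMAIN_AGE_DAYS = {
    "firstbank.example": 4100,
    "firstbank-secure.example": 3,
    "first-bank-alerts.example": 1,
}
NEW_DOMAIN_THRESHOLD_DAYS = 30

# Constructed sample messages: one crude phish, one that mimics the bank
# carefully, and one genuine statement notice.
SAMPLES = {
    "obvious": """From: "First Bank" <security@first-bank-alerts.example>
To: alice@example.org
Subject: Urgent: verify your account
Content-Type: text/html

<p>Your account has been suspended. <a href="http://192.0.2.10/login">Log in to First Bank</a> within 24 hours.</p>
""",
    "subtle": """From: "First Bank" <notices@firstbank-secure.example>
To: alice@example.org
Subject: Statement available
Content-Type: text/html

<p>Your monthly statement is ready. <a href="https://firstbank-secure.example/statement">View statement</a></p>
""",
    "legit": """From: "First Bank" <notices@firstbank.example>
To: alice@example.org
Subject: Statement available
Content-Type: text/html

<p>Your monthly statement is ready. <a href="https://firstbank.example/statement">View statement</a></p>
""",
}


def link_hosts(msg):
    """Hostnames of every href in the (single-part) HTML body."""
    return [urlparse(u).hostname or "" for u in HREF_RE.findall(msg.get_payload())]


def content_signals(msg):
    """Signals derivable from the message alone: the related-art approach."""
    signals = []
    if URGENCY_RE.search(msg.get("Subject", "") + " " + msg.get_payload()):
        signals.append("urgency-language")
    for url in HREF_RE.findall(msg.get_payload()):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if IPV4_RE.match(host):
            signals.append(f"ip-literal-link:{host}")
        if parsed.scheme == "http":
            signals.append(f"plain-http-link:{host}")
    return signals


def external_signals(msg, brand_domains=BRAND_DOMAINS, domain_age=DOMAIN_AGE_DAYS):
    """Signals that need data outside the message: who owns the brand's
    domains, and how recently each domain in the message first appeared."""
    signals = []
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    registered = brand_domains.get(display_name)
    if registered is not None and sender_domain not in registered:
        signals.append(f"sender-domain-not-registered-to-brand:{sender_domain}")
    for host in sorted({sender_domain, *link_hosts(msg)}):
        if not host or IPV4_RE.match(host):
            continue  # IP literals are already caught by the content check
        age = domain_age.get(host)
        if age is None:
            signals.append(f"unknown-domain:{host}")
        elif age < NEW_DOMAIN_THRESHOLD_DAYS:
            signals.append(f"newly-registered-domain:{host}")
    return signals


def classify(raw):
    """Run both signal sets; the message is suspicious if either fires."""
    msg = message_from_string(raw)
    content, external = content_signals(msg), external_signals(msg)
    return {"content": content, "external": external, "suspicious": bool(content or external)}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw))
```

The "subtle" sample is the case the text is concerned with: it carries no urgency language, no IP-literal or plain-HTTP link, and a domain that contains the brand name, so the content-only check returns nothing, and only the external lookups (sender domain not registered to the brand, domain a few days old) flag it. Those lookups are exactly the kind of constantly changing information that cannot be baked into a static pattern list.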