by Dominik Dana (St. Pölten University of Applied Sciences), Sebastian Schrittwieser (University of Vienna, JRC AsTra), Peter Kieseberg (St. Pölten University of Applied Sciences)
To analyse the practical capabilities and limitations of automated social engineering, we conducted a practical study covering more than 140 open-source tools. To achieve comparability, we derived an abstract model that extracts the relevant aspects of the most important attack modelling frameworks.
In recent years, the development of social engineering (SE) techniques has been accompanied by the emergence of a wide range of automated tools. The integration of artificial intelligence (AI) into these tools has further enhanced their capabilities, particularly by reducing the manual effort required to conduct targeted attacks, as attackers can now design personalized attack paths based on information collected about specific individuals. Despite this progress, most available tools remain specialized, addressing only selected tasks rather than the entire attack chain. Furthermore, several different approaches for modelling social engineering have been proposed in the literature, each with its specific advantages; however, this variety reduces the comparability of the tools.
To structure the analysis, a technical social engineering model was developed by synthesizing the commonalities of established frameworks. The study aims to illustrate the degree to which automation in SE attacks is feasible, while also assessing the functionalities and reliability of the tools under investigation.
Automation in social engineering evolves rapidly, while academic approaches and real-world implementations often diverge substantially. Consequently, a purely literature-based approach would not have provided sufficient insight, so we followed a more practical approach by evaluating 140 different open-source tools within a practical application setting, illustrating the degree to which automation in SE attacks is feasible, and assessing the functionalities and reliability of the tools [1]. More specifically, our research addresses the following research questions (RQs):
- RQ1: To what extent are freely available SE tools already automated, and what are the implications for social engineering?
- RQ2: Which phases of social engineering can be supported by existing tools?
- RQ3: How do different tools interact, and are there tool suites that support the entire SE process?
- RQ4: How reliable are the results produced by these tools?
To answer these questions, a generalized model for social engineering attacks was derived (Figure 1). This model synthesizes the most prominent SE frameworks, including the Cyber Kill Chain, the Social Engineering Cycle, the Social Engineering Lifecycle, the Social Engineering Pyramid, the Social Engineering Attack Framework, the Cycle of Deception, the Social Engineering Attack Spiral, the Session and Dialogue-Based Framework, and the Phase- and Source-Based Model. The generalized model enables consistent mapping and comparison of tool functionalities across heterogeneous frameworks.
![Figure 1: Generalized SE Model – Overview [1].](/images/stories/EN143/dana.png)
Figure 1: Generalized SE Model – Overview [1].
The study showed that freely available SE tools exhibit automation primarily in recurring queries and search operations. Automation capabilities are enhanced when tools rely on application programming interfaces (APIs), as outputs can be further processed automatically. A fully automated end-to-end solution, however, was not identified. Automation is also prevalent in attack execution and preparation, where tools are designed for ease of use. The majority of automation was observed in information retrieval technologies, likely influenced by the strong open-source intelligence (OSINT) community. The analyzed frameworks vary with respect to the number and definition of phases, but overall, reconnaissance and attack-execution phases benefit most from automation. Due to structural differences between frameworks, direct mapping of tools to all models was not feasible. For this reason, the generalized model served as the reference framework for tool classification.
Even though the level of automation is very good in some parts of the SE lifecycle, especially reconnaissance, manual intervention remains necessary for record selection, validation, and formatting before data can be processed by subsequent tools. Special tool suites such as Maltego [L1] and Lampyre [L2], which provide extensibility through plugins, cover a large portion of the SE process. While they do not offer complete end-to-end automation, they provide stable and reliable support across multiple phases. Tool reliability often depends strongly on the tool's operational mode: some tools rely on archived databases or previously crawled and scanned websites, whereas others query live data sources. These differences affect both the accuracy and the timeliness of results.
The analysis demonstrates that automation is most advanced in the information-gathering phase. This is reflected in the large number of tools available, the rapid release cycle of new applications and updates, and the linguistic diversity of implementations. The study revealed that information retrieval within the European Union has become more challenging since the introduction of the General Data Protection Regulation (GDPR) [2], while many web-based retrieval applications continue to provide results predominantly for the United States.
Most free-to-use tools impose query limits, restricting large-scale automation; furthermore, the integration of AI remains relatively immature and falls short of expectations. Current tools thus automate individual tasks effectively but lack seamless integration into a fully automated SE pipeline. Future developments in API access, data integration, and AI-driven contextual analysis may eventually enable end-to-end automation of SE attacks, raising critical implications for both attackers and defenders.
For future work, we will expand these experiments and plan to continuously evaluate new developments in the field. With the advent of low-cost LLMs, the automation of phishing and vishing in particular comes within the reach of non-experts, which will likely change the attacker profiles in these areas.
Links:
[L1] https://www.maltego.com/
[L2] https://lampyre.io/
References:
[1] D. Dana, S. Schrittwieser, P. Kieseberg, “Automated Social Engineering Tools – Overview and Comparison with Respect to Capabilities and Detectability”, ICCGI 2024.
[2] European Parliament and Council, “Regulation (EU) 2016/679 (General Data Protection Regulation),” Official Journal of the European Union, 2016.
Please contact:
Peter Kieseberg
St. Pölten University of Applied Sciences, Austria
