DevPhish: Exploring Social Engineering in Software Supply Chain Attacks on Developers

TL;DR

This paper investigates social engineering tactics used by attackers targeting software developers during the software supply chain process, highlighting methods to improve threat detection and security measures.

Contribution

It provides a comprehensive overview of social engineering techniques in SSC attacks, combining academic and real-world data to inform threat modeling and security strategies.

Findings

Identifies key social engineering tactics in SSC attacks

Analyzes real-world incidents for practical insights

Offers a systematic overview of manipulative strategies

Abstract

The Software Supply Chain (SSC) has captured considerable attention from attackers seeking to infiltrate systems and undermine organizations. There is evidence indicating that adversaries utilize Social Engineering (SocE) techniques specifically aimed at software developers. That is, they interact with developers at critical steps in the Software Development Life Cycle (SDLC), such as accessing Github repositories, incorporating code dependencies, and obtaining approval for Pull Requests (PR) to introduce malicious code. This paper aims to comprehensively explore the existing and emerging SocE tactics employed by adversaries to trick Software Engineers (SWEs) into delivering malicious software. By analyzing a diverse range of resources, which encompass established academic literature and real-world incidents, the paper systematically presents an overview of these manipulative strategies within the realm of the SSC. Such insights prove highly beneficial for threat modeling and security gap analysis.