CFP last date
22 December 2025
Call for Paper
January Edition
IJCA solicits high quality original research papers for the upcoming January edition of the journal. The last date of research paper submission is 22 December 2025

Submit your paper
Know more
The week's pick
Responsive image
A Hybrid Transformer-CNN Framework with Early and Late Fusion for Robust Skin Lesion Classification

Raihan Tanvir
Random Articles
Reseach Article

Exploiting the Human Element: A Multivector Study on USB Attacks, AI-Driven Phishing, and Metadata-based Surveillance

by Allan Munyira, Carrol Donna Kudaro, Collins Katende, Hamuza Senyonga
journal cover thumbnail

International Journal of Computer Applications
Foundation of Computer Science (FCS), NY, USA
Volume 187 - Number 56
Year of Publication: 2025
Authors: Allan Munyira, Carrol Donna Kudaro, Collins Katende, Hamuza Senyonga
10.5120/ijca2025925974

Allan Munyira, Carrol Donna Kudaro, Collins Katende, Hamuza Senyonga . Exploiting the Human Element: A Multivector Study on USB Attacks, AI-Driven Phishing, and Metadata-based Surveillance. International Journal of Computer Applications. 187, 56 ( Nov 2025), 29-44. DOI=10.5120/ijca2025925974

@article{ 10.5120/ijca2025925974,
author = { Allan Munyira, Carrol Donna Kudaro, Collins Katende, Hamuza Senyonga },
title = { Exploiting the Human Element: A Multivector Study on USB Attacks, AI-Driven Phishing, and Metadata-based Surveillance },
journal = { International Journal of Computer Applications },
issue_date = { Nov 2025 },
volume = { 187 },
number = { 56 },
month = { Nov },
year = { 2025 },
issn = { 0975-8887 },
pages = { 29-44 },
numpages = {9},
url = { https://ijcaonline.org/archives/volume187/number56/exploiting-the-human-element-a-multivector-study-on-usb-attacks-ai-driven-phishing-and-metadata-based-surveillance/ },
doi = { 10.5120/ijca2025925974 },
publisher = {Foundation of Computer Science (FCS), NY, USA},
address = {New York, USA}
}
%0 Journal Article
%1 2025-11-18T21:11:06.814274+05:30
%A Allan Munyira
%A Carrol Donna Kudaro
%A Collins Katende
%A Hamuza Senyonga
%T Exploiting the Human Element: A Multivector Study on USB Attacks, AI-Driven Phishing, and Metadata-based Surveillance
%J International Journal of Computer Applications
%@ 0975-8887
%V 187
%N 56
%P 29-44
%D 2025
%I Foundation of Computer Science (FCS), NY, USA
Abstract

Cybersecurity violations continue to grow not only because of technical weaknesses but also because of the consistent exploitation of the human factor. This study analyses how the modern adversary abuses the human factor through three coming attack vectors, USB-based exploits, AI-driven phishing and metadata-based surveillance, to execute synchronized multivector campaigns. The study uses a synthesis of secondary data, empirical literature and a large scale simulation comprising 10,000 trials to construct a hypothetical financial institution (ABC Bank) to measure the individual and combined effect of these attack modalities on system resilience. Findings indicate that phishing is the most common vector, with approximately 63 per cent of successful attacks, but USB-based physical attacks, even though less common, significantly increase the likelihood of success when used together with social and informational vectors. Metadata profiling becomes a facilitator of pinpointing and refined targeting, thus boosting the authority and timing of the social-engineering campaigns without malware. The synergistic effect was seen in the simulations to enhance the probability of attack success by 7-8 percentage points more than the summative probabilities and so confirmed the compounded threat of multivector strategies. Comparative defensive modelling has shown that hybrid structures, which include awareness training, USB control mechanisms and anomaly-based detection, decreases the total compromise by more than 50 per cent and the median time to compromise dropped to 60 hours as compared to 28.5. The findings highlight the fact that the success of cybersecurity cannot only depend on technological protection but also adaptive human-oriented protection, behavioural analytics, and continued policy innovation. It is concluded that the future security systems need to move out of the human control phase to partnership and combine cognitive resilience, trust calibration, and machine intelligence to maintain digital integrity in an age of AI-enhanced deception.

References
  1. Jabir, R., J. Le, and C. Nguyen. 2025. “Phishing Attacks in the Age of Generative Artificial Intelligence: A Systematic Review of Human Factors.” AI 6, no. 8 (July): 174. doi: 10.3390/ai6080174.
  2. Khadka, K., and A. B. Ullah. 2025. “Human factors in cybersecurity: an interdisciplinary review and framework proposal.” Int J Inf Secur 24, no. 3 (June): 119. doi: 10.1007/s10207-025-01032-0.
  3. Tischer, M., Z. Durumeric, S. Foster, S. Duan, A. Mori, E. Bursztein, et al. 2016. “Users Really Do Plug in USB Drives They Find.” In Proceedings—2016 IEEE Symposium on Security and Privacy, SP 2016, 306–19. doi: 10.1109/SP.2016.26.
  4. Rohan, R., S. Funilkul, D. Pal, and W. Chutimaskul. 2021. “Understanding of Human Factors in Cybersecurity: A Systematic Literature Review.” In 2021 International Conference on Computational Performance Evaluation (ComPE), 133–40. IEEE. doi: 10.1109/ComPE53109.2021.9752358.
  5. Department of Financial Services. 2020. “Twitter Investigation Report | Department of Financial Services.” New York State. Accessed September 29, 2025. https://www.dfs.ny.gov/Twitter_Report.
  6. Webb, T., K. J. Holyoak, and H. Lu. 2023. “Emergent analogical reasoning in large language models.” Nat Hum Behav 7, no. 9 (July): 1526–41. doi: 10.1038/s41562-023-01659-w.
  7. Ravindranath, R. 2024. “Security and Privacy Considerations of Metadat.” Int J Comput Tech 11, no. 6: 1–5.
  8. Al-Sarawi, S., M. Anbar, R. Abdullah, and A. B. Al Hawari. 2020. “Internet of Things Market Analysis Forecasts, 2020–2030.” In 2020 Fourth World Conference on Smart Trends in Systems, Security and Sustainability (WorldS4), 449–53. IEEE. doi: 10.1109/WorldS450073.2020.9210375.
  9. Sicari, S., A. Rizzardi, L. A. Grieco, and A. Coen-Porisini. 2015. “Security, privacy and trust in Internet of Things: The road ahead.” Comput Networks 76 (January): 146–64. doi: 10.1016/j.comnet.2014.11.008.
  10. Roman, R., J. Zhou, and J. Lopez. 2013. “On the features and challenges of security and privacy in distributed internet of things.” Comput Networks 57, no. 10 (July): 2266–79. doi: 10.1016/j.comnet.2012.12.018.
  11. Antonakakis, Manos, et al. 2016. “Understanding the Mirai Botnet.” In This paper is included in the Proceedings of the 26th USENIX Security Symposium, 72. Accessed October 6, 2025. https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/antonakakis.
  12. Nicho, M., and I. Sabry. 2023. “Bypassing Multiple Security Layers Using Malicious USB Human Interface Device.” In Proceedings of the 9th International Conference on Information Systems Security and Privacy, 501–8. SCITEPRESS - Science and Technology Publications. doi: 10.5220/0011677100003405.
  13. Verizon. 2025. 2025 Data Breach Investigations Report. Accessed September 29, 2025. https://www.verizon.com/business/resources/reports/dbir/.
  14. Herrmann, D., and H. Federrath. 2017. “Editorial: 30th IFIP International Information Security Conference (IFIP SEC 2015).” Comput Secur 67 (June): 266. doi: 10.1016/j.cose.2017.04.003.
  15. Sen, Ö., et al. 2025. “Simulation of multi-stage attack and defense mechanisms in smart grids.” Int J Crit Infrastruct Prot 48 (March): 100727. doi: 10.1016/j.ijcip.2024.100727.
  16. Cloudflare. n.d. “Risk grows as multi-vector attacks become the norm.” theNET. Accessed October 2, 2025. https://www.cloudflare.com/the-net/multi-vector-threats/.
  17. Baker, E., and M. Cartier. 2025. “Phishing Trends Report (Updated for 2025).” Hoxhunt. Accessed September 29, 2025. https://hoxhunt.com/guide/phishing-trends-report.
  18. García-Teodoro, P., J. Díaz-Verdejo, G. Maciá-Fernández, and E. Vázquez. 2009. “Anomaly-based network intrusion detection: Techniques, systems and challenges.” Comput Secur 28, no. 1–2 (February): 18–28. doi: 10.1016/j.cose.2008.08.003.
  19. Axelsson, S. 2000. “The base-rate fallacy and the difficulty of intrusion detection.” ACM Trans Inf Syst Secur 3, no. 3 (August): 186–205. doi: 10.1145/357830.357849.
  20. Ogunsanya, V. A., et al. 2025. “The Role of Artificial Intelligence in Strengthening Privacy and Security in the Era of Cyber Crime and Digital Forensics.” Int J Sci Manag Res 08, no. 05: 177–98. doi: 10.37502/IJSMR.2025.8515.
  21. Pham, H. C., D. D. Pham, L. Brennan, and J. Richardson. 2017. “Information Security and People: A Conundrum for Compliance.” Australas J Inf Syst 21 (January). doi: 10.3127/ajis.v21i0.1321.
  22. Reed, S., et al. 2022. “A Generalist Agent.” November. doi: https://doi.org/10.48550/arXiv.2205.06175.
  23. Wahanani, H., M. Idhom, and D. R. Kurniawan. 2020. “Exploit remote attack test in operating system using arduino micro.” J Phys Conf Ser 1569 (July): 022038. doi: 10.1088/1742-6596/1569/2/022038.
  24. Nicho, M., and I. Sabry. 2023. “Bypassing Multiple Security Layers Using Malicious USB Human Interface Device.” In Proceedings of the 9th International Conference on Information Systems Security and Privacy, 501–8. SCITEPRESS - Science and Technology Publications. doi: 10.5220/0011677100003405. (Note: This is a duplicate of entry
  25. , but maintained in sequence as requested.)
  26. Nasution, S. M., Y. Purwanto, A. Virgono, and M. R. Y. Tambunan. 2015. “Integration of autonomous sender for hidden log data on kleptoware for supporting physical penetration testing.” In 2015 1st International Conference on Wireless and Telematics (ICWT), 1–5. IEEE. doi: 10.1109/ICWT.2015.7449205.
  27. Singh, D., A. K. Biswal, D. Samanta, D. Singh, and H.-N. Lee. 2022. “Juice Jacking: Security Issues and Improvements in USB Technology.” Sustainability 14, no. 2 (January): 939. doi: 10.3390/su14020939.
  28. Cronin, P., X. Gao, H. Wang, and C. Cotton. 2022. “Time-Print: Authenticating USB Flash Drives with Novel Timing Fingerprints.” In 2022 IEEE Symposium on Security and Privacy (SP), 1002–17. IEEE. doi: 10.1109/SP46214.2022.9833595.
  29. Joven, R., and N. K. Choon. 2023. “The Spies Who Loved You: Infected USB Drives to Steal Secrets.” Google Cloud. Accessed October 2, 2025. https://cloud.google.com/blog/topics/threat-intelligence/infected-usb-steal-secrets/.
  30. Nissim, N., R. Yahalom, and Y. Elovici. 2017. “USB-based attacks.” Comput Secur 70 (September): 675–88. doi: 10.1016/j.cose.2017.08.002.
  31. Zhang, R., A. Bello, and J. L. Foster. 2023. “BYOD Security: Using Dual Process Theory to Adapt Effective Security Habits in BYOD.” In Proceedings of the Future Technologies Conference (FTC) 2022, Volume 2. FTC 2022 2022. Lecture Notes in Networks and Systems, 372–86. Springer. doi: 10.1007/978-3-031-18458-1_26.
  32. Neupane, S., I. A. Fernandez, S. Mittal, and S. Rahimi. 2023. “Impacts and Risk of Generative AI Technology on Cyber Defense.” June. http://arxiv.org/abs/2306.13033.
  33. Kolobrodova, A. 2024. “Metadata 102 — What is communications metadata and why do we care about it?” Accessed October 2, 2025. https://freedom.press/digisec/blog/metadata-102/.
  34. Office of the Chief Information Security Officer. 2020. “The FIN7 Cyber Actors Targeting US Businesses through USB Keystroke Injection Attacks |.” OCISO. Accessed October 3, 2025. https://ociso.ucla.edu/news/fin7-cyber-actors-targeting-us-businesses-through-usb-keystroke-injection-attacks?utm_source=chatgpt.com.
  35. Francia, J., D. Hansen, B. Schooley, M. Taylor, S. Murray, and G. Snow. 2025. “Assessing AI vs Human-Authored Spear Phishing SMS Attacks: An Empirical Study.” March. http://arxiv.org/abs/2406.13049.
  36. Perez, B., M. Musolesi, and G. Stringhini. 2018. “You are your Metadata: Identification and Obfuscation of Social Media Users using Metadata Information.” May. http://arxiv.org/abs/1803.10133.
  37. Fakiha, B. S. 2024. “Forensic analysis of bad USB attacks: A methodology for detecting and mitigating malicious USB device activities.” Edelweiss Appl Sci Technol 8, no. 5 (September): 1090–1100. doi: 10.55214/25768484.v8i5.1809.
  38. Li, W., S. Manickam, Y.-W. Chong, Y. He, H. Y. Li, and B. Li. 2025. “ByteBait USB: a robust simulation toolkit for badUSB phishing campaign.” J King Saud Univ Comput Inf Sci 37, no. 5 (July): 91. doi: 10.1007/s44443-025-00067-6.
  39. Alkhalil, Z., C. Hewage, L. Nawaf, and I. Khan. 2021. “Phishing Attacks: A Recent Comprehensive Study and a New Anatomy.” Front Comput Sci 3 (March). doi: 10.3389/fcomp.2021.563060.
  40. Corona, I., G. Giacinto, C. Mazzariello, F. Roli, and C. Sansone. 2009. “Information fusion for computer security: State of the art and open issues.” Inf Fusion 10, no. 4 (October): 274–84. doi: 10.1016/j.inffus.2009.03.001.
  41. Bursztein, E. 2016. “Does dropping usb drives really work?” Black Hat. Accessed October 4, 2025. https://ly.tl/malusb.
  42. Chung, M.-H. (Miles), et al. 2023. “Enhancing cybersecurity situation awareness through visualization: A USB data exfiltration case study.” Heliyon 9, no. 1 (January): e13025. doi: 10.1016/j.heliyon.2023.e13025.
  43. Ribeiro, A. 2021. “USB removable media still acts as an initial attack vector in OT environments.” Industrial Cyber. Accessed October 4, 2025. https://industrialcyber.co/threats-attacks/usb-removable-media-still-acts-as-an-initial-attack-vector-in-ot-environments/?utm_source=chatgpt.com.
  44. Dumitru, R., D. Genkin, A. Wabnitz, and Y. Yarom. 2022. “The Impostor Among US(B): Off-Path Injection Attacks on USB Communications.” November. http://arxiv.org/abs/2211.01109.
  45. Heiding, F., S. Lermen, A. Kao, B. Schneier, and A. Vishwanath. 2024. “Evaluating Large Language Models’ Capability to Launch Fully Automated Spear Phishing Campaigns: Validated on Human Subjects.” November. http://arxiv.org/abs/2412.00586.
  46. Shreyas Kumar, Anisha Menezes, Sarthak Giri, and Srujan Kotikela. 2024. “What The Phish! Effects of AI on Phishing Attacks and Defense.” Int Conf AI Res 4, no. 1 (December): 218–26. doi: 10.34190/icair.4.1.3224.
  47. Carroll, F., J. A. Adejobi, and R. Montasari. 2022. “How Good Are We at Detecting a Phishing Attack? Investigating the Evolving Phishing Attack Email and Why It Continues to Successfully Deceive Society.” SN Comput Sci 3, no. 2 (March): 170. doi: 10.1007/s42979-022-01069-1.
  48. Mashinge, R., K. B. Muhwati, K. Magora, and J. Awoleye. 2025. “MITIGATING DEEPFAKE-BASED IMPERSONATION AND SYNTHETIC DATA RISKS IN REMOTE HEALTHCARE SYSTEMS.” Int J Comput Appl 187, no. 41 (September): 27–42. doi: 10.5120/ijca2025925724.
  49. Oner, U., O. Cetin, and E. Savas. 2025. “Human factors in phishing: Understanding susceptibility and resilience.” Comput Stand Interfaces 94 (August): 104014. doi: 10.1016/j.csi.2025.104014.
  50. Abbas, Rianat, Sunday Jacob Nwanyim, Joy Awoleye Adesina, Augustine Udoka Obu, Adetomiwa Adesokan, and Jeremiah Folorunso. 2025. “Secure by design - enhancing software products with AI-Driven security measures.” Comput Sci IT Res J 6, no. 3 (April): 184–200. doi: 10.51594/csitrj.v6i3.1880.
Index Terms

Computer Science
Information Sciences

Keywords

Human-Centric Security USB Keyloggers AI-Driven Phishing Metadata Profiling Multivector Attacks Social Engineering Hybrid Defense Awareness Training Anomaly Detection Behavioral Vulnerabilities Cyber Risk Mitigation Cognitive Bias Exploitation Digital Trust Organizational Resilience

Powered by PhDFocusTM