1.0 Attacks, Threats, and Vulnerabilities Flashcards

1
Q

How can familiarity/liking be used in social engineering?

A

Familiarity/Liking:
Some people have the sort of natural charisma that allows them to persuade others to do as they request. One of the basic tools of a social engineer is simply to be affable and likable, and to present the requests they make as completely reasonable and unobjectionable. This approach is relatively low-risk as even if the request is refused, it is less likely to cause suspicion and the social engineer may be able to move on to a different target without being detected.

2
Q

How can consensus/social proof be used in social engineering?

A

The principle of consensus or social proof refers to the fact that without an explicit instruction to behave in a certain way, many people will act just as they think others would act. A social engineering attack can use this instinct either to persuade the target that to refuse a request would be odd (“That’s not something anyone else has ever said no to”) or to exploit polite behavior to slip into a building while someone holds the door for them. As another example, an attacker may be able to fool a user into believing that a malicious website is actually legitimate by posting numerous fake reviews and testimonials praising the site. The victim, believing many different people have judged the site acceptable, takes this as evidence of the site’s legitimacy and places their trust in it.

3
Q

How can authority and intimidation be used in social engineering?

A

Many people find it difficult to refuse a request by someone they perceive as superior in rank or expertise. Social engineers can try to exploit this behavior to intimidate their target by pretending to be a senior executive. An attack might be launched by impersonating someone who would often be deferred to, such as a police officer, judge, or doctor. Another technique is using spurious technical arguments and jargon.

4
Q

How can scarcity and urgency be used in social engineering?

A

Often also deployed by salespeople, creating a false sense of scarcity or urgency can disturb people’s ordinary decision-making process. The social engineer can try to pressure his or her target by demanding a quick response.

5
Q

How can trust be used in social engineering?

A

Making a convincing impersonation and establishing trust with the target usually depends on the attacker obtaining privileged information about the organization. For example, where the attacker impersonates a member of the organization’s IT support team, the attack will be more effective with identity details of the person being impersonated and of the target.

6
Q

What is dumpster diving?

A

Dumpster diving refers to combing through an organization’s (or individual’s) garbage to try to find useful documents (or even files stored on discarded removable media).

7
Q

What are tailgating and piggybacking?

A

Tailgating is a means of entering a secure area without authorization by following close behind a person who has been allowed to open the door or checkpoint. Piggybacking is a similar situation, but means that the attacker enters a secure area with an employee’s permission. For instance, an attacker might impersonate a member of the cleaning crew and request that an employee hold the door open while they bring in a cleaning cart or mop bucket.

8
Q

What is pretexting?

A

The classic impersonation attack is for the social engineer to phone into a department, claim they have to adjust something on the user’s system remotely, and get the user to reveal their password. This specific attack is also referred to as pretexting.

9
Q

What is a lunchtime attack?

A

Lunchtime attacks—most authentication methods are dependent on the physical security of the workstation. If a user leaves a workstation unattended while logged on, an attacker can physically gain access to the system. This is often described as a lunchtime attack. Most operating systems are set to activate a password-protected screen saver after a defined period of no keyboard or mouse activity. Users should also be trained to lock or log off the workstation whenever they leave it unattended.

10
Q

How can credential databases be used for social engineering?

A

Credential databases—account details from previous attacks are widely available (haveibeenpwned.com). An attacker can try to match a target in one of these databases and hope that they have reused a password. The attacker could also leverage third-party sites for impersonation. For example, rather than using a work account, they could gain control of a social media account.

11
Q

What is phishing?

A

Phishing is a combination of social engineering and spoofing. It persuades or tricks the target into interacting with a malicious resource disguised as a trusted one, traditionally using email as the vector.

12
Q

What is spear phishing?

A

Spear phishing—a phishing scam where the attacker has some information that makes an individual target more likely to be fooled by the attack. Each phishing message is tailored to address a specific target user.

13
Q

What is whaling?

A

Whaling—a spear phishing attack directed specifically against upper levels of management in the organization (CEOs and other “big fish”). Upper management may also be more vulnerable to ordinary phishing attacks because of their reluctance to learn basic security procedures.

14
Q

What is vishing?

A

Vishing—a phishing attack conducted through a voice channel (telephone or VoIP, for instance). For example, targets could be called by someone purporting to represent their bank asking them to verify a recent credit card transaction and requesting their security details. It can be much more difficult for someone to refuse a request made in a phone call compared to one made in an email.

15
Q

What is SMiShing?

A

SMiShing—this refers to using short message service (SMS) text communications as the vector.

16
Q

What is spam and SPIM?

A

Unsolicited email, or spam, is used as the vector for many attacks. Threat actors harvest email addresses from marketing lists or databases of historic privacy breaches, or might try to target every email address at a certain company. Mass mail attacks could also be perpetrated over any type of instant messaging or Internet messaging service (SPIM).

17
Q

How are hoaxes used?

A

Hoaxes, such as security alerts or chain emails, are another common social engineering technique, often combined with phishing attacks. An email alert or web pop-up will claim to have identified some sort of security problem, such as virus infection, and offer a tool to fix the problem. The tool of course will be some sort of Trojan application.

18
Q

What is pharming?

A

Pharming is a passive means of redirecting users from a legitimate website to a malicious one.

19
Q

What is typosquatting?

A

Rather than redirection, a threat actor might use typosquatting. This means that the threat actor registers a domain name that is very similar to a real one, such as connptia.org, hoping that users will not notice the difference. These are also referred to as cousin, lookalike, or doppelganger domains.

20
Q

What is a watering hole attack?

A

A watering hole attack is another passive technique where the threat actor does not have to risk communicating directly with the target. It relies on the circumstance that a group of targets may use an unsecure third-party website.

21
Q

What is credential harvesting?

A

Within the general realm of phishing and pharming, credential harvesting is a campaign specifically designed to steal account credentials. The attacker may have more interest in selling the database of captured logins than trying to exploit them directly. Such attacks will use an alarming message such as “Your account is being used to host child pornography” or “There is a problem with your account storage” and a link to a pharming site embroidered with the logos of a legitimate service provider, such as Google, Microsoft, Facebook, or Twitter. Attacks using malvertising or scripts injected into shopping cart code are also popular (csoonline.com/article/3400381/what-is-magecart-how-this-hacker-group-steals-payment-card-data.html).

22
Q

What is an influence campaign?

A

An influence campaign is a major program launched by an adversary with a high level of capability, such as a nation-state actor, terrorist group, or hacktivist group. The goal of an influence campaign is to shift public opinion on some topic.

23
Q

How does social media perpetuate influence campaigns?

A

Diplomatic activity and election meddling by foreign security services have a very long history and well-established tactics. Modern campaigns can use social media to ensure wide distribution of hoaxes and invented stories. Actors can use AI-assisted bots and armies of people to open or hack accounts and repeat or reinforce messages that support the campaign’s aims. Apart from destabilizing the host country generally, influence campaigns might affect private companies because they become caught up in a fake story. It is important for companies to closely monitor references to them on social media and take steps to correct or remove false or misleading posts. When an influence campaign is detected, companies operating in critical industries—utilities, election management, transportation—should enter a heightened state of alert.

24
Q

What is prepending?

A

A phishing or hoax email can be made more convincing by prepending. In an offensive sense, prepending means adding text that appears to have been generated by the mail system. For example, an attacker may add “RE:” to the subject line to make it appear as though the message is a reply or may add something like “MAILSAFE: PASSED” to make it appear as though a message has been scanned and accepted by some security software.