1.1 Compare and contrast different types of social engineering techniques. Flashcards
Social engineering
is a form of attack that exploits human nature and human behavior. The
result of a successful social engineering attack is information leakage or the attacker being
granted logical or physical access to a secure environment.
Phishing
is a form of social engineering attack based on the concept of fishing for
information. Phishing can be waged using any communication means, including
face-to-face interactions and over the phone.
Smishing
SMS phishing or smishing is a social engineering attack that occurs over or through standard text messaging services or apps.
Vishing
Vishing is phishing done over any telephony or voice communication system. This includes
traditional phone lines, Voice-over-IP (VoIP) services, and mobile phones.
Spam
Spam is any type of email that is undesired and/or unsolicited. The primary countermeasures against spam are email filters or rules and antivirus (AV)
scanners. If a message is received from a source on the filter's spam list, the email filter blocks
or discards it.
Spam over instant messaging (SPIM)
Spam over instant messaging (SPIM) is the transmission of unwanted communications over
any messaging system that is supported by or occurs over the Internet.
Spear phishing
Spear phishing is a more targeted form of phishing where the message is crafted and directed
specifically to a group of individuals. Often, attackers will first compromise an online or
digital business to steal its customer database.
Dumpster diving
Dumpster diving is the act of digging through trash, discarded equipment, or abandoned
locations to obtain information about a target organization or individual. Just about
anything that is of any minor internal value or sensitivity could make social engineering
attacks easier or more effective.
Shoulder surfing
Shoulder surfing occurs when someone is able to watch a user’s keyboard or view their
display.
Pharming
Pharming is the malicious redirection of a valid website’s URL or IP address to a fake
website that hosts a false version of the original, valid site.
Tailgating
Tailgating occurs when an unauthorized entity gains access to a facility under the authorization of a valid worker but without their knowledge. An attacker may be able to sneak in
behind a valid worker before the door closes.
Eliciting information
Eliciting information is the activity of gathering or collecting information from systems or
people.
Whaling
Whaling is a form of spear phishing that targets specific high-value individuals, such as the
CEO or other C-level executives, administrators, or high-net-worth clients. Often the goal
of a whaling attack is to steal credentials from the high-level target or to use that target to
steal funds or redirect resources to the benefit of the attacker.
Prepending
Prepending is the adding of a term, expression, or phrase to the beginning or header of
a communication.
Identity fraud
Identity theft is the act of stealing someone’s identity. This can refer to the initial act of
information gathering or elicitation where usernames, passwords, credit card numbers,
Social Security numbers, and other related, relevant, and personal facts are obtained by
the attacker.
Invoice scams
Invoice scams are social engineering attacks that attempt to steal funds from an
organization or individual through the presentation of a false invoice, often followed
by strong inducements to pay.
Credential harvesting
Credential harvesting is the activity of collecting and stealing account credentials. Some
hackers will distribute or share harvested credentials with other hackers.
Reconnaissance
Reconnaissance is collecting information about a target, often for the purpose of planning
an attack against that target.
Hoax
A hoax is a form of social engineering designed to convince targets to perform an action
that will cause harm or reduce their IT security.
Impersonation
Impersonation is the act of taking on the identity of someone else to use their access or
authority. Impersonation can also be known as masquerading, spoofing, and even identity fraud.
Watering hole attack
A watering hole attack is a form of targeted attack against a region, a group, or an organization. The attacker observes the target’s habits to discover a common resource that one or
more members of the target frequent.
Typosquatting
Typosquatting is a practice that takes advantage of a user mistyping the
domain name or IP address of an intended resource.
Pretexting
A pretext is a false statement crafted to sound believable to convince you to act or respond.
Influence campaigns
Influence campaigns are social engineering attacks that attempt to guide, adjust, or change
public opinion (for example, fake news).
Hybrid warfare
Nations no longer limit their attacks against real or perceived enemies to traditional, kinetic weaponry.
Social media
Social media has become a weapon in the hands of nation-states as they wage elements of
hybrid warfare against their targets.