1.1 Compare and contrast different types of social engineering techniques. Flashcards
What is Phishing?
An attacker poses as a trusted source in order to deliver a malicious payload or to gather personal or sensitive information from an individual. The email typically claims that the user must connect to or log on to a site; the site may look very convincing but it is fake, and whatever the user types into its login form goes to the attacker. A link or attachment in the email may instead download malware that attacks the system.
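One mechanical check that catches many phishing lures is comparing the host a link displays with the host it actually points at, and flagging links to bare IP addresses. The script below is an added example, not part of the original flashcards; the HTML email body, the hostnames and the addresses in it are constructed for illustration.

```python
"""Flag anchors in an HTML email whose visible text names one host but whose
href points at another, or whose href is a bare IP address.
Added example; the email body below is constructed, not a real message."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed lure: a raw-IP link, a display-text/href mismatch, an honest
# link and a mailto link that the check should ignore.
SAMPLE_EMAIL = """
<p>Your account has been limited. Please <a href="http://203.0.113.9/login">verify here</a>.</p>
<p>Or visit <a href="https://secure-bank-login.example.net/auth">https://www.bank.example.com/</a></p>
<p>Help: <a href="https://www.bank.example.com/help">https://www.bank.example.com/help</a></p>
<p>Questions: <a href="mailto:noreply@bank.example.com">email us</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Hostname of a URL, or of link text that itself looks like a URL or domain.
    Returns None for ordinary words such as 'verify here'."""
    if "://" not in value:
        value = "http://" + value
    try:
        host = urlsplit(value).hostname
    except ValueError:
        return None
    return host.lower() if host and "." in host else None


def suspicious_links(html):
    """Return (reason, href, text) for each link that deserves a closer look."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if urlsplit(href).scheme not in ("http", "https"):
            continue                      # mailto:, tel: and relative links are out of scope
        target = host_of(href)
        if target is None:
            continue
        try:
            ipaddress.ip_address(target)  # a raw IP instead of a name is a classic lure
            findings.append(("ip_literal", href, text))
            continue
        except ValueError:
            pass
        shown = host_of(text)
        if shown and shown != target:     # text says one site, href goes to another
            findings.append(("host_mismatch", href, text))
    return findings


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL):
        print(finding)
```

Run against the constructed body it reports the raw-IP link and the mismatched bank link and stays silent on the honest help link; on a real mailbox you would feed it the text/html part of each message.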
What is Smishing?
A smishing attack is a phishing attack delivered by SMS instead of email. The messages are crafted to look like routine texts from vendors, such as delivery notices or account alerts, and carry a link to tap or a number to call.
What is Vishing?
Another form of phishing, carried out by voice call and often over Voice over IP (VoIP). It is effective because caller ID can be spoofed to show a trusted telephone number, and a prerecorded message lets the attacker dial many targets cheaply while still sounding legitimate.
What is Spam?
Unsolicited bulk email, usually advertising a product or service. A small fraction of spam is really phishing that tries to steal your information or deliver malware, which is why spam filtering is also a first line of defense against phishing.
What is Spam over instant messaging (SPIM)?
Spam delivered over instant messaging instead of email.
What is Spear Phishing?
A form of phishing that targets a specific group or individual instead of sending a generic email to a mass of people. These emails use information personal to the victim (name, role, colleagues, recent events) to lend credibility and persuade the victim that the message is legitimate. Another tactic is to spoof a sender the victim already knows.
What is dumpster diving?
Attackers search a company's trash for discarded documents that give them insight into its operations, missions, personnel, and vendors, which in turn makes their pretexts and phishing lures more convincing. Shredding and screening what is thrown away prevents it.
What is Shoulder Surfing?
When a person inconspicuously looks over a victim's shoulder to see what they are viewing or typing, such as a password or PIN. Privacy screens and awareness of who is nearby are the usual countermeasures.
What is Pharming?
In a pharming attack the user is redirected to a fake site without clicking a deceptive link: malware on the computer, a poisoned hosts file, or a compromised or poisoned DNS server resolves the legitimate name to the attacker's address, so even a correctly typed URL lands on the fake site.
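Hosts-file poisoning is the easiest pharming variant to check for on a single machine, because the file is plain text and any entry for a public name you care about is suspect. The script below is an added example, not part of the original flashcards; the hosts-file content, the monitored domain names and the addresses are constructed.

```python
"""Flag hosts-file entries that override name resolution for monitored domains.
Added example; the hosts content and the monitored list are constructed."""
import ipaddress
from pathlib import Path

# Constructed: names the organisation expects to resolve only through DNS.
# A hosts entry for any of them is either a redirect (pharming) or a sinkhole
# (blocking an update or security-vendor host).
MONITORED = {
    "bank.example.com", "www.bank.example.com",
    "login.example.com", "updates.vendor.example",
}

# Constructed hosts file in the format used by /etc/hosts and
# C:\Windows\System32\drivers\etc\hosts (same syntax on both).
SAMPLE_HOSTS = """\
# Host Database
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.corp.local   intranet
# lines below would be injected by malware:
203.0.113.45    bank.example.com www.bank.example.com
198.51.100.7    login.example.com
127.0.0.1       updates.vendor.example   # sinkhole of the vendor update host
"""


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs; skip blanks, comments and malformed lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing and whole-line comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                            # first field is not an address
        for name in parts[1:]:                  # one address may carry several names
            yield ip, name.lower()


def find_overrides(text, monitored=MONITORED):
    """Return (hostname, address, kind) for every monitored name the file overrides.
    kind is 'sinkhole' for loopback/0.0.0.0 targets and 'redirect' otherwise."""
    hits = []
    for ip, name in parse_hosts(text):
        if name in monitored:
            kind = "sinkhole" if (ip.is_loopback or ip.is_unspecified) else "redirect"
            hits.append((name, str(ip), kind))
    return hits


if __name__ == "__main__":
    for hit in find_overrides(SAMPLE_HOSTS):
        print(hit)
    # To check the live machine instead (path differs on Windows), read the real file:
    real = Path("/etc/hosts")
    if real.exists():
        print(find_overrides(real.read_text(errors="replace")))
```

The same parser works for the Windows hosts file; only the path changes. A clean machine should return an empty list for every monitored name, and any hit is worth comparing with what the resolver returns for the same name.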
What is Tailgating?
When an individual follows an authorized person through a security checkpoint or door to gain access to a restricted area without presenting credentials (when the authorized person knowingly holds the door it is often called piggybacking). To mitigate it, an organization must positively identify every individual; mantraps (access control vestibules) that admit one person at a time are used to guard against tailgating.
What is Eliciting Information?
Gathering information from a person through conversation and questioning, often without the target realizing what has been revealed. A common way to gather it is through social engineering: casual questions, flattery, or deliberately false statements that the target corrects.
What is Whaling?
A form of phishing aimed at a high-value target such as an executive instead of the masses. These emails are higher stakes because high-value individuals hold information and approval authority that attackers consider more critical.
What is Prepending?
Adding something to the beginning of a message to change how it is perceived: for example "RE:" or "FW:" in a subject line to suggest an existing conversation, a fake "[SAFE]" or "[INTERNAL]" tag to imply a filter has already vetted it, or an @mention on social media to push a post at a chosen target.
What is Identity fraud?
Using someone else's personally identifiable information (PII) for personal gain, such as opening accounts or obtaining credit in their name.
What is an Invoice Scam?
An attacker submits a fake invoice that mimics a real vendor's invoice in every respect except the payment destination, which is the attacker's account. Verifying any change of bank details with the vendor through a known phone number defeats it.
What is Credential Harvesting?
Social engineering that focuses on collecting the credentials of one or more people inside an organization, typically with a fake login page. It may serve as a reconnaissance step or be an end in itself, since the credentials enable any other type of attack.
What is Reconnaissance?
Every well-planned attack begins with reconnaissance for weak spots. Social engineering, passive scanning, and research on social media are the first steps of any attack.
What is a Hoax?
A hoax is a lie or false story that leads one or more people to believe something that is very much not true. Occasionally hoaxes are used to carry out serious attacks: a hoax email can carry a virus as an attachment, or an attacker can use the forwarding of the hoax to map out all of your associates and get an idea of the network.
What is Impersonation?
The attacker pretends to be someone else, usually a person with higher privileges or authority than the victim (an executive, IT support, law enforcement) or someone the victim regards as a "nobody" (a courier, a cleaner) who slips by unnoticed.
What is a Watering Hole Attack?
A bad actor researches the web-usage patterns of a group of people of interest, compromises the sites the group commonly visits and therefore trusts, and plants malware there so that members of the group are infected when they visit. The attacker then steals information from the infected machines.
What is TypoSquatting/URL hijacking?
Con artists and scammers register domains that differ from a legitimate one by a spelling error that users commonly make, such as www.aamazon.com. Users who mistype the address land on a site that tries to steal their information or serve malware. URL hijacking is another name for the same technique; a related trick registers the legitimate name under a different top-level domain.
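Brand-protection and mail-filtering teams catch these look-alikes by normalizing a hostname and comparing it with the domains they own. The script below is an added example, not part of the original flashcards; it goes a little beyond the flashcard by also handling homoglyph and punycode (IDN) look-alikes, a legitimate name under another top-level domain, a brand embedded in a longer name, and a legitimate domain hidden in the subdomain of another. The legitimate-domain list and the confusable table are constructed, and the registrable-domain logic assumes single-label public suffixes (no co.uk).

```python
"""Classify a hostname against a list of brands you own: typosquat, homoglyph,
TLD squat, embedded brand, subdomain spoof, legitimate or unrelated.
Added example; LEGIT_DOMAINS and CONFUSABLES are constructed for illustration."""
import unicodedata

# Constructed: registrable domains the organisation treats as legitimate.
LEGIT_DOMAINS = {"amazon.com", "paypal.com", "example.com"}

# Constructed confusable table: look-alike sequences attackers substitute.
# Multi-character entries come first so "rn" collapses to "m" before "1" -> "l".
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"),
    ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"), ("\u0440", "p"),  # Cyrillic
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between a and b, keeping one DP row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(host: str) -> str:
    """Lower-case, decode punycode (xn--) labels, fold compatibility forms and confusables."""
    host = host.lower().rstrip(".")
    try:
        host = host.encode("ascii").decode("idna")   # only ASCII input can carry xn-- labels
    except UnicodeError:
        pass                                         # already Unicode or malformed; keep as is
    host = unicodedata.normalize("NFKC", host)
    for src, dst in CONFUSABLES:
        host = host.replace(src, dst)
    return host


def registrable(host: str) -> str:
    """Last two labels. Assumption: no multi-label public suffixes such as co.uk."""
    return ".".join(host.split(".")[-2:])


def classify(host: str, legit=LEGIT_DOMAINS, max_distance: int = 2):
    """Return (verdict, matched legitimate domain or None)."""
    raw = host.lower().rstrip(".")
    if registrable(raw) in legit:
        return ("legit", registrable(raw))
    # A legitimate domain appearing as a label run that is not the registrable
    # tail, e.g. paypal.com.evil.net
    for d in legit:
        if f".{d}." in f".{raw}.":
            return ("subdomain_spoof", d)
    norm = registrable(normalize(raw))
    if norm in legit:                      # differs from a real domain only by confusables
        return ("homoglyph", norm)
    norm_name, _, norm_tld = norm.rpartition(".")
    lookalikes, embedded = [], []
    for d in sorted(legit):
        name, _, tld = d.rpartition(".")
        if norm_name == name and norm_tld != tld:
            return ("tld_squat", d)
        dist = levenshtein(norm_name, name)
        if dist <= max_distance:           # small typo of the brand name
            lookalikes.append((dist, d))
        elif len(name) >= 4 and name in norm_name:
            embedded.append(d)             # brand buried in a longer name
    if lookalikes:
        return ("lookalike", min(lookalikes)[1])
    if embedded:
        return ("embedded_brand", embedded[0])
    return ("unrelated", None)


if __name__ == "__main__":
    idn = "p\u0430ypal.com".encode("idna").decode("ascii")   # Cyrillic a, as punycode
    for h in ["www.amazon.com", "www.aamazon.com", "paypa1.com", idn, "amazon.net",
              "paypal.com.evil.net", "secure-paypal-login.com", "google.com"]:
        print(f"{h:28} {classify(h)}")
```

Only the registrable part of the name is compared, so login.paypal.com is accepted as legitimate while paypal.com.evil.net is not; a production version would swap the two-label rule for the public suffix list and a larger confusable table.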
What is Pretexting?
Creating a plausible scenario (the pretext) that makes a social engineering request seem reasonable, such as a caller claiming to be from IT who needs the user's password to fix a problem. Phishing emails rely on a pretext too, but pretexting is equally used in person and over the phone.
What are Influence Campaigns?
Coordinated efforts by bad actors to spread inaccurate, emotional, and fear-mongering information in order to cause chaos or shift opinion. The internet and social media have made them far cheaper and faster to run.
What is Hybrid warfare (Influence Campaigns)?
Hybrid warfare uses influence campaigns, such as "winning hearts and minds" strategies and disinformation, alongside conventional military and cyber operations as part of the same conflict.