1.1 - Compare and contrast different types of social engineering techniques. Flashcards
Social Engineering
- Used to extract info usually by tricking ppl
- Precursor to more advanced attacks
- Successful b/c relies on emotions
Principles of influence/Reasons for effectiveness
(just the list, no description)
- Authority
- Intimidation
- Consensus/Social proof
- Scarcity
- Familiarity/Liking
- Trust
- Urgency
Principles of influence - Authority
- Perceived by job titles, uniforms, badges, symbols, expertise
- Feel obligated to comply
- Trust authoritative symbols
- EX: Flashing red lights would prompt you to pull over
Principles of influence - Intimidation
- Authority plays to sense of duty
- Negative impact if you don’t comply
- Plays on fear of getting in trouble, fired, etc
- EX: If you don’t help, payroll won’t be processed
Principles of influence - Consensus/Social Proof
- “Safety in numbers”
- Ppl often believe what others around them believe
- Ambiguous requests/situations are likely acted on b/c ppl believe others are doing the same
- Convince based on what’s normally expected
- EX: Robert already complied with this
Principles of influence - Scarcity
- Want/value something more if we believe it’s less available
- More impulsive if we believe it’s the last one
- Spur someone to act quickly on request without thinking
- EX: Must make change before time expires
Principles of influence - Urgency
- Works along with scarcity
- Act quickly, don’t think
- Used to gain support
- EX: Consequence will occur unless you take this action right now
Principles of influence - Familiarity/Liking
- Common friends, someone you know
- Comply with requests from ppl they like/have common ground
- “Liking” leads to trust
- You’ll be helpful b/c you want to be liked
- Effective b/c of desire to establish + maintain social relationships
- EX: Might use humor or connect through shared interests, past events, institutions
Principles of influence - Trust
- Trust ppl with assigned authority/specific expertise
- Trust follows liking
- Trust the consensus
- Established + played out in idea of reciprocation
- EX: I’m from IT and here to help
Pretexting
- Using a made-up scenario to justify why perp is approaching someone
- Used as part of impersonation efforts to make perp believable
- Trap = set before attack
- Perp is a character in the situation they create
- Where you work, bank, fam + friends, etc.
- Lying to get info
- EX: Congrats! You qualify for 0% interest rates
Prevention
- Vic can ask questions
- Vic can require verification
Impersonation
- Use some details from recon
- Often used with a pretext or invented scenario
- Perp assumes character/appearance of someone else
- Attack vic as someone from higher rank
- EX: You can trust me, I’m with your help desk
Recon
- Uses public info sources to first do recon of the target
- EX: LinkedIn, company website, etc.
Eliciting info
- Extracting info from vic/hacking the human
- Can directly/indirectly lead to sensitive data loss
- Might not be immediate consequences, but the cumulative effect of the pieces combined could be dire
- Often seen with vishing (easier to get info over phone)
- Vic doesn’t realize it’s happening
Identity fraud
- Person's personal info used without authorization to deceive/commit a crime
Credit card fraud
- Open account in your name or use CC info
Bank fraud
- Gains access to your account or opens new account
Loan fraud
- Your info is used for loan or lease
Government benefits fraud
- Obtains benefits on your behalf
Impersonation protection
- Don’t volunteer info
- Don’t disclose personal details
- Always verify before revealing info (call back/3rd parties)
- Encourage verification
- Ongoing user awareness + education is important
Phishing protection
- Use security technologies, techniques at client side, server side, and enterprise level
- Always check URL
- Usually something not right with spelling, fonts, graphics
- Prepending
- Best defense = user education
Phishing protection (prepending)
- Orgs add notification in email subject line that an email is external
- Ideally users shouldn’t be able to directly access email attachments from within the email app
Spear phishing
- Targeted version of phishing
- Targets specific individual whereas phishing involves mass emailing
- Makes attack more believable since it’s targeted
Whaling
- Spear phishing that goes after high profile targets (CEO, CFO, etc.)
- Execs have direct access to corporate bank account
Vishing
- Voice phishing (phone or voicemail)
- Fake/spoofed caller ID to appear as from a trusted org
- Tries to get vic to enter account details
- Fake security checks or bank account
Smishing
- SMS phishing
- Phishing over text messaging
- Spoofing used here
- Forwards links or asks for personal info
Pharming
- Doesn’t require vic being tricked into clicking a link
- Redirects legit website to bogus one
- Poisoned DNS server/client vulnerabilities
- DNS cache poisoning
- Harvest large groups of ppl, collect access creds
- Creds typically aggregated then monetized
- Challenging for anti-malware software to stop b/c appears legit to user
Credential harvesting
- Captures usernames/passwords
- Collects login creds
- Vic has no idea since everything happens in the background
- Typically creds gathered are aggregated and then monetized
- EX: Vic receives email with malicious MS word doc -> opening it runs a macro -> macro downloads credential harvesting malware
Invoice scams
- Researches/finds out who pays the bills then crafts emails requesting payment
- Hopes that vic follows standard process for invoice payments without giving it much thought
- EX: Fake invoice scam from spoofed version of CEO's email address
Advance fee scam
- Large sum of money promised
- Vic asked to make small payment first to complete the transaction
- Vic never sees the large return
Watering hole attacks
- Determines sites vics/vic groups frequently use (industry-related site, etc.)
- Goal = compromise large environment (company the target works for)
- Infect 3rd party site (site vulnerability, email attachments)
- Infect all visitors but they’re just looking for specific vic
- Looks for opportunities to compromise any of the frequently visited sites based on existing vulnerabilities
- Usually used in conjunction with Zero Day Exploits
Zero day exploit
- Attack against a vulnerability that’s unknown to software + security vendors
- Watering hole attacks often used with zero day exploits
Watering hole attacks prevention
- Defense in depth
- Layered defense
- Firewalls + IPS (stop network traffic before it gets bad)
- Anti-virus/anti-malware signature updates
Typosquatting
- URL hijacking
- Relies on typographic errors users make on internet
- EX: Mistype google.com -> goooogle.com. Since Google owns both domain names you're redirected to the correct domain
- EX: Mistype your bank URL but you're presented with a site that looks just like the bank's and your login creds are recorded
Hoaxes
- Threat doesn’t actually exist
- Actions ppl take in response create the actual threats
- Hoax virus email can consume resources as it’s forwarded on
- Can waste as much time as a regular virus
- Via email, social networks, word of mouth
- Some will take your money but not through electronic means
Gibson 209
Chapple 71
- Intentional falsehoods
- Social media plays big role
- EX: virus hoaxes, fake news
De-hoaxing
(hoax prevention)
- Believe no one
- Cross reference
- Consider the source
- Spam filters can help
Influence campaigns
- Sway public opinion on political/social issues
- Seek to affect development, actions, behavior of targeting population
- Recently come to include Cyber Warfare
- Internet provides opportunity to widely disseminate info + social media provides opportunity to spread
Hybrid warfare
- Military strategy, wage war non-traditionally
- Influence with a military spin
- Influencing foreign elections, fake news
- Psych, econ, political influence aspects go beyond distraction to achieving greater goals such as:
  - Dividing public opinion by exploiting societal vulnerabilities
Cyber warfare
- Attack entity with tech
Tailgating
- Use authorized person to gain unauthorized access to a building
- Appearing to be part of authorized group (clothing, 3rd party legit reason, etc.)
- Capitalizing on ppl’s desire to be polite
Tailgating prevention
- Visitor policy
- One scan, one person
- Don’t be afraid to ask who someone is/why they’re there
- Mantrap
Mantrap
- Airlock mechanisms that allow only one person to pass at a time
- Provides entrance control + prevents tailgating
- Employed by many high security facilities
Dumpster diving
- Scavenge for discarded equipment + docs to extract sensitive info
- Impersonate names, use phone #s
- Timing = important (end of month, end of quarter, based on pickup schedule)
- Legal unless local restriction
- Private property, no trespassing may be restricted
- Sources could include: organizational directories, employee manuals, hard drives + other media, printed emails, etc.
Dumpster diving prevention/protection
- Secure your garbage (fence + lock)
- Shred your docs (only goes so far, GOVT burns the good stuff)
- Proper disposal of data + equipment should be part of org's security policy
- Require shredding of all physical docs
- Secure erasure of all types of storage media before they may be discarded
Shoulder surfing
- Any method of direct observation to obtain info
- Curiosity, industrial espionage, competitive advantage, etc.
- Airports, flights, hallway facing monitors, coffee shops, ATM, etc.
- Binoculars, telescopes, webcam monitoring, etc.
- Shoulder surfer's job might be done after they've provided or sold the info to someone with more nefarious goals
Shoulder surfing prevention
- Control your input
- Be aware of your surroundings
- Use privacy filters, screen overlays to prevent someone from seeing the screen at an angle
- Keep monitor out of sight/away from windows + hallways
Spam
- Unsolicited messages (emails, forums, etc)
- Commercial advertising, non commercial proselytizing, phishing attempts
- Issue b/c of security concerns, resource utilization, storage costs, managing the spam
- SPIM -> spam over instant messaging
Identifying spam
- Allowed list
- SMTP standards checking -> blocks what doesn’t follow RFC standards
- rDNS (reverse DNS) -> blocks email where sender's domain doesn't match IP address
- Tarpitting -> intentionally slows down the server connection
- Recipient filtering -> blocks all email not addressed to a valid recipient email address
Mail gateways
- Unsolicited email
- Stop at gateway before reaches user
- On site or cloud based
SPIM
- Spam over instant messaging
Phishing
- Attempt to acquire sensitive info by pretending to be trusted entity via electronic communication (often by text, email, etc)
- Persuade vic to perform actions that provide access to confidential info