1.1: Compare and contrast different types of social engineering techniques. Flashcards
An attack exploiting human nature and behavior.
Social Engineering
Social engineering employed to obtain sensitive/private information; can use any communication means.
Phishing
Phishing occurring over a standard text message service or app.
Smishing (SMS phishing)
Phishing done via a voice communication system, including traditional phone lines, VoIP, and mobile devices.
Vishing
Any type of unsolicited and/or undesired email.
Spam
Unwanted communications sent over an internet messaging system.
Spam over instant messaging (SPIM)
A more targeted form of phishing where the message is crafted for and directed at a specific group of individuals.
Spear phishing
Digging through trash or discarded materials for information on a target.
Dumpster diving
When someone is able to watch another user’s display or keyboard.
Shoulder surfing
Malicious redirection of a valid URL or IP address to a fake website hosting a false version of the original destination.
Pharming
When an unauthorized person enters a facility under the authorization of a valid member, without that member’s knowledge.
Tailgating
Activity of gathering information from systems or people.
Eliciting information
Form of spear phishing targeting high-value individuals (CEO, etc.).
Whaling
Where malicious characters or code are added at the beginning of a legitimate file, string, or command.
Prepending
Act of stealing someone’s identity. Can refer to the initial act of information gathering or to using the stolen information to take over the victim’s account.
Identity fraud
Social engineering attack that attempts to steal funds from an organization using a false invoice.
Invoice scams
Activity of gathering and stealing account credentials.
Credential harvesting
Gathering information about a target, generally prior to an engagement or attack.
Reconnaissance
A fake warning about a virus or other piece of malicious code.
Hoax
Act of taking on someone’s identity to use their access or authority. Related terms: masquerading, spoofing, and identity fraud.
Impersonation
Attacker observes the victim’s habits to discover a common resource that one or more members of the target group use, then infects that resource.
Watering hole attack
Using mistyped versions of intended resource names as malicious sources; for example, a URL or IP address typo that leads to a malicious site.
Typosquatting
A false statement crafted to sound believable, in an attempt to convince the target to act or respond.
Pretexting
Collecting information about an individual or organization in order to disclose it publicly.
Doxing
Social engineering attacks attempting to guide, adjust, or change public opinion.
Influence campaigns
Convincing the target that the actor has authority over them.
Authority
Uses authority, confidence, or the threat of harm to motivate a victim to follow orders.
Intimidation
Taking advantage of people’s tendency to mimic what others are doing, convincing the victim that a particular action or response is consistent with social norms or previous occurrences.
Consensus
Convincing the target an object has a higher value based on limited availability.
Scarcity
Appearing to have a contact or relationship in common with the target, or assuming the identity of that familiar contact.
Familiarity
Building a relationship with the victim to convince them to reveal information or perform an action.
Trust
Creating a need to act quickly on the basis of a time limitation.
Urgency