1.1 Social Engineering Techniques Flashcards

Threats, Attacks and Vulnerabilities: Compare and Contrast Different Types of Social Engineering Techniques

1
Q

What is Phishing?

A
  • A scam using this social engineering technique targets a large group of recipients with a generic message.
  • Aim: Trick at least the most gullible into acting
  • Ex: Visiting a website and entering PII, responding to an email, responding to a text (Smishing).
  • Relies on: A false sense of trust (contain familiar logos, official looking messages)
2
Q

What is Smishing?

A
  • A particular type of phishing that uses text or SMS messaging to scam someone.
3
Q

What is Vishing?

A
  • A type of phishing attack that takes place over phone systems, most commonly over VoIP (Voice over IP).
  • Aim: Using tools specific to VoIP systems, hackers can program their autodialers to send a recording from a spoofed VoIP address.
  • Ex: A call may claim to be from a bank and request a call back to verify information.
4
Q

What is Spam?

A
  • A deliberate attempt to email unsolicited advertisements to a large number of recipients.
  • Spam mailing lists are shared among internet spam advertisers
  • Spam consumes space and bandwidth. (Annoying to users and network administrators).
  • Continues to be a prime nuisance and security issue for organizations
  • Ex: Any time you sign your email up to a website / newsgroup, you open yourself up to the possibility of being added to a spam mailing list.
  • Prevention: Many ISPs (Internet Service Providers) and corporate networks use anti-spam mail filters to block incoming spam.
5
Q

What is SPIM?

A
  • Spam over Instant Messaging (SPIM) is instant message spam.
  • Similar to the more common spam, it occurs when a user receives unsolicited instant messages (including from users who are known and in the user’s contact list)
  • SPIM can be targeted and include user information like demographic, age, gender information
  • Prevention: Make sure that only people in the user’s contact list can send them messages. (Many organizations block access to external IM chat)
6
Q

What is Spear Phishing?

A
  • A variant of phishing, which is a targeted type of attack that includes information familiar to the user and could appear to be from a trusted source.
  • Much more sophisticated than a phishing attack, b/c the information is targeted at the victim.
  • Aim: Provides a greater inducement for trust from the victim due to its targeted nature.
  • Ex: A company from which the user has purchased something in the past, a financial institution, etc. could use the target’s name and mailing address (easily stolen), or use the names of employees with whom the individual has interacted before.
7
Q

What is Dumpster Diving?

A
  • Requires almost no social skills at all! Literally looking through trash / recycling.
  • Prevention: Companies will shred documents so they can’t be put back together.
8
Q

What is Shoulder Surfing?

A
  • Looking at someone’s sensitive information on their monitor (possibly over their shoulder or through an unobstructed view)
  • Prevention: Users must examine their surroundings before entering or viewing confidential data. Ensure their monitor isn’t easy to read from a hallway, etc.
  • Ex: Blinds can be installed if the office is near another building, or screen filters can be used
9
Q

What is Pharming?

A
  • A technique that misdirects a user to an attacker’s website without the user’s knowledge, generally through manipulation of the DNS (Domain Name Service) on an affected server or the host file on a user’s system.
  • While similar to phishing where a user may click a seemingly legitimate link, it differs in that it installs code on the user’s computer that sends them to the malicious site, even if the URL is entered correctly or chosen from a web browser bookmark.
  • User is tricked into browsing to the attacker’s website.
  • Like phishing, it can result in the loss of confidential data and can lead to identity theft as well.
10
Q

What is Tailgating?

A
  • A simpler form of social engineering, gaining physical access to an access-controlled facility by closely following an authorized person through the security check point
  • Can also refer to using another user’s access rights on a computer. (Ex: leaving a computer unlocked and going to lunch) Users must be taught to always log out and lock their workstations before leaving their area.
  • Ex: A person might make casual conversation while following someone in or tell them they’ve lost or forgotten their card
  • Prevention: Organizations must have strict access control rules to prevent tailgating so that unauthorized persons aren’t allowed into any secure facility or room; employees should be educated not to let in unknown persons, and visitors must be accompanied and must sign in / out.
11
Q

How to prevent social engineering scams?

A
  • Education is key: provide user education to recognize the warning signs of scams, including any attempt to get financial information such as credit card / bank information over the phone.
  • B/c technological controls alone are not sufficient to protect users.
12
Q

What is Hoax?

A
  • Typically some kind of urban legend or sensational fake news that users pass along to others via email b/c they feel it is of interest.
  • Ex: Forward this email to 10 friends for good luck.
  • Ex: Email saying they’re collecting money for a sick individual.
  • Hoaxes are generally harmless, just taking up resources on the network and computers.
  • However, some are phishing attempts that try to get the user to visit the link to a malicious site.
13
Q

What is Prepending?

A
  • Adding mentions (@username) to Tweets or social media posts to make them seem more personal and legitimate.
  • Creates higher engagement and can be automated to become almost as efficient as manual spear phishing campaigns.
14
Q

What is Identity Fraud?

A
  • When an unauthorized user collects enough personal information about their target to perform forged credit card / banking transactions using the victim’s financial / personal details.
15
Q

Exam tip! How to combat the problem of dumpster diving.

A
  • The physical security of your facility should include your garbage disposal and recycling operations.
16
Q

What is Credential Harvesting?

A
  • More than phishing and becoming increasingly common, essentially stealing passwords or exploiting weak passwords.
  • Also known as password harvesting, it’s related to phishing but uses different tactics.
  • Ex: It can take many forms.
17
Q

What is Reconnaissance?

A
  • When the hacker takes time to gather information which can then be leveraged into a social engineering attack.
18
Q

What is Impersonation?

A
  • A person pretends to be someone else and tricks the victim into revealing sensitive information
  • Ex: A social engineer calls a helpdesk operator, claims to be a high-level user and demands that they reset their password so that they can complete an important task. The social engineer might have gathered relevant information to make the scam more convincing and get the operator to reset the password.
19
Q

What is a Watering Hole Attack?

A
  • Targeted attack toward a group of specified users.
  • Hackers will infect websites that the targeted users are known to frequent.
  • Goal: Load a malicious payload from the infected sites onto the user’s computer, giving the hacker access to the user’s network.
20
Q

What is Typosquatting?

A
  • Hackers register domains with deliberately misspelled names of well-known websites to lure unsuspecting visitors to alternative websites.
  • Victims may end up there by mistyping the URL or by being lured as part of a wider phishing attack.
21
Q

What is Pretexting?

A
  • A technique in which a social engineer creates a story or pretext that employs one or more principles to motivate victims to act contrary to their instincts / training.
22
Q

Social Engineer Principle: Authority

A
  • A reason why social engineering is effective
  • Social engineers often claim a position of authority to intimidate the victim into giving them access rights
23
Q

Social Engineer Principle: Intimidation

A
  • A reason why social engineering is effective
  • Social engineers can act belligerently if denied
24
Q

Social Engineer Principle: Consensus

A
  • A reason why social engineering is effective
  • AKA the Social Proof principle: try to make a social connection, claiming that another trusted individual can vouch for their authenticity
25
Q

Social Engineer Principle: Scarcity

A
  • A reason why social engineering is effective
  • Social engineers can act as if they have little time to verify the victim’s identity.
26
Q

Social Engineer Principle: Familiarity

A
  • A reason why social engineering is effective
  • Social engineers can try to seek common interests to create a bond between the social engineer and the victim
27
Q

Social Engineer Principle: Trust

A
  • A reason why social engineering is effective
  • May cite professional credentials, known organization information or organization status to create a feeling of confidence
28
Q

Social Engineer Principle: Urgency

A
  • A reason why social engineering is effective
  • Social engineers can act as if the situation is urgent.