1.1 Social Engineering Techniques

Question 1

What is Social Engineering?

Answer 1

Social Engineering is any activity where the goal is to use deception and trickery to convince unsuspecting users to provide sensitive data or to violate security guidelines. The only direct defense against social engineering attacks is user education and awareness training.

Question 2

What is Phishing?

Answer 2

A type of email-based social engineering in which an attacker sends an email from a supposedly reputable source, such as a bank, to try to elicit private information from the victim.

Question 3

What is Smishing?

Answer 3

SMS phishing or smishing is a social engineering attack that occurs over or through standard text messaging services.

Question 4

What is Vishing?

Answer 4

Vishing is phishing done over any telephony or voice communication system

Question 5

What is SPIM?

Answer 5

Spam over instant messaging (SPIM) is the transmission of unwanted communications over any messaging system that is supported by or occurs over the internet such as instant messaging (IM)

Question 6

What is Spear Phishing?

Answer 6

Spear phishing is a more targeted form of phishing where it’s directed specifically to an individual or organization

Question 7

What Is Spam?

Answer 7

Any type of email that is undesired and/or unsolicited

Question 8

What is Dumpster Diving?

Answer 8

Dumpster Diving is the act of digging through trash to obtain information about a target organization or individual.

Question 9

What is Pretexting?

Answer 9

A pretext is a false statement to sound believable to steal their victims’ personal information.

Question 10

What is Shoulder Surfing?

Answer 10

Shoulder Surfing occurs when someone is able to watch a user’s keyboard or view their display to obtain personal or private information

Question 11

What is Pharming?

Answer 11

Pharming is the malicious redirection of a valid website’s URL or IP address to a fake website that hosts a false version of the original valid site

Question 12

What is Tailgating?

Answer 12

Tailgating can be simply described as the passage of unauthorized personnel, either forced or accidental, behind that of an authorized user.

Question 13

What is Eliciting Information?

Answer 13

Eliciting information is where the attacker will try and get to you to provide information; for example, using a false statement in the hope that you will correct the statements.

Question 14

What is Whaling?

Answer 14

A form of spear phishing that targets individuals or organizations known to be extremely wealthy. Target an individual*

Question 15

What is Prepending?

Answer 15

Prepend means to attach content as a prefix. It is often used in different kinds of programming and in automated processes.

Question 16

What is Identity Fraud?

Answer 16

Identity Fraud occurs when that person uses your identity to commit fraud or illegally deceive someone.

Question 17

What are Invoice Scams?

Answer 17

Invoice Scams typically work in one of two ways: through fake invoices with a goal of receiving money or by promoting a victim to put credentials into a fake login screen.

Question 18

What is Credential Harvesting?

Answer 18

The credential harvester attack method is used when you don’t want to specifically get a shell but perform phishing attacks in order to obtain usernames and passwords from the system.

Question 19

What is Active Reconnaissance?

Answer 19

Active Reconnaissance is a type of computer attack in which an intruder engages with the targeted system to gather information about vulnerabilities. This may be through automated scanning or manual testing using various tools like ping, traceroute, netcat, etc. This type of recon requires that the attacker interacts with the target.

Question 20

What is Passive Reconnaissance?

Answer 20

Passive Reconnaissance is an attempt to gain information about targeted computers and networks without actively engaging with the systems. It is gathering the information without alerting the victim. If the victim host is alerted then it drastically increases security against the attack.

Question 21

What are Hoaxes?

Answer 21

An email-based, IM-based, or web-based social engineering attack that is intended to trick the user into performing undesired or unnecessary actions.

Question 22

What is Impersonation?

Answer 22

A type of social engineering in which an attacker pretends to be someone they are not, typically an average user in distress or a help desk representative.

Question 23

What are Watering Hole Attacks?

Answer 23

An attack in which an attacker targets a specific group discovers which websites that group frequents, then injects those sites with malware.

Question 24

What is Typosquatting?

Answer 24

It is known as URL hijacking, a sting site, or a fake URL which is a type of social engineering where threat actors impersonate legitimate domains for malicious purposes such as fraud or malware spreading.

Question 25

What is Hybrid Warfare?

Answer 25

Hybrid Warfare is a military strategy that employs political warfare and blends conventional warfare, irregular warfare, and cyberwarfare with other influencing methods, such as fake news, diplomacy, lawfare, and foreign electoral intervention.

Question 26

What is Social Media?

Answer 26

Social media refers to websites and applications that are designed to allow people to share content quickly, efficiently, and in real-time.

Question 27

Social Engineering Principles - Authority (Reason for effectiveness)

Answer 27

The attacker impersonates others to get people to do something. For example, many have called users on the phone claiming they work for Microsoft.

Question 28

Social Engineering Principles - Intimidation (Reason for effectiveness)

Answer 28

The attacker attempts to intimidate the victim into taking action. Intimidation might be through bullying tactics and is often combined with impersonating someone else.

Question 29

Social Engineering Principles - Consensus (Reason for effectiveness)

Answer 29

The attacker takes advantage of this by creating websites with fake testimonials that promote a product. For example, criminals have setup some websites with dozens of testimonials listing all the benefits of their fake antivirus software (rogueware)

Question 30

Social Engineering Principles - Scarcity (Reason for effectiveness)

Answer 30

Scarcity is often used in social engineering contexts to create a feeling of urgency in a decision-making context. This urgency can often lead to manipulation of the decision-making process, allowing the social engineer to control the information provided to the victim.

Question 31

Social Engineering Principles - Trust (Reason for effectiveness)

Answer 31

In order to influence others, hackers need to build trust. Trust is what makes a potential victim less likely to question the hacker and more likely to provide information to him or her

Question 32

Social Engineering Principles - Familiarity (Reason for effectiveness)

Answer 32

The social engineers attempt to build rapport with the victim to build a relationship before launching the attack

Question 33

Social Engineering Principles - Urgency (Reason for effectiveness)

Answer 33

The hacker may create a false sense of urgency to trick you into taking action before thinking

Question 34

What is Identity Theft?

Answer 34

Identity Theft occurs when someone steals your identity.