1.1 Social Engineering Techniques Flashcards

1.0 Threats, Attacks, and Vulnerabilities

1
Q

What is Social Engineering?

A

Social engineering is any activity that uses deception and manipulation to convince unsuspecting users to hand over sensitive data or to violate security policy. The main direct defense is user education and awareness training; technical controls such as mail filtering, multi-factor authentication and least privilege limit the damage when a user is nonetheless fooled.

2
Q

What is Phishing?

A

A type of email-based social engineering in which an attacker sends an email from a supposedly reputable source, such as a bank, to try to elicit private information from the victim.

3
Q

What is Smishing?

A

SMS phishing or smishing is a social engineering attack that occurs over or through standard text messaging services.

4
Q

What is Vishing?

A

Vishing is phishing done over any telephony or voice communication system, including VoIP and voicemail.

5
Q

What is SPIM?

A

Spam over instant messaging (SPIM) is the transmission of unwanted communications over any messaging system that is supported by or occurs over the internet, such as instant messaging (IM).

6
Q

What is Spear Phishing?

A

Spear phishing is a more targeted form of phishing that is directed at a specific individual or organization, usually using details gathered beforehand (name, role, colleagues, current projects) to make the message convincing.

7
Q

What Is Spam?

A

Any type of email that is undesired and/or unsolicited

8
Q

What is Dumpster Diving?

A

Dumpster Diving is the act of digging through trash to obtain information about a target organization or individual.

9
Q

What is Pretexting?

A

Pretexting is inventing a believable scenario (the pretext), such as posing as a vendor who needs to confirm account details, to persuade the victim to disclose personal information or take an action they otherwise would not.

10
Q

What is Shoulder Surfing?

A

Shoulder surfing occurs when someone is able to watch a user's keyboard or view their display to obtain personal or private information, such as a PIN or password being typed.

11
Q

What is Pharming?

A

Pharming is the malicious redirection of traffic for a legitimate website, by poisoning DNS or a host's local name resolution, to a fake site that imitates the original. Unlike phishing, the user can type the correct URL and still land on the attacker's site.

12
Q

What is Tailgating?

A

Tailgating is the passage of unauthorized personnel through a controlled entrance behind an authorized user, whether forced or accidental (for example, slipping through a door before it closes). When the authorized user knowingly holds the door open, it is usually called piggybacking.

13
Q

What is Eliciting Information?

A

Eliciting information is when the attacker tries to get you to provide information without asking for it directly; for example, by making a deliberately false statement in the hope that you will correct it.

14
Q

What is Whaling?

A

A form of spear phishing that targets high-value individuals such as senior executives (CEO, CFO) or other wealthy or influential people, because the payoff from a single success is large. The target is an individual, not an organization.

15
Q

What is Prepending?

A

In the social engineering context, prepending means attaching content as a prefix, typically to an email subject or message body: for example, prepending "RE:" or "FW:" so a message appears to be part of an existing conversation, or prepending words like "SAFE" or a gateway-style "[EXTERNAL]" tag so the message looks as though it has already been vetted. (The term also appears in programming and automated processes for adding data to the front of a string or list.)
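The following is an added example, not part of the original flashcards: a small detector for the subject-line prepending tricks described above, run over constructed sample messages. The internal domain `example.com`, the gateway tag `[EXTERNAL]` and the trust words are assumptions; the message texts are made up for the demonstration.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Assumptions (not from the flashcards): the defended organisation's own
# domains, and the tag its mail gateway prepends to inbound external mail.
INTERNAL_DOMAINS = {"example.com"}
GATEWAY_TAG = "[EXTERNAL]"
TRUST_TAGS = ("[safe]", "[secure]", "[verified]")

REPLY_PREFIX = re.compile(r"^\s*(re|fw|fwd)\s*:", re.IGNORECASE)


def sender_domain(msg: EmailMessage) -> str:
    """Domain part of the From: header, lower-cased ("" if absent)."""
    match = re.search(r"@([\w.-]+)", str(msg.get("From", "")))
    return match.group(1).lower() if match else ""


def prepending_findings(msg: EmailMessage) -> list[str]:
    """Return labels for subject-line prepending tricks seen in one message.

    Runs on the raw inbound message, i.e. before the gateway stamps its own
    tag, so any GATEWAY_TAG already present was supplied by the sender.
    """
    findings = []
    subject = str(msg.get("Subject", ""))
    lowered = subject.lower()
    external = sender_domain(msg) not in INTERNAL_DOMAINS

    # 1. "RE:"/"FW:" prepended to fake an existing conversation, but the
    #    message carries none of the threading headers a real reply has.
    if REPLY_PREFIX.match(subject) and not (msg.get("In-Reply-To") or msg.get("References")):
        findings.append("reply-prefix-without-thread")

    # 2. The gateway's external-mail tag prepended by an external sender,
    #    so the message looks as if it has already been vetted.
    if external and GATEWAY_TAG.lower() in lowered:
        findings.append("gateway-tag-supplied-by-sender")

    # 3. Reassurance words such as [SAFE] prepended to disarm the reader.
    if any(tag in lowered for tag in TRUST_TAGS):
        findings.append("trust-tag-in-subject")

    return findings


def scan(raw_message: str) -> list[str]:
    """Parse an RFC 5322 message string and return its findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return prepending_findings(msg)


# Constructed sample messages for the demonstration; none are real mail.
SAMPLES = {
    "genuine_reply": "\n".join([
        "From: alice@example.com",
        "To: bob@example.com",
        "Subject: RE: Q3 budget",
        "In-Reply-To: <20240101.1@example.com>",
        "",
        "Looks good to me.",
    ]),
    "fake_reply": "\n".join([
        "From: billing@invoices-portal.net",
        "To: bob@example.com",
        "Subject: RE: overdue invoice 4471",
        "",
        "Please see the attached statement.",
    ]),
    "fake_tags": "\n".join([
        "From: it-support@helpdesk-mail.net",
        "To: bob@example.com",
        "Subject: [EXTERNAL] [SAFE] Password expiry notice",
        "",
        "Your password expires today; sign in here to keep access.",
    ]),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {scan(raw) or 'clean'}")
```

The first check is the useful one in practice: a genuine reply almost always carries `In-Reply-To` or `References`, so a "RE:" subject without either is a cheap, low-noise signal. The second check only makes sense at the point where the gateway has not yet added its own tag.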

16
Q

What is Identity Fraud?

A

Identity fraud occurs when someone uses another person's identity (name, account numbers, credentials) to commit fraud or deceive a third party, for example opening accounts or making purchases in the victim's name.

17
Q

What are Invoice Scams?

A

Invoice scams typically work in one of two ways: sending fake invoices in the hope that the organization pays them, or using an "invoice" lure to prompt the victim to enter credentials into a fake login page.

18
Q

What is Credential Harvesting?

A

Credential harvesting is a phishing technique whose goal is not to get a shell on a machine but to collect usernames and passwords, usually by sending victims to a cloned login page that records what they type. (The Social-Engineer Toolkit's "credential harvester attack method" is a well-known implementation.)

19
Q

What is Active Reconnaissance?

A

Active reconnaissance is information gathering in which the intruder engages directly with the targeted system to discover hosts, services and vulnerabilities. It may be done through automated scanning or manual testing with tools such as ping, traceroute, nmap or netcat. Because the attacker interacts with the target, this type of recon can be logged and detected.

20
Q

What is Passive Reconnaissance?

A

Passive reconnaissance is an attempt to gain information about targeted computers and networks without actively engaging with those systems, for example from public DNS and WHOIS records, job postings or social media. It gathers information without alerting the victim; once the victim knows they are being probed, they can raise their defenses, which makes the attack much harder.

21
Q

What are Hoaxes?

A

An email-based, IM-based, or web-based social engineering attack that is intended to trick the user into performing undesired or unnecessary actions.

22
Q

What is Impersonation?

A

A type of social engineering in which an attacker pretends to be someone they are not, typically an average user in distress or a help desk representative.

23
Q

What are Watering Hole Attacks?

A

An attack in which an attacker targets a specific group, discovers which websites that group frequents, then compromises those sites so that they serve malware to visitors.

24
Q

What is Typosquatting?

A

Typosquatting, also known as URL hijacking, a sting site or a fake URL, is a type of social engineering in which threat actors register domains that are misspellings or lookalikes of legitimate domains (for example, a transposed letter or a different top-level domain), so that users who mistype or misread the address land on a site the attacker controls, for purposes such as fraud or spreading malware.
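An added example, not from the original flashcards, of how a defender enumerates typosquat candidates for a brand domain and checks observed domains (from DNS logs or a new-registration feed) against them. It generalizes beyond the single-typo case: besides the enumerated single-edit variants it uses edit distance to catch near misses and flags domains that embed the legitimate name as a subdomain. The homoglyph table, the watched TLDs and the `OBSERVED` list are assumptions constructed for the demonstration.

```python
# Homoglyph substitutions that read as the original letter in many fonts.
HOMOGLYPHS = {
    "o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5",
    "m": "rn", "w": "vv",
}
ALT_TLDS = ("co", "cm", "net", "org")  # assumption: TLDs worth watching


def split_domain(domain: str) -> tuple[str, str]:
    """'example.com' -> ('example', 'com'); crude but enough for the demo."""
    name, _, tld = domain.lower().strip(".").rpartition(".")
    return name, tld


def typosquat_candidates(domain: str) -> set[str]:
    """Enumerate single-edit lookalikes of the registrable name."""
    name, tld = split_domain(domain)
    variants: set[str] = set()
    for i in range(len(name)):
        variants.add(name[:i] + name[i + 1:])             # omission
        variants.add(name[:i] + name[i] + name[i:])        # repetition
        if name[i] in HOMOGLYPHS:                          # homoglyph swap
            variants.add(name[:i] + HOMOGLYPHS[name[i]] + name[i + 1:])
        if i > 0:
            variants.add(name[:i] + "-" + name[i:])        # hyphenation
        if i < len(name) - 1:                              # transposition
            variants.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    variants.discard(name)
    candidates = {f"{v}.{tld}" for v in variants}
    candidates.update(f"{name}.{t}" for t in ALT_TLDS if t != tld)  # TLD swap
    return candidates


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch variants the enumerator does not list."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_domains(legit: str, observed, max_distance: int = 2) -> dict[str, str]:
    """Map each suspicious observed domain to the reason it was flagged."""
    legit = legit.lower()
    legit_name, _ = split_domain(legit)
    candidates = typosquat_candidates(legit)
    hits: dict[str, str] = {}
    for raw in observed:
        d = raw.lower().strip(".")
        if d == legit:
            continue
        if d in candidates:
            hits[d] = "generated-variant"
        elif legit in d:                       # brand used as a subdomain
            hits[d] = "embedded-brand"
        else:
            dist = levenshtein(split_domain(d)[0], legit_name)
            if dist <= max_distance:
                hits[d] = f"near-miss (distance {dist})"
    return hits


# Constructed list of "observed" domains for the demonstration.
OBSERVED = [
    "example.com", "exarnple.com", "examp1e.com", "exmaple.com", "exampl.com",
    "example.co", "exanple.com", "example.com.secure-login.net", "unrelated.org",
]

if __name__ == "__main__":
    for domain, reason in sorted(check_domains("example.com", OBSERVED).items()):
        print(f"{domain:35} {reason}")
```

The edit-distance fallback is what makes the check useful against registrations the enumerator never listed (a substituted letter, two small edits); in production, the registrable name should be taken from a public-suffix list rather than by splitting on the last dot, since `example.co.uk` would otherwise be mis-parsed.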

25
Q

What is Hybrid Warfare?

A

Hybrid Warfare is a military strategy that employs political warfare and blends conventional warfare, irregular warfare, and cyberwarfare with other influencing methods, such as fake news, diplomacy, lawfare, and foreign electoral intervention.

26
Q

What is Social Media?

A

Social media refers to websites and applications that are designed to allow people to share content quickly, efficiently, and in real-time.

27
Q

Social Engineering Principles - Authority (Reason for effectiveness)

A

The attacker impersonates someone with authority (a manager, a government agency, a well-known vendor) so that people comply without questioning. For example, many scammers have called users on the phone claiming they work for Microsoft.

28
Q

Social Engineering Principles - Intimidation (Reason for effectiveness)

A

The attacker attempts to intimidate the victim into taking action. Intimidation might be through bullying tactics and is often combined with impersonating someone else.

29
Q

Social Engineering Principles - Consensus (Reason for effectiveness)

A

People tend to do what they see others doing (social proof). The attacker takes advantage of this by creating websites with fake testimonials that promote a product; for example, criminals have set up websites with dozens of testimonials listing all the benefits of their fake antivirus software (rogueware).

30
Q

Social Engineering Principles - Scarcity (Reason for effectiveness)

A

Scarcity is often used in social engineering contexts to create a feeling of urgency in a decision-making context. This urgency can often lead to manipulation of the decision-making process, allowing the social engineer to control the information provided to the victim.

31
Q

Social Engineering Principles - Trust (Reason for effectiveness)

A

In order to influence others, attackers need to build trust. Trust is what makes a potential victim less likely to question the attacker and more likely to provide information to him or her.

32
Q

Social Engineering Principles - Familiarity (Reason for effectiveness)

A

The social engineer attempts to build rapport with the victim, establishing a relationship before launching the attack so that requests seem to come from someone known.

33
Q

Social Engineering Principles - Urgency (Reason for effectiveness)

A

The attacker creates a false sense of urgency ("your account will be closed in one hour") to trick you into taking action before thinking.

34
Q

What is Identity Theft?

A

Identity theft occurs when someone steals your personal information (name, date of birth, national ID number, account credentials) in order to impersonate you; it is the precursor to identity fraud, which is the use of that stolen identity.