3.1 Attacks & exploits: Social Engineering and Physical Attacks Flashcards
What is Social Engineering?
▪ A broad range of malicious activities accomplished through human interactions
▪ Non-technical attacks
Methods of Influence: what is the Authority method of influence in social engineering attacks?
▪ People are more willing to comply with a request when they think it is coming from someone in authority
▪ Use of a recognizable brand name, such as a bank or PayPal, is also a form of authority. Authorities commonly impersonated:
● CEO or manager
● Important client
● Government agency
● Financial institution
Methods of Influence: what is the Urgency method of influence in social engineering attacks?
▪ People are usually in a rush, and urgency takes advantage of that fact
▪ Approaching deadline, time-based
Methods of Influence: what is the Social Proof method of influence in social engineering attacks?
▪ People are more likely to click a link when they see that others (for example, on social media) have already clicked it
▪ Social proof exploits the desire to be part of a social group, experience, or interaction
Methods of Influence: what is the Scarcity method of influence in social engineering attacks?
▪ Technique that relies on the fear of missing out on a good deal that is only offered in limited quantities or a limited time
▪ Limited supply, quantity-based (contrast with urgency, which is time-based)
Methods of Influence: what is the Likeness/Likeability method of influence in social engineering attacks?
▪ A technique where the social engineer attempts to find common ground and shared interests with their target
▪ Social engineers are some of the most likeable people you will meet
Methods of Influence: what is the Fear method of influence in social engineering attacks?
▪ The use of threats or demands to intimidate someone into helping you in the attack
Methods of Influence: give an example of a message that combines several methods of influence
▪ "Click on this email right now because we only have three things left. These will only be on sale for the next 30 minutes. We have 100 people who already bought."
▪ "Right now" and "next 30 minutes" are urgency, "only three left" is scarcity, and "100 people already bought" is social proof
Social Engineering: what is phishing?
▪ A social engineering attack in which the malicious actor communicates with the victim while posing as a reputable source, to lure the victim into divulging sensitive information
Social Engineering: what is spear phishing?
▪ Uses the same technology and techniques as phishing but is aimed at specific individuals or groups rather than a broad audience
▪ During a penetration test you are most likely to conduct spear phishing rather than broad phishing
Social Engineering: what is whaling?
Phishing focused on key executives and other senior leaders and managers within an organization. Why executives make attractive targets:
● They are busy and may not scrutinize messages closely
● The attack can be carefully tailored to the individual
● Some are older and less technically savvy
Social Engineering: what is vishing?
Occurs when the phishing message is delivered to the target by voice over the telephone (voice phishing)
Social Engineering: what is smishing?
▪ Occurs when the phishing message is delivered to the target through text messaging (SMS phishing)
▪ Short Message Service (SMS): The text message service component on cellphones, smartphones, tablets, and other mobile devices
▪ Multimedia Messaging Service (MMS): A form of text messaging that also allows pictures, sound, or video to be sent using the service
Social Engineering: what is Business Email Compromise (BEC)?
Occurs when an attacker takes over (or convincingly spoofs) a high-level executive's email account and instructs employees to carry out tasks, typically payments or wire transfers to an attacker-controlled account
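The phishing, spear phishing and BEC cards above, and the combined methods-of-influence example, describe cues that can be checked mechanically. The following is an added example, not part of the original flashcards: a small triage script that parses an email, flags a display name claiming a brand or executive role from an untrusted domain, a lookalike sender domain, and a Reply-To that points elsewhere than From, and tags which influence methods the text leans on. The trusted-domain list, cue phrases, thresholds and the three sample messages (with invented `.invalid` domains) are all constructed assumptions for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed trusted sender domains: the organization and the brands it deals with.
TRUSTED_DOMAINS = {"paypal.com", "example.com"}
# Brand/organization labels, used to spot display names and lookalike domains.
BRANDS = {d.split(".")[0] for d in TRUSTED_DOMAINS}

# Phrases that exercise each method of influence (illustrative, not exhaustive).
INFLUENCE_CUES = {
    "urgency": [r"right now", r"immediately", r"\burgent\b", r"next \d+ minutes", r"within 24 hours"],
    "scarcity": [r"only \w+( \w+)? left", r"limited time", r"limited supply", r"last chance"],
    "social proof": [r"already bought", r"\d+ people", r"everyone else"],
    "authority": [r"\bceo\b", r"\birs\b", r"your bank", r"compliance team", r"government agency"],
    "fear": [r"account will be (suspended|closed)", r"legal action", r"terminated"],
}


def edit_distance(a, b):
    """Levenshtein distance; 'paypa1' is one edit away from 'paypal'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_of(domain):
    """Return the brand label an untrusted domain imitates, or None.
    Each label (split on '.' and '-') is compared with every brand at edit
    distance <= 1, so 'paypa1-secure.invalid' and 'paypal.com.evil.invalid'
    both match 'paypal' while the trusted 'paypal.com' passes."""
    if domain in TRUSTED_DOMAINS:
        return None
    for label in re.split(r"[.-]", domain):
        for brand in BRANDS:
            if edit_distance(label, brand) <= 1:
                return brand
    return None


def influence_cues(text):
    """Sorted list of influence methods whose cue phrases occur in the text."""
    text = text.lower()
    return sorted(m for m, pats in INFLUENCE_CUES.items() if any(re.search(p, text) for p in pats))


def analyze(raw_message):
    """Triage one single-part RFC 5322 message and return the findings."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(from_addr)
    findings = []
    brand = lookalike_of(from_dom)
    if brand:
        findings.append(f"sender domain {from_dom} looks like {brand}")
    name_l = from_name.lower()
    claims = any(b in name_l for b in BRANDS) or re.search(r"\b(ceo|cfo|president|director)\b", name_l)
    if claims and from_dom not in TRUSTED_DOMAINS:
        findings.append(f"display name '{from_name}' claims a brand or executive role from untrusted {from_dom}")
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(f"Reply-To goes to {domain_of(reply_addr)}, not {from_dom}")
    body = msg.get_payload() if not msg.is_multipart() else ""
    cues = influence_cues(msg.get("Subject", "") + "\n" + body)
    return {"findings": findings, "influence": cues, "suspicious": bool(findings) or len(cues) >= 3}


# Constructed sample messages; the sender domains are invented for this example.
PHISH_SAMPLE = """\
From: PayPal Security <alerts@paypa1-secure.invalid>
Reply-To: recover@mail-recovery.invalid
To: victim@example.com
Subject: Action required right now
Content-Type: text/plain

Your account will be suspended unless you verify within 24 hours.
Only 3 spots left in our protection program; 100 people already enrolled.
"""

BEC_SAMPLE = """\
From: CEO Jane Doe <jane.doe@examp1e-corp.invalid>
Reply-To: jane.doe.ceo@webmail.invalid
To: accounts@example.com
Subject: Urgent vendor payment
Content-Type: text/plain

Process the attached wire immediately. I am in meetings all day and cannot take calls.
"""

BENIGN_SAMPLE = """\
From: IT Helpdesk <helpdesk@example.com>
To: staff@example.com
Subject: Scheduled maintenance this weekend
Content-Type: text/plain

The file server will be patched Saturday at 22:00. No action is needed.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH_SAMPLE), ("bec", BEC_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, analyze(raw))
```

The BEC sample is flagged by its headers alone (executive display name from a lookalike domain, Reply-To diverted to webmail) even though its body carries only one influence cue, which is the point of the card: BEC relies on apparent authority rather than a flashy lure, so header checks matter more than keyword matching there.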
Social Engineering: what is pharming?
Tricks users into divulging private information by redirecting a victim to a website controlled by the attacker or penetration tester, typically by poisoning DNS or modifying the victim's local hosts file, so the victim types the correct URL and still lands on the fake site
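The local-hosts-file variant of pharming leaves a simple artifact to check for. The following is an added example, not part of the original flashcards: it parses hosts-file content and reports any watched hostname pinned to a routable address, ignoring the loopback entries developers legitimately add, and groups overrides that point at the same host. The watch list, the sample hosts content and the 203.0.113.0/24 documentation addresses are constructed assumptions for the example.

```python
import ipaddress

# Assumed watch list: hostnames whose resolution the organization cares about.
WATCHED = {"www.paypal.com", "login.example.com", "mail.example.com"}


def parse_hosts(text):
    """Yield (hostname, address) pairs from hosts-file text, skipping comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            yield name.lower(), addr


def find_overrides(hosts_text, watched=WATCHED):
    """Return {hostname: address} for watched names pinned to a non-loopback address.
    A watched name mapped to 127.0.0.1 or ::1 is the usual developer override and
    is ignored; the same name mapped to a routable address is the local-pharming
    signature, because the user types the right URL and still lands elsewhere."""
    hits = {}
    for name, addr in parse_hosts(hosts_text):
        if name not in watched:
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed line, not a usable redirect
        if not ip.is_loopback:
            hits[name] = addr
    return hits


def shared_targets(overrides):
    """Group overridden names by address; several brands on one host suggests a phishing kit."""
    groups = {}
    for name, addr in overrides.items():
        groups.setdefault(addr, []).append(name)
    return {addr: sorted(names) for addr, names in groups.items() if len(names) > 1}


# Constructed sample; 203.0.113.0/24 is a documentation range, not a real host.
HOSTS_SAMPLE = """\
# hosts file with one benign and two malicious overrides
127.0.0.1    localhost
::1          localhost
127.0.0.1    login.example.com      # local dev override, benign
203.0.113.7  www.paypal.com         # brand pinned to a routable address
203.0.113.7  mail.example.com
203.0.113.9  other.example          # not on the watch list, ignored
"""

if __name__ == "__main__":
    found = find_overrides(HOSTS_SAMPLE)
    print("overrides:", found)
    print("shared attacker hosts:", shared_targets(found))
```

To run it against a real machine, read `/etc/hosts` (or `C:\Windows\System32\drivers\etc\hosts` on Windows) into `find_overrides`; the DNS-poisoning variant of pharming leaves no hosts-file trace, so pair this with a comparison of the local resolver's answers against a trusted resolver.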