Chapter 1.1 - Social Engineering Flashcards
Compare and contrast different types of social engineering techniques
Phishing
Social engineering with a touch of spoofing
Usually delivered by email, text message, etc.
Usually something is wrong with the URL (look closely at the link before clicking)
Smishing (SMS Phishing)
Done by text message
Forwards links or asks for personal information
Examples: fake check, phone code verification, boss/ CEO
Vishing (Voice Phishing)
Done over the phone or voicemail
Caller ID spoofing is common
Examples: fake security checks or bank updates
Spam
Unsolicited messages
Examples: emails or forums
Mail Gateways
A filter that identifies spam and discards or quarantines it before it reaches the user's mailbox
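As an added example (not code from the original flashcards), here is a tiny mail-gateway filter in Python that scores a message on a few of the header and subject patterns the cards above describe: a Reply-To that points somewhere other than the sender's domain (where invoice scams and credential harvesting want the reply to go), a display name that claims the organization while the real sender domain is external, and urgency wording in the subject. The two messages, the protected domain example.com, the keyword list and the threshold are all constructed for the example.

```python
import email
from email.utils import parseaddr

# Constructed sample messages (not real mail) used to exercise the filter.
LEGIT_MSG = """\
From: "Payroll" <payroll@example.com>
To: alice@example.com
Subject: Your pay stub for March is available

Your pay stub is available in the HR portal.
"""

PHISH_MSG = """\
From: "Example Corp IT Support" <helpdesk@mail-secure-login.net>
Reply-To: it-support@attacker.example
To: alice@example.com
Subject: URGENT: Verify your password within 24 hours or lose access

Click here to verify your account immediately.
"""

# Domains this gateway protects (assumption for the example). Mail that claims
# to be from the organization but comes from elsewhere is suspicious.
INTERNAL_DOMAINS = {"example.com"}

# Phrases that signal the urgency / scarcity principles in a subject line.
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "act now",
                 "verify your password")


def domain_of(addr_header):
    """Lowercased domain part of an address header, or '' if the header is absent."""
    _name, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()


def score_message(raw):
    """Apply simple header/subject heuristics; returns (score, reasons)."""
    msg = email.message_from_string(raw)
    score, reasons = 0, []
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    display_name, _ = parseaddr(msg["From"] or "")

    # A Reply-To on a different domain than From sends every reply to the attacker.
    if reply_dom and reply_dom != from_dom:
        score += 3
        reasons.append(f"Reply-To domain {reply_dom} != From domain {from_dom}")

    # Display name names the organization, but the real sender domain is external.
    org_names = {d.split(".")[0] for d in INTERNAL_DOMAINS}
    if any(n in display_name.lower() for n in org_names) and from_dom not in INTERNAL_DOMAINS:
        score += 3
        reasons.append(f"display name '{display_name}' claims the org but sender is {from_dom}")

    # Urgency / scarcity language in the subject, one point per phrase.
    subject = (msg["Subject"] or "").lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        score += len(hits)
        reasons.append(f"urgency language in subject: {hits}")
    return score, reasons


def verdict(raw, threshold=4):
    """Quarantine anything at or above the threshold, deliver the rest."""
    score, reasons = score_message(raw)
    return ("quarantine" if score >= threshold else "deliver", score, reasons)


if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_MSG), ("phish", PHISH_MSG)):
        print(name, verdict(raw))
```

Real gateways add sender authentication (SPF, DKIM, DMARC), URL reputation and attachment scanning on top of heuristics like these; the scoring above is only meant to show how header facts map to a quarantine decision.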
Spam Over Instant Messaging (SPIM)
Unsolicited messages over instant messaging
Spear Phishing
Targeted phishing with inside information
Whaling
Spear phishing that targets the higher-ups of a company (CEO, CFO, etc.)
The attacker gathers a lot of information for a bigger catch
Dumpster Diving
Physically going through a dumpster to find important details (for an attack) people/ companies have thrown out
Shoulder Surfing
Physically peeking over someone’s shoulder to look at their screen to try and steal information
Pharming
Redirecting users from a legitimate website to a bogus site, e.g., by poisoning DNS or the client's hosts file
Harvests a large group of people instead of just one person
Tailgating
Following an authorized person through a door to gain unauthorized access to a building
Eliciting Information
Extracting information from the victim
Often used with vishing
Prepending
Add onto the beginning of a fake URL
Example: “https://pprofessormesser.com”
Invoice Scams
Sending a fake invoice to the person/ department paying the bills at a company and the attacker ends up with the payment details
Credential Harvesting
Attackers collect login credentials
Example: opening a document that runs a macro to start harvesting
Also called password harvesting
Reconnaissance
Gather information on the victim
Usually background information
Examples: social media, corporate website
Hoax
A threat that doesn’t actually exist but seems like it COULD be real
Impersonation
Attacker pretends to be someone they are not
Uses details from reconnaissance
Watering Hole Attack
Strategy in which an attacker guesses or observes which websites an organization often uses and infects one or more of them with malware
Eventually, some member of the targeted group will become infected
Typosquatting
A type of URL hijacking
Purposely misspelling a URL
Example: "https://professormessor.com" (messor instead of messer)
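The prepending and typosquatting cards, and the phishing card's "something wrong with the URL", all come down to a domain that is a character or two away from a real one, or that buries the real brand inside a domain the attacker controls. The following Python is an added example (not from the flashcards or from Professor Messer) of the check a link scanner would run: it extracts the registered domain of a URL and compares it to an allowlist using edit distance, and also flags a trusted brand name appearing in an untrusted host. The allowlist and the two-label "registered domain" rule are assumptions for the example (a production scanner would use the Public Suffix List).

```python
from urllib.parse import urlparse

# Domains we consider legitimate (assumption for the example); anything near
# these but not equal to them is treated as a lookalike.
TRUSTED_DOMAINS = {"professormesser.com", "example.com"}


def levenshtein(a, b):
    """Edit distance: minimum insertions, deletions and substitutions to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def hostname_of(url):
    """Lowercased hostname of a URL, or '' if the URL has no parsable host."""
    return (urlparse(url).hostname or "").lower().rstrip(".")


def registered_domain(host):
    """Last two labels of the host, e.g. www.professormesser.com -> professormesser.com.
    Simplification: assumes a single-label TLD such as .com."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_url(url, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return (verdict, trusted_domain_it_resembles).

    verdicts: 'trusted', 'lookalike', 'unknown', 'invalid'
    """
    host = hostname_of(url)
    if not host:
        return ("invalid", None)   # e.g. "https:professormessor.com" has no host
    dom = registered_domain(host)
    if dom in trusted:
        return ("trusted", dom)
    for good in trusted:
        # Prepending / typosquatting: pprofessormesser.com, professormessor.com
        if levenshtein(dom, good) <= max_distance:
            return ("lookalike", good)
        # Brand embedded in an attacker-controlled host:
        # professormesser.com.evil.net or professormesser-login.com
        if good.split(".")[0] in host:
            return ("lookalike", good)
    return ("unknown", None)


if __name__ == "__main__":
    for u in ("https://www.professormesser.com/security-plus/",
              "https://pprofessormesser.com",
              "https://professormessor.com",
              "https://professormesser.com.evil.net/login",
              "https://github.com",
              "https:professormessor.com"):
        print(u, "->", classify_url(u))
```

Edit distance alone misses homoglyph tricks (a Cyrillic "о" in place of Latin "o"), so a real scanner also normalizes or rejects mixed-script hostnames before comparing.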
Pretexting
Lying to a victim to get information
Example: “Hi, we are calling from Visa regarding…”
Influence Campaigns
Sway public opinion on political and social issues
Influence Campaigns - Hybrid Warfare
A military strategy that combines conventional and non-traditional tactics; can be used to influence elections and spread fake news
Related to cyberwarfare
Attacking an entity with technology
Influence Campaigns - Social Media
Amplifying fake content on social media used by millions of people
Social Engineering Principles - Authority
The social engineer is in charge
Example: "I am calling from the office of the CEO..."
Social Engineering Principles - Intimidation
Things will be bad if you do not do this
Example: “If you don’t help me…”
Social Engineering Principles - Consensus/ Social Proof
Convince the victim based on what’s normally expected
Example: “Your co-worker, Jill, did this for me…”
Social Engineering Principles - Scarcity
The situation will not be this way for long
Example: Must make the change before time expires
Social Engineering Principles - Familiarity/ Liking
Someone you know, or someone who claims you have friends in common
Social Engineering Principles - Trust
Someone who is safe
Example: “I am from IT, I am here to help”
Social Engineering Principles - Urgency
Often paired with scarcity
Example: Act quickly, don't stop to think
Social Engineering Principles
Common persuasion methods used to make social engineering attacks more effective
Defending Against Watering Hole Attacks
Defense in depth
Firewalls and IPS
Anti-virus/ anti-malware signature updates