Chapter 4 - Social Engineering and Password Attacks Flashcards
Social Engineering
Social engineering is the practice of manipulating people through a variety of strategies to accomplish desired actions.
What are some of the most common principles that are leveraged to successfully social engineer an individual?
- Authority: Most people will obey someone who appears to be in charge or knowledgeable (manager, government official, etc.)
- Intimidation: Scaring or bullying an individual into taking a desired action (threatening that one will lose their job).
- Consensus-based/Social Proof: Lying and saying that everyone else in a department had already taken an action.
- Scarcity: Make something look more desirable by making it seem like the last one available.
- Familiarity: These attacks rely on the target liking the individual or organization that the attacker is claiming to represent.
- Urgency: Creating a feeling that the action must be taken quickly.
Phishing
Phishing involves sending fraudulent communications that appear to come from a legitimate source.
Whaling
Whaling is phishing that is targeted at senior employees (CEOs, CFOs, etc.).
Vishing
Vishing is phishing accomplished via voice or voicemail messages. Common vishing scams include requests to help a relative or friend in another country, various tax scams, threats of law enforcement action, and requests for a staff member to perform a task for a senior executive.
Smishing
Smishing relies on text messages as part of the phishing scam. Smishing scams frequently attempt to get users to click on a link in a text message.
Misinformation
Misinformation is incorrect information, often resulting from getting facts wrong.
Disinformation
Disinformation is incorrect, inaccurate, or outright false information that is intentionally provided to serve an individual or organization’s goals.
Impersonation
Impersonation is pretending to be someone else (either a specific person or simply a member of some organization).
Business Email Compromise
Business Email Compromise relies on using apparently legitimate email addresses to conduct scams and other attacks. Some common methods for creating emails that appear legitimate include:
- Using compromised accounts
- Sending spoofed emails
- Using lookalike domains that are fake but closely resemble the legitimate domain
- Using malware or other tools
Pretexting
Pretexting is the process of using a made-up scenario to justify why you are approaching an individual. This can often be defeated by asking the attacker questions or requiring verification.
Watering Hole Attacks
Watering Hole Attacks use websites that the targets frequently visit to attack them. Attackers compromise the frequently visited site and use it to deploy malware to end-user machines.
Brand Impersonation
Brand Impersonation attacks use emails that are intended to appear to be from a legitimate brand, relying on name recognition or even using email templates used by the brand itself.
Typosquatting
Typosquatting attacks register URLs that are misspelled or slightly off but closely resemble the legitimate site's URL. These attacks rely on the fact that some people will mistype URLs and end up on the attacker's site.
Pharming
Pharming, similar to typosquatting, relies either on changing a system’s hosts file or on malware that will change the system’s DNS servers.