Social Engineering Flashcards
Social Engineering
Manipulative strategy exploiting human psychology for unauthorized access to systems, data, or physical spaces
Motivational triggers
- Familiarity and Likability
- Consensus and social proof
- Authority and intimidation
- Scarcity and urgency
- Fear
Social Engineering Techniques
- Impersonation (people and brands) - pretend to be someone else
- Pretexting - create a fabricated scenario
Typosquatting (URL Hijacking/Cybersquatting)
Cyber attack where an attacker registers a domain name that is similar to a popular website but contains a common typographical error (a dropped, doubled, swapped or adjacent-key letter, or a mistyped top-level domain)
To combat:
- register common misspellings of their own domain names
- use services that monitor for similar domain registrations
- conduct user security awareness training to educate users
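The first two countermeasures above both start from the same list: the typo variants of your own domain, which you either register yourself or compare against newly registered domains. The following is an added example, not code from the original flashcards; the QWERTY neighbour table, the chosen TLD swaps, and the "newly registered domains" feed in the main block are all constructed for illustration.

```python
"""Generate the typo lookalikes of a domain, for defensive registration or
for matching against new domain registrations."""

# QWERTY neighbours used for adjacent-key ("fat finger") mistakes (assumed layout)
QWERTY_NEIGHBOURS = {
    "q": "wa", "w": "qeas", "e": "wrsd", "r": "etdf", "t": "ryfg", "y": "tugh",
    "u": "yihj", "i": "uojk", "o": "ipkl", "p": "ol", "a": "qwsz", "s": "awedxz",
    "d": "serfcx", "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "j": "huikmn",
    "k": "jiolm", "l": "kop", "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb",
    "b": "vghn", "n": "bhjm", "m": "njk",
}
# TLDs that are commonly mistyped or confused with each other (illustrative set)
SWAP_TLDS = ("com", "co", "cm", "om", "net", "org")


def typo_variants(domain: str) -> dict[str, set[str]]:
    """Return lookalikes of `domain` grouped by the kind of typing error.

    Only the label left of the first dot is mutated; the rest of the name is
    kept, except in the "tld" group, which swaps the suffix.
    """
    label, _, suffix = domain.lower().partition(".")
    raw: dict[str, set[str]] = {k: set() for k in
                                ("omission", "transposition", "substitution",
                                 "insertion", "repetition")}
    for i, ch in enumerate(label):
        raw["omission"].add(label[:i] + label[i + 1:])           # exmple
        raw["repetition"].add(label[:i] + ch + label[i:])        # exxample
        if i + 1 < len(label):                                   # eaxmple
            raw["transposition"].add(label[:i] + label[i + 1] + ch + label[i + 2:])
        for nb in QWERTY_NEIGHBOURS.get(ch, ""):
            raw["substitution"].add(label[:i] + nb + label[i + 1:])   # exsmple
            raw["insertion"].add(label[:i] + nb + label[i:])          # exsample
            raw["insertion"].add(label[:i + 1] + nb + label[i + 1:])  # exasmple
    # Re-attach the suffix and drop anything equal to the real name
    out = {kind: {v + "." + suffix for v in labels if v and v != label}
           for kind, labels in raw.items()}
    out["tld"] = {label + "." + tld for tld in SWAP_TLDS if tld != suffix}
    return out


def flag_lookalikes(protected: str, observed: list[str]) -> list[tuple[str, str]]:
    """Match observed domain registrations against the variants of `protected`.

    Returns (domain, error kind) pairs in the order they were observed.
    """
    lookup = {v: kind for kind, vs in typo_variants(protected).items() for v in vs}
    return [(d.lower(), lookup[d.lower()]) for d in observed if d.lower() in lookup]


if __name__ == "__main__":
    # Constructed feed of "newly registered domains" for illustration
    feed = ["exmple.com", "github.com", "example.co", "exsmple.com", "example.com"]
    for name, kind in flag_lookalikes("example.com", feed):
        print(f"{name:<16} {kind}")
```

The output of typo_variants is what you would hand to a registrar (register the cheap ones) and to a monitoring job (feed the rest into flag_lookalikes against a daily list of new registrations or certificate-transparency log entries). Homoglyph and IDN lookalikes are a separate class not covered here.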
Watering Hole Attacks
Targeted form of cyber attack where attackers compromise a specific website or service that their target is known to use
- the "watering hole" the attacker chooses will usually be a trusted website or online service, so the victim's guard is down
Mitigation:
- keep systems up to date
- use threat intelligence services to stay informed about new threats
- employ advanced malware detection and prevention tools
Pretexting
Attacker offers a few details that seem true (a name, a ticket number, a project) so the victim trusts them and fills in the rest
Mitigation: training the employees not to fall for pretext and not to fill in the gaps for people when they are calling
Phishing
Sending fraudulent emails that appear to be from reputable sources with the aim of convincing individuals to reveal personal information
Spear Phishing
More targeted form of phishing used by cybercriminals who focus on a specific group of individuals or organizations
- Has a higher success rate
Whaling
Form of spear phishing that targets high-profile individuals, like CEOs or CFOs
- used as an initial step to compromise an executive’s account for subsequent attacks in their organization
Business Email Compromise (BEC)
Targets businesses by using a compromised internal email account to get other employees to perform malicious actions (payments, data transfers) on the attacker's behalf
Vishing
Attacker tricks their victims into sharing personal or financial information over the phone
Smishing
Involves the use of text messages to trick individuals into providing their personal information
Anti-phishing Campaign
Essential user security awareness training tool that can be used to educate individuals about the risks of phishing and how to best identify potential phishing attempts
- should offer remedial training for users who fell victim to simulated phishing emails
Key indicators of phishing attacks
- Urgency
- Unusual requests
- Mismatched URLs
- Strange email addresses
- Poor spelling or grammar
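Several of these indicators can be checked mechanically before a message reaches a user. The following is an added example, not code from the original flashcards: it parses a raw email and reports strange sender addresses (a display name that shows one address while the real sender is another), a Reply-To pointing at a different domain, links whose visible text names one site while the href goes to another, and urgency language. The SAMPLE message, the domain names in it, and the URGENCY_PHRASES list are all constructed for illustration.

```python
"""Check a raw email against common phishing indicators (added example)."""
import email
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative phrase list; a real filter would use a tuned, larger set
URGENCY_PHRASES = ("immediately", "urgent", "within 24 hours", "suspended", "verify now")
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _site(url: str) -> str:
    """Last two labels of a URL's hostname (simplification: ignores public suffixes like co.uk)."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    return ".".join(host.lower().split(".")[-2:])


def _split_from(header: str) -> tuple[str, str]:
    """Split 'Display Name <addr>' into (display name, addr); bare addresses get an empty name."""
    m = re.match(r'^\s*(.*?)\s*<([^<>]+)>\s*$', header)
    if m:
        return m.group(1).strip('" '), m.group(2).strip()
    return "", header.strip()


def _body_text(msg) -> str:
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def phishing_indicators(raw_message: str) -> dict[str, str]:
    """Return {indicator: detail} for every indicator found in the message."""
    msg = email.message_from_string(raw_message)
    findings = {}
    display, addr = _split_from(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    # Strange address: display name shows one mailbox, the real sender is another
    shown = re.search(r"@([\w.-]+)", display)
    if shown and shown.group(1).lower() != from_domain:
        findings["strange address"] = f"display name shows @{shown.group(1)}, real sender is @{from_domain}"
    reply_to = msg.get("Reply-To", "")
    if reply_to:
        reply_domain = _split_from(reply_to)[1].rsplit("@", 1)[-1].lower()
        if reply_domain != from_domain:
            findings["reply-to mismatch"] = f"replies go to @{reply_domain}, not @{from_domain}"
    body = _body_text(msg)
    collector = _LinkCollector()
    collector.feed(body)
    for href, visible in collector.links:
        # Mismatched URL: visible text looks like a URL for one site, href goes elsewhere
        if URL_LIKE.match(visible) and _site(visible) != _site(href):
            findings["mismatched URL"] = f"text shows {visible}, link goes to {_site(href)}"
    haystack = (msg.get("Subject", "") + "\n" + body).lower()
    hits = [p for p in URGENCY_PHRASES if p in haystack]
    if hits:
        findings["urgency"] = ", ".join(hits)
    return findings


# Constructed message for illustration; none of these domains are real targets
SAMPLE = """\
From: "Acme Bank Security <alerts@acme-bank.example>" <notify@mail-acme.example>
Reply-To: support@acme-bank-verify.example
To: victim@corp.example
Subject: Account suspended - verify now
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account has been suspended. Verify immediately:</p>
<a href="http://acme-bank.example.evil.example/login">https://www.acme-bank.example/login</a>
</body></html>
"""

if __name__ == "__main__":
    for indicator, detail in phishing_indicators(SAMPLE).items():
        print(f"[{indicator}] {detail}")
```

These checks are heuristics, not proof: legitimate mail from marketing platforms trips the Reply-To and link checks regularly, so the output belongs in a triage queue or a warning banner, not in an automatic block.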
Mitigation for phishing
- Training
- Report suspicious messages
- Analyze the threat
- Inform all users about the threat
- Revise security measures for every successful attack
Fraud
Wrongful or criminal deception that is intended to result in financial or personal gain for the attacker
Identity Fraud and Identity Theft
Involves the use of another’s personal information without their authorization to commit a crime or to deceive or defraud that other person or some other third party
Difference:
- Fraud - attacker takes the victim's credit card number and charges it
- Theft - attacker tries to assume the victim's identity
Scams
Fraudulent or deceptive act or operation
- Most common scam = invoice scam: tricking the victim into paying a fake invoice for a product or service they never ordered
Influence campaigns
Coordinated efforts to affect public perception or behavior towards a particular cause, individual, or group
- a powerful tool for shaping public opinion and behavior
- foster misinformation (no harmful intent, but undermines trust and fuels division) and disinformation (harmful intent)
Diversion Theft
Involves manipulating a situation or creating a distraction to steal valuable items or information
Hoaxes
Malicious deception that is often spread through social media, email, or other communication channels
- often paired with phishing attacks and impersonation attacks
- prevent by fact checking and using critical thinking skills
Shoulder Surfing
Involves looking over someone's shoulder to gather personal information
- Includes the use of high-powered cameras or closed-circuit television cameras to steal information from a distance
- To prevent: users must be aware of their surroundings when entering or viewing any sensitive information (privacy screens help)
Eavesdropping
Secretly listening to private conversations
Baiting
Involves leaving a malware-infected physical device, like a USB drive, in a place where a victim will find it and, hopefully, plug it into their organization's computer system, unknowingly installing malware
Prevent: train users not to use devices they find