Social Engineering Flashcards
Social Engineering
Manipulative strategy exploiting human psychology for unauthorized access to systems, data, or physical spaces
Motivational triggers used by Social Engineers
Familiarity and Likability
Consensus and Social Proof
Authority and Intimidation
Scarcity and Urgency
Social Engineering Techniques
1: Impersonation
Pretending to be someone else
Includes brand impersonation, typo-squatting, and watering hole attacks
2: Pretexting
Creating a fabricated scenario to manipulate targets
Impersonating trusted figures to gain trust
3: Types of Phishing Attacks
Phishing
Vishing
Smishing
Spear Phishing
Whaling
Business Email Compromise
4: Frauds and Scams
Deceptive practices that trick people into parting with money or valuable information
Identifying and training against frauds and scams
5: Influence Campaigns
Spreading misinformation and disinformation, impacting politics, economics, etc.
6: Other Social Engineering Attacks
Diversion Theft
Hoaxes
Shoulder Surfing
Dumpster Diving
Eavesdropping
Baiting
Piggybacking
Tailgating
Six main types of motivational triggers that social engineers use
1: Authority
Most people are willing to comply and do what you tell them to do if they believe it is coming from somebody who is in a position of authority to make that request
2: Urgency
Compelling sense of immediacy or time-sensitivity that drives individuals to act swiftly or prioritize certain actions
3: Social Proof
Psychological phenomenon where individuals look to the behaviors and actions of others to determine their own decisions or actions in similar situations
4: Scarcity
Psychological pressure people feel when they believe a product, opportunity, or resource is limited or in short supply
5: Likability
Most people want to interact with people they like, and social engineers realize this can be
- Sexual attraction
- Pretending to be a friend
- Common interest
6: Fear
These types of attacks generally are focused on “if you don’t do what I tell you, then this bad thing is going to happen to you”
Four main forms of impersonation used by attackers
1: Impersonation
2: Brand impersonation
3: Typosquatting
4: Watering hole attacks
Impersonation - mitigation
To mitigate these types of attacks, organizations must provide security awareness training to their employees on a regular basis so that they remain vigilant against future attacks
To protect against brand impersonation, organizations should do the following
Educate their users about these types of threats
Use secure email gateways to filter out phishing emails
Regularly monitor their brand’s online presence to detect any fraudulent activities as soon as they occur
Typosquatting - what is it?
Also known as URL hijacking or cybersquatting
Form of cyber attack where an attacker registers a domain name that is similar to a popular website but contains a common typographical error
Typosquatting - mitigations
Register common misspellings of their own domain names
Use services that monitor for similar domain registrations
Conduct user security awareness training to educate users about the risks of typosquatting
Watering Hole Attacks
Targeted form of cyber attack where attackers compromise a specific website or service that their target is known to use
The term is a metaphor for a naturally occurring phenomenon: predators wait near a watering hole for their prey to come to them
In the world of cybersecurity, the “watering hole” the attacker chooses to utilize will usually be a trusted website or online service
How to mitigate watering hole attacks
Keep their systems and software updated
Use threat intelligence services to stay informed about new threats
Employ advanced malware detection and prevention tools
Different Types of Phishing Attacks
1: Phishing
Sending fraudulent emails that appear to be from reputable sources with the aim of convincing individuals to reveal personal information, such as passwords and credit card numbers
2: Spear Phishing
More targeted form of phishing in which cybercriminals focus tightly on a specific group of individuals or organizations
Has a higher success rate
3: Whaling
Form of spear phishing that targets high-profile individuals, like CEOs or CFOs
Attacker isn’t trying to catch the little fish in an organization, but instead they want to catch one of the executives, board members, or higher-level managers in the company since the rewards are potentially much greater
Often used as an initial step to compromise an executive’s account for subsequent attacks within their organization
4: Business Email Compromise (BEC)
Sophisticated type of phishing attack that usually targets businesses by using one of their internal email accounts to get other employees to perform malicious actions on behalf of the attacker
Taking over a legitimate business email account through social engineering or cyber intrusion techniques to conduct unauthorized fund transfers, redirect payments, or steal sensitive information
5: Vishing (Voice Phishing)
Attacker tricks their victims into sharing personal or financial information over the phone
6: Smishing (SMS Phishing)
Involves the use of text messages to trick individuals into providing their personal information
Common key indicators associated with phishing attacks
1: Urgency
2: Unusual Requests
3: Mismatched URLs
4: Strange Email Addresses
5: Poor Spelling or Grammar
Mitigation for phishing attacks
Training
Report suspicious messages to protect your organization from potential phishing attacks
Analyze the threat
Inform all users about the threat
If the phishing email was opened, conduct a quick investigation and triage the user’s system
An organization should revise its security measures after every successful phishing attack
Difference between identity fraud and identity theft
In identity fraud, the attacker takes the victim’s credit card number and charges items to the card
In identity theft, the attacker tries to fully assume the identity of their victim