Types of soc eng Flashcards

1
Q

Physical social engineering attacks

A

Tailgating
Shoulder surfing
Dumpster diving

2
Q

Virtual social engineering attacks

A

Phishing
Spear phishing
Whaling
Vishing
Hoax
Watering hole attack
(Pharming)

3
Q

Social engineering

A

an attempt by an attacker to convince someone to provide info or perform an action they normally wouldn’t

(such as providing their password or clicking on a malicious link)

Often trying to gain access to the IT infrastructure or the physical facility.

4
Q

Phishing

A

Commonly used to try to trick users into giving up personal information (such as user accounts and passwords), clicking a malicious link, or opening a malicious attachment

5
Q

Spear phishing

A

targets specific groups of users

6
Q

Whaling

A

targets high-level executives

7
Q

Vishing

A

Voice-phishing, phone based

8
Q

Smishing

A

uses SMS (text) messaging on mobile devices

9
Q

SPAM

A

Unsolicited email, generally considered an irritant

(defeat with strong spam filtering)

10
Q

SPIM

A

SPAM over instant messaging, considered an irritant

(IM and mobile providers providing some protection;
create cryptic usernames and do not list your ID in the IM service public directory)

11
Q

Dumpster diving

A

Gathering important details (intelligence) from things that people have thrown out in their trash

(Often legal and may target individuals or organisations)

12
Q

Tailgating

A

when an authorized individual might follow you in through that open door without badging in themselves

13
Q

Eliciting information / elicitation

A

strategic use of casual conversation to extract information without arousing the suspicion of the target

(can involve complex cover stories and co-conspirators)

14
Q

Shoulder surfing

A

a criminal practice where thieves steal your personal data by spying over your shoulder

(can happen anywhere with any device)

15
Q

Pharming

A

an online scam similar to phishing, where a website’s traffic is manipulated, and confidential information is stolen.

16
Q

Identity fraud / Identity theft

A

use of another person’s personal information, without authorization, to commit a crime or to deceive or defraud that person or another third party

17
Q

Prepending

A

adding words or phrases like “safe” to a malicious file or suggesting topics via social engineering to uncover information of interest

18
Q

Invoice scams

A

fake invoices with a goal of receiving money or by prompting a victim to put their credentials into a fake login screen

19
Q

Credential harvesting

A

trying to gain access to your usernames and passwords that might be stored on your local computer

(frequent goal of phishing attempts;
countermeasures: email defense, anti-malware, EDR/XDR solutions that will check URLs and block the scripts often used to execute the attack)

20
Q

Reconnaissance

A

common and comes in multiple forms: passive, semi-passive and active discovery

Passive discovery - techniques that do not send packets to the target, like Google hacking, phone calls, DNS and WHOIS lookups

Semi-passive discovery - touches the target with packets in a non-aggressive fashion to avoid raising alarms of the target

Active discovery - more aggressive techniques likely to be noticed by the target, including port scanning and tools like nmap and Metasploit

21
Q

Hoaxes

A

intentional falsehoods coming in a variety of forms ranging from virus hoaxes to fake news

(social media)

22
Q

Impersonation

A

a form of fraud in which attackers pose as a known or trusted person to dupe the user into sharing sensitive info, transferring money, etc.

23
Q

Watering hole attack

A

Attack strategy in which an attacker guesses or observes which websites an organization often uses and infects one or more of them with malware

24
Q

Typosquatting / URL hijacking

A

a form of cybersquatting (sitting on sites under someone else’s brand or copyright) targeting users who type an incorrect website address

often employs a drive-by download that can infect a device even if the user does not click anything

25
Q

Pretexting

A

an attacker tries to convince a victim to give up information of value, or access to a service or system; the attacker develops a story, or pretext, in order to fool the victim.

The pretext often leans on establishing authority for the attacker as someone who should have access to the information

(The pretext often includes a character played by the scam artist, and a plausible situation in which that character needs access to info)

26
Q

Influence campaigns

A

A social engineering attack intended to manipulate the thoughts and minds of large groups of people

27
Q

Hybrid Warfare

A

Attack using a mixture of conventional and unconventional methods and resources to carry out the campaign

(may even include paid advertising)

28
Q

Social media

A

May use multiple social platforms, leveraging many individuals to amplify the message and influence its credibility.

May involve creating multiple fake accounts to post content and seed the spread.
