Security Pro Ch4
Nigerian scam
A Nigerian scam, also known as a 419 scam, involves e-mail which requests a small amount of money to help transfer funds from a foreign country. For your assistance, you are to receive a reward for a much larger amount of money that will be sent to you at a later date.
Rock Phish kit
A Rock Phish kit is a fake Web site that can be set up which imitates a real Web site (such as banks, PayPal®, eBay®, and Amazon®). Phishing e-mails direct you to the fake Web site to enter account information. A single server can host multiple fake sites using multiple registered DNS names. These sites can be set up and taken down rapidly to avoid detection.
Phishing
A phishing scam is an e-mail pretending to be from a trusted organization, asking to verify personal information or send money. • A fraudulent message (that appears to be legitimate) is sent to a target. • The message requests that the target visit a fraudulent Web site (which also appears to be legitimate). Graphics, links, and Web sites look almost identical to legitimate requests and Web sites they are trying to represent. • The fraudulent Web site requests that the victim provide sensitive information such as the account number and password. Common scams include: Rock Phish, Nigerian scams, Spear Phishing, Whaling, and Vishing.
Active social engineering
Active social engineering involves direct interaction with users, asking them to reveal information or take actions.
Authority
Authority social engineering entails an attacker either lying about having authority or using their high status in a company to force victims to perform actions or to give information that exceed their authorization level.
Caller ID spoofing
Caller ID spoofing causes the telephone network to display a number on the recipient's caller ID display that would imply that a call is coming from a legitimate source.
Commitment
Commitment social engineering entails convincing someone to buy into an overall idea, then demanding or including further specifics that were not presented up front.
Dumpster diving
Dumpster diving is the process of looking in the trash for sensitive information that has not been properly disposed of.
Eavesdropping
Eavesdropping refers to an unauthorized person listening to conversations of employees or other authorized personnel discussing sensitive topics.
Friendship
Friendship social engineering entails an attacker using the premise of a friendship as a reason to "help them out" or do something that the victim is not authorized to do.
Hoax e-mails
Hoax e-mails prey on e-mail recipients who are fearful and believe most information if it is presented in a professional manner. Usually these hoax messages instruct the reader to delete key system files or download Trojan horses.
Masquerading
Masquerading refers to convincing personnel to grant access to sensitive information or protected systems by pretending to be someone who is authorized and/or requires that access. Masquerading is more passive compared to impersonating.
Passive social engineering
Passive social engineering takes advantage of the unintentional actions of others to gather information or gain access to a secure facility.
Persuasive
Persuasive social engineering entails an attacker convincing a person to give them information or access that they shouldn't.
Tailgating and Piggybacking
Piggybacking and tailgating refer to an attacker entering a secured building by following an authorized employee through a secure door and not providing identification. Piggybacking usually implies consent of the authorized employee; whereas tailgating implies no consent of the authorized employee.
Pretexting
Pretexting is the use of a fictitious scenario to persuade someone to perform an action or give information for which they are not authorized. Pretexting usually requires the attacker to perform research to create a believable scenario.
Reciprocity
Reciprocity social engineering entails an attacker "gifting" something of lesser or equal value to what they expect in return.
Scarcity
Scarcity social engineering entails an attacker presenting an item as "a limited-time" or "scarce quantity" offer to increase sales.
Shoulder surfing
Shoulder surfing involves looking over the shoulder of someone working on a computer.
Social engineering
Social engineering is an attack that exploits human nature by convincing someone to reveal information or perform an activity.
Social validation
Social validation entails an attacker using peer pressure to coerce someone else to bend rules or give information they shouldn't.
Spear phishing
Spear phishing is targeted at gaining access to information that will allow the attacker to gain commercial advantage or commit fraud. Spear phishing frequently involves sending seemingly genuine e-mails to all employees or members of specific teams. Attackers gather information about the victim, such as identifying which online banks they use. They then send phishing e-mails for the specific bank.
Spyware/Adware
Spyware and adware are pop-up advertisements that can have malicious objectives such as: • Tricking users into unknowingly downloading malware. • Gathering information about the user and sending it to a third party for commercial gain.
Countermeasure
The most effective countermeasure for social engineering is employee awareness training on how to recognize social engineering schemes and how to respond appropriately. • Train employees to: o Protect information by: Securely disposing of sensitive documents, disks, and devices. Protecting sensitive information on a computer from prying eyes. Protecting sensitive information from prying ears. o Implement online security by: Verifying the validity of Web sites Verifying requests for privileged information are authorized. Use bookmarked links instead of links in e-mails to go to Web sites. Double checking e-mail information or instructions with a reputable third party antivirus software vendor before implementing recommendations. Never opening a suspicious e-mail attachment. o Determine the value for types of information, such as dial-in numbers, user names, passwords, network addresses, etc. The greater the value, the higher the security around those items should be maintained. o Not allow others to use the employee's identification to enter a secure facility. o Demand proof of identity over the phone and in person. • Implement strong identity verification methods to gain access to a secure building.
Vishing
Vishing is similar to phishing but instead of an e-mail, the attacker uses Voice over IP (VoIP) to gain sensitive information. The term is a combination of voice and phishing.
Whaling
Whaling is another form of phishing that is targeted to senior executives and high profile victims.
Attackers use the following methods to appear legitimate:
o Assuming a position of authority (boss or network administrator) o Bribery o Forgery o Flattery o Using a disguise o Placing a critical time frame on an action
To protect against phishing:
• Check the actual link destination within e-mails to verify that they go to the correct URL and not a spoofed one. • Do not click on links in e-mails. Instead, type the real bank URL into the browser. • Verify that HTTPS is used when going to e-commerce sites. HTTPS requires a certificate that matches the server name in the URL that is verified by a trusted CA. You can also look for the lock icon to verify that HTTPS is used. • Implement phishing protections within your browser.
There are seven main types of social engineering attacks:
• Persuasive • Reciprocity • Social validation • Commitment • Scarcity • Friendship • Authority
