2.3 Social Engineering
Hacktivist
A hacktivist is a hacker with a political motive.
Hoax
A hoax is a malicious email carrying an urgent or alarming (but false) message, designed to deceive the target into acting on it.
Script kiddie
A less-skilled (usually younger) hacker who relies on automated tools or scripts written by others to scan systems at random for weaknesses to exploit.
Cybercriminal
A person or group who uses technology to steal sensitive information for profit. Cybercriminals are often associated with large organized crime syndicates such as the mafia.
What are elicitation techniques and how are they effective for social engineering?
A technique used to extract information from a target without arousing suspicion. It works because the attacker appears ignorant or friendly, which lulls the target into a false sense of security.
White hat hacker
A white hat hacker is a professional who helps companies find the vulnerabilities in their security. Also known as an ethical hacker.
What is social engineering?
An attacker enticing or manipulating people to perform tasks or relay information.
Which of the following BEST describes an inside attacker? - An unintentional threat actor. This is the most common threat. - A good guy who tries to help a company see their vulnerabilities. - An agent who uses their technical knowledge to bypass security. - An attacker with lots of resources and money at their disposal.
An unintentional threat actor. This is the most common threat.
An organization's receptionist received a phone call from an individual claiming to be a partner in a high-level project and requesting sensitive information. The individual is engaging in which type of social engineering? - Commitment - Authority - Persuasive - Social validation
Authority
Jason is at home, attempting to access the website for his music store. When he goes to the website, it has a simple form asking for a name, email, and phone number. This is not the music store website. Jason is sure the website has been hacked. How did the attacker accomplish this hack? - DNS cache poisoning - Social networking - Feigning ignorance - Host file modification
DNS cache poisoning
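The two wrong-site explanations offered in the question above (DNS cache poisoning versus host file modification) can be told apart on the victim's machine: a hosts-file entry pins the name locally before DNS is ever consulted, while a poisoned resolver answer leaves the hosts file clean. The following is an added example, not part of the original flashcards; the hosts-file contents, hostnames and IP addresses are constructed for illustration, and the "trusted" address is assumed to come from an independent resolver or the site's published address.

```python
"""Added example (not part of the original flashcards): distinguish a
hosts-file override from a poisoned resolver answer for a given name.

Assumptions (mine, not the card's): the hosts file uses the standard
'address name [alias ...]' layout with '#' comments, and the "trusted"
answer comes from an independent resolver or the site's published address.
"""
import ipaddress
import socket
from typing import Dict, List, Optional

# Constructed sample hosts file, including a tampered entry for the music store.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1   localhost
::1         localhost ip6-localhost
bogus       ignored.test          # malformed line, skipped by parsers
# Attacker-added override (constructed for this example)
203.0.113.7 shop.example-music.test www.shop.example-music.test   # fake
"""


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Map each hostname (lowercased) to the addresses the hosts file assigns it.

    Handles inline comments, blank lines, multiple aliases per line and IPv6.
    Lines whose first field is not a valid IP address are skipped, as the
    system resolver skips them.
    """
    mapping: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for name in fields[1:]:
            mapping.setdefault(name.lower(), []).append(addr)
    return mapping


def hosts_override(hosts_text: str, name: str) -> Optional[List[str]]:
    """Return the addresses the hosts file pins `name` to, or None if absent."""
    return parse_hosts(hosts_text).get(name.lower().rstrip("."))


def classify(name: str, hosts_text: str, resolved: List[str], trusted: List[str]) -> str:
    """Explain why `name` resolved to `resolved` when the trusted answer is `trusted`.

    - answers agree                                   -> 'consistent'
    - a hosts-file entry accounts for the redirect    -> 'host file modification'
    - no hosts entry, yet the resolver answer differs -> 'dns cache poisoning (suspected)'
    """
    if set(resolved) == set(trusted):
        return "consistent"
    pinned = hosts_override(hosts_text, name)
    if pinned and set(pinned) & set(resolved):
        return "host file modification"
    return "dns cache poisoning (suspected)"


def resolve_locally(name: str) -> List[str]:
    """Ask the OS resolver, which consults the hosts file first and then DNS."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


if __name__ == "__main__":
    name = "shop.example-music.test"
    trusted = ["198.51.100.10"]  # constructed "real" address of the store
    print(classify(name, SAMPLE_HOSTS, ["203.0.113.7"], trusted))
    print(classify(name, "", ["203.0.113.7"], trusted))
    print(classify(name, SAMPLE_HOSTS, trusted, trusted))
```

In a real investigation `resolve_locally` supplies the `resolved` list and the real hosts file (`/etc/hosts` or `%SystemRoot%\System32\drivers\etc\hosts`) supplies `hosts_text`; the sample data above is only there so the block runs offline.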
Ron, a hacker, wants to get access to a prestigious law firm he has been watching for a while. June, an administrative assistant at the law firm, is having lunch at the food court around the corner from her office. Ron notices that June has a picture of a dog on her phone. He casually walks by and starts a conversation about dogs. Which phase of the social engineering process is Ron in? - Elicitation phase - Exploitation phase - Development phase - Research phase
Development phase
Which of the following is a common social engineering attack? - Logging on with stolen credentials - Distributing hoax virus-information emails - Distributing false information about an organization's financial status - Using a sniffer to capture network traffic
Distributing hoax virus-information emails
Elicitation
Elicitation is a technique to extract information from a target without arousing suspicion.
How do hackers use interview and interrogation techniques for social engineering?
First they let the target talk and gather information; then, once the target regards them as trustworthy, they ask their questions in a smooth, natural way.
Having a legitimate reason for approaching someone to ask for sensitive information is called what? - Preloading - Footprinting - Impersonation - Pretexting
Pretexting
Impersonation
Impersonation is pretending to be somebody else and approaching a target to extract information.
Which of the following are examples of social engineering attacks? (Select three.) - War dialing - Impersonation - Port scanning - Keylogging - Shoulder surfing
Impersonation, Keylogging, and Shoulder surfing
Preloading
Preloading is influencing a target's thoughts, opinions, and emotions before something happens.
Pretexting
Pretexting is a fictitious scenario to persuade someone to perform an action or give information.
SMiShing
SMiShing, or SMS phishing, is phishing carried out through SMS text messages. In other words, the message tricks a user into downloading a virus, Trojan horse, or other malware onto a mobile phone, or into following a malicious link.
How are attackers different in their motivations and approaches?
Attackers lean on different motivation levers: authority and fear (posing as a superior), social proof (peer pressure), scarcity (appealing to the target's greed), likeability (getting the target to like them), urgency (it is needed right now), and common ground (sharing something in common with the target).
How are motivation techniques effective in convincing targets to comply with a hacker's desires?
They prey on social status and the target's emotions to pressure the target into handing over data.
Compliments, misinformation, feigning ignorance, and being a good listener are tactics of which social engineering technique? - Impersonation - Interrogation - Elicitation - Preloading
Elicitation
Footprinting
Footprinting is gathering as much information as possible about an organization before an attack, including through social engineering.
Social engineers are master manipulators. Which of the following are tactics they might use? - Shoulder surfing, eavesdropping, and keylogging - Moral obligation, ignorance, and threatening - Eavesdropping, ignorance, and threatening - Keylogging, shoulder surfing, and moral obligation
Moral obligation, ignorance, and threatening
What is pretexting and how is it used in social engineering?
Pretexting is conducting research and information gathering to create convincing identities, stories, and scenarios to be used on selected targets. It is used as a base to set up social engineering.
What are the phases of a social engineering attack?
Research, Development, and Exploitation.
SPIM
SPIM is similar to spam, but the malicious link is sent to the target over instant messaging instead of email.
What are some of the most common social engineering techniques?
Shoulder surfing, eavesdropping, USB drops and keyloggers, spam and SPIM, and hoaxes.
Any attack involving human interaction of some kind is referred to as what? - An opportunistic attack - A white hat hacker - Attacker manipulation - Social engineering
Social engineering
Social engineering
Social engineering is an attack involving human interaction to obtain information or access.
