2.3 Social Engineering

Observation

During these interviews and interrogations, the hacker pays attention to every change the target displays. This allows the attacker to discern the target's thoughts and topics that should be investigated further. Every part of the human body can give a clue about what is going on inside the mind. Most people don't realize they give many physical cues, nor do they recognize these cues in others. A skilled observer pays close attention and puts these clues together to confirm another person's thoughts and feelings.

Eavesdropping

Eavesdropping is an unauthorized person listening to private conversations between employees or other authorized personnel when sensitive topics are being discussed.

Impersonation

_________________ is pretending to be somebody else and approaching a target to extract information.

Footprinting

____________________ uses social engineering to obtain as much information as possible about an organization.

Hoax

A ____ is a type of malicious email with some type of urgent or alarming message to deceive the target.

Nation state

A _____ _____ is the most organized, well-funded, and dangerous type of threat actor.

White hat hacker

A ______-______-____________ is a professional who helps companies find the vulnerabilities in their security. Also known as an ethical hacker.

Hacktivist

A _____________ is a hacker with a political motive.

Hacker

A catch-all term used to describe any individual who uses technical knowledge to gain unauthorized access to an organization.

Script kiddie

A less-skilled (usually younger) hacker that often relies on automated tools or scripts written by crackers to scan systems at random to find and exploit weaknesses.

Cybercriminal

A person (or team of individuals) who use technology to steal sensitive information for a profit. ________________- are often associated with large organized crime syndicates such as the mafia.

Targeted

A targeted attack is much more dangerous. A targeted attack is extremely methodical and is often carried out by multiple entities that have substantial resources. Targeted attacks almost always use unknown exploits, and the attackers go to great lengths to cover their tracks and hide their presence. Targeted attacks often use completely new programs that are specifically designed for the target. This attack type is typically used by an organized crime group.

Insider

An _____ is any individual who has authorized access to an organization and either intentionally or unintentionally carries out an attack.

Being a good listener

An attacker may approach a target and carefully listen to what the target has to say, validate any feelings the target expresses, and share similar experiences, which may be real or fabricated. The point is to be relatable and sympathetic. As the target feels more connected to the attacker, barriers go down and trust builds. This leads the target to share more information.

Compliments

An attacker may give a target a compliment about something the target did. The attacker waits for the target to take the bait and elaborate on the subject. Even if the target downplays the skill or ability involved, talking about it might give the attacker valuable information.

Threatening

An attacker may try to intimidate a target with threats to make the target comply with a request. This is especially the case when when moral obligation and innate human trust tactics are not effective.

Moral obligation

An attacker uses ___________-_________ and a sense of responsibility to exploit the target's willingness to be helpful.

Opportunistic

An opportunistic attack is typically automated and involves scanning a wide range of systems for known vulnerabilities. Known vulnerabilities can include old software, exposed ports, poorly secured networks, and default configurations. When a vulnerability is found, the hacker will exploit the vulnerability, steal whatever is easy to obtain, and get out. This type of attack is typically used by a single hacker.

Hybrid warfare

As it refers to technology, hybrid warfare employs political warfare and blends conventional warfare with cyberwarfare. Its goal is to influence others with things such as fake news, diplomacy, lawfare, and foreign electoral intervention. Examples include:

Feigning ignorance

Attackers might make a wrong statement and then admit to not knowing much about the subject. The intent is to get the target to not only correct the attacker, but also explain in detail why the attacker is wrong. The explanation might help the attacker learn, or at least have a chance to ask questions without looking suspicious.

Innate human trust

Attackers often exploit a target's natural tendency to trust others. The attacker wears the right clothes, has the right demeanor, and speaks words and terms the target is familiar with so that the target will comply with requests out of trust.

Authority and fear

Authority techniques rely on power to get a target to comply without questioning the attacker. The attacker pretends to be a superior with enough power that the target will comply right away without question. The attacker could also pretend to be there in the name of or upon the request of a superior. Authority is often combined with fear. If an authority figure threatens a target with being fired or demoted, the target is more likely to comply without a second thought.

Credential harvesting

Credential harvesting, also known as password harvesting, is the process of gathering the usernames, passwords, email addresses, and other information through breaches and other activities. Hackers can then sell personal and financial data on the dark web, use the information to gain access to a company network for illegal purposes.

Common ground and shared interest

Common ground and shared interest work because sharing a hobby, life experience, or problem instantly builds a connection and starts forming trust between two parties.

Hoax

Email hoaxes are often easy to spot because of the bad spelling and terrible grammar. However, hoax emails use a variety of tactics to convince the target they're real.

Impersonation

Impersonation is pretending to be trustworthy and having a legitimate reason for approaching the target to ask for sensitive information or access to protected systems.

SMS phishing

In SMS phishing (smishing), the attacker sends a text message with a supposedly urgent topic to trick the victim into taking immediate action. The message usually contains a link that either installs malware on the victim's phone or extracts personal information.

Spear phishing

In spear phishing, an attacker gathers information about the victim, such as the online bank. The attacker then sends a phishing email to the victim that appears to be from that bank. Usually, the email contains a link that sends the user to a site that looks legitimate, but is intended to capture the victim's personal information.

Interview vs interrogation

In the interview phase, the attacker lets the target do the talking while the attacker mostly listens. In this way, the attacker has the chance to learn more about the target and how to best extract information. Then the attacker leads the interview phase into an interrogation phase. It's most effective when done smoothly and naturally, and when the target feels a connection and trusts the attacker. In the interrogation phase, the attacker talks about the target's statements. The attacker is mostly leading the conversation with questions and statements that will flow in the direction the attacker needs to obtain information.

Likeability

Likeability works well because humans tend to do more to please a person they like as opposed to a person they don't like.

Social media

Many attackers are turning to applications such as Facebook, Twitter, Instagram, to steal identities and information. Also, many attackers use social media to scam users. These scams are designed to entice the user to click a link that brings up a malicious site the attacker controls. Usually, the site requests personal information and sensitive data, such as an email address or credit card number.

Pharming

Pharming involves the attacker executing malicious programs on the target's computer so that any URL traffic redirects to the attacker's malicious website. This attack is also called phishing without a lure. The attacker is then privy to the user's sensitive data, like IDs, passwords, and banking details. Pharming attacks frequently come in the form of malware such as Trojan horses, worms, and similar programs. Pharming is commonly implemented using DNS cache poisoning or host file modification.

Environment

The environment the attacker chooses for conducting an interview and interrogation is essential to setting the mood.

Preloading

Preloading is used to set up a target by influencing the target's thoughts, opinions, and emotions.

Pretexting

Pretexting is conducting research and information gathering to create convincing identities, stories, and scenarios to be used on selected targets.

Scarcity

Scarcity appeals to the target's greed. If something is in short supply and will not be available, the target is more likely to fall for it.

Shoulder surfing

Shoulder surfing involves looking over someone's shoulder while that person works on a computer or reviews documents. This attack's purpose is to obtain usernames, passwords, account numbers, or other sensitive information.

Watering hole attack

The term "watering hole attack" is derived from predators in the natural world who wait for an opportunity to attack their prey near watering holes. A watering hole is a passive computer attack technique in which an attacker anticipates or observes the websites an organization uses often and infects them with malware. Members of the targeted group can then become infected. Hackers could be looking for specific information to narrow their attacks from users that come from a specific IP address. A watering hole attack has five main steps:

Urgency

To create a sense of urgency, an attacker fabricates a scenario of distress to convince an individual that action is immediately necessary.

Typo squatting

Typo squatting, also called URL hijacking, relies on mistakes, such as typos made by users inputting a website address into a web browser. When a user enters an incorrect website address, the squatter may lead them to any URL.

Misinformation

Using the misinformation tactic, the attacker makes a statement with the wrong details. The attacker's intent is for the target to provide the accurate details that the attacker wants to confirm. The more precise the details given by the attacker, the better the chance that the target will take the bait.

Vishing

Vishing is like phishing, but instead of an email, the attacker uses Voice over IP (VoIP) to gain sensitive information. The term is a combination of voice and phishing.

Whaling

Whaling is another form of phishing. It targets senior executives and high-profile victims.

USB and keyloggers

When on site, a social engineer also has the ability to steal data through a USB flash drive or a keystroke logger. Social engineers often employ keystroke loggers to capture usernames and passwords. As the target logs in, the username and password are saved. Later, the attacker uses the username and password to conduct an exploit.

Spam and spim

When using spam, the attacker sends an email or banner ad embedded with a compromised URL that entices a user to click it. Spim is similar, but the malicious link is sent to the target using instant messaging instead of email.

Social proof

With a social proof technique, the attacker uses social pressure to convince the target that it's okay to share or do something. In this case, the attacker might say, "If everybody is doing it, then it's okay for you to do it, too."

SPIM

____ is similar to spam, but the malicious link is sent to the target over instant messaging instead of email.

Social engineering

__________-________________ is an attack involving human interaction to obtain information or access.

Offering something for very little to nothing

___________-__________-_____-____-_____-__-___________ refers to an attacker promising huge rewards if the target is willing to do a very small favor. The small favor can include sharing what the target thinks is a very trivial piece of information for something the attacker offers.

Preloading

____________ is influencing a target's thoughts, opinions, and emotions before something happens.

SMiShing

____________, or SMS phishing, is doing phishing through an SMS message. In other words, tricking a user to download a virus, Trojan horse, or malware onto a cell phone.

Ignorance

_____________ means the target is not educated in social engineering tactics and prevention, so the target doesn't recognize social engineering when it is happening. The attacker knows this and exploits the ignorance.

Elicitation

______________ is a technique to extract information from a target without arousing suspicion.

Pretexting

_______________ is a fictitious scenario to persuade someone to perform an action or give information.