2.3.2 Social Engineering Overview
Attack Types
A single hacker trying to exploit a vulnerability will have different attack profile than an organized crime group waging an assault on a network. The following table describes the typical attack type used by each.
Targeted
A targeted attack is much more dangerous. A targeted attack is extremely methodical and is often carried out by multiple entities that have substantial resources. Targeted attacks almost always use unknown exploits, and the attackers go to great lengths to cover their tracks and hide their presence. Targeted attacks often use completely new programs that are specifically designed for the target. This attack type is typically used by an organized crime group.
Observation
During these interviews and interrogations, the hacker pays attention to every change the target displays. This allows the attacker to discern the target's thoughts and topics that should be investigated further. Every part of the human body can give a clue about what is going on inside the mind. Most people don't realize they give many physical cues, nor do they recognize these cues in others. A skilled observer pays close attention and puts these clues together to confirm another person's thoughts and feelings.
Eavesdropping
Eavesdropping is an unauthorized person listening to private conversations between employees or other authorized personnel when sensitive topics are being discussed.
Pretexting, Preloading, and Impersonation
All social engineering techniques involve some pretexting, preloading, and impersonation. The following table describes these steps.
Being a good listener
An attacker may approach a target and carefully listen to what the target has to say, validate any feelings the target expresses, and share similar experiences, which may be real or fabricated. The point is to be relatable and sympathetic. As the target feels more connected to the attacker, barriers go down and trust builds. This leads the target to share more information.
Compliments
An attacker may give a target a compliment about something the target did. The attacker waits for the target to take the bait and elaborate on the subject. Even if the target downplays the skill or ability involved, talking about it might give the attacker valuable information.
Threatening
An attacker may try to intimidate a target with threats to make the target comply with a request. This is especially the case when when moral obligation and innate human trust tactics are not effective.
Moral obligation
An attacker uses moral obligation and a sense of responsibility to exploit the target's willingness to be helpful.
Jason is at home, attempting to access the website for his music store. When he goes to the website, it has a simple form asking for a name, email, and phone number. This is not the music store website. Jason is sure the website has been hacked. How did the attacker accomplish this hack?
DNS cache poisoning
Ron, a hacker, wants to get access to a prestigious law firm he has been watching for a while. June, an administrative assistant at the law firm, is having lunch at the food court around the corner from her office. Ron notices that June has a picture of a dog on her phone. He casually walks by and starts a conversation about dogs. Which phase of the social engineering process is Ron in?
Development phase
Which of the following is a common social engineering attack?
Distributing hoax virus-information emails
Elicitation
Elicitation is a technique used to extract information from a target without arousing suspicion. The following table describes some elicitation tactics.
Compliments, misinformation, feigning ignorance, and being a good listener are tactics of which social engineering technique?
Elictitation
Hoax
Email hoaxes are often easy to spot because of the bad spelling and terrible grammar. However, hoax emails use a variety of tactics to convince the target they're real.
SMS phishing
In SMS phishing (smishing), the attacker sends a text message with a supposedly urgent topic to trick the victim into taking immediate action. The message usually contains a link that either installs malware on the victim's phone or extracts personal information.
Spear phishing
In spear phishing, an attacker gathers information about the victim, such as the online bank. The attacker then sends a phishing email to the victim that appears to be from that bank. Usually, the email contains a link that sends the user to a site that looks legitimate, but is intended to capture the victim's personal information.
Which of the following are examples of social engineering attacks? (Select two.)
Shoulder surfing Keylogger
Likeability
Likeability works well because humans tend to do more to please a person they like as opposed to a person they don't like.
Scarcity
Scarcity appeals to the target's greed. If something is in short supply and will not be available, the target is more likely to fall for it.
Social proof
With a social proof technique, the attacker uses social pressure to convince the target that it's okay to share or do something. In this case, the attacker might say, "If everybody is doing it, then it's okay for you to do it, too."
Insider
An insider could be a customer, a janitor, or even a security guard; but most of the time, it's an employee. Employees pose one of the biggest threats to any organization. There are many reasons why an employee might become a threat. The employee could: Be motivated by a personal vendetta because they are disgruntled. Want to make money. Be bribed into stealing information. Sometimes, an employee can become a threat actor without even realizing it. This is known as an unintentional threat actor. The employee may create security breaches doing what seems to be harmless day-to-day work. An unintentional threat actor is the most common insider threat.
Opportunistic
An opportunistic attack is typically automated and involves scanning a wide range of systems for known vulnerabilities. Known vulnerabilities can include old software, exposed ports, poorly secured networks, and default configurations. When a vulnerability is found, the hacker will exploit the vulnerability, steal whatever is easy to obtain, and get out. This type of attack is typically used by a single hacker.
Which of the following BEST describes an inside attacker?
An unintentional threat actor. This is the most common threat.
Interview and Interrogation
Another technique social engineers use often is interviews and interrogation. The following table describes some of the most important concepts of conducting a successful interview and interrogation.
Feigning ignorance
Attackers might make a wrong statement and then admit to not knowing much about the subject. The intent is to get the target to not only correct the attacker, but also explain in detail why the attacker is wrong. The explanation might help the attacker learn, or at least have a chance to ask questions without looking suspicious.
Innate human trust
Attackers often exploit a target's natural tendency to trust others. The attacker wears the right clothes, has the right demeanor, and speaks words and terms the target is familiar with so that the target will comply with requests out of trust.
Nation state
Attacks from nation states have several key components that make them especially powerful. Typically, nation state attacks: Are highly targeted. Identify a target and wage an all-out war. Are extremely motivated. Use the most sophisticated attack techniques of all the attackers. This often includes developing completely new applications and viruses in order to carry out an attack. Are well financed.
An organization's receptionist received a phone call from an individual claiming to be a partner in a high-level project and requesting sensitive information. The individual is engaging in which type of social engineering?
Authority
Authority and fear
Authority techniques rely on power to get a target to comply without questioning the attacker. The attacker pretends to be a superior with enough power that the target will comply right away without question. The attacker could also pretend to be there in the name of or upon the request of a superior. Authority is often combined with fear. If an authority figure threatens a target with being fired or demoted, the target is more likely to comply without a second thought.
Common ground and shared interest
Common ground and shared interest work because sharing a hobby, life experience, or problem instantly builds a connection and starts forming trust between two parties.
Hacker
Generally speaking, a hacker is any threat actor who uses technical knowledge to bypass security, exploit a vulnerability, and gain access to protected information. Types of hackers include: Those motivated by bragging rights, attention, and the thrill. Hacktivists with a political motive. Script kiddies, who use applications or scripts written by much more talented individuals. A white hat hacker, who tries to help a company see the vulnerabilities that exist in its security. Cybercriminals, who are motivated by significant financial gain. They typically take more risks and use extreme tactics. Corporate spies are a sub-category of cybercriminal.
Ignorance
Ignorance means the target is not educated in social engineering tactics and prevention, so the target doesn't recognize social engineering when it is happening. The attacker knows this and exploits the ignorance.
Having a legitimate reason for approaching someone to ask for sensitive information is called what?
Impersonation
Impersonation
Impersonation is pretending to be trustworthy and having a legitimate reason for approaching the target to ask for sensitive information or access to protected systems.
Preloading
Preloading is used to set up a target by influencing the target's thoughts, opinions, and emotions.
Exploitation
In the exploitation phase, the attacker takes advantage of the relationship with the target and uses the target to extract information, obtain access, or accomplish the attacker's purposes in some way. Some examples include disclosing password and username; introducing the attacker to other personnel, thus providing social credibility for the attacker; inserting a USB flash drive with a malicious payload into a organization's computer; opening an infected email attachment; and exposing trade secrets in a discussion. If the exploitation is successful, the only thing left to do is to wrap things up without raising suspicion. Most attackers tie up loose ends, such as erasing digital footprints and ensuring no items or information are left behind for the target to determine that an attack has taken place or identify the attacker. A well-planned and smooth exit strategy is the attacker's goal and final act in the exploitation phase.
Interview vs interrogation
In the interview phase, the attacker lets the target do the talking while the attacker mostly listens. In this way, the attacker has the chance to learn more about the target and how to best extract information. Then the attacker leads the interview phase into an interrogation phase. It's most effective when done smoothly and naturally, and when the target feels a connection and trusts the attacker. In the interrogation phase, the attacker talks about the target's statements. The attacker is mostly leading the conversation with questions and statements that will flow in the direction the attacker needs to obtain information.
Research
In the research phase, the attacker gathers information about the target organization. Attackers use a process called footprinting, which takes advantage of all resources available to gain information. Footprinting includes going through the target organization's official websites and social media; performing dumpster diving; searching sources for employees' names, email addresses, and IDs; going through a tour of the organization; and other kinds of onsite observation. Research may provide information for pretexting. Pretexting is using a fictitious scenario to persuade someone to perform an unauthorized action such as providing server names and login information. Pretexting usually requires the attacker to perform research to create a believable scenario. The more the attacker knows about the organization and the target, the more believable a scenario the attacker can come up with.
Social networking
Many attackers are turning to applications such as Facebook, Twitter, Instagram, to steal identities and information. Also, many attackers use social media to scam users. These scams are designed to entice the user to click a link that brings up a malicious site the attacker controls. Usually, the site requests personal information and sensitive data, such as an email address or credit card number.
Social engineers are master manipulators. Which of the following are tactics they might use?
Moral obligation, ignorance, and threatening
Offering something for very little to nothing
Offering something for very little to nothing refers to an attacker promising huge rewards if the target is willing to do a very small favor. The small favor can include sharing what the target thinks is a very trivial piece of information for something the attacker offers.
Pretexting
Pretexting is conducting research and information gathering to create convincing identities, stories, and scenarios to be used on selected targets.
Pharming
Pharming involves the attacker executing malicious programs on the target's computer so that any URL traffic redirects to the attacker's malicious website. This attack is also called phishing without a lure. The attacker is then privy to the user's sensitive data, like IDs, passwords, and banking details. Pharming attacks frequently come in the form of malware such as Trojan horses, worms, and similar programs. Pharming is commonly implemented using DNS cache poisoning or host file modification. In DNS cache poisoning, the attacker launches the attack on the chosen DNS server. Then, in the DNS table, the attacker changes the IP address of a legitimate website to a fake website. When the user enters a legitimate URL, the DNS redirects the user to the fake website controlled by the attacker. In host file modification, the attacker sends malicious code as an email attachment. When the user opens the attachment, the malicious code executes and modifies the local hosts file on the user's computer. When the user enters a legitimate URL in the browser, the compromised hosts file redirects the user to the fraudulent website controlled by the attacker. In host file modification, the attacker sends malicious code as an email attachment. When the user opens the attachment, the malicious code executes and modifies the local hosts file on the user's computer. When the user enters a legitimate URL in the browser, the compromised hosts file redirects the user to the fraudulent website controlled by the attacker.
Phishing
Phishing is one of the most successful social engineering attacks. In a phishing attack, the social engineer masquerades as a trustworthy entity in an electronic communication. The following table describes a few variations of phishing attacks.
Shoulder surfing
Shoulder surfing involves looking over someone's shoulder while that person works on a computer or reviews documents. This attack's purpose is to obtain usernames, passwords, account numbers, or other sensitive information.
Any attack involving human interaction of some kind is referred to as what?
Social engineering
Manipulation Tactics
Social engineers are master manipulators. The following table describes some of the most popular tactics they use on targets.
Development
The development phase involves two parts: selecting individual targets within the organization being attacked and forming a relationship with the selected targets. Usually, attackers select people who not only will have access to the desired information or object, but who also show signs of being frustrated, overconfident, arrogant, or somehow easy to extract information from. Once a target is selected, the attacker will start forming a relationship with the target through conversations, emails, shared interests, and so on. The relationship helps build the target's trust in the attacker, allowing the targets to be comfortable, relaxed, and more willing to help.
Environment
The environment the attacker chooses for conducting an interview and interrogation is essential to setting the mood. The location should not be overly noisy or overly crowded. The environment should be a relaxing and stress-free setting that puts the target at ease. The attacker shouldn't sit between the target and the door. The target should never feel trapped in any way. Lighting should be good enough for both parties to see each other clearly. This will allow the attacker to better read the target's micro expressions and movements. It will also inspire trust in the target.
Social Engineering Process
The social engineering process can be divided into three main phases: research, development, and exploitation. The following table describes each phase.
Urgency
To create a sense of urgency, an attacker fabricates a scenario of distress to convince an individual that action is immediately necessary.
Misinformation
Using the misinformation tactic, the attacker makes a statement with the wrong details. The attacker's intent is for the target to provide the accurate details that the attacker wants to confirm. The more precise the details given by the attacker, the better the chance that the target will take the bait.
Vishing
Vishing is like phishing, but instead of an email, the attacker uses Voice over IP (VoIP) to gain sensitive information. The term is a combination of voice and phishing.
Whaling
Whaling is another form of phishing. It targets senior executives and high-profile victims.
USB and keyloggers
When on site, a social engineer also has the ability to stealing data through a USB flash drive or a keystroke logger. Social engineers often employ keystroke loggers to capture usernames and passwords. As the target logs in, the username and password are saved. Later, the attacker uses the username and password to conduct an exploit.
Spam and spim
When using spam, the attacker sends an email or banner ad embedded with a compromised URL that entices a user to click it. Spim is similar, but the malicious link is sent to the target using instant messaging instead of email.