Social Engineering Techniques
What are two targets of phishing attacks?
1) A computer system and access to the information found on it (as is the case when the phishing attempt asks for a user ID and password). 2) Personal information, generally financial, about an individual (in the case of phishing attempts that ask for an individual's banking information).
What are some methods used to increase success of social engineering?
1) Authority 2) Intimidation 3) Consensus 4) Scarcity 5) Familiarity 6) Trust 7) Urgency
What are the two general reasons for social engineering success?
1) The basic desire of most people to be helpful. 2) Individuals normally seek to avoid confrontation and trouble.
Which of the following is/are psychological tools used by social engineers to create false trust with a target? A. Impersonation B. Urgency or scarcity C. Authority D. All of the above
All of the above
Once an organization's security policies have been established, what is the single most effective method of countering potential social engineering attacks?
An active security awareness program
What is reconnaissance?
An adversary will examine the systems they intend to attack, using a wide range of methods.
What is social engineering?
An attack against a user, and typically involves some form of social interaction.
What is a typosquatting attack?
An attack form that involves capitalizing upon common typographical errors. If a user mistypes a URL, then the result should be a 404 error, or "resource not found." But if an attacker has registered the mistyped URL, then the user would land on the attacker's page.
What is smishing?
An attack using Short Message Service (SMS) on victims' cell phones.
What does a contractor/outside party impersonation attack look like?
An attacker dresses in the same uniform as an outside contractor who regularly cleans the building, waters the plants, and performs other routine chores. They show up to do the job at a slightly different time than it's usually done, and, if challenged, play on the sympathy of the workers by saying they are filling in for X or covering for Y.
What is eliciting information?
Attackers posing as help desk and tech support employees.
How is familiarity used in social engineering attacks?
Building this sense of familiarity and appeal can lead to misplaced trust. The social engineer can focus the conversation on familiar items, not the differences.
What is spam?
Bulk unsolicited e-mail.
How is scarcity used in social engineering?
By giving the impression of scarcity (or short supply) of a desirable product, an attacker can motivate a target to make a decision quickly without deliberation.
Which of the following are specifically used to spread influence, alter perceptions, and sway people toward a position favored by those spreading it?
Influence campaigns, social media, hybrid warfare
What is pharming?
Misdirecting users to fake websites made to look official.
What is the most common form of social engineering attack related to computer security?
Phishing
What does an online impersonation attack look like?
Phishing attempts such as e-mail or social media scams.
What is SPIM?
Spam delivered via an instant messaging application.
What is prepending?
Supplying information that another will act upon, frequently before they ask for it, in an attempt to legitimize the actual request, which comes later.
What is credential harvesting?
The collection of credential information, such as user IDs, passwords, and so on, enabling an attacker a series of access passes to the system.
What is dumpster diving?
The process of going through a target's trash in hopes of finding valuable information that might be used in a penetration attempt.
How is trust used in social engineering attacks?
Trust is defined as having an understanding of how something will act under specific conditions. Social engineers can shape the perceptions of a target to where they feel they are doing the correct thing in the moment.
What method is used to counter attackers who have harvested and try to use your credentials?
Two-factor authentication
A colleague asks you for advice on why he can't log in to his Gmail account. Looking at his browser, you see he has typed www.gmal.com in the address bar. The screen looks very similar to the Gmail login screen. Your colleague has just fallen victim to what type of attack?
Typosquatting
What are other names for typosquatting?
URL hijacking, fake URL, or brandjacking if the objective is to deceive based on branding.
A user in your organization contacts you to see if there's any update to the "account compromise" that happened last week. When you ask him to explain what he means, and the user tells you he received a phone call earlier in the week from your department and was asked to verify his user ID and password. The user says he gave the caller his user ID and password. This user has fallen victim to what specific type of attack?
Vishing
What is a watering hole attack?
When an attacker plants malware at sites where users are likely to frequent.
What is the key in all social engineering attacks?
You are manipulating a person and their actions by manipulating their perception of a situation.
What does a third-party authorization impersonation attack look like?
1) Attacker arrives with something the victim is quasi-expecting or would see as normal. 2) Attacker uses the guise of a project in trouble or some other situation where the attacker will be viewed as helpful or as someone not to upset. 3) Attacker name-drops the contact "Mr. Big," who happens to be out of the office and unreachable at the moment, thus avoiding the reference check. These actions can create the appearance of a third-party authorization, when in fact there is none.
What is whaling?
A custom-built attack on a high-value person, such as a CEO or CFO.
What is an invoice scam?
A fake invoice in an attempt to get a company to pay for things it has not ordered.
What is spear phishing?
A phishing attack that targets a specific person or group of people with something in common.
What is a mantrap?
A sophisticated countermeasure to piggybacking which utilizes two doors to gain access to the facility. The second door does not open until the first one is closed, and the doors are closely spaced so that an enclosure is formed that only allows one individual through at a time.
What is phishing?
A type of social engineering in which an attacker attempts to obtain sensitive information from users by masquerading as a trusted entity in an e-mail or instant message sent to a large group of often random users.
What is vishing?
A variation of phishing that spoofs (simulates) calls from legitimate entities using Voice over IP (VoIP) technology to obtain the information the attacker is seeking.
What is an example of smishing?
An intimidating message, such as "You are subscribed to XYZ service, which will begin regular billings of $2 a month. Click here to unsubscribe before billing takes place."
Coming into your office, you overhear a conversation between two security guards. One guard is telling the other she caught several people digging through the trash behind the building early this morning. The security guard says the people claimed to be looking for aluminum cans, but only had a bag of papers—no cans. What type of attack has this security guard witnessed?
Dumpster diving
How is urgency used in social engineering?
Giving the target a reason to believe that they can take advantage of a timely situation, whether or not it is real, achieves the outcome of them acting in a desired manner.
How can an attacker use consensus in social engineering?
Group-wide decisions can be manipulated by social engineers by motivating others to achieve their desired outcome.
What is the best defense against impersonation attacks?
Having processes in place that require employees to ask to see a person's ID before engaging with them if the employees do not personally know them. That includes challenging people such as delivery drivers and contract workers. Don't let people in through the door, piggybacking, without checking their ID.
How can a hoax be damaging?
If it causes users to take some sort of action that weakens security.
You notice a new custodian in the office, working much earlier than normal, emptying trash cans, and moving slowly past people working. You ask him where the normal guy is, and in very broken English he says, "Out sick," indicating a cough. What is happening?
Impersonation
What is an influence campaign?
Involves the use of collected information and selective publication of material to key individuals in an attempt to alter perceptions and change people's minds on a topic.
How can intimidation be utilized in a social engineering attack?
It can be either subtle, through perceived power, or more direct, through the use of communications that build an expectation of superiority. The use of one's title creates an air of authority around one's persona.
Which of the following is a type of social engineering attack in which an attacker attempts to obtain sensitive information from a user by masquerading as a trusted entity in an e-mail?
Phishing
What three social engineering methods attack against a users' cognitive state causing them to take the bait and click the link?
Phishing, smishing, and vishing
What is another term for tailgating?
Piggybacking
Your boss thanks you for pictures you sent from the recent company picnic. You ask him what he is talking about, and he says he got an e-mail from you with pictures from the picnic. Knowing you have not sent him that e-mail, what type of attack do you suspect is happening?
Spear phishing
While waiting in the lobby of your building for a guest, you notice a man in a red shirt standing close to a locked door with a large box in his hands. He waits for someone else to come along and open the locked door and then proceeds to follow her inside. What type of social engineering attack have you just witnessed?
Tailgating
What is impersonation?
The attacker assumes a role that is recognized by the person being attacked, and in assuming that role, the attacker uses the potential victim's biases against their better judgment to follow procedures.
What is shoulder surfing?
The attacker directly observes the individual entering sensitive information on a form, keypad, or keyboard.
What is a pretexting attack?
The attacker uses a narrative (the pretext) to influence the victim into giving up some item of information. An example would be calling up, posing as a fellow student from college, or a fellow admin to a senior executive. Pretexting uses deception and false motives to manipulate the victim. The main goal of the attacker is to gain the target's trust and exploit it.
What is tailgating?
The simple tactic of following closely behind a person who has just used their own access card or PIN to gain physical access to a room or building.
Identity Fraud
The use of fake credentials to achieve an end.
How is authority used to increase social engineering success?
The user feels at risk in challenging attacker over an issue.