Testout Security Pro 2.3 but better
What is Elicitation?
A technique used to extract information from a target without arousing suspicion.
What is a Watering hole attack?
A watering hole is a passive computer attack technique in which an attacker anticipates or observes the websites an organization uses often and infects them with malware.
How do hackers use someone's Moral obligation to their advantage?
An attacker uses moral obligation and a sense of responsibility to exploit the target's willingness to be helpful.
What is hybrid warfare?
As it refers to technology, hybrid warfare employs political warfare and blends conventional warfare with cyberwarfare.
What is pretexting?
Conducting research and information gathering to create convincing identities, stories, and scenarios to be used on selected targets.
What is the most common insider type?
Employees
The _______________ the attacker chooses for conducting an interview and interrogation is essential to setting the mood.
Environment
How do social engineers use Likeability?
Humans tend to do more to please a person they like as opposed to a person they don't like.
What is phishing?
In a phishing attack, the social engineer masquerades as a trustworthy entity in an electronic communication.
What happens in the interview phase?
In the interview phase, the attacker lets the target do the talking while the attacker mostly listens.
What are the 3 types of attackers?
Insider, Hacker, and Nation state
Why is social media important to hackers?
Many attackers are turning to applications such as Facebook, Twitter, Instagram, to steal identities and information.
What will an attacker do after an exploitation?
Most attackers tie up loose ends Ex. such as erasing digital footprints and ensuring no items or information are left behind for the target to determine that an attack has taken place or identify the attacker. Ex 2. A well-planned and smooth exit strategy is the attacker's goal and final act in the exploitation phase.
What type of attacker has the most sophisticated attacks?
Nation state
What is done in the impersonation phase?
Pretending to be trustworthy and having a legitimate reason for approaching the target to ask for sensitive information or access to protected systems.
How do social engineers use Scarcity?
Scarcity appeals to the target's greed. Ex. If something is in short supply and will not be available, the target is more likely to fall for it.
What are the 2 parts to the development phase of a social engineering attack?
Selecting individual targets within the organization being attacked and forming a relationship with the selected targets.
What is preloading?
Setting up a target by influencing the target's thoughts, opinions, and emotions.
How do social engineers use keystroke loggers and USBs?
Social engineers often employ keystroke loggers to capture usernames and passwords or use USBs to steal information.
What is spim
Spim is similar to spam, but the malicious link is sent to the target using instant messaging instead of email.
What is Spear phishing?
TL;DR Personalized Phishing An attacker gathers information about the victim, such as the online bank. The attacker then sends a phishing email to the victim that appears to be from that bank. Ex. Usually, the email contains a link that sends the user to a site that looks legitimate, but is intended to capture the victim's personal information.
What is footprinting?
Taking advantage of all resources available to gain information.
What are the 2 types of attacks?
Targeted and opportunistic
What is the research phase of a social engineering attack?
The attacker gathers information about the target organization.
Pharming attacks frequently come in the form of malware such as ________,_____, and ____________________
Trojan horses, worms, DNS cache poisoning or host file modification. DNS cache poisoning or host file modification. is not a form of malware it just looked good in the question.
What are intimidation tactics?
Try ingto intimidate a target with threats to make the target comply with a request. Ex. This is especially the case when moral obligation and innate human trust tactics are not effective.
What is Typo squatting(URL hijacking)?
Typo squatting relies on mistakes, such as typos made by users inputting a website address into a web browser. When a user enters an incorrect website address, the squatter may lead them to any URL.
What is Vishing
Vishing is like phishing, but instead of an email, the attacker uses Voice over IP (VoIP) to gain sensitive information.
What is Whaling
Whaling is another form of phishing. It targets senior executives and high-profile victims.
What is spam?
When using spam, the attacker sends an email or banner ad embedded with a compromised URL that entices a user to click it.
All social engineering techniques involve some __________, ____________, and ___________
pretexting, preloading, and impersonation
What are the three main phases of a social engineering attack?
research, development, and exploitation
What is Social engineering?
An attacker enticing or manipulating people to perform tasks or relay information. Ex. Social engineering tries to get a person to do something the person wouldn't do under normal circumstances.
What is Pharming?
An attacker executing malicious programs on the target's computer so that any URL traffic redirects to the attacker's malicious website.
How do social engineers use Urgency?
An attacker fabricates a scenario of distress to convince an individual that action is immediately necessary.
What is Eavesdropping?
Eavesdropping is an unauthorized person listening to private conversations between employees or other authorized personnel when sensitive topics are being discussed.
What are the 5 Manipulation types used by social engineers.
1: Moral obligation 2: Innate human trust 3: Threatening 4: Offering something for very little to nothing 5: Ignorance
How would an attacker use compliments to get information?
An attacker may give a target a compliment about something the target did. The attacker waits for the target to take the bait and elaborate on the subject.
How do attackers use offering something for very little to nothing?
An attacker promising huge rewards if the target is willing to do a very small favor. Ex. The small favor can include sharing what the target thinks is a very trivial piece of information for something the attacker offers.
Why would an attacker Feign ignorance?
Attackers might make a wrong statement and then admit to not knowing much about the subject. The intent is to get the target to not only correct the attacker, but also explain in detail why the attacker is wrong.
How do social engineers use Authority and fear?
Authority techniques rely on power to get a target to comply without questioning the attacker. Ex. The attacker pretends to be a superior with enough power that the target will comply right away without question. Ex 2. The attacker could also pretend to be there in the name of or upon the request of a superior.
What is Credential harvesting?
Credential harvesting, also known as password harvesting, is the process of gathering the usernames, passwords, email addresses, and other information through breaches and other activities.
What is an email hoax?
Email hoaxes are often easy to spot because of the bad spelling and terrible grammar. However, hoax emails use a variety of tactics to convince the target they're real.
Why is it important an attacker in observant?
Every part of the human body can give a clue about what is going on inside the mind. Most people don't realize they give many physical cues, nor do they recognize these cues in others.
What is a hacker?
Generally speaking, a hacker is any threat actor who uses technical knowledge to bypass security, exploit a vulnerability, and gain access to protected information
How do social engineers use Social proof?
The attacker uses social pressure to convince the target that it's okay to share or do something. Ex. In this case, the attacker might say, "If everybody is doing it, then it's okay for you to do it, too."
What is SMS phishing(smishing)?
Sending a text message with a supposedly urgent topic to trick the victim into taking immediate action. Ex. The message usually contains a link that either installs malware on the victim's phone or extracts personal information.
How do social engineers use Common ground and shared interest?
Sharing a hobby, life experience, or problem instantly builds a connection and starts forming trust between two parties.
What is shoulder surfing?
Shoulder surfing involves looking over someone's shoulder while that person works on a computer or reviews documents. Ex. This attack's purpose is to obtain usernames, passwords, account numbers, or other sensitive information.
What happens in the interrogation phase.
The attacker leads the interview phase into an interrogation phase. It's most effective when done smoothly and naturally, and when the target feels a connection and trusts the attacker.
How would an attacker use misinformation to get information?
The attacker makes a statement with the wrong details. The attacker's intent is for the target to provide the accurate details that the attacker wants to confirm.
How would an attacker utilize being a good listener?
The point is to be relatable and sympathetic. As the target feels more connected to the attacker, barriers go down and trust builds.
What is the exploitation phase of a social engineering attack?
the attacker takes advantage of the relationship with the target and uses the target to extract information, obtain access, or accomplish the attacker's purposes in some way.