2.3 Social Engineering

Hacktivist

A hacktivist is a hacker with a political motive.

Hoax

A hoax is a type of malicious email with some type of urgent or alarming message to deceive the target.

Being a good listener

An attacker may approach a target and carefully listen to what the target has to say, validate any feelings the target expresses, and share similar experiences, which may be real or fabricated. The point is to be relatable and sympathetic. As the target feels more connected to the attacker, barriers go down and trust builds. This leads the target to share more information.

Compliments

An attacker may give a target a compliment about something the target did. The attacker waits for the target to take the bait and elaborate on the subject. Even if the target downplays the skill or ability involved, talking about it might give the attacker valuable information.

Threatening

An attacker may try to intimidate a target with threats to make the target comply with a request. This is especially the case when when moral obligation and innate human trust tactics are not effective.

Feigning ignorance

Attackers might make a wrong statement and then admit to not knowing much about the subject. The intent is to get the target to not only correct the attacker, but also explain in detail why the attacker is wrong. The explanation might help the attacker learn, or at least have a chance to ask questions without looking suspicious.

Innate human trust

Attackers often exploit a target's natural tendency to trust others. The attacker wears the right clothes, has the right demeanor, and speaks words and terms the target is familiar with so that the target will comply with requests out of trust.

Authority and fear

Authority techniques rely on power to get a target to comply without questioning the attacker. The attacker pretends to be a superior with enough power that the target will comply right away without question. The attacker could also pretend to be there in the name of or upon the request of a superior. Authority is often combined with fear. If an authority figure threatens a target with being fired or demoted, the target is more likely to comply without a second thought.

Ignorance

Ignorance means the target is not educated in social engineering tactics and prevention, so the target doesn't recognize social engineering when it is happening. The attacker knows this and exploits the ignorance.

SMS phishing

In SMS phishing (smishing), the attacker sends a text message with a supposedly urgent topic to trick the victim into taking immediate action. The message usually contains a link that either installs malware on the victim's phone or extracts personal information.

Spear phishing

In spear phishing, an attacker gathers information about the victim, such as the online bank. The attacker then sends a phishing email to the victim that appears to be from that bank. Usually, the email contains a link that sends the user to a site that looks legitimate, but is intended to capture the victim's personal information.

Urgency

To create a sense of urgency, an attacker fabricates a scenario of distress to convince an individual that action is immediately necessary.

Misinformation

Using the misinformation tactic, the attacker makes a statement with the wrong details. The attacker's intent is for the target to provide the accurate details that the attacker wants to confirm. The more precise the details given by the attacker, the better the chance that the target will take the bait.

Vishing

Vishing is like phishing, but instead of an email, the attacker uses Voice over IP (VoIP) to gain sensitive information. The term is a combination of voice and phishing.

Whaling

Whaling is another form of phishing. It targets senior executives and high-profile victims.

Nation state

Are highly targeted. Identify a target and wage an all-out war. Are extremely motivated. Use the most sophisticated attack techniques of all the attackers. This often includes developing completely new applications and viruses in order to carry out an attack. Are well financed.

Common ground and shared interest

Common ground and shared interest work because sharing a hobby, life experience, or problem instantly builds a connection and starts forming trust between two parties.

Credential harvesting

Credential harvesting, also known as password harvesting, is the process of gathering the usernames, passwords, email addresses, and other information through breaches and other activities

Impersonation

Impersonation is pretending to be somebody else and approaching a target to extract information.

Exploitation

In the exploitation phase, the attacker takes advantage of the relationship with the target and uses the target to extract information, obtain access, or accomplish the attacker's purposes in some way. Some examples include disclosing password and username; introducing the attacker to other personnel, thus providing social credibility for the attacker; inserting a USB flash drive with a malicious payload into a organization's computer; opening an infected email attachment; and exposing trade secrets in a discussion. If the exploitation is successful, the only thing left to do is to wrap things up without raising suspicion. Most attackers tie up loose ends, such as erasing digital footprints and ensuring no items or information are left behind for the target to determine that an attack has taken place or identify the attacker. A well-planned and smooth exit strategy is the attacker's goal and final act in the exploitation phase.

Offering something for very little to nothing

Offering something for very little to nothing refers to an attacker promising huge rewards if the target is willing to do a very small favor. The small favor can include sharing what the target thinks is a very trivial piece of information for something the attacker offers.

Pharming

Pharming involves the attacker executing malicious programs on the target's computer so that any URL traffic redirects to the attacker's malicious website. Pharming attacks frequently come in the form of malware such as Trojan horses, worms, and similar programs

Preloading

Preloading is influencing a target's thoughts, opinions, and emotions before something happens.

SMiShing

SMiShing, or SMS phishing, is doing phishing through an SMS message. In other words, tricking a user to download a virus, Trojan horse, or malware onto a cell phone.

SPIM

SPIM is similar to spam, but the malicious link is sent to the target over instant messaging instead of email.

Scarcity

Scarcity appeals to the target's greed. If something is in short supply and will not be available, the target is more likely to fall for it.

Shoulder surfing

Shoulder surfing involves looking over someone's shoulder while that person works on a computer or reviews documents. This attack's purpose is to obtain usernames, passwords, account numbers, or other sensitive information.

Social engineering

Social engineering is an attack involving human interaction to obtain information or access.

Hacker

Those motivated by bragging rights, attention, and the thrill. Hacktivists with a political motive. Script kiddies, who use applications or scripts written by much more talented individuals. A white hat hacker, who tries to help a company see the vulnerabilities that exist in its security. Cybercriminals, who are motivated by significant financial gain. They typically take more risks and use extreme tactics. Corporate spies are a sub-category of cybercriminal.

Script kiddie

A less-skilled (usually younger) hacker that often relies on automated tools or scripts written by crackers to scan systems at random to find and exploit weaknesses.

Cybercriminal

A person (or team of individuals) who use technology to steal sensitive information for a profit. Cybercriminals are often associated with large organized crime syndicates such as the mafia.

Footprinting

Footprinting uses social engineering to obtain as much information as possible about an organization.

Phishing

In a phishing attack, the social engineer masquerades as a trustworthy entity in an electronic communication.

Likeability

Likeability works well because humans tend to do more to please a person they like as opposed to a person they don't like.

Typo squatting

Typo squatting, also called URL hijacking, relies on mistakes, such as typos made by users inputting a website address into a web browser.

Spam and spim

When using spam, the attacker sends an email or banner ad embedded with a compromised URL that entices a user to click it. Spim is similar, but the malicious link is sent to the target using instant messaging instead of email.

Watering hole attack

A watering hole is a passive computer attack technique in which an attacker anticipates or observes the websites an organization uses often and infects them with malware. Members of the targeted group can then become infected. Hackers could be looking for specific information to narrow their attacks from users that come from a specific IP address

Targeted

A targeted attack is much more dangerous. A targeted attack is extremely methodical and is often carried out by multiple entities that have substantial resources. Targeted attacks almost always use unknown exploits, and the attackers go to great lengths to cover their tracks and hide their presence. Targeted attacks often use completely new programs that are specifically designed for the target. This attack type is typically used by an organized crime group.

White hat hacker

A white hat hacker is a professional who helps companies find the vulnerabilities in their security. Also known as an ethical hacker.

Moral obligation

An attacker uses moral obligation and a sense of responsibility to exploit the target's willingness to be helpful.

Opportunistic

An opportunistic attack is typically automated and involves scanning a wide range of systems for known vulnerabilities. Known vulnerabilities can include old software, exposed ports, poorly secured networks, and default configurations. When a vulnerability is found, the hacker will exploit the vulnerability, steal whatever is easy to obtain, and get out. This type of attack is typically used by a single hacker.

Eavesdropping

Eavesdropping is an unauthorized person listening to private conversations between employees or other authorized personnel when sensitive topics are being discussed.

Elicitation

Elicitation is a technique to extract information from a target without arousing suspicion.

Pretexting

Pretexting is a fictitious scenario to persuade someone to perform an action or give information.

Development

The development phase involves two parts: selecting individual targets within the organization being attacked and forming a relationship with the selected targets. Usually, attackers select people who not only will have access to the desired information or object, but who also show signs of being frustrated, overconfident, arrogant, or somehow easy to extract information from. Once a target is selected, the attacker will start forming a relationship with the target through conversations, emails, shared interests, and so on. The relationship helps build the target's trust in the attacker, allowing the targets to be comfortable, relaxed, and more willing to help.

Social proof

With a social proof technique, the attacker uses social pressure to convince the target that it's okay to share or do something. In this case, the attacker might say, "If everybody is doing it, then it's okay for you to do it, too."

Insider

Be motivated by a personal vendetta because they are disgruntled. Want to make money. Be bribed into stealing information.

Research

In the research phase, the attacker gathers information about the target organization. Attackers use a process called footprinting, which takes advantage of all resources available to gain information. Footprinting includes going through the target organization's official websites and social media; performing dumpster diving; searching sources for employees' names, email addresses, and IDs; going through a tour of the organization; and other kinds of onsite observation. Research may provide information for pretexting. Pretexting is using a fictitious scenario to persuade someone to perform an unauthorized action such as providing server names and login information. Pretexting usually requires the attacker to perform research to create a believable scenario. The more the attacker knows about the organization and the target, the more believable a scenario the attacker can come up with.

Social media

Many attackers are turning to applications such as Facebook, Twitter, Instagram, to steal identities and information. Also, many attackers use social media to scam users

USB and keyloggers

When on site, a social engineer also has the ability to steal data through a USB flash drive or a keystroke logger. Social engineers often employ keystroke loggers to capture usernames and passwords. As the target logs in, the username and password are saved. Later, the attacker uses the username and password to conduct an exploit.

Hybrid warfare

a new term used to describe a strategy that deliberately mixes elements and techniques of conventional warfare (e.g., national uniforms, heavy weapons) and unconventional warfare (e.g., guerrilla, paramilitary, information, or cyber war) as a way to coerce adversaries while avoiding attribution and retribution As it refers to technology, hybrid warfare employs political warfare and blends conventional warfare with cyberwarfare. Its goal is to influence others with things such as fake news, diplomacy, lawfare, and foreign electoral intervention