1.0 Compare and contrast different types of social engineering techniques
Tailgating
A means of entering a secure area without authorization by following close behind a person who has been allowed to open the door or checkpoint. *Piggybacking is a similar situation, but means that the attacker enters a secure area with an employee's permission.
Pharming
A passive means of redirecting users from a legitimate website to a malicious one. Example: Rather than using social engineering techniques to trick the user, pharming relies on corrupting the way the victim's computer performs Internet name resolution, so that they are redirected from the genuine site to the malicious one.
Watering hole attack
A passive technique where the threat actor does not have to risk communicating directly with the target. It relies on the circumstance that a group of targets may use an insecure third-party website. Example: Staff running an international e-commerce site might use a local pizza delivery firm. If an attacker can compromise the pizza delivery firm's website or deploy a type of malvertising, they may be able to infect the computers of the e-commerce company's employees and penetrate the e-commerce company's systems.
Whaling
A spear phishing attack directed specifically against upper levels of management in the organization (CEOs and other "big fish"). Upper management may also be more vulnerable to ordinary phishing attacks because of their reluctance to learn basic security procedures.
Identity fraud
A specific type of impersonation where the attacker uses specific details of someone's identity. A typical consumer identity fraud is using someone else's name and address to make a loan application or using stolen credit card details to start a mobile phone contract.
Prepending
Adding text to a message that appears to have been generated by the mail system.
Hoax
An act intended to trick or deceive, a fraud; (v.) to trick, deceive. Example: Hoaxes, such as security alerts or chain emails, are another common social engineering technique, often combined with phishing attacks. An email alert or web pop-up will claim to have identified some sort of security problem, such as a virus infection, and offer a tool to fix the problem.
Invoice scams
Another common type of identity fraud. The fraudster will usually spoof the invoice details of a genuine supplier, but change the bank account number.
Social Engineering Principles (7 reasons for effectiveness)
Authority, Intimidation, Consensus, Scarcity, Familiarity, Trust, Urgency
Scarcity & Urgency - Social Engineering Principle
Creating a false sense of scarcity or urgency can disturb people's ordinary decision-making process. Example: The social engineer might try to get the target to sign up for a "limited time" or "invitation-only" trial and request a username and password for the service (hoping that the target will offer a password he or she has used for other accounts). Fake antivirus products generate a sense of urgency by trying to trick users into thinking that their computer is already infected with malware.
Spear phishing
Each phishing message is tailored to address a specific target user. The attacker might know the name of a document that the target is editing, for instance, and send a malicious copy, or the phishing email might show that the attacker knows the recipient's full name, job title, telephone number, or other details that help convince the target that the communication is genuine.
Eliciting information
A form of social engineering that uses conversational techniques to encourage a target to volunteer and share information. Some other methods of social engineering: * Familiarity/Liking: simply being affable and likable, and presenting the requests they make as completely reasonable and unobjectionable. * Consensus/Social Proof: without an explicit instruction to behave in a certain way, many people will act just as they think others would act. * Authority and Intimidation: many people find it difficult to refuse a request by someone they perceive as superior in rank or expertise. * Scarcity and Urgency: often also deployed by salespeople, creating a false sense of scarcity or urgency can disturb people's ordinary decision-making process. The social engineer can try to pressure his or her target by demanding a quick response.
Hybrid Warfare
Hybrid warfare is the challenge presented by the increasing complexity of armed conflict, where adversaries may combine types of warfare plus nonmilitary means to neutralise conventional military power. Example: Hybrid warfare mainly targets the effectiveness of the military to conduct successful operations.
Dumpster diving
Involves digging through trash receptacles to find computer manuals, printouts, or password lists that have been thrown away.
Influence campaigns
A major program launched by an adversary with a high level of capability, such as a nation-state actor, terrorist group, or hacktivist group. The goal of an influence campaign is to shift public opinion on some topic.
Authority & Intimidation - Social Engineering Principle
Many people find it difficult to refuse a request by someone they perceive as superior in rank or expertise. Social engineers can try to exploit this behavior to intimidate their target by pretending to be a senior executive. Example: An attack might be launched by impersonating someone who would often be deferred to, such as a police officer, judge, or doctor.
Shoulder surfing
Method in which a threat actor learns a password or PIN (or other secure information) by watching the user type it. Despite the name, the attacker may not have to be in close proximity to the target; they could use high-powered binoculars or CCTV to observe the target remotely.
Familiarity/Liking & Trust - Social Engineering Principle
One of the basic tools of a social engineer is simply to be affable and likable, and to present the requests they make as completely reasonable and unobjectionable. *Low risk.
Vishing
Phishing attacks committed using telephone calls or VoIP systems.
Smishing
Phishing attacks committed using text messages (SMS).
Phishing
Phishing is a combination of social engineering and spoofing. It persuades or tricks the target into interacting with a malicious resource disguised as a trusted one, traditionally using email as the vector.
Impersonation
Simply means pretending to be someone else. It is one of the basic social engineering techniques. Impersonation can use either a consensus/liking or intimidating approach. Impersonation is possible where the target cannot verify the attacker's identity easily, such as over the phone or via an email message.
Reconnaissance
Technique where the attacker harvests domains, IP address ranges, employees, and other data that will assist in identifying attack vectors.
Pretexting
The classic impersonation attack is for the social engineer to phone into a department, claim they have to adjust something on the user's system remotely, and get the user to reveal their password. - Lying to get information. - The attacker plays a character in a situation they create. - Example: "Hi, we're calling from Visa regarding an automated payment to your utility service..."
Consensus - Social Engineering Principle
The principle of consensus or social proof refers to the fact that without an explicit instruction to behave in a certain way, many people will act just as they think others would act. Example 1: An attacker exploits polite behavior to slip into a building while someone holds the door for them. Example 2: An attacker may be able to fool a user into believing that a malicious website is actually legitimate by posting numerous fake reviews and testimonials praising the site.
Typosquatting
This means that the threat actor registers a domain name that is very similar to a real one, such as connptia.org, hoping that users will not notice the difference. These are also referred to as cousin, lookalike, or doppelganger domains. *Note: Typosquatting might be used for pharming and phishing attacks. Another technique is to register a hijacked subdomain using the primary domain of a trusted cloud provider, such as onmicrosoft.com. If a phishing message appears to come from comptia.onmicrosoft.com, many users will be inclined to trust it.
Spam over instant messaging (SPIM)
Unsolicited messages sent over an instant messaging service, such as Windows Messenger.
Social Media
Web and social media—malware may be concealed in files attached to posts or presented as downloads. An attacker may also be able to compromise a site so that it automatically infects vulnerable browser software (a drive-by download). Social media may also be used more subtly, to reinforce a social engineering campaign and drive the adoption of Trojans.
Credential harvesting
An attack in which the attacker spoofs a trusted resource, such as an access point, uses it to capture users' login credentials, and then uses the stolen account details to access the network.
Spam
Unsolicited email.