3.1.2 Social Engineering Overview Facts

Ace your homework & exams now with Quizwiz!

Which of the following best describes a script kiddie?

A hacker who uses scripts written by much more talented individuals.

Likeability

Likeability works well because humans tend to do more to please a person they like as opposed to a person they don't like.

Social networking

Many attackers are turning to applications such as Facebook, Twitter, Instagram, to steal identities and information. Also, many attackers use social media to scam users. These scams are designed to entice the user to click a link that brings up a malicious site the attacker controls. Usually, the site requests personal information and sensitive data, such as an email address or credit card number.

You are instant messaging a coworker, and you get a malicious link. Which type of social engineering attack is this?

Spim

Hacker

Generally speaking, a hacker is any threat actor who uses technical knowledge to bypass security, exploit a vulnerability, and gain access to protected information. Hackers could attack for several different reasons. Some types of hackers are: Those motivated by bragging rights, attention, and the thrill. Hacktivists with a political motive. Script kiddies, who use applications or scripts written by much more talented individuals. A white hat hacker, who tries to help a company see the vulnerabilities that exist in their security. Cybercriminals, who are motivated by significant financial gain. They typically take more risks and use extreme tactics. Corporate spies are a sub-category of cybercriminal.

Being a good listener

An attacker may approach a target and carefully listen to what the target has to say, validate any feelings they express, and share similar experiences (which may be real or fabricated). The point is to be relatable and sympathetic. As the target feels more connected to the attacker, barriers go down and trust builds, leading the target to share more information.

Compliments

Attackers may give a target a compliment about something they know the target did in hopes that the target will take the bait and elaborate on the subject. Even if the target downplays the skill or ability involved, talking about it might give the attacker valuable information.

Feigning ignorance

Attackers might make a wrong statement and then admit to not knowing much about the subject. This statement will hopefully get the target to not only correct the attacker, but also explain why the attacker is wrong in detail. The explanation might help the attacker learn, or at least have a chance to ask questions without looking suspicious.

Innate human trust

Attackers often exploit a target's natural tendency to trust others. The attacker wears the right clothes, has the right demeanor, and speaks words and terms the target is familiar with so that the target will comply with requests out of trust.

Common ground and shared interest

Common ground and shared interest work because sharing a hobby, life experience, or problem instantly builds a connection and starts forming trust between two parties.

Scarcity

Scarcity appeals to the target's greed. If something is in short supply and will not be available, the target is more likely to fall for it.

Impersonation

Impersonation is pretending to be trustworthy and having a legitimate reason for approaching the target to ask for sensitive information or access to protected systems.

Spear phishing

In spear phishing, an attacker gathers information about the victim, such as their online bank. The attacker then sends a phishing email to the victim that appears to be from that bank. Usually, the email contains a link that sends the user to a site that looks legitimate, but is intended to capture the victim's personal information.

Social engineers are master manipulators. Which of the following are tactics they might use?

Moral obligation, ignorance, and threatening

Urgency

To create a sense of urgency, an attacker fabricates a scenario of distress to convince an individual that action is immediately necessary.

An attack that targets senior executives and high-profile victims is referred to as:

Whaling

Whaling

Whaling is another form of phishing that targets senior executives and high-profile victims.

Targeted

A targeted attack is much more dangerous. A targeted attack is extremely methodical and is often carried out by multiple entities that have substantial resources. Targeted attacks almost always use unknown exploits, and the hackers go to great lengths to cover their tracks and hide their presence. Targeted attacks often use completely new programs that are specifically designed for the target.

Threatening

An attacker threatens when they intimidate a target with threats convincing enough to make them comply with the attacker's request.

Moral obligation

An attacker uses moral obligation to exploit the target's willingness to be helpful and assist them out of a sense of responsibility.

Insider

An insider could be a customer, a janitor, or even a security guard. But most of the time, it's an employee. Employees pose one of the biggest threats to any organization. There are many reasons why an employee might become a threat. The employee could: Be motivated by a personal vendetta because they are disgruntled. Want to make money. Be bribed into stealing information. Sometimes, an employee can become a threat actor without even realizing it. This is known as an unintentional threat actor. The employee may create security breaches doing what seems to be harmless day-to-day work. An unintentional threat actor is the most common insider threat.

Opportunistic

An opportunistic attack is typically automated and involves scanning a wide range of systems for known vulnerabilities, such as old software, exposed ports, poorly secured networks, and default configurations. When one is found, the hacker will exploit the vulnerability, steal whatever is easy to obtain, and get out.

Which of the following best describes an inside attacker?

An unintentional threat actor; the most common threat.

Jason is at home, attempting to access the website for his music store. When he goes to the website, it has a simple form asking for name, email, and phone number. This is not the music store website. Jason is sure the website has been hacked. How did the attacker accomplish this hack?

DNS cache poisoning

Observation

During these interviews and interrogations, the hacker pays attention to every change the target displays. This allows the attacker to discern the target's thoughts and topics that should be investigated further. Every part of the human body can give a clue about what is going on inside the mind. Most people don't even realize they give many physical cues, nor do they recognize these cues in others. A skilled observer pays close attention and puts these clues together to confirm another person's thoughts and feelings.

Eavesdropping

Eavesdropping is an unauthorized person listening to private conversations between employees or other authorized personnel when sensitive topics are being discussed.

Compliments, misinformation, feigning ignorance, and being a good listener are tactics of which social engineering technique?

Elictitation

Hoax

Email hoaxes are often easy to spot because of their bad spelling and terrible grammar. However, hoax emails use a variety of tactics to convince the target they're real.

Pharming

Pharming involves the attacker executing malicious programs on the target's computer so that any URL traffic redirects to the attacker's malicious website. This attack is also called phishing without a lure. The attacker is then privy to the user's sensitive data, like IDs, passwords, and banking details. Pharming attacks frequently come in the form of malware such as Trojan horses, worms, and similar programs. Pharming is commonly implemented using DNS cache poisoning or host file modification. In DNS cache poisoning, the attacker launches the attack on the chosen DNS server. Then, in the DNS table, the attacker changes the IP address of a legitimate website to a fake website. When the user enters a legitimate URL, the DNS redirects the user to the fake website controlled by the attacker. In host file modification, the attacker sends malicious code as an email attachment. When the user opens the attachment, the malicious code executes and modifies the local host file on the user's computer. When the user enters a legitimate URL in the browser, the compromised host file redirects the user to the fraudulent website controlled by the attacker.

Preloading

Preloading is used to set up a target by influencing the target's thoughts, opinions, and emotions.

Using a fictitious scenario to persuade someone to perform an action or give information they aren't authorized to share is called:

Pretexting

Pretexting

Pretexting is doing research and information gathering to create convincing identities, stories, and scenarios to be used on selected targets.

Brandon is helping Fred with his computer. He needs Fred to enter his username and password into the system. Fred enters the username and password while Brandon is watching him. Brandon explains to Fred that it is not a good idea to allow anyone to watch you type in usernames or passwords. Which type of social engineering attack is Fred referring to?

Shoulder surfing

Shoulder surfing

Shoulder surfing involves looking over someone's shoulder while they work on a computer or review documents. This attack's purpose is to obtain usernames, passwords, account numbers, or other sensitive information.

Any attack involving human interaction of some kind is referred to as:

Social engineering

Manipulation Tactics

Social engineers are master manipulators. The following table describes some of the most popular tactics they use on targets.

Social proof

Social proof means the attacker uses social pressure to convince the target that it's okay to share or do something. In this case, the attacker might say, "If everybody is doing it, then it's okay for you to do it, too."

Development

The development phase involves two parts: selecting individual targets within the organization being attacked and forming a relationship with the selected targets. Usually, attackers select people who not only will have access to the information or object they desire, but that also show signs of being frustrated, overconfident, arrogant, or somehow easy to extract information from. Once the targets are selected, the attacker will start forming a relationship with them through conversations, emails, shared interests, and so on. The relationship helps build the targets' trust in the attacker, allowing the target to be comfortable, relaxed, and more willing to help.

You get a call from one of your best customers. The customer is asking about your company's employees, teams, and managers. What should you do?

You should not provide any information and forward the call to the help desk.

Misinformation

Attackers might make a statement with the wrong details. The attacker's intent is that the target will give the accurate details that the attacker wanted to confirm. The more precise the details given by the attacker, the better the chance that the target will take the bait.

Nation state

Attacks from nation states have several key components that make them especially powerful. Typically, nation state attacks: Are highly targeted. Identify a target and wage an all-out war. Are extremely motivated. Use the most sophisticated attack techniques of all the attackers. This often includes developing completely new applications and viruses in order to carry out an attack. Are well financed.

Authority and fear

Authority techniques rely on power to get a target to comply without questioning the attacker. The attacker pretends to be a superior with enough power that the target will comply right away without question. The attacker could also pretend to be there in the name of or upon the request of a superior. Authority is often combined with fear. If an authority figure threatens a target with being fired or demoted, the target is more likely to comply without a second thought.

Ron, a hacker, wants to get access to a prestigious law firm he has been watching for a while. June, an administrative assistant at the law firm, is having lunch at the food court around the corner from her office. Ron notices that June has a picture of a dog on her phone. He casually walks by and starts a conversation about dogs. Which phase of the social engineering process is Ron in?

Development phase

Ignorance

Ignorance means the target is not educated in social engineering tactics and prevention, so the target can't recognize social engineering when it is happening. The attacker knows this and exploits the ignorance to his or her advantage.

SMS phishing

In SMS phishing (smishing), the attacker sends a text message with a supposedly urgent topic to trick the victim into taking immediate action. The message usually contains a link that will either install malware on the victim's phone or extract personal information.

Offering something for very little to nothing

Offering something for very little to nothing refers to an attacker promising huge rewards if the target is willing to do a very small favor or share what the target thinks is a very trivial piece of information.

Environment

The environment the attacker chooses for conducting an interview and interrogation is essential to setting the mood. The location should not be overly noisy or overly crowded. It should be a relaxing and stress-free environment that puts the target at ease. The attacker shouldn't sit between the target and the door. The target should never feel trapped in any way. Lighting should be good enough for both parties to see each other clearly. This will allow the attacker to better read the target's micro expressions and movements. It will also inspire trust in the target.

Vishing

Vishing is like phishing, but instead of an email, the attacker uses Voice over IP (VoIP) to gain sensitive information. The term is a combination of voice and phishing.

USB and keyloggers

When on site, a social engineer also has the ability to stealing data through a USB flash drive or a keystroke logger. Social engineers often employ keystroke loggers to capture usernames and passwords. As the target logs in, the username and password are saved. Later, the attacker uses the username and password to conduct an exploit.

Spam and spim

When using spam, the attacker sends an email or banner ad embedded with a compromised URL that entices a user to click it. Spim is similar, but the malicious link is sent to the target using instant messaging instead of email.

Exploitation

In the exploitation phase, the attacker takes advantage of the relationship with the target and uses the target to extract information, obtain access, or accomplish the attacker's purposes in some way. Some examples include disclosing password and username; introducing the attacker to other personnel, providing social credibility for the attacker; inserting a USB flash drive with a malicious payload into a organization's computer; opening an infected email attachment; and exposing trade secrets in a discussion. If the exploitation is successful, the only thing left to do is to wrap things up without raising suspicion. Most attackers tie up loose ends, such as erasing digital footprints and ensuring no items or information are left behind for the target to determine that an attack has taken place or identify the attacker. A well-planned and smooth exit strategy is the attacker's goal and final act in the exploitation phase.

Interview vs interrogation

In the interview phase, the attacker lets the target do the talking while the attacker mostly listens. In this way, the attacker has the chance to learn more about the target and how to extract information from them. Then the attacker leads the interview phase into an interrogation phase. It's most effective when done smoothly and naturally and when the target already feels a connection and trust with the attacker. In the interrogation phase, the attacker talks about the target's statements. At this point, the attacker is mostly leading the conversation with questions and statements that will flow in the direction the attacker has in mind to obtain information.

Research

In the research phase, the attacker gathers information about the target organization. Attackers use a process called footprinting, which is using all resources available to gain information, including going through the target organization's official websites and social media; performing dumpster diving; searching sources for employees' names, email addresses, and IDs; going through a organization tour; and other kinds of onsite observation. Research may provide information for pretexting. Pretexting is using a fictitious scenario to persuade someone to perform an unauthorized action such as providing server names and login information. Pretexting usually requires the attacker to perform research to create a believable scenario. The more the attacker knows about the organization and the target, the more believable a scenario the attacker can come up with.

Social Engineering Process

The social engineering process can be divided into three main phases: research, development, and exploitation. The following table describes each phase.


Related study sets

Homeostasis and the Internal Environment

View Set

BIO 2700 (Evolution) Final Study Guide

View Set

Psychology Chapter 6, Chapter 7, Chapter 9,Chapter 10: Chapter 11Chapter 12...

View Set

Corporate Finance Final Exam Review

View Set

Choice of words (Analysis Non-Fictional Text)

View Set

Exam Prep 70-768 (Data Modeling)

View Set