CompTIA Security+ Section 1.1 Social Engineering
Principles
Authority, Intimidation, Consensus, Scarcity, Familiarity, Trust, Urgency
Hybrid warfare
Combining classical military strategy with modern capabilities, including digital influence campaigns, psychological warfare efforts, political tactics, and cyber warfare capabilities.
Pretext
a false statement crafted to sound believable to convince you to act or respond.
Session hijacking (a.k.a. TCP/IP hijacking)
a form of attack in which the attacker takes over an existing communication session
Social engineering
a form of attack that exploits human nature and human behavior. The only direct defense against social engineering attacks is user education and awareness training.
Business Email Compromise (BEC)
a form of spear phishing that is often focused on convincing members of accounting to transfer funds, pay invoices, or purchase products from a message that appears to originate from a boss, manager, or executive.
Whaling
a form of spear phishing that targets specific high-value individuals, such as the CEO or other C-level executives, administrators, or high-net-worth clients. Often the goal of a whaling attack is to steal credentials from the high-level target or to use that target to steal funds or redirect resources to the benefit of the attacker.
Watering hole attack
a form of targeted attack against a region, a group, or an organization. The attacker observes the target's habits to discover a common resource that one or more members of the target frequent. This location is considered the watering hole. Malware is planted on the watering hole system. The target visits the poisoned watering hole, and they bring the infection back into the group or at least their system.
Clickjacking
a means to redirect a user's click or selection on a web page to an alternate, often malicious target instead of the intended and desired location.
Spear phishing
a more targeted form of phishing where the message is crafted and directed specifically to an individual or group of individuals.
Typosquatting
a practice employed to take advantage of when a user mistypes the domain name or IP address of an intended resource.
SMS phishing or smishing
a social engineering attack that occurs over or through standard text messaging services or apps
Scarcity
a technique used to convince someone that an object has a higher value based on the object's limited quantity.
Authority
an effective technique because most people are likely to respond to authority with obedience.
Spoofing
any action to hide a valid identity often by taking on the identity of something else.
Familiarity
attempts to exploit a person's native trust in that which is familiar. The attacker often tries to appear to have a common contact or relationship with the target, such as mutual friends or experiences, or uses a facade to take on the identity of another company or person.
Intimidation
can sometimes be seen as a derivative of the authority principle. Intimidation uses authority, confidence, or even the threat of harm to motivate someone to follow orders or instructions.
Reconnaissance
collecting information about a target, often for the purposes of planning an attack against that target. Social engineering reconnaissance can include all of the previously mentioned techniques.
Hoax
designed to convince targets to perform an action that will cause harm or reduce their IT security. Victims may be instructed to delete files, change configuration settings, or install fraudulent security software. A hoax often presents a threat and then provides or suggests a response or solution, while claiming that taking no action will result in harm.
Social media
has become a weapon in the hands of nation-states as they wage elements of hybrid warfare against their targets. They are also used by anyone wanting to control information, distribute propaganda, or change public opinion. We cannot just assume that content we see on a social network is accurate, valid, or complete.
Trust
involves an attacker working to develop a relationship with a victim. This may take seconds or months, but eventually the attacker attempts to use the value of the victim's trust in the attacker to convince the victim to reveal information or perform an action that violates company security.
Spam
not just unwanted advertisements; it can also include malicious content and attack vectors.
Piggybacking
occurs when an unauthorized entity gains access to a facility under the authorization of a valid worker by tricking the victim into providing consent.
Shoulder surfing
occurs when someone is able to watch a user's keyboard or view their display.
Invoice scams
often attempt to steal funds from an organization or individual through the presentation of a false invoice, often followed by strong inducements to pay.
Urgency
often dovetails with scarcity, because the need to act quickly increases as scarcity indicates a greater risk of missing out.
Vishing
phishing done over any telephony or voice communication system. This includes traditional phone lines, Voice-over-IP (VoIP) services, and mobile phones.
URL hijacking
refers to the practice of displaying a link or advertisement that looks like that of a well-known product, service, or site, but when clicked redirects the user to an alternate location, service, or product.
Influence campaigns
social engineering attacks that attempt to guide, adjust, or change public opinion, often waged by nation-states against their real or perceived foreign enemies.
Dumpster diving
the act of digging through trash, discarded equipment, or abandoned locations to obtain information about a target organization or individual.
Identity theft
the act of stealing someone's identity. This can refer to the initial act of information gathering or elicitation where usernames, passwords, credit card numbers, Social Security numbers, and other related, relevant, and personal facts are obtained by the attacker.
Consensus
the act of taking advantage of a person's natural tendency to mimic what others are doing or are perceived as having done in the past. The attacker attempts to convince the victim that a particular action or response is preferred to be consistent with social norms or previous occurrences.
Impersonation
the act of taking on the identity of someone else to use their access or authority. Impersonation can also be known as masquerading, spoofing, and even identity fraud.
Credential harvesting
the activity of collecting and stealing account credentials.
Eliciting information
the activity of gathering or collecting information from systems or people.
Prepending
the adding of a term, expression, or phrase to the beginning or header of a communication. Often prepending is used to further refine or establish the pretext of a social engineering attack.
Doxing
the collection of information about an individual or an organization in order to disclose the collected data publicly for the purpose of changing the perception of the target.
Pharming
the malicious redirection of a valid website's URL or IP address to a fake website that hosts a false version of the original, valid site. This is often an element of a phishing attack, on-path attack, or Domain Name System (DNS) abuse.
Phishing
the process of attempting to obtain sensitive information in electronic communications.
Spam over instant messaging (SPIM)
the transmission of unwanted communications over any messaging system that is supported by or occurs over the Internet.
Tailgating
when an unauthorized entity gains access to a facility under the authorization of a valid worker but without their knowledge. An attacker may be able to sneak in behind a valid worker before the door closes.
Identity fraud
when you falsely claim to be someone else through the use of stolen information from the victim.