1.0 Threats, Attacks and Vulnerabilities

Compare and contrast different types of social engineering techniques

Phishing: An attempt to fraudulently obtain information from a user, usually by email. Example: collecting access credentials.
Smishing: Phishing done over text messaging (SMS).
Vishing: Phishing done over voice and phone calls.
Spam: Abuse of electronic messaging systems, mostly email, to send unsolicited messages.
Spear Phishing: Phishing targeted at a specific individual to obtain information, often someone with access to something valuable.
Dumpster Diving: Scavenging for private information in garbage containers.
Shoulder Surfing: Using direct observation (watching someone type a PIN or password) to obtain authentication information.
Pharming: A phishing attempt that tricks a user into reaching a different or fake website. Example: redirecting a request for a legitimate website to a bogus site, typically by tampering with name resolution so the legitimate hostname resolves to the attacker's server.
Tailgating: Following an authorized person through a controlled door to gain unauthorized access to a building (deliberate, not an accident).
Whaling: A form of spear phishing that directly targets the CEO, CFO, CIO, CSO, or another high-value target in an organization.
Eliciting Information: Extracting information from the victim through conversation, without the victim realizing it is happening. Often seen with vishing (voice phishing).
Prepending: A technical social engineering method that tricks users into entering their username and password by adding a string, not visible to the user, before the web link they click. A prepended data:text string converts the link into a Data URI (Data URL), which embeds a small file inline in the document instead of pointing to a real site.
Identity Fraud: Identity theft; stealing another person's identity and using it as your own.
Invoice Scam: Tricking a person into paying a fake invoice for a service or product that they did not order.
Identity fraud and invoice scams are low-tech social engineering techniques.
Credential Harvesting: Attackers collect login credentials (also called password harvesting).
Reconnaissance: The attacker gathers information about the target to determine which methods to use in the later phases of the attack.
Hoax:
An attempt to deceive people into believing that something false is true (or vice versa), for example a fake virus warning.
Impersonation: Attackers pretend to be someone they aren't (a coworker, a vendor, IT support).
Watering Hole Attack: The attacker figures out which websites the target's users like to visit, compromises one of them and plants malware there to gain access to the organization.
Typo Squatting: A form of cybersquatting (and possibly brandjacking) that relies on mistakes such as typos made by users when typing a website address; also called URL hijacking or a fake URL.
Hybrid Warfare (Influence Campaigns): A military strategy that employs political warfare and blends conventional warfare, irregular warfare and cyberwarfare with other influencing methods such as fake news, diplomacy, social media and foreign electoral intervention.

Principles (reasons for effectiveness)
Authority: People are more willing to comply with a request when they think it comes from someone in authority.
Intimidation: Threatening a person into helping.
Consensus / social proof: Convincing the target that others have already done the same thing, so compliance seems normal and expected.
Scarcity / urgency: The target must act before a deadline or before something runs out.
Familiarity: The attacker presents as someone you know, or claims to have friends in common.
Trust: The attacker works to gain some level of trust before making the request.
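The prepending and typo squatting entries above both describe ways a link in a message can be made to lead somewhere other than the site the user expects. The Python block below is an added example, not part of the original study notes, that checks a message for both: it flags anchors whose href starts with a data: URI (the prepended Data URL case) and anchors whose host is a one-edit typo of a protected brand domain (omission, doubled letter, transposition, or substitution). The PROTECTED_DOMAINS list, the SAMPLE_EMAIL message and all function names are constructed for the demonstration, and registrable_domain is a deliberate simplification (last two labels, no public-suffix list).

```python
"""Link triage for phishing-style messages (added example, constructed data)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the domains we consider legitimate for the organisation.
PROTECTED_DOMAINS = {"example.com", "examplebank.com"}

# Characters a typo-squatter might substitute: letters, digits, hyphen.
_ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"


def typo_variants(domain):
    """Return the one-edit typo variants of a domain's leftmost label."""
    name, _, tld = domain.lower().rpartition(".")
    out = set()
    for i in range(len(name)):
        out.add(name[:i] + name[i + 1:])                    # omission
        out.add(name[:i] + name[i] + name[i:])              # doubled letter
        if i + 1 < len(name):                               # transposition
            out.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
        for c in _ALPHABET:                                 # substitution
            if c != name[i]:
                out.add(name[:i] + c + name[i + 1:])
    out.discard(name)
    return {v + "." + tld for v in out if v}


class _LinkCollector(HTMLParser):
    """Collect href attributes of <a> tags."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for key, value in attrs:
                if key == "href" and value:
                    self.hrefs.append(value.strip())


def extract_hrefs(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.hrefs


def registrable_domain(host):
    """Simplification (assumption): treat the last two labels as the domain."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(href, protected=PROTECTED_DOMAINS):
    """Classify a single href as seen in a message."""
    scheme, _, _ = href.partition(":")
    if scheme.lower() == "data":
        # Prepending case: the "page" is embedded inline, no host at all.
        return "prepended-data-uri"
    host = urlparse(href).hostname
    if not host:
        return "unknown"
    domain = registrable_domain(host)
    if domain in protected:
        return "legitimate"
    for brand in sorted(protected):
        if domain in typo_variants(brand):
            return "typosquat-of:" + brand
    return "unrelated"


def triage_message(html, protected=PROTECTED_DOMAINS):
    """Return (href, classification) for every link in the message."""
    return [(h, classify_link(h, protected)) for h in extract_hrefs(html)]


# Constructed sample message with a legitimate link, two typosquats,
# a prepended data: URI and an unrelated link.
SAMPLE_EMAIL = """
<p>Your account will be locked in 24 hours.</p>
<a href="https://login.example.com/verify">Verify now</a>
<a href="https://examp1e.com/verify">Verify now</a>
<a href="https://www.exmaple.com/verify">Verify now</a>
<a href="data:text/html;base64,PGh0bWw+">Verify now</a>
<a href="https://unrelated.org/x">Unsubscribe</a>
"""

if __name__ == "__main__":
    for href, verdict in triage_message(SAMPLE_EMAIL):
        print(f"{verdict:28} {href}")
```

The data: check runs before URL parsing because a Data URL has no host to compare against anything; the typo check only covers single edits, so a real deployment would add homoglyph and added-word variants and use a public-suffix list for domain extraction.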