Chapter 4: Social Engineering

authority

most people will obey someone who appears to be in charge or knowledgeable regardless of whether or not they actually are.

intimidation

scaring or bullying an individual into taking a desired action

consensus-based

social engineering uses the fact that people tend to want to do what others are doing to persuade them to take an action.

Scarcity

used for social engineering in scenarios that make something look more desirable because it may be the last one available.

Familiarity based

attacks rely on you liking the individual or even the organization the individual is claiming to represent.

Trust

relies on a connection with the individual they are targeting

Urgency

creating a feeling that the action must be taken quickly due to some reason or reasons.

Phishing

the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.

Smishing

Phishing attacks committed using text messages (SMS).

Vishing

a phone scam that attempts to defraud people by asking them to call a bogus telephone number to confirm their account information

spear phishing

a phishing expedition in which the emails are carefully designed to target a particular person or organization

Whaling

A phishing attack that targets only wealthy individuals.

credential harvesting

gathering credentials like usernames and passwords

Pharming

An online scam that attacks the browser's address bar. Users type in what they think is a valid website address and are unknowingly redirected to an illegitimate site that steals their personal information.

Typosquatting attacks

use misspelled and slightly off but similar to the legitimate site URLs to conduct Typosquatting attacks

Spam

unsolicited email

Spam over Instant Messaging (spim)

Unsolicited messages sent over an instant messaging service, such as Windows Messenger. (16)

dumpster diving

Involves digging through trash receptacles to find computer manuals, printouts, or password lists that have been thrown away

Shoulder surfing

the process of looking over a person's shoulder to capture information like passwords or other data.

Tailgating

When an unauthorized individual enters a restricted-access building by following an authorized user.

Eliciting Information

is a technique used to gather information without targets realizing they are providing it.

Pretexting

a form of social engineering in which one individual lies to obtain confidential data about another individual

identity fraud

a crime where one person uses another person's personal data, without authorization, to deceive or defraud someone else

online influence campaigns

traditionally focused on social media, email and other online-centric mediums, have become part of what has come to be called hybrid warfare

Hybrid Warfare

- Combining conventional warfare with cyberwarfare

Password Attacks

Attempt to discover or bypass passwords used for authentication on systems and networks, and for different types of files

Brute force attacks

Exhausts all possible password combinations to break into an account

Password Spraying attacks

a type of brute force attack that attempts to use a single password or small set of passwords against many accounts.

Dictionary attacks

compare passwords to a list of common words, and can search for multiword phrase combinations

Physical attacks

Attack vector that trumps logical, leverage remote device physical access to gain access to other devices on a network

Malicious USB cables and flash drives

a device crafted to perform unwanted activities against a computer and/or mobile device or peripheral without the victim realizing the attack is occurring. Attacks include exfiltrating data and injecting malware.

Card Cloning attacks

Focus on capturing information from cards like RFID and magnetic stripe cards often used for entry access.

Skimming attacks

use hidden or fake readers or social engineering and hand-hed readers to capture card and then employ cloning tools to use credit cards and entry access cards for their own purposes.

Supply chain attacks

A cyber-attack that seeks to damage an organization by targeting less-secure elements in the supply chain.