4A: Social Engineering Techniques

22 Terms

1
Social Engineering
Means of eliciting information from someone or getting them to perform some action in preparation for or to affect an intrusion. Referred to as "hacking the human".
2
Social Engineering Principles
Familiarity/Liking
Consensus/Social Proof
Authority and Intimidation
Scarcity and Urgency
3
Impersonation
Pretending to be someone else. This is possible when the target cannot easily verify the attacker's identity, such as over the phone or via email. Publicly available information (employee lists, job titles, phone numbers, etc.) can help an attacker impersonate someone convincingly.
4
Pretexting
When a social engineer calls, claims they have to adjust something on the user's system remotely, and gets the user to reveal their credentials. A classic example of an impersonation attack.
5
Dumpster Diving
Going through an organization's or individual's garbage to try to find useful documents, files, or removable media.
6
Tailgating
Means of entering a secure area without authorization by following close behind a person who has been allowed access.
7
Piggybacking
The attacker enters a secure area WITH an employee's permission, in contrast to tailgating.
8
Identity Fraud
When the attacker uses specific details of someone's identity. Likely to involve the victim's computer account.
9
Invoice Scam
A type of identity fraud. The invoice details of a genuine supplier are spoofed, but the bank account number is changed.
10
Phishing
When bad actors use email (traditionally) to trick a target into interacting with a malicious resource disguised as a trusted one. A combination of social engineering and spoofing. May also try to get the target to perform a specific action.
11
Spear Phishing
When the phishing attack targets a specific individual. The bad actor has information that allows them to tailor the email to the target, making it much more likely the target will be fooled by the attack.
12
Whaling
Phishing attack directed at the upper levels of management in an organization.
13
Vishing
Phishing attack conducted through a voice channel (phone or VoIP). It can be much more difficult for someone to refuse a request made in a phone call compared to one made in an email.
14
Smishing
Phishing that uses Short Message Service (SMS) text communications as the vector.
15
Spam
Unsolicited email that is often used as a vector for attacks. Threat actors harvest email addresses or phone numbers from marketing lists or databases of historic breaches.
16
Hoaxes
Notifications of problems or alerts that are false, such as fake security alerts or chain emails. An email alert or web pop-up claims to have identified some sort of problem, such as a virus, and offers a tool to fix it. That tool is actually a malicious or trojan application.
17
Prepending
Adding text that appears to have been generated by the mail system, e.g. "RE:" or "MAILSAFE: PASSED", to make a phishing email more convincing.
18
Pharming
Passive technique that redirects users from a legitimate website to a malicious one by corrupting the way the victim's computer performs Internet name resolution.
19
Typosquatting
The threat actor registers a domain name that is very similar to a real one, hoping that users will not notice the difference. Such domains are referred to as cousin, lookalike, or doppelganger domains. The attacker could also register a hijacked subdomain under the primary domain of a trusted cloud provider. Ex: using onmicrosoft.com to create comptia.onmicrosoft.com, which is not a real CompTIA domain. Also a passive technique.
20
Watering Hole Attack
Another passive technique, which relies on the target using an insecure third-party website. Ex: penetrating a secure e-commerce organization by compromising the pizza delivery website that many of its employees use.
21
Credential Harvesting
Attack specifically designed to steal account credentials. Attacker may be looking to exploit the credentials directly or sell them for a profit.
22
Influence Campaign
A major program launched by an adversary (nation-state, terrorist group, hacktivist group) with the goal of shifting public opinion on some topic.