social engineering
manipulative strategy that exploits human psychology to gain access to systems, data, or physical spaces
types of motivational triggers used by social engineers
authority: attacker pretends to be important client/agency
urgency: time-sensitive pressure to act
social proof: individuals look to the behaviors/actions of others to determine their own decisions/actions in similar situations. fake credibility
scarcity: pressure based on limited supply/offer
likability: friendly and inviting
fear: play off victim’s fear. ransomware
4 main forms of impersonation
impersonation
brand impersonation
typosquatting
watering hole attacks
typosquatting (URL hijacking, cybersquatting)
cyber attack where an attacker registers a domain name that is similar to a popular website but contains common typographical errors
watering hole attack
passive cyber attack where attackers compromise a specific website or service that their target is known to use
pretexting
attacker gets an individual to fill in the blanks in order to gather their information/attack their system
types of phishing attacks
phishing
vishing
smishing
whaling
spear phishing
business email compromise
phishing
fraudulent attack mass spreading deceptive emails from trusted sources to trick individuals into disclosing personal info
spear phishing
targeted phishing used by cybercriminals who are more tightly focused on a specific group of individuals or organizations
whaling
spear phishing that targets high profile individuals
business email compromise (BEC)
taking over a legitimate email account within a company to manipulate employees into carrying out malicious actions for the attacker
vishing (voice phishing)
phone-based attack using impersonation to deceive victims into providing personal/financial info
smishing (SMS phishing)
using text messages to deceive individuals into sharing their personal info
why a phishing email may have a lot of spelling errors
if the phishing emails are too well done, too many people will fall for it and it would overwhelm the attacker’s ability to deal with all that personal info at once
need gullible people for more profit
fraud
criminal deception intended to result in financial or personal gain
identity fraud vs identity theft
attacker takes the victim’s info and makes changes vs attempt to assume the identity of the victim
scam
fraudulent act or operation
invoice scam
a person is tricked into paying for a fake invoice for a service/product they did not order
influence campaign
coordinated efforts for shaping public opinion and behavior
misinformation vs disinformation
inaccurate information shared unintentionally vs intentionally
misunderstanding vs rumors
diversion theft
manipulating a situation or creating a distraction to steal valuable items or info
ex. DNS spoofing attack
hoax
malicious deception often spread through social media, email, or other communication channels
paired with phishing and impersonation
shoulder surfing
looking over someone’s shoulder to gather personal info
dumpster diving
searching through the trash to find valuable info
virtual dumpster diving (digital dumpster diving)
attacker accesses the recycling bin/deleted files on a system
baiting
planting a malware-infected device for a victim to find and unintentionally introduce malware to their organization’s system