Other Social Engineering Attacks (OBJ 2.2)

Social Engineering Attacks Overview

  • In this lesson, we will cover various forms of social engineering attacks. These include:
    • Diversion theft
    • Hoaxes
    • Shoulder surfing
    • Dumpster diving
    • Eavesdropping
    • Baiting
    • Piggybacking or tailgating

Diversion Theft

  • Definition: Diversion theft refers to techniques that manipulate a situation or create distractions to steal items or information.
  • Types of Diversion Theft:
    • Physical Diversion Theft: Creating distractions to allow accomplices to steal physical items, for example, by staging a scene in a retail store.
    • Digital Diversion Theft: Manipulating internet traffic to redirect data to fraudulent websites, thereby stealing personal information from users.
  • Common Example: DNS Spoofing Attack
    • Explanation: An attacker alters Domain Name System (DNS) settings or records. When a user enters a legitimate website URL, they are redirected to a fraudulent website.
    • Brand Impersonation: The fake website mimics a legitimate one to deceive users into believing they are visiting a safe site.
    • Data Capture: Users may unknowingly enter sensitive data, such as usernames, passwords, or credit card details, on the fake site, falling victim to the attack.

Hoaxes

  • Definition: A hoax is a malicious deception communicated through various channels like social media or email.
  • Consequences of Hoaxes:
    • Can cause panic, misinformation, and significant disruption.
    • May also serve as vehicles for phishing or malware distribution.
  • Example of a Hoax:
    • If a Mac user receives a virus alert claiming their machine is infected with Windows malware, it signals a hoax, since Windows malware cannot affect macOS systems.
  • Combating Hoaxes:
    • Users should utilize critical thinking and verify the source of suspicious messages before acting.

Shoulder Surfing

  • Definition: Shoulder surfing is the practice of watching someone’s actions, often over their shoulder, to gather personal information.
  • Common Targets:
    • ATMs (PINs), public computers (passwords), or documents containing sensitive information.
  • Modern Method:
    • Attackers can use technology such as high-powered cameras to gather information without being physically close to the victim.
  • Prevention Strategies:
    • Users should be vigilant about their surroundings while inputting sensitive information.
    • Organizations can use privacy screens and keypad shields to protect against shoulder surfing.

Dumpster Diving

  • Definition: Dumpster diving involves searching through trash to uncover valuable information that has not been properly discarded.
  • Typical Information Targeted:
    • Discarded documents that contain personal or sensitive corporate information.
  • Crucial Insights:
    • Even though it may seem unpleasant, social engineers often sift through discarded data because it can be rich in insights about their targets.
  • Preventative Measures:
    • Ensure sensitive documents are shredded prior to disposal.
    • Enforce a clean desk policy requiring documents to be secured or destroyed at the end of the day.
  • Digital Dumpster Diving:
    • Attackers may also recover deleted or recycled files from discarded digital devices.
    • Prevention involves securely erasing files from storage devices before disposal.
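As an added example (not part of the lesson), the following Python script shows what "securely erasing" a file means in practice on a conventional magnetic disk: overwrite every byte in place, force the write to the device, and only then unlink the file. The file name, the payroll-style sample content and the `demo()` helper are constructed for illustration. The caveat a practitioner needs: on SSDs, and on copy-on-write or journaling file systems, the overwrite may land on different physical blocks than the original data, so for device disposal the reliable controls are full-disk encryption with key destruction (crypto-erase), the drive's built-in sanitize command, or physical destruction.

```python
"""Overwrite-then-delete for a single file (added example, not from the lesson).

Works as described on magnetic disks with in-place file systems. On SSDs and
copy-on-write/journaling file systems the old blocks may survive; use
full-disk encryption plus key destruction or the drive's sanitize command there.
"""
import os
import secrets
import tempfile

CHUNK = 1024 * 1024  # overwrite in 1 MiB chunks so large files are not read into RAM


def overwrite_file(path: str, passes: int = 1) -> int:
    """Overwrite every byte of `path` in place with random data, `passes` times.

    Returns the number of bytes overwritten per pass. Each pass is flushed and
    fsync'ed so the data reaches the device before the next pass starts.
    """
    size = os.path.getsize(path)
    # "r+b" keeps the same inode and blocks; "wb" would truncate first and let
    # the file system hand out fresh blocks, leaving the old ones untouched.
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())
    return size


def secure_delete(path: str, passes: int = 1) -> bool:
    """Overwrite the contents, then unlink. Returns True once the path is gone."""
    overwrite_file(path, passes)
    os.remove(path)
    return not os.path.exists(path)


def demo(sample: bytes = b"employee,ssn\nJ. Doe,000-00-0000\n" * 1000) -> dict:
    """Create a constructed 'sensitive' file, wipe it and report what happened."""
    fd, path = tempfile.mkstemp(prefix="payroll_", suffix=".csv")
    with os.fdopen(fd, "wb") as fh:
        fh.write(sample)  # constructed sample data, not a real record
    overwritten = overwrite_file(path, passes=2)
    with open(path, "rb") as fh:
        residue = fh.read()
    return {
        "bytes_overwritten": overwritten,
        "size_unchanged": len(residue) == len(sample),
        "original_gone": sample[:32] not in residue,
        "unlinked": secure_delete(path),
    }


if __name__ == "__main__":
    print(demo())
```

A plain `os.remove()` (or dragging a file to the trash) only unlinks the directory entry; the data blocks stay on disk until reused, which is exactly what digital dumpster diving recovers. Multiple passes add little on modern drives; the more important detail is the `fsync()` after each pass and the choice of the right disposal control for the media type.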

Eavesdropping

  • Definition: Eavesdropping is the act of secretly listening to private conversations.
  • Contextual Examples:
    • Interception of network traffic to access sensitive information.
    • Wiretapping of telephone systems to overhear calls.
  • Advanced Techniques:
    • Man-in-the-middle Attack: An adversary intercepts communication between two parties without their knowledge.
  • Prevention Methods:
    • Use secure, encrypted communication channels consistently.
    • Always encrypt data sent across networks and keep systems updated.

Baiting

  • Definition: Baiting involves dropping malware-infected devices in areas where potential victims might find them and unknowingly use them.
  • Common Devices:
    • Physical devices like USB drives that, when connected to a system, install malware in seconds.
  • Common Scenarios:
    • Curious individuals may find a USB drive and plug it into their devices to see what is stored on it.
  • Prevention Strategies:
    • Educate users to refrain from using unknown USBs or devices.

Piggybacking or Tailgating

  • Definitions:
    • Piggybacking: An unauthorized person convinces an authorized individual to let them into a secure area, for example by having the authorized person swipe their access card for them.
    • Tailgating: An unauthorized person follows an authorized person into a secured area without that person's consent or knowledge.
  • Practical Examples:
    • Tailgating Scenario: An attacker follows closely behind an employee who has just swiped their access card and slips through before the door closes.
    • Piggybacking Scenario: An attacker disguised as a delivery person persuades an authorized employee to open the door, allowing them access.
  • Implications:
    • Insider threats may utilize such methods to access secure locations without logging their entry.
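The implication above (entry without a log record) is also what makes these attacks detectable after the fact. As an added example that is not part of the lesson, the Python script below applies two anti-passback rules to a badge-reader log: a badge that is used to enter while it is already recorded as inside (the card was passed back to someone, or its holder left earlier by tailgating out), and a badge that exits without any recorded entry (its holder got in by tailgating or piggybacking). The log format, reader name `DC-DOOR` and the badge holders are constructed for the example; a real access-control system exports its own format, and the rules assume each reader logs both directions.

```python
"""Anti-passback checks over a physical-access log (added example, not from the lesson).

Log format is constructed: "<ISO timestamp> <badge> <reader> <IN|OUT>".
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample log. bob's second IN at 09:10 and carol's OUT at 09:30
# are the anomalies the rules below should surface.
SAMPLE_LOG = """\
2024-05-01T08:01:10 alice DC-DOOR IN
2024-05-01T08:01:12 bob   DC-DOOR IN
2024-05-01T08:45:00 alice DC-DOOR OUT
2024-05-01T09:10:03 bob   DC-DOOR IN
2024-05-01T09:30:00 carol DC-DOOR OUT
2024-05-01T10:00:00 bob   DC-DOOR OUT
"""


@dataclass(frozen=True)
class Event:
    ts: str
    badge: str
    reader: str
    direction: str


@dataclass(frozen=True)
class Finding:
    ts: str
    badge: str
    reader: str
    rule: str  # "double-entry" or "exit-without-entry"


def parse_log(text: str) -> list[Event]:
    """Parse the constructed log format; blank lines are ignored."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, reader, direction = line.split()
        events.append(Event(ts, badge, reader, direction.upper()))
    return events


def anti_passback_findings(events: list[Event]) -> list[Finding]:
    """Track who is inside each reader's zone and flag inconsistent transitions."""
    inside: set[tuple[str, str]] = set()  # (badge, reader) pairs currently inside
    findings: list[Finding] = []
    # ISO-8601 timestamps sort correctly as strings.
    for e in sorted(events, key=lambda ev: ev.ts):
        key = (e.badge, e.reader)
        if e.direction == "IN":
            if key in inside:
                # Badge already inside: card passed back, or holder tailgated out earlier.
                findings.append(Finding(e.ts, e.badge, e.reader, "double-entry"))
            inside.add(key)
        elif e.direction == "OUT":
            if key not in inside:
                # No badge-in on record: holder entered by tailgating or piggybacking.
                findings.append(Finding(e.ts, e.badge, e.reader, "exit-without-entry"))
            inside.discard(key)
    return findings


if __name__ == "__main__":
    for f in anti_passback_findings(parse_log(SAMPLE_LOG)):
        print(f"{f.ts} {f.badge:6} {f.reader} {f.rule}")
```

The tailgater who never badges at all leaves no entry of their own, so the only signal in this data source is the mismatch on their later exit (or on a colleague's next entry). That is why physical controls such as mantraps and turnstiles, which force one badge per person, remain the primary mitigation and log review is the secondary one.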

Summary of Social Engineering Attacks

  • Types of social engineering attacks include:
    • Diversion theft: Redirecting goods or data.
    • Hoaxes: Spreading false claims that create anxiety or prompt misguided actions.
    • Shoulder surfing: Observing personal information directly over a person’s shoulder.
    • Dumpster diving: Searching trash for leaked confidential information.
    • Eavesdropping: Secretly listening to private conversations.
    • Baiting: Luring victims to reveal data or install malware.
    • Piggybacking or tailgating: Unauthorized individuals gaining access through authorized personnel.