1.1 Compare and contrast different types of social engineering techniques. Flashcards

1
Q

What is Phishing?

A

An attacker poses as a trusted source and attempts to deliver a malicious payload or gather personal or sensitive information from an individual. The email typically claims that the user needs to connect to or log onto a site; the site may look very convincing, but it is fake. The link in the email may download malicious software that performs attacks on the system.

2
Q

What is Smishing?

A

A smishing attack is a phishing attack that uses SMS instead of email. These messages are cleverly designed to look like common texts received from vendors.

3
Q

What is Vishing?

A

Another form of phishing that is often done over Voice over IP (VoIP). It can be effective if the message is prerecorded and uses a spoofed telephone number to convince the target that the message is legitimate.

4
Q

What is Spam?

A

It is unsolicited e-mail, usually advertising a product or service. A small amount of spam is really trying to steal your information.

5
Q

What is Spam over instant messaging (SPIM)?

A

It is Spam received over instant messaging instead of email.

6
Q

What is Spear Phishing?

A

A form of phishing that is designed to target a specific group or individual instead of sending a generic email to a mass of people. These emails typically use information that is personal to the victims, which lends credibility to the attacker and helps persuade them that the email is legitimate. Another tactic may be to spoof a known sender.

7
Q

What is dumpster diving?

A

Attackers go dumpster diving for social engineering by trying to find information on a company that gives them further insight into its operations, missions, etc. This can be prevented by screening trash.

8
Q

What is Shoulder Surfing?

A

When a person inconspicuously looks over a victim’s shoulder to see what they are viewing or typing.

9
Q

What is Pharming?

A

In a pharming attack, the user is redirected to a fake site through some other means, such as malware on the computer, hosts file poisoning, or redirection from a DNS server that has been compromised.

10
Q

What is Tailgating?

A

When an individual follows an authorized person through a security checkpoint or door to gain access to unauthorized areas. To mitigate, an organization needs to positively identify every individual. Mantraps are used to guard against tailgating.

11
Q

What is Eliciting Information?

A

Gathering information through various means. A common way to gather information is through social engineering.

12
Q

What is Whaling?

A

A form of phishing that sends an email to a high-value target instead of the masses. These emails are higher stakes because high-value individuals have information that may be considered more critical to attackers.

13
Q

What is Prepending?

A

A link that adds an unexpected payload at the beginning.

14
Q

What is Identity fraud?

A

It is using someone else’s PII for personal gain.

15
Q

What is an Invoice Scam?

A

An attacker submits a fake invoice that mimics the vendor’s invoice in every aspect except the payment destination, which is the attacker’s information.

16
Q

What is Credential Harvesting?

A

Social engineering that focuses on gathering the credentials of one or more persons inside an organization. It could serve as a reconnaissance tool, it might be an end in and of itself, or it could be a tool for any other type of attack.

17
Q

What is Reconnaissance?

A

Every proper attack begins with reconnaissance for weak spots. Social engineering, along with passive scanning and researching social media, is the first step towards any attack.

18
Q

What is a Hoax?

A

A hoax is a lie or false story that leads one or more people to believe something is true that is very much not true. Occasionally, hoaxes can be used to carry out serious attacks. An email hoax could have a virus attached to it, or an attacker could use the email hoax to map out all of your associates to get an idea of a network.

19
Q

What is Impersonation?

A

The attacker usually impersonates someone with higher privileges than the victim, or someone the victim thinks is a “nobody” who easily slips by unnoticed.

20
Q

What is a Watering Hole Attack?

A

A bad actor will research the web-usage patterns of a group of people who are of interest and will infect the sites that the group commonly visits and evidently trusts. These bad actors will then steal information.

21
Q

What is TypoSquatting/URL hijacking?

A

Where con artists and scammers buy up domains that differ only slightly from a legitimate one by a spelling error that is common amongst users, like www.aamazon.com for example. These sites will try to steal information from you. URL hijacking is similar in that the attacker registers the same domain name as a legitimate company, but with a different top-level domain.

22
Q

What is Pretexting?

A

The same as a phishing attack, but it creates a plausible scenario that leads the target to grant the desired information.

23
Q

What are Influence Campaigns?

A

What bad actors use to spread inaccurate, emotional, and fear-mongering information to cause chaos. The internet has made this much worse.

24
Q

What is Hybrid warfare (Influence Campaigns)?

A

Hybrid Warfare means to use influence campaigns, such as “winning hearts and minds” strategies, as part of conventional warfare.

25
Q

What is Social Media (Influence Campaign)?

A

Bad actors can use social media to issue propaganda to a very large audience, even faster than newspapers, phones, or emails.

26
Q

What are principles (social engineering)?

A

These are the principles that make social engineering so effective.

27
Q

What is the principle of Authority in regards to social engineering (Principles)?

A

Social engineers leverage authority based on two reactions: respect and fear. Attackers make use of these tendencies to convince us that we are required to take the requested actions by virtue of the position of authority they are impersonating.

28
Q

What is the principle of Intimidation in regards to social engineering (Principles)?

A

Attackers can intimidate victims so that the victims comply simply to make the attacker go away. This principle of social engineering usually works better on inexperienced workers.

29
Q

What is the principle of Consensus in regards to social engineering (Principles)?

A

Unlike with intimidation, a social engineer using consensus will likely be a little nicer, more understanding, and more sympathetic to the needs of the target. They will usually exploit personal information about the victim to find common ground and relate to them in any way they can. This usually requires a bit more effort from the attacker.

30
Q

What is the principle of Scarcity in regards to social engineering (Principles)?

A

The attacker will offer the victim something that they REALLY NEED. They use this as an incentive or as a bit of a “thank you” for doing favors for the attacker.

31
Q

What is the principle of Familiarity in regards to social engineering (Principles)?

A

Developing a bond with the target can help the attacker better persuade and influence the target into giving them what they want.

32
Q

What is the principle of Trust in regards to social engineering (Principles)?

A

An attacker will take the time to build the level of trust needed for their intended purpose. This principle tends to take longer than some of the other principles.

33
Q

What is the principle of Urgency in regards to social engineering (Principles)?

A

An attacker may use urgency to get a victim to perform an action or give up information in a short amount of time, while the victim cannot think clearly or confirm the identity of the attacker.