1.1 Social Engineering Techniques

Question 1

What is Phishing?

Answer 1

• A scam using this social engineering technique targets a large group of recipients with a generic message.
• Aim: Trick at least the most gullible into acting
• Ex: Visiting a website and entering PII, responding to an email, responding to a text (Smishing).
• Relies on: A false sense of trust (contain familiar logos, official looking messages)

Question 2

What is Smishing?

Answer 2

• A particular type of phishing that uses text of SMS messaging to scam someone.

Question 3

What is Vishing?

Answer 3

• A type of phishing attack that takes place over phone systems, most commonly over VoIP (Voice over IP).
• Aim: Using tools specific to VoIP systems, hackers can program their autodialers to send a recording from a spoofed VoIP address.
• Ex: Call may claim to be from a bank and requesting a call back to verify information.

Question 4

What is Spam?

Answer 4

• A deliberate attempt to email unsolicited advertisements to a large number of recipients.
• Spam mailing lists are shared among internet spam advertisers
• Spam consumes space and bandwidth. (Annoying to users and network administrators).
• Continues to be a prime nuisance and security issue for organizations
• Ex: Any time you sign your email up to a website/ newsgroup you open yourself up to the possibility of being added to a spam mailing list.
• Prevention: Many ISPs (Internet Service Providers) and corporate networks use anti-spam mail filters to block incoming spam.

Question 5

What is SPIM?

Answer 5

• Spam over Instance Message (SPIM) is an instance message spam.
• Similar to the more common spam, it occurs when a user receives unsolicited instance message (including users who are known and in the user’s contact list)
• SPIM can be targeted and include user information like demographic, age, gender information
• Prevention: Make sure that only people in their contact list can send them messages. (Many organizations block access to external IM chat)

Question 6

What is Spear Phishing?

Answer 6

• A variant of phishing, which is a targeted type of attack that includes information familiar to the user and could appear to be from a trusted source.
• Much more sophisticated than a phishing attack, b/c the information is targeted at the victim.
• Aim: Provides a greater inducement for trust from the victim due to its targeted nature.
• Ex: A company from which the user has purchased something in the past, financial institution, etc could use the target’s name and mailing address (easily stolen or use employee names with whom the individual has interacted before.

Question 7

What is Dumpster Diving?

Answer 7

• Requires almost not social skills a tall! Literally, looking through trash / recycling.
• Prevention: Companies will shred documents so they can’t be put back together.

Question 8

What is Shoulder Surfing?

Answer 8

• Looking at someone’s sensitive information on their monitor (possibly over their shoulder or through an unobstructed view)
• Prevention: Users must examine their surroundings before entering or viewing conficential data. Ensure their monitor isn’t easy to read from a hallway, etc.
• Ex: Blinds can be installed in the office is near another building or screen filters can be used

Question 9

What is Pharming?

Answer 9

• A technique that misdirects a user to an attacker’s website without the user’s knowledge, generally through manipulation of the DNS (Domain Name Service) on an affected server or the host file on a user’s system.
• While similar to phishing where a user may click a seemingly legitimate link, it differs in that it installs code on the user’s computer that sends them to the malicious site, even if the URL is entered correctly or chosen from a web browser bookmark.
• User is tricked into browsing to the attackers website.
• Like phishing can result in the loss of confidential data and can lead to identity theft as well.

Question 10

What is Tailgating?

Answer 10

• A simpler form of social engineering, gaining physical access to an access-controlled facility by closely following an authorized person through the security check point
• Can also refer to using another user’s access rights on a computer. (Ex: leaving a computer unlocked and going to lunch) Users must be taught to always log out and lock their workstations before leaving their area.
• Ex: A person might make casual conversation while following someone in or tell them they’ve lost or forgotten their card
• Prevention: Organizations must have strict access control rules to prevent tailgating so that unauthorized persons aren’t allowed into any secure facility or room and employees should b educated not to let in unknown persons, visitors must be accompanied and must sign in / out.

Question 11

How to prevent social engineering scams?

Answer 11

• Education is key to provide user education to recognize the warning signs of scams, including any attempt to get financial information such as credit card / bank information over the phone.
• B/c technological controls alone are not sufficient to protect users.

Question 12

What is Hoax?

Answer 12

• Typically some kind of urban legend or sensational fake news that users pass along to others via email b/c they feel it is of interest.
• Ex: Forward this email to 10 friends for good luck.
• Ex: Email saying they’re collecting money for a sick individual.
• Hoaxes are generally harmless, just taking up resources on the network and computers.
• However, some are phishing attempts that try to get the user to visit the link to a malicious site.

Question 13

What is Prepending?

Answer 13

• Adding mentions (@username) to Tweets or social media posts to make them seem more personal and legitimate.
• Creates higher engagement and can be automated to become almost as efficient as manual spear phishing campaigns.

Question 14

What is Identity Fraud?

Answer 14

• When an unauthorized user collects enough personal information about their target to perform forged credit card / banking transactions using the victim’s financial / personal details.

Question 15

Exam tip! How to combat the problem of dumpster diving.

Answer 15

• The physical security of your facility should include your garbage disposal and recycling operations.

Question 16

What is Credential Harvesting?

Answer 16

• More than phishing and becoming increasingly common, essentially stealing passwords or exploiting weak passwords.
• Also known as password harvesting, it’s related to phishing but uses different tactics.
• Ex: It can take many forms.

Question 17

What is Reconnaissance?

Answer 17

• When the hacker takes time to gather information which can then be leveraged into a social engineering attack.

Question 18

What is Impersonation?

Answer 18

• A person pretends to be someone else and tricks the victim into revealing sensitive information
• Ex: Social engineer calls a helpdesk operator and claims to be a high level user and depends that they reset their password so that they can complete an important task. The social engineer might have gathered relevant information to make the scam more convincing and get the operator to reset their password.

Question 19

What is a Watering Hole Attack?

Answer 19

• Targeted attack toward a group of specified users.
• Hackers will infect websites that the targeted users are known to frequent.
• Goal: Load a malicious payload from the infected sites onto the user’s computer, giving the hacker’s access to the user’s network.

Question 20

What is Typosquatting?

Answer 20

• Hackers register domains with deliberately misspelled names of well-known websites to lure unsuspecting visitors to alternative websites
• Victims may end up here by mistyping the url or being lured as part of a wider phishing attack.

Question 21

What is Pretexting?

Answer 21

• A technique in which a social engineer creates a story or pretext that employs one or more principles to motivate victims to act contrary to their instincts/ training.

Question 22

Social Engineer Principle: Authority

Answer 22

• A reason why social engineering is effective

- Social engineers often claim a position of authority to intimidate the victim to give them access rights

Question 23

Social Engineer Principle: Intimidation

Answer 23

• A reason why social engineering is effective

- Social engineers can act belligerently if denied

Question 24

Social Engineer Principle: Consensus

Answer 24

• A reason why social engineering is effective
• AKA Social Proof principle - Try to make a social connection, claiming that another trusted individual can vouch for their authenticity

Question 25

Social Engineer Principle: Scarcity

Answer 25

• A reason why social engineering is effective

- Social engineers can act as if they have little time to verify the victim’s identity.

Question 26

Social Engineer Principle: Familiarity

Answer 26

• A reason why social engineering is effective

- Social engineers can try to seek common interests to create a bond between the social engineer and victim

Question 27

Social Engineer Principle: Trust

Answer 27

• A reason why social engineering is effective
• May cite professional credentials, known organization information or organization status to create a feeling of confidence

Question 28

Social Engineer Principle: Urgency

Answer 28

• A reason why social engineering is effective

- Social engineers can act as if the situation is urgent.