1.1 Compare and contrast different types of social engineering techniques

Question 1

Phising

Answer 1

the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.

Question 2

Smishing

Answer 2

the fraudulent practice of sending text messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords or credit card numbers.

Question 3

Vishing

Answer 3

the fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as bank details and credit card numbers.

Question 4

Spam

Answer 4

This is unsolicited emails we get. These emails are getting us or wanting us to click some links to buy something

Question 5

Spam over instant messaging (SPIM)

Answer 5

This is unsolicited instant messaging. This is when you pop open your IM and suddenly you’re getting messages all over the place.

Question 6

Spear Phishing

Answer 6

the fraudulent practice of sending emails ostensibly from a known or trusted sender in order to induce targeted individuals to reveal confidential information.

Question 7

Dumpster diving

Answer 7

Dumpster diving is the process of searching trash to obtain useful information about a person/business that can later be used for the hacking purpose

Question 8

Shoulder surfing

Answer 8

Shoulder surfing is a practice where thieves steal your personal data by spying over your shoulder as you use a computer, laptop, ATM, public kiosk or other electronic device.

Question 9

Pharming

Answer 9

A cyberattack intended to redirect a website’s traffic to another, fake site by installing a malicious program on the computer. Can be conducted either by changing the hosts file on a victim’s computer or by exploitation of a vulnerability in DNS server software.

Question 10

Tailgating

Answer 10

the passage of unauthorised personnel, either forced or accidental, behind that of an authorised user.

Question 11

Eliciting Information

Answer 11

A technique used to discreetly gather information. The strategic use of casual conversation to extract information from people (targets) without giving them the feeling that they are being interrogated or pressed for the information.

Question 12

Whaling

Answer 12

a highly targeted phishing attack - aimed at senior executives - masquerading as a legitimate email.

Question 13

What is the difference between Spear Phising and Whaling?

Answer 13

whaling exclusively targets high-ranking individuals within an organization, while spear phishing usually goes after a category of individuals with a lower profile.

Question 14

Prepending

Answer 14

adding code to the beginning of a presumably safe file. It activates when the file is opened.

Question 15

Identity Fraud

Answer 15

A crime in which an imposter obtains key pieces of personally identifiable information (PII), such as Social Security or driver’s license numbers, to impersonate someone else.

Question 16

Invoice Scam

Answer 16

These scams happen when adversaries trick individuals into transferring funds by acting as legitimate companies.

Question 17

Credential Harvesting

Answer 17

the use of MITM attacks, DNS poisoning, phishing, and other vectors to amass large numbers of credentials (username / password combinations) for reuse.

Question 18

Reconnaissance

Answer 18

The practice of covertly discovering and collecting information about a company, network, or system.

Question 19

Hoax

Answer 19

A threat that doesn’t actually exist, But they seem like they COULD be real. Often an email, but can be a Facebook wall post, or tweet, or…
Will attempt take your money, but not necessarily through electronic means.

Question 20

Impersonation

Answer 20

A form of fraud in which attackers pose as a known or trusted person to dupe an employee into transferring money to a fraudulent account, sharing sensitive information (such as intellectual property, financial data or payroll information), or revealing login credentials that attackers can used to hack into a company’s computer network.

Question 21

Watering Hole Attack

Answer 21

A security exploit where the attacker infects websites that are frequently visited by members of the group being attacked, with a goal of infecting a computer used by one of the targeted group when they visit the infected website.

Question 22

Typosquatting

Answer 22

A type of attack which targets internet users who incorrectly type a URL into their web browser rather than using a search engine. Typically, it involves tricking users into visiting malicious websites with URLs that are common misspellings of legitimate websites.

Question 23

Pretexting

Answer 23

A type of social engineering attack that involves a situation created by an attacker in order to lure a victim into a vulnerable situation and to trick them into giving private information, specifically information that the victim would typically not give. Has been described as the first stage of social engineering, and has been used by the FBI to aid in investigations. A specific example of is reverse social engineering, in which the attacker tricks the victim into contacting the attacker first

Question 24

What are the two methods of influence campaigns?

Answer 24

Social media and Hybrid warfare

Question 25

Influence Campaigns: Social Media

Answer 25

This might be a completely legitimate person who’s trying to present a particular political perspective or a social issue, but this might also be someone trying to manipulate how people are thinking in a particular area. This is very commonly an attacker from a nation-state that is trying to change the way that people are voting and the way that people are thinking in a particular country. Sometimes, these bad actors will spend a lot of money on advertising as a way to change the opinion of people who may be reading things online. Some of the most powerful influence campaigns use more than just a single person. They use an entire system to amplify that message and get it into the eyes and the ears of many people.

Question 26

Influence Campaigns: Hybrid Warfare

Answer 26

You might have one country that is trying to change the way that people are thinking in another country. And if people change the way they’re thinking, then they’ll ask their elected officials to vote on particular policies in a particular way. This is not a new process. Militaries all over the world have tried to make this happen in different countries. But the internet changes the way that they’re able to get that message out.

Question 27

What are the Principles of Social Engineering and influence?

Answer 27

- Authority - Intimidation - Consensus - Scarcity - Familiarity - Trust - Urgency

Question 28

Social Engineering Principles: Authority

Answer 28

A social engineering principle where the social engineer pretends to be someone who either has a higher clearance or a special clearance in order to get the target to provide information or access that they normally would not give. – I’m calling from the help desk/office of the CEO/police/Lawyers/Government etc

Question 29

Social Engineering Principle: Intimidation

Answer 29

A principle of Social Engineering where the attacker says something catastrophic will happen if the target doesn't do a certain task or give information that they normally would not give. And it may not be something that is directly focused on you, it may instead be a situation that is intimidating. They might say that bad things will happen if you don’t help, or it could be something as simple as saying, the payroll checks aren’t going to go out unless I get this information from you.

Question 30

Social Engineering Principle: Consensus or Social Proof

Answer 30

A social engineer using other people and what they’ve done to try to justify what they’re doing. They might tell you that your coworker was able to provide this information last week. They’re not in the office now so it’s something that maybe you could provide for them

Question 31

Social Engineering Principle: Scarcity and Urgency

Answer 31

This particular situation is only going to be this way for a certain amount of time, we have to be able to resolve this issue before this timer expires. Act without thinking because time is running out.

Question 32

Social Engineering Principle: Familiarity

Answer 32

They become your friend. They talk about things that you like, and by doing that, they make you familiar with them on the phone and make you want to do things for them. Someone you know, we have common friends. We went to the same school, grew up in the same town etc..

Question 33

Social Engineering Principle: Trust

Answer 33

He’s going to try to tell you that he’s going to be able to solve all of your problems. He’s going to be able to fix all of these issues. You just need to provide the information he’s asking for. someone who is safe. I’m from IT, and I’m here to help.