1.1 Compare and contrast different types of social engineering techniques.

Digital Defender
4 min read · Aug 27, 2023


Phishing: Phishing is the process of attempting to obtain sensitive information in electronic communications. (fishing for info)

Smishing: SMS phishing or smishing is a social engineering attack that occurs over or through standard text messaging services. (text phishing)

Vishing: Vishing is phishing done over any telephony or voice communication system. (over the phone/voicemail)

Spam: Spam is not just unwanted advertising; it can also carry malicious content and serve as an attack vector. (unwanted email)

SPIM: Spam over instant messaging (SPIM) is the transmission of unwanted communications over any messaging system that is supported by or occurs over the internet.

Spear phishing: Spear phishing is a more targeted form of phishing where the message is crafted and directed specifically to an individual or group of individuals. (targeted)

Business email compromise (BEC): BEC is a form of spear phishing that is often focused on convincing members of accounting to transfer funds, pay invoices, or purchase products from a message that appears to originate from a boss, manager, or executive.

Dumpster diving: Dumpster diving is the act of digging through trash to obtain information about a target organization or individual. (trash)

Pretexting: Pretexting is a false statement crafted to sound believable in order to convince you to act or respond.

Shoulder surfing: Shoulder surfing occurs when someone is able to watch a user’s keyboard or view their display. (watching user’s keyboard)

Pharming: Pharming is the malicious redirection of a valid website’s URL or IP address to a fake website that hosts a false version of the original valid site. (redirection to a fake website, false version)

Tailgating and piggybacking: Tailgating occurs when an unauthorized entity gains access to a facility under authorization of a valid worker but without their knowledge. Piggybacking occurs when an unauthorized entity gains access to a facility under the authorization of a valid worker by tricking the victim into providing consent. (sneak into a building)

Eliciting information: Eliciting information is the activity of gathering or collecting information from systems or people. (subtly gathering info)

Whaling: Whaling is a form of spear phishing that targets specific high-value individuals, such as CEOs or other C-level executives, administrators, or high-net-worth clients. (targets high-value individuals)

Prepending: Prepending is the adding of a term, expression, or phrase to the beginning or header of some other communication. (to make the receiver think the communication is the continuation of a previous conversation)

Identity theft: Identity theft is the act of stealing someone’s identity. This can refer to the initial act of information gathering or elicitation. It can also refer to when those stolen credentials and details are used to take over someone’s account. (claim to be someone else through the use of stolen information from the victim)

Identity fraud: Identity fraud is when you falsely claim to be someone else through the use of stolen information from the victim.

Spoofing: Spoofing is any action taken to hide a valid identity, often by taking on the identity of something else.

Invoice scams: Invoice scams are social engineering attacks that attempt to steal funds from an organization or individual through the presentation of a false invoice, often followed by strong inducements to pay. (false voicemail/invoice)

Credential harvesting: Credential harvesting is the activity of collecting or stealing account credentials. (collecting stolen user credential data)

Reconnaissance: Reconnaissance is collecting information about a target, often for the purposes of figuring out the best plan of attack against that target. (planning an attack against target)

Hoaxes: A hoax is a form of social engineering designed to convince targets to perform an action that will cause problems or reduce their IT security. (“false virus alert”)

Impersonation: Impersonation is the act of taking on the identity of someone else to use their power or authority. (pretending to be someone else after stealing their data)

Watering hole attacks: A watering hole attack is a form of targeted attack against a region, a group, or an organization. It’s waged by poisoning a commonly accessed resource. (attacker observes the target’s habits; the target visits the poisoned site and brings the infection back to the group/system)

Typosquatting: Typosquatting is a practice employed to capture and redirect traffic when a user mistypes the domain name or IP address of an intended resource. (predicts URL typos. e.g., “Gooogle.com” instead of “Google.com”)
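As an added illustration of the typosquatting entry above (not part of the original notes), the following checks candidate domains against a constructed list of protected domains by edit distance, so a defender can flag lookalikes such as “gooogle.com” in DNS or proxy logs. The protected-domain list and the distance threshold are assumptions for the example.

```python
"""Flag typosquatting lookalike domains by edit distance to protected domains."""
from typing import List, Optional, Tuple

# Constructed sample of domains an organization wants to protect (assumption).
PROTECTED_DOMAINS: List[str] = ["google.com", "example-bank.com"]


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character inserts, deletes, or substitutions
    needed to turn string a into string b (classic dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute (or match)
        prev = cur
    return prev[-1]


def host_of(url_or_domain: str) -> str:
    """Normalize input to a lower-case host name: strip scheme, path, and port."""
    host = url_or_domain.lower().split("://")[-1].split("/")[0]
    return host.split(":")[0]


def classify(url_or_domain: str, max_distance: int = 2) -> Tuple[str, str, int]:
    """Return (verdict, closest_protected_domain, distance).

    verdict is 'legit' (exact match), 'lookalike' (within max_distance edits),
    or 'unrelated' (further away than the threshold)."""
    host = host_of(url_or_domain)
    closest: Optional[Tuple[str, int]] = None
    for protected in PROTECTED_DOMAINS:
        d = levenshtein(host, protected)
        if closest is None or d < closest[1]:
            closest = (protected, d)
    name, dist = closest
    if dist == 0:
        return ("legit", name, 0)
    if dist <= max_distance:
        return ("lookalike", name, dist)
    return ("unrelated", name, dist)


def find_lookalikes(observed: List[str]) -> List[Tuple[str, str, int]]:
    """Scan observed hosts (e.g. from DNS logs) and keep only the lookalikes."""
    return [(h,) + classify(h)[1:] for h in observed if classify(h)[0] == "lookalike"]
```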

URL hijacking: URL hijacking can also refer to the practice of displaying a link or advertisement that looks like that of a well-known product, service, or site, but when clicked redirects the user to an alternate location, service, or product.

Clickjacking: Clickjacking is a means to redirect a user’s click or selection on a web page to an alternate often malicious target instead of the intended and desired location.

Session hijacking: Session hijacking (a.k.a. TCP/IP hijacking) is a form of attack in which the attacker takes over an existing communication session.

Influence campaigns: Influence campaigns are social engineering attacks that attempt to guide, adjust, or change public opinion, often waged by nation-states against their real or perceived foreign enemies.

Doxing: Doxing is the collection of information about an individual or an organization in order to disclose the collected data publicly for the purpose of changing the perception of the target.

Hybrid warfare: Hybrid warfare is the combination of classical military strategy with modern capabilities, including digital influence campaigns, psychological warfare efforts, political tactics, and cyber warfare capabilities. It is also known as nonlinear warfare.

Principles of social engineering: Many techniques are involved in social engineering attacks. These often involve one or more common principles such as:
- authority,
- intimidation,
- consensus/social norms,
- scarcity (existence of few),
- familiarity/liking,
- trust (attacker developing a relationship w/ a victim), and
- urgency (act quickly before considering).
