1.1 Social Engineering
Phishing and Other Types of Social Engineering
Phishing is one of the most common and well-known types of social engineering attacks, but there are several other social engineering techniques that attackers use to manipulate individuals and organizations.
Phishing = social engineering with a touch of spoofing | collect access credentials
Typosquatting = type of URL hijacking - https://professormessor.com - https://pprofessormessorr.com
Pretexting = lying to get information | attacker is the character in a situation they create
Pharming = redirecting a legit website to a fake site | harvest large groups of people's information - poisoned DNS server or client vulnerabilities - difficult for anti-malware software to stop | everything appears legitimate to the user
Vishing = phishing over the phone or voicemail - caller ID spoofing is common
Smishing = SMS phishing done by text message - forwards link or asks for personal information
Spear Phishing = targeted phishing | very directed attacks to a specific person or group of people
Whaling = targeted phishing with the possibility of a large catch | phishing a CEO or Department Manager | attack the ones who have the power or money, e.g. executives
Impersonation = attackers pretend to be someone they aren't | attack someone higher in rank | throw tons of technical details around to confuse the victim
Eliciting information = extracting information from the victim | commonly done with vishing - the victim is not even aware of this attack
Identity fraud = your identity can be used by others | credit card fraud | bank fraud | loan fraud
Dumpster diving = mobile garbage bin | simply searching for important information in a trash bin
Shoulder surfing = simply someone, an attacker, looks over your shoulder and sees your password or other sensitive information - be aware of your surroundings - use privacy filters | keep your monitor out of sight
Computer hoaxes = a threat that doesn't actually exist but they seem like they could be real
Watering hole attack = attacker seeks to compromise a specific group of end users by infecting websites that members of the group are known to visit | instead of attacking your well-secured company directly, attackers target third-party sites and applications to find vulnerabilities - determine which website the victim group uses, then compromise it - use defense-in-depth | layered defense | firewalls and IPS | anti-virus
Spam = unsolicited messages, email, forums - commercial advertising - phishing attempts - Mail Gateways = stop unsolicited email at the gateway before it reaches the user - Tarpitting = intentionally slow down the server conversation (mail server)
Hacking public opinion = influence campaigns (influence public opinion on political and social issues) | nation-state actors (divide, distract, and persuade) - create fake users and fake content | post on social media | amplify messages | real users start to share the message | now mass media picks up the fake story - cyberwarfare = destabilization or destruction of critical systems. The objective is to weaken the target country by compromising its core systems
Tailgating = use an authorized person to gain unauthorized access to a building, simply follow them
Invoice scams = starts with a bit of spear phishing | attacker knows who pays the bills - attacker sends a fake invoice
Credential harvesting = attackers collect login credentials
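Added example (not part of the original notes): a small lookalike-domain checker for the typosquatting entry above. It compares the registrable domain of a URL against a constructed allow-list using edit distance, and also compares after collapsing doubled letters so that the doubled-character trick in the notes' example (pprofessormessorr.com) is caught. The allow-list, the two-label "registrable domain" heuristic and the distance threshold are assumptions for illustration; a real mail gateway or proxy filter would use the public suffix list and a larger brand list.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list of legitimate domains (assumption for this example).
KNOWN_DOMAINS = ["professormessor.com", "example-bank.com"]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insertions, deletions and substitutions cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def collapse_repeats(s: str) -> str:
    """Fold runs of the same character ('pprofessormessorr' -> 'profesormesor')."""
    return re.sub(r"(.)\1+", r"\1", s)


def registrable_domain(url: str) -> str:
    """Return the last two labels of the hostname (simplification: no public suffix list)."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower().strip(".")
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def lookalike_distance(domain: str, known: str) -> int:
    """Smallest distance over the raw form and the doubled-letter-collapsed form."""
    return min(levenshtein(domain, known),
               levenshtein(collapse_repeats(domain), collapse_repeats(known)))


def classify_url(url: str, known=KNOWN_DOMAINS, max_distance: int = 2):
    """Classify a URL as 'legitimate', 'lookalike' (with the brand it imitates) or 'unknown'."""
    domain = registrable_domain(url)
    if domain in known:
        return ("legitimate", domain, domain)
    best_known, best_dist = None, None
    for k in known:
        d = lookalike_distance(domain, k)
        if best_dist is None or d < best_dist:
            best_known, best_dist = k, d
    if best_dist is not None and best_dist <= max_distance:
        return ("lookalike", domain, best_known)
    return ("unknown", domain, None)


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a phishing email.
    for u in ["https://login.professormessor.com/reset",
              "https://pprofessormessorr.com",
              "https://docs.python.org"]:
        print(u, "->", classify_url(u))
```

The collapsed-form comparison is what makes the doubled-letter variant score as a lookalike; pure edit distance alone would let a domain with several doubled characters slip past a small threshold. Flagged links are a detection signal for the mail gateway or proxy, not a verdict on their own.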