1.0 Attacks, Threats, and Vulnerabilities
1.1 Types of Social Engineering Technique
Phishing - Email used to trick a victim into providing data/credentials.
Smishing - Phishing using text messages/sms instead of email.
Vishing - Phishing over the phone/VoIP.
Spam - Unsolicited email/Junk mail.
Spam over Instant Message (SPIM) - Unsolicited messages in a chat app or sms.
Spear Phishing - Targeted phishing, often personalized to the victim.
Dumpster Diving - Attacker collects data from garbage/discarded information.
Shoulder Surfing - Attacker collects data by looking at victim’s display.
Pharming - Redirecting website traffic to a fake/disguised site; can be done through DNS or by replacing the host's files.
Tailgating - Attacker follows somebody past a secure door to bypass required credentials.
Eliciting Information - Attacker collects data by persuading victim to provide it.
Whaling - Spear Phishing targeted at a high profile victim.
Prepending - Malicious code added to the beginning of a trusted source.
Identity Fraud - Attacker impersonates someone to get access/data.
Invoice Scams - Fake invoice sent to collect money/data.
Credential Harvesting - Tricking a victim to provide credentials.
Reconnaissance - Collecting info about a target often before an attack.
Watering Hole Attack - Attacker uses 3rd party sites often used by victim as a vector.
Typosquatting - Using similar-looking or deliberately misspelled names to trick the victim into visiting a fake site.
Pretexting - Attacker invents a scenario to trick the victim into providing data/access.
Influence Campaign - Marketing/propaganda, can be covert or overt.
Hybrid Warfare - Non-traditional state-sponsored attack: cyber, economic, political, etc.
Social Media - Using social media as a communications channel and for mass media manipulation.
Principles (reasons for effectiveness) - Social engineering principles/techniques
Authority - Often used with impersonation, used to get the victim to do something.
Intimidation - Attacker attempts to bully the victim into doing something.
Consensus - Attacker manipulates group-think to trick the victim into agreeing to something.
Scarcity - Attacker fakes limited resources to get the victim to act without thinking.
Familiarity - Attacker builds a rapport with the victim prior to the attack.
Trust - Attacker builds a trusting relationship with the victim prior to the attack.
Urgency - Attacker uses time pressure to push the victim into acting.