1.1

Physical Attacks -

Tailgating

Shoulder Surfing

Dumpster Diving

Virtual Attacks

Phishing

Spear Phishing

Whaling

Vishing

Hoax

Watering Hole Attack

Social Engineering -

an attempt by an attacker to convince someone to provide info (like a password) or perform an action they wouldn’t normally perform (such as clicking on a malicious link)

Social engineers often try to gain access to the IT infrastructure or the physical facility.

Phishing -

commonly used to try to trick users into giving up personal information (such as user accounts and passwords), click a malicious link, or open a malicious attachment.

Spear phishing

targets specific groups of users

Whaling

targets high-level executives

Vishing

(voice phishing) phone-based

Smishing

uses sms(text) messaging on mobile

Spam -

Unsolicited email, generally considered an irritant

SPIM -

SPAM over instant messaging, also generally considered an irritant

Dumpster Diving -

Gathering important details (intelligence) from

things that people have thrown out in their trash.

(Legal, might target individuals or organizations)

Tailgating -

when an unauthorized individual might follow you in through that open door without badging in themselves.

Eliciting Information (Elicitation)

strategic use of casual conversation to extract information without the arousing suspicion of the target

Shoulder Surfing -

a criminal practice where thieves steal your personal data by spying over your shoulder

Pharming -

an online scam similar to phishing, where a website's traffic is manipulated, and confidential information is stolen.

Identity Fraud

use of another person's personal information, without authorization, to commit a crime or to deceive or defraud that person or other 3rd party

Prepending -

Prepending is adding words or phrases like “SAFE” to a malicious file or suggesting topics via social engineering to uncover information of interest.

Invoice Scams -

fake invoices with a goal of receiving money or

by prompting a victim to put their credentials

into a fake login screen.

Credential Harvesting -

attackers trying to gain access to your usernames and passwords that might be stored on your local computer

Countermeasures to Credential Harvesting -

email defense, anti-malware, EDR/XDR solutions that will check URLs and block the scripts often used to execute the attack

Passive discovery -

Techniques that do not send packets to the target; like Google hacking, phone calls, DNS and WHOIS lookups

Semi-passive discovery

Touches the target with packets in a non-aggressive fashion to avoid raising alarms of the target

Active Discovery -

More aggressive techniques likely to be noticed by the target, including port scanning, and tools like nmap and Metaspoit

Hoaxes -

Intentional falsehoods coming in a variety of forms ranging from virus hoaxes to fake news. Social media plays a prominent role in hoaxes today

Impersonation -

A form of fraud in which attackers pose as a known or trusted person to dupe the user into sharing sensitive info, transferring money, etc.

Watering Hole Attack -

Attack strategy in which an attacker guesses or observes which websites an organization often uses and infects one or more of them with malware

Typo squatting (URL Hijacking) -

a form of cybersquatting (sitting on sites under someone else’s brand or copyright) targeting users who type an incorrect website address

Pretexting -

an attacker tries to convince a victim to give up information of value, or access to a service or system.

Influence Campaigns -

A social engineering attack intended to manipulate the thoughts and minds of large groups of people

Hybrid Warfare

Attack using a mixture of conventional and unconventional methods and resources to carry out the campaign, can use social media and fake accounts

Principles of Social Engineering -

Authority

Intimidation

Consensus

Scarcity

Familiarity

Trust

Urgency

Authority -

Citing position, responsibility, or affiliation that grants the attacker the authority to make the request

Intimidation -

Suggesting you may face negative outcomes if you do not facilitate access or initiate a process.

Consensus -

Claiming that someone in a similar position or peer has carried out the same task in the past.

Scarcity (quantity) -

Limited opportunity, diminishing availability that requires we get this done in a certain amount of time, similar to urgency.

Familiarity (liking) -

Attempting to establish a personal connection, often citing mutual acquaintances, social proof

Trust -

Citing knowledge and experience, assisting the to target with a issue, to establish a relationship.

Urgency -

Time sensitivity that demands immediate action, similar to scarcity