Social Engineering Techniques | CompTIA Security+ SY0-601 | 1.1a

In this video you are going to learn about social engineering techniques such as: phishing, smishing, vishing, spam, SPIM, spear phishing, pharming, tailgating, eliciting information, dumpster diving, shoulder surfing, & whaling.

Phishing

Phishing is the fraudulent attempt to obtain sensitive information or data, such as usernames, passwords and credit card details, by disguising oneself as a trustworthy entity in a digital communication. Phishing often directs users to enter personal information at a fake website whose look and feel matches the legitimate website.
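One way a defender can catch the "fake website that matches the look and feel of the real one" lure is to inspect the links in a suspicious HTML email: a link whose visible text shows a trusted address but whose href points somewhere else, or whose host is outside the organisation's known domains, is a phishing indicator. The following is an added example written for this page, not code from the video or from CompTIA; the sample email body, the `.test` / `.example` domains and the `find_suspicious_links` helper name are all constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches anchor text that itself looks like a URL or bare domain
# (so we can compare what the reader sees against where the link goes).
_URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Return the lower-cased hostname of a URL or bare domain string."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def find_suspicious_links(html, trusted_domains):
    """Return (href, visible_text, reason) for every link that should be reviewed.

    Two checks: (1) the displayed text is a URL/domain whose host differs from
    the href's host; (2) the href host is not one of the trusted domains.
    """
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = _host(href)
        shown = _host(text) if _URL_LIKE.fullmatch(text) else ""
        if shown and shown != target:
            findings.append((href, text, "display/href mismatch"))
            continue
        if not any(target == d or target.endswith("." + d) for d in trusted_domains):
            findings.append((href, text, "untrusted host"))
    return findings


# Constructed sample email body (not a real message).
SAMPLE_EMAIL = """
<p>Dear customer,</p>
<p>Please verify your account at
<a href="http://examplebank.test.login-verify.example/session">https://www.examplebank.test/login</a>
within 24 hours.</p>
<p>Questions? See <a href="https://www.examplebank.test/help">our help page</a>.</p>
<p><a href="http://203.0.113.10/x">Click here</a> to unsubscribe.</p>
"""

TRUSTED = {"examplebank.test"}  # assumed list of the organisation's own domains

if __name__ == "__main__":
    for href, text, reason in find_suspicious_links(SAMPLE_EMAIL, TRUSTED):
        print(f"{reason:24} text={text!r} href={href}")
```

Running it on the constructed message flags the first link (the text shows the bank's address while the href goes to a look-alike host) and the raw-IP "unsubscribe" link, and leaves the genuine help-page link alone. The same check can be wired into a mail gateway or used to triage user-reported messages.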

Smishing

Smishing is any kind of phishing that involves a text message.  Most often the lure arrives as an SMS containing a link or a phone number to call.  Smishing is particularly problematic because people tend to be more inclined to trust a text message than an email.  Most people are aware of the security risks of clicking on links in emails; this is less true when it comes to text messages.  Smishing uses elements of social engineering to get you to share your personal information, leveraging your trust in order to obtain it.  The information a smisher is looking for can be anything from an online password to your social security number to your credit card information.  Another tactic used by a smisher is to claim that unless you click a link & enter your personal information you will be charged per day for use of a service.  If you haven’t signed up for the service, ignore the message.  If you see any unauthorized charges on your credit or debit card statement, alert your bank so they can open an investigation and hopefully refund your money.[1]

Vishing

Vishing (voice phishing) is the use of telephony (often VoIP) to conduct phishing attacks.  Vishing fraudsters often use modern VoIP features such as caller ID spoofing and automated systems to impede detection by law enforcement agencies.  Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.  Usually, vishing attacks are conducted using automated text-to-speech systems that direct a victim to call a number controlled by the attacker; however, some use live callers.[2]  Posing as an employee of a legitimate body such as a bank, the police, or a telephone or internet provider, the fraudster attempts to obtain personal details & financial information regarding credit cards and bank accounts, as well as other personal information about the victim.  With the received information, the fraudster might be able to access & empty the account or commit identity fraud.  Some fraudsters may also try to persuade the victim to transfer money to another bank account or withdraw cash to be given to them directly.[3]  Callers often pose as law enforcement or as an IRS employee.[4]  Scammers often target immigrants & the elderly,[5] who are coerced to wire hundreds of thousands of dollars in response to threats of arrest or deportation.[6]

Spam

Spamming is the use of messaging systems to send multiple unsolicited messages to large numbers of recipients for the purpose of commercial advertising, for the purpose of non-commercial proselytizing, for any prohibited purpose (especially the fraudulent purpose of phishing), or simply sending the same message over and over to the same user.  While the most widely recognized form of spam is email spam, the term is applied to similar abuses in other media:  instant messaging spam, mobile phone messaging spam, social spam, etc.  Spamming remains electronically viable because advertisers have no operating costs beyond the management of their mailing lists, servers, infrastructures, IP ranges, and domain names, and it is difficult to hold senders accountable for their mass mailings.[7]

Spam over Instant Messaging (SPIM)

SPIM (messaging spam) is a type of spam targeting users of instant messaging (IM) services, SMS, or private messages within websites.  Instant messaging systems, such as WhatsApp, are targets for spammers.  Many IM services are publicly linked to social media platforms, which may include information on the user such as age, sex, location & interests.  Advertisers and scammers can gather this information, sign on to the service, & send unsolicited messages which could contain scam links, malware or ransomware.  With most services users can report & block spam accounts, or set privacy settings so only contacts can contact them.

Spear Phishing

Spear phishing involves an attacker directly targeting a specific organization or person with tailored phishing communications.[8]  This is essentially the creation and sending of emails to a particular person to make that person think the email is legitimate.  In contrast to bulk phishing, spear phishing attackers often gather & use personal information about their target to increase the attack’s probability of success.[9]  Spear phishing typically targets executives or those who work in financial departments and have access to the organization’s sensitive financial data and services.

Pharming

Pharming is a cyberattack intended to redirect a website’s traffic to another, fake site.  It can be conducted either by installing a malicious program that changes the hosts file on a victim’s computer or by exploiting a vulnerability in DNS server software.  DNS servers are responsible for resolving Internet names into their real IP addresses.  Compromised DNS servers are sometimes referred to as “poisoned”.  Because altering the hosts file requires unprotected access to the target machine, this form of pharming is typically aimed at a customer’s home computer rather than a corporate business server.
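Because the hosts file is consulted before DNS on Windows (`C:\Windows\System32\drivers\etc\hosts`) and on Linux/macOS (`/etc/hosts`), a simple defensive check against the hosts-file form of pharming is to audit that file for static mappings that pin a sensitive domain (a bank, a webmail provider, a corporate login portal) to a non-loopback address. The following is an added example written for this page, not code from the video or from CompTIA; the sample hosts content, the watchlist domain and the `audit_hosts` helper name are constructed for illustration, and in practice you would pass the real file's contents instead of `SAMPLE_HOSTS`.

```python
import ipaddress

# Names that legitimately appear in a default hosts file and need no review.
_BENIGN_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost",
                 "ip6-loopback", "broadcasthost"}


def parse_hosts(text):
    """Yield (line_number, ip_address, hostname) for every mapping in hosts-file text.

    Handles comments, blank lines, multiple aliases per line and IPv6 entries;
    lines whose first field is not a valid IP address are skipped.
    """
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # malformed line, not a mapping
        for name in fields[1:]:
            yield lineno, addr, name.lower()


def audit_hosts(text, watchlist):
    """Return a list of (line_number, ip, hostname, severity) entries worth reviewing.

    severity "high": a watchlisted domain (or a subdomain of one) is statically
                     mapped to a non-loopback address, the classic pharming sign.
    severity "info": any other non-loopback static mapping, which may be a
                     legitimate intranet entry but should be in a known baseline.
    """
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if addr.is_loopback or addr.is_unspecified or name in _BENIGN_NAMES:
            continue
        watched = any(name == d or name.endswith("." + d) for d in watchlist)
        findings.append((lineno, str(addr), name, "high" if watched else "info"))
    return findings


# Constructed sample hosts-file content (not taken from any real machine).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
10.0.0.5    intranet.corp.example   # legitimate internal host
# added by "update" on 2024-01-01
203.0.113.45  www.examplebank.test examplebank.test
"""

WATCHLIST = {"examplebank.test"}  # assumed set of sensitive domains users visit

if __name__ == "__main__":
    # To audit a live system, read the real file instead of SAMPLE_HOSTS, e.g.:
    #   text = open("/etc/hosts").read()
    for lineno, ip, name, severity in audit_hosts(SAMPLE_HOSTS, WATCHLIST):
        print(f"line {lineno}: {severity.upper():4} {name} -> {ip}")
```

On the constructed input the audit reports both bank hostnames on line 5 as high severity and the intranet mapping on line 3 as informational. A scheduled run that compares the file's hash or the audit output against a known-good baseline turns this into a lightweight endpoint detection for hosts-file tampering.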

Tailgating

Tailgating, also known as piggybacking, is a common social engineering attack in which attackers seek entry to a restricted area without proper authentication.  The perpetrators can simply follow an authorized person into a restricted location.  They can impersonate delivery workers carrying a stack of packages and wait for an employee to open the door, or ask the unknowing target to hold the door, bypassing security measures like electronic access control.[10]

Eliciting Information

Eliciting information is the subtle extraction of information during an apparently normal & innocent conversation.  Most intelligence operatives are well trained to take advantage of professional or social opportunities to interact with persons who have access to classified or other protected information.  Conducted by a skillful intelligence collector, elicitation appears to be normal social or professional conversation and can occur anywhere, such as a restaurant, conference, a visit to one’s home, etc.  But it is a conversation with a purpose, to collect information about your work or to collect assessment information about you or your colleagues.  Elicitation may involve a cover story or pretext to explain why questions are being asked.  Some elicitation efforts can be pretty aggressive, imaginative, or involve extensive planning.  Through elicitation, intelligence collectors may confirm or expand their knowledge of a sensitive program or may gain clearer insight into a person’s potential susceptibility to recruitment.[11]

Dumpster Diving

Dumpster diving is a technique used to retrieve information that could be used to carry out an attack on a computer network. It isn’t limited to searching through the trash for obvious treasures like access codes or passwords written on sticky notes. Seemingly innocent information like a phone list, calendar, or organization chart can help an attacker using social engineering techniques to gain access to the network. To limit the prospects of a dumpster diver, paper shredders or shredding services should be employed to keep the available data to a minimum.

Shoulder Surfing

Shoulder surfing is a type of social engineering technique used to obtain information such as personal identification numbers (PINs), passwords and other confidential data by looking over the victim’s shoulder to observe keystrokes on a device, or by overhearing sensitive information being spoken aloud, which is also known as eavesdropping.

Whaling

Whaling is a specific type of phishing attack that targets high-profile employees, such as the CEO or CFO, in order to steal sensitive information from a company.  In many whaling attacks, the attacker’s goal is to manipulate the victim into authorizing high-value wire transfers to the attacker.  Due to their highly targeted nature, whaling attacks are often more difficult to detect and prevent than standard phishing attacks.  In the enterprise, security administrators can help reduce the effectiveness of whaling attacks by encouraging corporate management staff to undergo information security awareness training.[12]