In this video you will learn about social engineering techniques such as: prepending, identity fraud, invoice scams, credential harvesting, reconnaissance, hoax, impersonation, watering hole attack, typosquatting, pretexting, influence campaigns, & principles pertaining to reasons for effectiveness.
Prepending
Prepend is a word that means to attach content as a prefix. It is often used in different kinds of programming and in automated processes. Some prepending is done manually: for example, a programmer might call a prepend function in a scripting language to add certain characters of text to the beginning of a string variable or object. Other kinds of prepending are automated.[1] You can configure email servers or email cloud services to prepend a tag to the subject line of messages that arrive from outside the organization, so that recipients can immediately recognize external email.[2]
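As an added example that is not part of the original page, the following Python models the gateway rule just described: messages from outside the organization get a fixed tag prepended to their subject, and a subject that already carries the tag (for instance after an internal reply) is left alone. The domain list, tag text and sample headers are constructed for this example.

```python
"""Added example: prepend an external-mail tag to email subjects.

Assumption: a real gateway decides "external" from the delivery path
(which connector or relay the message arrived on). The From: header is
forgeable and is used here only to keep the example self-contained."""
from email.utils import parseaddr

# Constructed organization domains and tag text (not from the page).
INTERNAL_DOMAINS = {"example.com", "corp.example.com"}
EXTERNAL_TAG = "[EXTERNAL]"


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the address in a From: header.

    parseaddr() returns the address part, so the display name in
    'Alice Example <alice@evil.test>' does not influence the result."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_external(from_header: str) -> bool:
    """Unparseable or empty senders are treated as external (fail closed)."""
    return sender_domain(from_header) not in INTERNAL_DOMAINS


def prepend_external_tag(subject: str, from_header: str) -> str:
    """Prepend EXTERNAL_TAG to the subject of external mail.

    Idempotent: a subject that already contains the tag, even behind a
    'Re:' or 'Fwd:' prefix from an internal reply chain, is not tagged
    a second time, so long threads do not accumulate repeated tags."""
    if not is_external(from_header):
        return subject
    if EXTERNAL_TAG in subject:
        return subject
    return f"{EXTERNAL_TAG} {subject}".strip()
```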
Identity Fraud
Identity theft occurs when an assailant impersonates you for their own gain using stolen information that is often used to identify you (social security number, address, etc.). Examples of some of the nefarious actions that may be carried out by a criminal using your identity include:[3]
Invoice Scams
In an invoice scam, scammers send unsolicited emails and other messages to victims that include an “invoice” (as a malicious attachment) for something the victim has not purchased. For instance, a scammer might send you a targeted email message including an invoice for something that you most likely have purchased in the past. The scammer may first look for information about you and then send a targeted email with such an invoice.[2] Typically, these scams work in three steps:
Fake invoice scams take advantage of the fact that the average email user or someone handling administrative tasks for a business (or personal affairs) may not know whether any product or service has actually been purchased.[4]
Credential Harvesting
Credential harvesting (password harvesting) is the process of gathering valid usernames, passwords, private emails, & email addresses through infrastructure breaches. The possible motivations for such a breach are many: the hackers could sell sensitive personal & financial data on the dark web; gain access to a company network for purposes of corporate espionage and steal IP or other assets; or use the data to embezzle money. A commonly cited source of credential harvesting is the use of phishing emails. These emails contain an attachment or an embedded hyperlink that, when opened or clicked, installs data-stealing programs on your machine. While phishing emails are the most common avenue, credential harvesting can also be performed by malware, cloned website links, the use of insecure third-party vendors, and ransomware. In many cases, the breached user has no knowledge that the malicious attack has even occurred.[5]
Reconnaissance
In the context of cybersecurity, reconnaissance is the practice of covertly discovering & collecting information about a system. This method is often used in ethical hacking or penetration testing. Reconnaissance generally follows seven steps:
Using these steps, an attacker will aim to gain the following information about a network:
One of the most common techniques involved with reconnaissance is port scanning, which sends data to various TCP & UDP ports on a device and evaluates the response.[6]
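From the defender’s side, a port scan shows up in firewall deny logs as one source touching many distinct ports on one host in a short time. The following Python, an added example that is not from the original page, flags such source/destination pairs using a sliding time window; the log format and the sample lines are constructed for this example.

```python
"""Added example: detect port-scan patterns in firewall deny logs.
Log line format (constructed): "<ISO time> DENY <proto> <src> -> <dst>:<port>"."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one host sweeps ten ports in four seconds,
# a second host touches two ports half an hour apart (normal traffic).
SAMPLE_LOG = """\
2024-05-01T10:00:01 DENY TCP 203.0.113.7 -> 192.0.2.10:21
2024-05-01T10:00:01 DENY TCP 203.0.113.7 -> 192.0.2.10:22
2024-05-01T10:00:02 DENY TCP 203.0.113.7 -> 192.0.2.10:23
2024-05-01T10:00:02 DENY TCP 203.0.113.7 -> 192.0.2.10:25
2024-05-01T10:00:03 DENY UDP 203.0.113.7 -> 192.0.2.10:53
2024-05-01T10:00:03 DENY TCP 203.0.113.7 -> 192.0.2.10:80
2024-05-01T10:00:04 DENY TCP 203.0.113.7 -> 192.0.2.10:443
2024-05-01T10:00:04 DENY TCP 203.0.113.7 -> 192.0.2.10:445
2024-05-01T10:00:05 DENY TCP 203.0.113.7 -> 192.0.2.10:3389
2024-05-01T10:00:05 DENY TCP 203.0.113.7 -> 192.0.2.10:8080
2024-05-01T10:00:09 DENY TCP 198.51.100.4 -> 192.0.2.10:443
2024-05-01T10:30:00 DENY TCP 198.51.100.4 -> 192.0.2.10:22
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst_ip, (proto, port))."""
    ts, _action, proto, src, _arrow, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, (proto, int(dst_port))


def find_port_scans(log_text, window=timedelta(seconds=60), min_ports=8):
    """Return {(src, dst): peak_ports} for pairs whose distinct (proto, port)
    count within any single `window` reached `min_ports`. Thresholds are a
    tuning choice: lower them to catch slow scans, raise them to cut noise."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, port = parse_line(line)
            events[(src, dst)].append((ts, port))
    hits = {}
    for pair, evs in events.items():
        evs.sort()
        start, seen = 0, defaultdict(int)  # port -> hits inside the window
        for ts, port in evs:
            seen[port] += 1
            while evs[start][0] < ts - window:  # drop events older than window
                old = evs[start][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            if len(seen) >= min_ports:
                hits[pair] = max(hits.get(pair, 0), len(seen))
    return hits
```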
Hoax
A hoax is an attempt to deceive people into believing something that is false. The line between hoaxes & phishing can be blurry. However, hoaxes can be delivered in person or through other means of communication, whereas phishing is generally limited to e-communication & phone. Although phishing can occur at any time, and with the specific goal of obtaining private information, a hoax is often perpetrated on holidays or other special days and may be carried out simply for fun. Regardless, hoaxes can use up valuable organization resources such as email replies, Internet bandwidth usage, time spent, etc.[2]
Impersonation
Impersonation is a form of fraud in which attackers pose as a known or trusted person to dupe an employee into transferring money to a fraudulent account, sharing sensitive information (such as intellectual property, financial data or payroll information), or revealing login credentials that attackers can use to hack into a company’s computer network. CEO fraud, business email compromise and whaling are specific forms of impersonation attacks where malicious individuals pose as high-level executives within a company. Impersonation attacks are typically malware-less attacks conducted through email using social engineering to gain the trust of a targeted employee. Attackers may research a victim online, gathering information from social media accounts and other online sources which, when used in the text of an email, can lend authenticity to the message.[7]
Watering Hole Attack
A watering hole attack is a computer attack strategy in which an attacker guesses or observes which websites an organization often uses and infects one or more of them with malware. Eventually, some members of the targeted group will become infected.[8] Attacks looking for specific information may target only users coming from a specific IP address, which also makes them harder to detect and research.[9]
Typosquatting
Typosquatting (also called URL hijacking or a fake URL) is a form of cybersquatting, and possibly brandjacking, which relies on mistakes such as typos made by Internet users when entering a website address into a web browser. Should a user accidentally enter an incorrect website address, they may be led to any URL (including an alternative website owned by a cybersquatter).[10] The typosquatter’s URL will usually be one of five kinds, all similar to the victim site’s address:
Once on a typosquatter’s site, the user may also be tricked into thinking that they are in fact on the real site, through the use of copied or similar logos, website layouts, or content. Spam emails sometimes make use of typosquatting URLs to trick users into visiting malicious sites that look like a given bank’s site.
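A defender can catch many of these lookalike addresses mechanically: compare the registrable part of an observed domain against the domains you protect using an edit distance that counts the classic fat-finger transposition as one edit, fold common lookalike characters first, and separately flag the case where a brand name is used as a leading label of an unrelated domain. The following Python is an added example, not code from the original page; the protected domains and sample inputs are constructed, and it assumes the last two labels form the registrable domain (a real deployment would consult the public suffix list).

```python
"""Added example: classify observed domains against a list of protected ones.
Assumption: the registrable domain is the last two labels (no public suffix list)."""

# Constructed protected domains (not from the page).
PROTECTED = {"example.com", "examplebank.com"}
# Digits and letter pairs commonly used to imitate other characters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(label):
    """Fold lookalike characters so 'examp1e' and 'exarnple' compare as 'example'."""
    return label.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, or swap
    two adjacent characters each cost 1, so a transposed pair is one typo."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(domain, protected=PROTECTED, max_dist=1):
    """Return 'legit', 'lookalike', 'subdomain-abuse' or 'unrelated'.
    max_dist=1 keeps false positives low; raise it to catch sloppier variants."""
    labels = domain.lower().strip(".").split(".")
    registrable = ".".join(labels[-2:])
    if registrable in protected:
        return "legit"
    brand_names = {p.split(".")[0] for p in protected}
    # Brand as a leading label of someone else's domain: example.com.evil.test
    if any(normalize(l) in brand_names for l in labels[:-2]):
        return "subdomain-abuse"
    name = normalize(labels[-2])
    # Covers a wrong TLD (distance 0) as well as one-edit typos of the name.
    if any(osa_distance(name, brand) <= max_dist for brand in brand_names):
        return "lookalike"
    return "unrelated"
```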
Pretexting
Pretexting is a type of social engineering attack that involves a situation, or pretext, created by an attacker in order to lure a victim into a vulnerable situation and to trick them into giving private information, specifically information that the victim would typically not give outside the context of the pretext.[11] Historically, pretexting has been described as the first stage of social engineering, and has been used by the FBI to aid in investigations.[12] One reason for pretexting’s prevalence among social engineering attacks is that it relies on manipulating people in order to gain access to the information the attacker wants, rather than on hacking a technological system. When looking for victims, attackers look for a variety of characteristics, such as willingness to trust, low perception of threat, response to authority, and susceptibility to react with fear or excitement in different situations.[13]
Influence Campaigns
Principles (Reasons for Effectiveness)
The following are several motivation techniques used by social engineers:[2]
References