# Social Engineering
Social engineering is a common attack vector for most modern attacks.
## Examples
| Principle | Description | Example |
|---|---|---|
| Authority | Directed by someone impersonating authority figure or falsely citing their authority | “I’m the CEO calling.” |
| Intimidation | To frighten and coerce by threat | “If you don’t reset my password, I will call your supervisor.” |
| Consensus | Influenced by what others do | “I called last week, and your colleague reset my password.” |
| Scarcity | Something is in short supply | “I can’t waste time here.” |
| Urgency | Immediate action is needed | “My meeting with the board starts in 5 minutes.” |
| Familiarity | Victim is well known and well received | “I remember reading a good evaluation on you.” |
| Trust | Confidence | “You know who I am.” |
## Information
### Pretext
The fake scenario which the attacker roleplays in an attempt to gain the victim's trust.
## Phishing
Phishing typically involves some sort of email, message, or web announcement displayed or sent to a user in order to trick them into clicking on a malicious link (and therefore installing malware).
> [!NOTE]
> Phishing is sometimes used only to validate that certain email addresses are active. Attackers can embed images which are tracked by the web server hosting them, so loading the image confirms the message was opened. Most modern email clients will refuse to load images from unknown senders to reduce the likelihood this information is gathered.
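The note above describes tracking images; the following is an added example (not code from the original notes) of the check a mail client or gateway can make before deciding whether to load remote images. It parses a constructed HTML email body and flags `<img>` tags that look like tracking pixels: tiny dimensions, hidden by CSS, or a per-recipient query string. All hostnames use the reserved `.test` TLD and are invented for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a visible logo plus a hidden 1x1 pixel whose URL carries
# a per-recipient token (hostnames invented, reserved .test TLD).
SAMPLE_HTML = """
<html><body>
<p>Your statement is ready.</p>
<img src="https://cdn.example-bank.test/logo.png" width="120" height="40" alt="logo">
<img src="https://track.example-mailer.test/open?u=8f3a9c&amp;id=42" width="1" height="1" style="display:none">
</body></html>
"""


class RemoteImageCollector(HTMLParser):
    """Collect every <img> whose src points at a remote http/https host."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if urlparse(a.get("src", "")).scheme in ("http", "https"):
            self.images.append(a)


def _is_tiny(attrs):
    """True when the declared width or height is 1px or less."""
    def dim(name):
        try:
            return int(attrs.get(name, "").strip().rstrip("px"))
        except ValueError:
            return None
    w, h = dim("width"), dim("height")
    return (w is not None and w <= 1) or (h is not None and h <= 1)


def classify_remote_images(html):
    """Return one finding per remote image with the reasons it looks like a tracker.
    Two or more reasons marks the image as suspicious."""
    parser = RemoteImageCollector()
    parser.feed(html)
    findings = []
    for a in parser.images:
        reasons = []
        if _is_tiny(a):
            reasons.append("1x1 or smaller")
        if "display:none" in a.get("style", "").replace(" ", "").lower():
            reasons.append("hidden by CSS")
        if urlparse(a["src"]).query:
            reasons.append("per-recipient query string")
        findings.append({"src": a["src"], "suspicious": len(reasons) >= 2, "reasons": reasons})
    return findings


def tracking_pixel_urls(html):
    """Only the image URLs a client should refuse to fetch automatically."""
    return [f["src"] for f in classify_remote_images(html) if f["suspicious"]]


if __name__ == "__main__":
    for f in classify_remote_images(SAMPLE_HTML):
        print("SUSPICIOUS" if f["suspicious"] else "ok        ", f["src"], f["reasons"])
```

The two-reason threshold keeps a legitimately small decorative image, or a large image with a cache-busting query string, from being blocked on its own; the safest client policy remains the one the note describes, which is to load no remote images from unknown senders at all.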
### Types of phishing
#### Spear phishing
Customized messages which target a specific group of individual users and are targeted to look like a legitimate message addressed to each recipient.
#### Whaling
Similar to spear phishing, these attacks specifically target certain individuals. Rather than searching for specific info, these attacks simply go for the largest individuals in an organization. These attacks often involve spending a large amount of time crafting messages intended for C-suite executives or directors.
#### Vishing
Vishing is a type of phishing done over the phone. These attacks usually pretend to be a legitimate business needing to verify a purchase or update customer details. Sometimes a second attack vector is involved: the victim is asked to call the official company to verify the details, but the phone number given is also fake and prompts the user to input personal information. This attack assumes the victim will be wary and turns that caution against them: the victim follows what looks like standard verification procedure but is sent to a clone of the business instead.
#### Smishing
This attack is often performed similarly to vishing. Attackers will commonly pretend to be a legitimate company like a bank sending a text message (SMS) to the victim. These messages often ask users to visit a suspicious website or call a specific number which will request their personal info or credit card info.
#### Business Email Compromise (BEC)
A common attack vector is to use compromised email accounts to continue spreading more phishing across a network. Since these come from official emails, they are most likely to be trusted by users and email filters.
Business Email Compromise is particularly dangerous because it can exploit trusted business relationships to spread the attack scope to other businesses. Attackers may attempt to exploit a vendor's email to request payment rerouting to a fake bank account.
| BEC attack | Description |
|---|---|
| Bogus invoice | Pretending to be a legitimate supplier, an attacker sends a fake invoice for goods or services demanding immediate payment on an overdue account. |
| Executive fraud | Posing as a company executive, a threat actor sends an email to employees in the Finance Department telling them to immediately transfer funds for an unpublicized new company initiative but not to tell anyone about it. |
| Account compromise | A Finance Department employee’s email account is compromised and then each vendor in the contact list is sent an email demanding immediate payment for a fictitious service. |
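The three BEC patterns in the table share detectable traits: an executive's display name on a mailbox outside the company, a Reply-To that diverts answers to a different domain, and payment plus pressure language. The following is an added example (not code from the original notes) of a mail-gateway rule that scores constructed messages on those traits. The domains, names and message bodies are all invented for the example; in practice the executive list and internal domains come from the directory.

```python
from email.utils import parseaddr

# Constructed organisation data (reserved .test TLD, invented names).
INTERNAL_DOMAINS = {"example-corp.test"}
EXECUTIVES = {"jane doe": "jane.doe@example-corp.test"}  # lower-cased display name -> real mailbox
PAYMENT_TERMS = ("wire", "bank account", "transfer", "invoice", "overdue", "payment")
PRESSURE_TERMS = ("immediately", "urgent", "do not tell", "confidential", "asap")

# Constructed sample messages: one benign, one executive-fraud, one bogus-invoice rerouting.
SAMPLE_MESSAGES = [
    {"id": 1, "from": "Jane Doe <jane.doe@example-corp.test>", "reply_to": "",
     "subject": "Q3 offsite", "body": "Can we review the agenda tomorrow?"},
    {"id": 2, "from": "Jane Doe <ceo.janedoe@gmail-mail.test>", "reply_to": "",
     "subject": "Quick task",
     "body": "I need you to transfer funds immediately for a new initiative. Do not tell anyone."},
    {"id": 3, "from": "Accounts <ap@vendor-supplies.test>",
     "reply_to": "billing@vendor-supplies-payments.test",
     "subject": "Overdue invoice",
     "body": "Our bank account has changed; please send payment to the new account."},
]


def _domain(addr):
    """Domain part of an address, lower-cased; empty string if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(msg):
    """Return the list of BEC indicators present in one message."""
    name, addr = parseaddr(msg["from"])
    name = name.strip().lower()
    reasons = []
    # Executive display name but the mailbox is not the executive's real one.
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name]:
        reasons.append("executive display name from non-corporate mailbox")
    # Replies silently diverted to another domain (classic invoice rerouting).
    if msg.get("reply_to"):
        _, reply_addr = parseaddr(msg["reply_to"])
        if _domain(reply_addr) and _domain(reply_addr) != _domain(addr):
            reasons.append("Reply-To domain differs from From domain")
    text = (msg["subject"] + " " + msg["body"]).lower()
    if any(t in text for t in PAYMENT_TERMS):
        reasons.append("payment language")
    if any(t in text for t in PRESSURE_TERMS):
        reasons.append("urgency or secrecy language")
    return reasons


def flag_bec(messages, threshold=2):
    """Messages with at least `threshold` indicators, as (id, reasons) pairs."""
    flagged = []
    for m in messages:
        reasons = score_message(m)
        if len(reasons) >= threshold:
            flagged.append((m["id"], reasons))
    return flagged


if __name__ == "__main__":
    for msg_id, reasons in flag_bec(SAMPLE_MESSAGES):
        print(f"message {msg_id}: {', '.join(reasons)}")
```

A single indicator is weak on its own (vendors do legitimately use separate billing mailboxes), which is why the rule requires two before flagging; the account-compromise case in the table, where mail really does come from the internal mailbox, needs a different signal such as an unusual volume of payment demands from one account, which this rule does not cover.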
## Impersonation
Impersonation often aims to masquerade as a trusted person or support role in an attempt to gain information on users. Attackers often provide a pretext to gain the victim's trust, then exploit that pretext to gain information that the victim would feel safe providing to the person being impersonated.
## Redirection
Attackers may use certain tactics to make a victim believe they are being sent to the correct site or resource, while tactics like typo-squatting actually send the victim to a malicious website.
### Typo-squatting
Typo-squatting relies on purchasing domains which are often one character off from a legitimate domain.
#### Caveats
Since HTTPS can only verify that the server belongs to the domain in the URL, HTTPS cannot protect you from going to the wrong website altogether. This is why it is important to verify you recognize the URL of the website you are visiting. A second, similar method called pharming can be stopped using HTTPS.
### Pharming
Pharming attempts to redirect the user forcefully. On personal devices this can be accomplished by installing malware. On corporate or public networks, it may be possible to compromise the DNS server or perform man-in-the-middle attacks against DNS queries. The attacker may attempt to remap a DNS lookup for a legitimate website to their own server's IP address.
#### Defenses
As previously mentioned, HTTPS should verify that you were sent to the correct website. In order to verify that you ended up on the correct server, HTTPS checks that the server holds a valid certificate for that website. If the clone presents a forged certificate, the browser will refuse to proceed and state that the site is insecure. It is up to IT administrators to ensure that untrusted certificate authorities (CAs) are not installed on devices, since a rogue CA would allow certificate forgery.
> [!NOTE]
> Certificate warnings: Companies like Let's Encrypt offer free certificates that are universally trusted. By making self-signed certificates less common, browser warnings no longer cry wolf and users are more likely to click off of a website with a self-signed certificate. Third-party certificates are trusted by browsers because issuers must verify that the party they issue the certificate to is the rightful owner of the domain name.
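The typo-squatting subsection above makes the point that HTTPS cannot tell you the URL is the one you meant, so the check has to happen on the hostname itself. The following is an added example (not code from the original notes) of such a check as a URL filter would implement it: it compares a hostname against an allowlist of protected domains, normalizes common digit-for-letter swaps, and uses an edit distance that counts adjacent transpositions (so one swapped or changed character, as the text describes, is distance 1). The protected domains and test hosts are constructed on the reserved `.test` TLD.

```python
from urllib.parse import urlparse

# Constructed allowlist of domains to protect (invented, reserved .test TLD).
PROTECTED_DOMAINS = {"example-bank.test", "example-corp.test"}

# Character swaps commonly used in lookalike registrations; collapsed before comparing.
HOMOGLYPHS = {"0": "o", "1": "l", "|": "l", "5": "s", "vv": "w", "rn": "m"}


def normalize(host):
    """Lower-case the host and collapse homoglyphs to the letters they imitate."""
    s = host.lower()
    for glyph, letter in HOMOGLYPHS.items():
        s = s.replace(glyph, letter)
    return s


def osa_distance(a, b):
    """Optimal string alignment distance: insertion, deletion, substitution and
    adjacent transposition each cost 1, so 'exmaple' is distance 1 from 'example'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_host(host, protected=PROTECTED_DOMAINS, max_distance=1):
    """Return (verdict, matched_domain) with verdict one of:
    legitimate, embedded-brand, lookalike, unknown."""
    host = host.lower().rstrip(".")
    bare = host[4:] if host.startswith("www.") else host
    # Exact match or a real subdomain of a protected domain.
    for p in protected:
        if bare == p or bare.endswith("." + p):
            return ("legitimate", p)
    # Brand present as labels but not as the registrable domain,
    # e.g. example-bank.test.secure-login.test
    for p in protected:
        if p in bare:
            return ("embedded-brand", p)
    # One edit (or one homoglyph swap) away from a protected domain.
    for p in protected:
        if osa_distance(normalize(bare), p) <= max_distance:
            return ("lookalike", p)
    return ("unknown", None)


def classify_url(url):
    """Classify the hostname of a full URL."""
    return classify_host(urlparse(url).hostname or "")


if __name__ == "__main__":
    for h in ["www.example-bank.test", "exmaple-bank.test", "examp1e-bank.test",
              "example-bank.test.secure-login.test", "unrelated-shop.test"]:
        print(h, "->", classify_host(h))
```

The distance is computed on the whole hostname rather than only the second-level label, so a registration that changes the TLD alone (one substitution) is also caught; raising `max_distance` above 1 quickly produces false positives on short domains, so it is better to grow the homoglyph table than the distance.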
## Misinformation and Disinformation
Misinformation is any false or inaccurate information. On the other hand, disinformation is misinformation specifically originating from malicious intent. Attackers will often use social engineering pretexts to spread a hoax, a form of disinformation. Attackers may spread disinformation about misconfigurations, incidents, or account issues. Attackers can use this information to trick users into disclosing sensitive information. Users may install software, spread fake emails, or make security changes in response to the disinformation in the pretext.
## Watering Hole Attack
This attack is named by analogy with its namesake: predators wait where their prey must gather. Attackers will locate resources which are commonly used by a specific group (such as executives at a company) and compromise them. While any series of attacks may work, this attack pattern is named after the selection strategy of finding commonality between a group of targets.
## Data Reconnaissance
### Dumpster diving
Dumpster diving can be lucrative at businesses whose security policies have gaps in physical security even where their cybersecurity is otherwise sufficient. Dumpster diving usually involves finding things like employee records, financial data, memos, and other private info. Most businesses mitigate this risk by appropriately shredding sensitive documents. In a similar manner, many organizations will auction off their old equipment. While items may be sold anonymously, data recovered from them can still be sold on the dark web for a profit if it can be traced to a specific company. Ensuring proper data destruction is paramount in avoiding these attacks.
### Google Dorking
Google Dorking involves crafting specific Google search queries to find information about a specific company and its employees. Websites like LinkedIn often contain valuable information in the form of job listings requesting experience with certain software products. LinkedIn can sometimes expose employee information like email addresses and titles. In some instances, Google dorking may find information that was intended to be hidden but was not properly hidden from search engines. Using filters like `filetype:pdf` may expose internal documents that were left on a web server.
### Shoulder Surfing
Shoulder surfing is a technique that has limited use but can be nearly unpreventable in certain circumstances. Shoulder surfing typically encompasses quick actions like watching someone enter a PIN or access code into a building. Additional vectors may include setting up webcams in common areas. An attacker may even be able to find easy targets at coffee shops where workers frequently stop by. Covering codes as you type them and installing privacy screen protectors on your phone are good prevention methods.