CHAPTER 1

Social Engineering Techniques

In this chapter, you will

•   Examine the types of attacks associated with social engineering

•   Compare and contrast the different social engineering techniques

Social engineering is a method of using people as part of an attack process. Social engineering is just a step in the overall attack process, but it is an effective way of starting an attack on a system. There are various forms of technical attacks against the computer components of a system, but in each case, there is a starting point by which the attack is presented to the system. In this chapter, we examine the various types of social engineering techniques that can be employed to begin the attack cycle.

Certification Objective  This chapter covers CompTIA Security+ exam objective 1.1: Compare and contrast different types of social engineering techniques.

Social Engineering Methods

Social engineering is an attack against a user, and typically involves some form of social interaction. The weakness that is being exploited in the attack is not necessarily one of technical knowledge or even security awareness. Social engineering at its heart involves manipulating the very social nature of interpersonal relationships. It, in essence, preys on several characteristics we tend to desire. The willingness to help, for instance, is a characteristic one would like to see in a team environment. We want employees who help each other, and we tend to reward those who are helpful and punish those who are not.

If our work culture is built around collaboration and teamwork, then how can this be exploited? It is not simple, but it can be accomplished through a series of subtle ruses. One is built around the concept of developing a sense of familiarity—making it seem as if you belong to the group. For example, by injecting yourself into a conversation or encounter, armed with the right words and the correct information, you can make it seem as if you belong. Through careful name dropping and aligning your story with current events and expectations, you can just slip in unnoticed. Another example is by arriving at a door at the same time as a person with an ID card, carrying something in both your hands, you probably can get them to open and hold the door for you. An even more successful technique is to have a conversation on the way to the door over something that makes you fit in. People want to help, and this tactic encourages the person to help you.

A second method involves creating a hostile situation. People tend to want to avoid hostility, so if you are engaged in a heated argument with someone as you enter the group you wish to join—making sure not only that you are losing the argument, but that it also seems totally unfair—you instantly can build a connection to anyone who has been similarly mistreated. Play on sympathy and their desire for compassion, and use the situation to create a connection with the group.

A good social engineer understands how to use body language to influence others—how to smile at the right time, how to mirror movements, how to influence others not through words but through body language cues. Any woman who has used body language to get a man to do something without directly asking him to do it understands this game. Men understand as well, and they play because they are attempting to get something, too. When someone has the key information you need for a project, a proposal, or any other important thing, trading a quid pro quo is an unspoken ritual. And if you do this with someone who has malicious intent, then remember the saying, “Beware of Greeks bearing gifts.”

NOTE   Much of social engineering will play to known stereotypical behavior. Detailing this material is not meant to justify the behaviors, for they are in fact wrong. But it is important to watch for them, for these are the tools used by social engineers—crying babies, flirting, hiding in plain sight (the janitor, plant waterer, pizza delivery person). We are all blinded by biases and conditioning, and social engineers know and exploit these weaknesses. And if called out on their behavior, they will even go with that and protest too much or agree too much—whatever it takes to win a person over. Don’t be that person—either the one using stereotypes or the one falling prey to them.

The best defense against social engineering attacks is a comprehensive training and awareness program that includes social engineering, but this does not mean that employees should be trained to be stubborn and unhelpful. Rather, training should emphasize the value of being helpful and working as a team but doing so in an environment where trust is verified and is a ritual without social stigma. No one will get past Transportation Security Administration (TSA) employees with social engineering techniques when checking in at an airport, because they dispassionately enforce and follow set procedures, but they frequently do so with kindness, politeness, and helpfulness while also ensuring that the screening procedures are always completed.

EXAM TIP   For the exam, be familiar with all of the various social engineering attacks and the associated effectiveness of each attack.

Tools

The tools in a social engineer’s toolbox are based on a knowledge of psychology and don’t necessarily require a sophisticated knowledge of software or hardware. The social engineer will employ strategies aimed at exploiting people’s own biases and beliefs in a manner to momentarily deny them the service of good judgment and the use of standard procedures. Employing social engineering tools is second nature to a social engineer, and with skill they can switch these tools in and out in any particular circumstance, just as a plumber uses various hand tools and a system administrator uses OS commands to achieve complex tasks. When watching any of these professionals work, we may marvel at how they wield their tools, and the same is true for social engineers—except their tools are more subtle, and the targets are people and trust. The “techniques” that are commonly employed in many social engineering attacks are described next.

Phishing

Phishing (pronounced “fishing”) is a type of social engineering in which an attacker attempts to obtain sensitive information from users by masquerading as a trusted entity in an e-mail or instant message sent to a large group of often random users. The attacker attempts to obtain information such as usernames, passwords, credit card numbers, and details about the users’ bank accounts. The message that is sent often encourages the user to go to a website that appears to be for a reputable entity such as PayPal or eBay, both of which have frequently been used in phishing attempts. The website the user actually visits is not owned by the reputable organization, however, and asks the user to supply information that can be used in a later attack. Often the message sent to the user states that the user’s account has been compromised and requests, for security purposes, the user to enter their account information to verify the details.

In another very common example of phishing, the attacker sends a bulk e-mail, supposedly from a bank, telling the recipients that a security breach has occurred and instructing them to click a link to verify that their account has not been tampered with. If the individual actually clicks the link, they are taken to a site that appears to be owned by the bank but is actually controlled by the attacker. When they supply their account and password for “verification” purposes, the individual is actually giving it to the attacker.

EXAM TIP   Phishing is now the most common form of social engineering attack related to computer security. The target could be a computer system and access to the information found on it (as is the case when the phishing attempt asks for a user ID and password), or it could be personal information, generally financial, about an individual (in the case of phishing attempts that ask for an individual’s banking information).

Smishing

Smishing is an attack using Short Message Service (SMS) on victims’ cell phones. It is a version of phishing via SMS. It begins with an SMS message directing a user to a URL that can serve up a variety of attack vectors, including forms of malware. This attack works primarily due to the use of urgency and intimidation in the message, which might use a warning such as “You are subscribed to XYZ service, which will begin regular billings of $2 a month. Click here to unsubscribe before billing takes place.” When the user clicks the URL, the next phase of the attack can begin.

Vishing

Vishing is a variation of phishing that uses voice communication technology to obtain the information the attacker is seeking. Vishing takes advantage of the trust that some people place in the telephone network. Users are unaware that attackers can spoof (simulate) calls from legitimate entities using Voice over IP (VoIP) technology. Voice messaging can also be compromised and used in these attempts. This tactic is used to establish a form of trust that is then exploited by the attacker over the phone. Generally, the attacker is hoping to obtain credit card numbers or other information that can be used in identity theft. The user may receive an e-mail asking them to call a number that is answered by a potentially compromised voice message system. Users may also receive a recorded message that appears to come from a legitimate entity. In both cases, the user will be encouraged to respond quickly and provide the sensitive information so that access to their account is not blocked. If a user ever receives a message that claims to be from a reputable entity and asks for sensitive information, the user should not provide it but instead should use the Internet or examine a legitimate account statement to find a phone number that can be used to contact the entity. The user can then verify that the message received was legitimate and report the vishing attempt.

NOTE   A great video showing the use of several social engineering tools can be found at https://www.youtube.com/watch?v=lc7scxvKQOo (“This is how hackers hack you using simple social engineering”). This video demonstrates the use of vishing to steal someone’s cell phone credentials.

EXAM TIP   Phishing, smishing, vishing—these are attacks against users’ cognitive state. Using the principles for effectiveness, discussed later in the chapter, one can craft a message that makes falling victim to these attacks more likely. The attack is a combination of technical elements and psychological pressure, and together they cause the user to take the bait and click the link.

Spam

Spam, as just about everybody knows, is bulk unsolicited e-mail. Though not generally considered by many as a social engineering issue, or even a security issue for that matter, spam can still be a security concern. It can be legitimate in the sense that it has been sent by a company advertising a product or service, but it can also be malicious and could include an attachment that contains malicious software designed to harm your system, or a link to a malicious website that may attempt to obtain personal information from you. As spam is unsolicited, one should always consider the source before clicking any links or directly responding. Because spam can result in users clicking links, it should be regarded as a form of altering human behavior or social engineering.

Spam over Instant Messaging (SPIM)

Though not as well known, a variation on spam is SPIM, which is basically spam delivered via an instant messaging application. The purpose of hostile SPIM is the same as that of spam—getting an unsuspecting user to click malicious content or links, thus initiating the attack.

Spear Phishing

Spear phishing is a term created to refer to a phishing attack that targets a specific person or group of people with something in common. Because the attack targets a specific group, such as senior executives, the ratio of successful attacks (that is, the number of responses received) to the total number of e-mails or messages sent usually increases because a targeted attack will seem more plausible than a message sent to users randomly.

Dumpster Diving

The process of going through a target’s trash in hopes of finding valuable information that might be used in a penetration attempt is known in the security community as dumpster diving. One common place to find information, if the attacker is in the vicinity of the target, is in the target’s trash. The attacker might find little bits of information that could be useful for an attack. The tactic is not, however, unique to the computer community; it has been used for many years by others, such as identity thieves, private investigators, and law enforcement personnel, to obtain information about an individual or organization. If the attacker is very lucky, and the target’s security procedures are very poor, they may actually find user IDs and passwords.

An attacker may gather a variety of information that can be useful in a social engineering attack. In most locations, trash is no longer considered private property after it has been discarded (and even where dumpster diving is illegal, little enforcement occurs). An organization should have policies about discarding materials. Sensitive information should be shredded and the organization should consider securing the trash receptacle so that individuals can’t forage through it. People should also consider shredding personal or sensitive information that they wish to discard in their own trash. A reasonable quality shredder is inexpensive and well worth the price when compared with the potential loss that could occur as a result of identity theft.

Shoulder Surfing

Shoulder surfing does not necessarily involve direct contact with the target; instead, the attacker directly observes the individual entering sensitive information on a form, keypad, or keyboard. The attacker may simply look over the shoulder of the user at work, for example, or may set up a camera or use binoculars to view the user entering sensitive data. The attacker can attempt to obtain information such as a personal identification number (PIN) at an automated teller machine (ATM), an access control entry code at a secure gate or door, or a calling card or credit card number. Many locations now use a privacy screen or filter to surround a keypad so that it is difficult to observe somebody as they enter information. More sophisticated systems can actually scramble the location of the numbers so that the top row at one time includes the numbers 1, 2, and 3 and the next time includes 4, 8, and 0. While this makes it a bit slower for the user to enter information, it thwarts an attacker’s attempt to observe what numbers are pressed and then enter the same button pattern since the location of the numbers constantly changes.

Pharming

Pharming consists of misdirecting users to fake websites made to look official. Using phishing, attackers target individuals, one by one, by sending out e-mails. To become a victim, the recipient must take an action (for example, respond by providing personal information). In pharming, the user is directed to the fake website as a result of activity such as DNS poisoning (an attack that alters the hostname-to-IP address records a DNS server or resolver hands out) or modification of the local hosts file (which maps hostnames to IP addresses and is consulted before DNS). Once at the fake site, the user might supply personal information, believing that they are connected to the legitimate site.
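The hosts-file variant of pharming described above is something a defender can audit for. The following is an added example, not from the book: it parses hosts-file text, flags any entry that overrides a watched domain (a bank domain has no business in a local hosts file at all), and rates the finding by whether the address falls inside the constructed address ranges the real site is known to use.

```python
"""Audit a hosts file for pharming-style overrides of sensitive domains.

Added example, not the book's code. Assumes the defender keeps a watch list of
domains that should never be pinned in the local hosts file, together with the
address blocks the legitimate servers live in (all values here are constructed).
"""
import ipaddress

# Assumed watch list: domain -> networks its legitimate servers use (constructed)
WATCHED = {
    "example-bank.com": [ipaddress.ip_network("203.0.113.0/24")],
    "paypal.com": [ipaddress.ip_network("198.51.100.0/24")],
}


def parse_hosts(text: str):
    """Yield (ip_address, hostname) pairs from hosts-file text.

    Handles '#' comments, blank lines, IPv4/IPv6 addresses and the
    "address name1 name2 ..." layout the hosts format uses.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line: nothing here can resolve a name
        for name in parts[1:]:
            yield addr, name.lower().rstrip(".")


def _covers(name: str, domain: str) -> bool:
    """True if name is the domain itself or one of its subdomains."""
    return name == domain or name.endswith("." + domain)


def audit_hosts(text: str) -> list:
    """Return one finding per hosts entry that overrides a watched domain.

    Severity is "high" when the pinned address is outside the known ranges
    (the classic pharming redirect) and "low" when it is inside them (still
    worth a look, since the entry bypasses DNS and any later address change).
    """
    findings = []
    for addr, name in parse_hosts(text):
        for domain, nets in WATCHED.items():
            if not _covers(name, domain):
                continue
            in_range = any(addr in net for net in nets)
            findings.append({
                "hostname": name,
                "address": str(addr),
                "overrides": domain,
                "severity": "low" if in_range else "high",
            })
    return findings


# Constructed sample hosts file with one malicious pin and one benign one.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
# override planted by malware (constructed sample)
192.0.2.44  www.example-bank.com example-bank.com
198.51.100.7 www.paypal.com   # inside the expected range
10.1.2.3    intranet.corp.local
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```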

Tailgating

Tailgating (or piggybacking) is the simple tactic of following closely behind a person who has just used their own access card or PIN to gain physical access to a room or building. People are often in a hurry and will frequently not follow good physical security practices and procedures. Attackers know this and may attempt to exploit this characteristic in human behavior. An attacker can thus gain access to the facility without having to know the access code or having to acquire an access card. It is similar to shoulder surfing in that it relies on the attacker taking advantage of an authorized user who is not following security procedures. Frequently the attacker may even start a conversation with the target before reaching the door so that the user may be more comfortable with allowing the individual in without challenging them. In this sense, piggybacking is related to social engineering attacks.

Both the piggybacking and shoulder surfing attack techniques rely on the poor security practices of an authorized user in order to be successful. Thus, both techniques can be easily countered by training employees to use simple procedures to ensure nobody follows them too closely or is in a position to observe their actions. A more sophisticated countermeasure to piggybacking involves the use of a mantrap, which utilizes two doors to gain access to the facility. The second door does not open until the first one is closed, and the doors are closely spaced so that an enclosure is formed that only allows one individual through at a time.

Eliciting Information

Calls to or from help desk and tech support units can be used to elicit information. A skilled social engineer can use a wide range of psychological techniques to convince people, whose main job is to help others, to perform tasks resulting in security compromises. Posing as an employee, an attacker can get a password reset, information about some system, or other useful information. The call can go the other direction as well, where the social engineer is posing as the help desk or tech support person. Then, by calling employees, the attacker can get information on system status and other interesting elements that they can use later.

Whaling

High-value targets are referred to as whales. A whaling attack is thus one where the target is a high-value person, such as a CEO or CFO. Whaling attacks are not performed by attacking multiple targets and hoping for a reply, but rather are custom built to increase the odds of success. Spear phishing is a common method used against whales, as the communication is designed to appear to be ordinary business for the target, being crafted to appear nonsuspicious. Whales can be deceived in the same manner as any other person; the difference is that the target group is limited, so an attacker cannot rely upon random returns from a wide population of targets.

Prepending

Prepending is defined as the act of adding something else to the beginning of an item. When used in a social engineering context, prepending is the act of supplying information that another will act upon, frequently before they ask for it, in an attempt to legitimize the actual request, which comes later. Using the psychological constructs of authority, an attacker can use prepending by stating that they were sent by the target’s boss, or another authority figure, as a means to justify why the target should perform a specific action—typically one that, in the absence of the prepending, would not be normal.

Identity Fraud

Identity fraud is the use of fake credentials to achieve an end. This can be high risk, pretending to be an official representative of a government agency or a regulator, or lower risk, showing up as the person who waters the plants. One could pretend to be a delivery agent, show up with a box—or better yet, a server—and attempt direct delivery to the server room. This works best when the victim is expecting the person, as in the case of a broken server under a repair warranty. Identity fraud can be done online as well, using known information about the person you are impersonating (see the “Impersonation” section later in the chapter), and deceiving the victim you are attacking. Defense against identity fraud is the same as most other social engineering attacks: use strong policies and procedures without exceptions. For example, all packages must be dropped at the security desk, all visitors who need access must be escorted, with no exceptions, and so on. Also, there should be no exceptions on disclosure policies, like resetting passwords or giving a party access. Doing everything by the rules works—just look at TSA security, where there is no way to sneak past their line. The accuracy and effectiveness of their screening may be called into question, but getting around it is not. This is key for stopping most social engineering attacks.

Invoice Scams

Invoice scams use a fake invoice in an attempt to get a company to pay for things it has not ordered. The premise is simple: send a fake invoice and then get paid. In practice, since most companies have fairly strong accounting controls, the scam involves getting someone outside of the accounting group to initiate the process, lending a sense of legitimacy. This all seems like it wouldn’t work, yet cybercriminals collect literally billions of dollars using this method. Common items used in the scams are office products such as toner and typical office supplies, cleaning products, organizational memberships, and a wide range of corporate services. Sometimes, to add urgency, a final notice is included, threatening to report the organization to a collection agency, thus making a person hesitate before just throwing the bill away.

Credential Harvesting

Credential harvesting involves the collection of credential information, such as user IDs, passwords, and so on, giving an attacker a set of access passes to the system. A common form of credential harvesting starts with a phishing e-mail that convinces a user to click a link and, in response, brings up a replica of their bank’s web page. Users typically do not check the security settings of their browser connection, and when they enter their user ID and password, their credentials are harvested and stored for later use by the criminal.

The objective of a credential harvest is just to obtain credentials. Once the criminal has tricked you into providing your credentials, they will either redirect you to the correct website or provide an error and a new connection to the correct website for you to try again. They want to mask the fact that they stole your credentials. This attack method has been highly successful, and it is now standard practice for financial firms to follow a normal user ID and password with a second-factor, out-of-band inquiry to prevent subsequent use of harvested credentials. While this adds a layer of complexity and inconvenience to the user, it has become an accepted practice and is necessary to prevent harvested credential reuse.

NOTE   Many of the attacks are designed to get a user’s credentials. Any credential you can share is a risk, and to combat this risk, organizations have adopted two-factor authentication. The second factor is a different method of identifying the user and is typically unique and only valid for a limited time. An example is when you log in to your bank website, you get a text message with a code to authorize your entry. The use of this code significantly complicates the problem for an attacker if they get your credentials.

Reconnaissance

Reconnaissance is a military term used to describe the actions of surveying a battlefield to gain information prior to hostilities. In the field of cybersecurity, the concept is the same: an adversary will examine the systems they intend to attack, using a wide range of methods. Some of these methods are outside the purview of the victim: Google searches, public record searches, and so on. But other aspects are involved in directly manipulating people to gain information. Surveying a company’s org charts, calling and asking for people’s contact information and building a personnel directory, asking questions about hardware and software via surveys, and reading press releases can all be used to obtain information that goes into a description of the system that will be under attack. Although most reconnaissance is accepted as inevitable, some of it is helped via press releases telling the world who your security partners are, what products you are employing, and so on. Each of these items of information will be used later as part of the attack process. Known weaknesses against specific products can be employed and are easier to find if the attacker knows what products the company is using. Performing solid reconnaissance before attacking provides the attacker with key informational elements later when these items are needed.

Hoax

At first glance, it might seem that a hoax related to security would be considered a nuisance and not a real security issue. This might be the case for some hoaxes, especially those of the urban legend type, but the reality of the situation is that a hoax can be very damaging if it causes users to take some sort of action that weakens security. One real hoax, for example, described a new, highly destructive piece of malicious software. It instructed users to check for the existence of a certain file and to delete it if the file was found. In reality, the file mentioned was an important file used by the operating system, and deleting it caused problems the next time the system was booted. The damage caused by users modifying security settings can be serious. As with other forms of social engineering, training and awareness are the best and first line of defense for both users and administrators. Users should be trained to be suspicious of unusual e-mails and stories and should know who to contact in the organization to verify their validity if they are received. A hoax often also advises the user to send it to their friends so that they know about the issue as well—and by doing so, the user helps spread the hoax. Users need to be suspicious of any e-mail telling them to “spread the word.”

Impersonation

Impersonation is a common social engineering technique and can be employed in many ways. It can occur in person, over a phone, or online. In the case of an impersonation attack, the attacker assumes a role that is recognized by the person being attacked, and in assuming that role, the attacker uses the potential victim’s biases against their better judgment to follow procedures. Impersonation can occur in a variety of ways—from third parties, to help desk operators, to vendors, or even online sources.

Third-Party Authorization

Using previously obtained information about a project, deadlines, bosses, and so on, the attacker (1) arrives with something the victim is quasi-expecting or would see as normal, (2) uses the guise of a project in trouble or some other situation where the attacker will be viewed as helpful or as someone not to upset, and (3) name-drops the contact “Mr. Big,” who happens to be out of the office and unreachable at the moment, thus avoiding the reference check. Also, the attacker seldom asks for anything that seems unreasonable or is unlikely to be shared based on the circumstances. These actions can create the appearance of a third-party authorization, when in fact there is none.

Contractors/Outside Parties

It is common in many organizations to have outside contractors clean the building, water the plants, and perform other routine chores. In many of these situations, without proper safeguards, an attacker can simply put on clothing that matches a contractor’s uniform, show up to do the job at a slightly different time than it’s usually done, and, if challenged, play on the sympathy of the workers by saying they are filling in for X or covering for Y. The attacker then roams the halls unnoticed because they blend in, all the while photographing desks and papers and looking for information.

Online Attacks

Impersonation can be employed in online attacks as well. In these cases, technology plays an intermediary role in the communication chain. Some older forms, such as pop-up windows, tend to be less effective today because users are wary of them. Yet phishing attempts via e-mail and social media scams abound.

Defenses

In all of the cases of impersonation, the best defense is simple—have processes in place that require employees to ask to see a person’s ID before engaging with them if the employees do not personally know them. That includes challenging people such as delivery drivers and contract workers. Don’t let people piggyback in through the door without checking their ID. If this is standard process, then no one becomes offended, and if someone fakes offense, it becomes even more suspicious. Training and awareness do work, as proven by trends such as the diminished effectiveness of pop-up windows. But the key to this defense is to conduct training on a regular basis and to tailor it to what is currently being experienced, rather than a generic recitation of best practices.

EXAM TIP   A training and awareness program is still the best defense against social engineering attacks.

Watering Hole Attack

The most commonly recognized attack vectors are those that are direct to a target. Because of the attacks’ direct nature, defenses are crafted to detect and defend against them. But what if the user “asked” for the attack by visiting a website? Just as a hunter waits near a watering hole for animals to come drink, attackers can plant malware at sites that users are likely to frequent. First identified by the security firm RSA, a watering hole attack involves infecting a target website with malware. In some of the cases detected, the infection was constrained to a specific geographical area. These are not simple attacks, yet they can be very effective at delivering malware to specific groups of end users. Watering hole attacks are complex to achieve and appear to be backed by nation-states and other high-resource attackers. In light of the stakes, the typical attack vector will be a zero-day attack to further avoid detection.

Typosquatting

Typosquatting is an attack form that involves capitalizing upon common typographical errors. If a user mistypes a URL, then the result should be a 404 error, or “resource not found.” But if an attacker has registered the mistyped URL, then the user would land on the attacker’s page. This attack pattern is also referred to as URL hijacking, fake URL, or brandjacking if the objective is to deceive based on branding.

There are several reasons that an attacker will pursue this avenue of attack. The most obvious is one of a phishing attack. The fake site collects credentials, passing them on to the real site, and then steps out of the conversation to avoid detection once the credentials are obtained. It can also be used to plant drive-by malware on the victim machine. It can move the packets through an affiliate network, earning click-through revenue based on the typos. There are numerous other forms of attacks that can be perpetrated using a fake URL as a starting point.
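Because typosquatting relies on a small set of predictable slips, a defender can enumerate the likely misspellings of the organization's own domains and watch for them in DNS query logs. The following is an added example, not from the book: it generates single-error variants (omitted, doubled, transposed, adjacent-key and look-alike characters) of assumed legitimate domains and scans constructed log lines of the form "timestamp client-ip queried-name" for matches.

```python
"""Flag DNS queries for typo-variants of an organization's own domains.

Added example, not the book's code. The legitimate domains, the log format
and the log lines below are all constructed for illustration.
"""
import re
from typing import Iterable

LEGIT_DOMAINS = ["example-bank.com", "paypal.com"]  # assumed legitimate names

# Partial QWERTY neighbour table: enough to cover common fat-finger errors.
ADJACENT = {
    "a": "qws", "e": "wrd", "i": "uok", "o": "ipl", "l": "ko", "p": "ol",
    "y": "tu", "s": "ad", "n": "bm", "m": "n", "k": "jl", "b": "vn",
}
# Characters that read alike at a glance (digit-for-letter swaps).
HOMOGLYPH = {"l": "1", "o": "0", "i": "1"}


def typo_variants(domain: str) -> set:
    """Return plausible single-error misspellings of a domain's main label.

    Covers omission, duplication, transposition, adjacent-key substitution
    and look-alike substitution; the TLD is kept unchanged.
    """
    label, _, tld = domain.rpartition(".")
    out = set()
    for i, ch in enumerate(label):
        out.add(label[:i] + label[i + 1:])                  # omission
        out.add(label[:i] + ch * 2 + label[i + 1:])         # duplication
        if i + 1 < len(label):                              # transposition
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        for k in ADJACENT.get(ch, "") + HOMOGLYPH.get(ch, ""):
            out.add(label[:i] + k + label[i + 1:])          # substitution
    return {v + "." + tld for v in out if v and v != label}


# Assumed log line layout: "<timestamp> <client-ip> <queried-name>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)$")


def find_lookalikes(log_lines: Iterable[str], legit=LEGIT_DOMAINS) -> list:
    """Return one hit per query whose registrable domain is a typo-variant."""
    watch = {}
    for domain in legit:
        for variant in typo_variants(domain):
            watch[variant] = domain
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        qname = m["qname"].lower().rstrip(".")
        # Compare on the last two labels so subdomains of a lookalike match too.
        registrable = ".".join(qname.split(".")[-2:])
        if registrable in watch:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "queried": qname, "mimics": watch[registrable]})
    return hits


# Constructed DNS query log: one legitimate lookup and three lookalikes.
SAMPLE_LOG = """\
2024-05-01T09:12:01Z 10.0.0.15 www.paypal.com
2024-05-01T09:12:07Z 10.0.0.15 www.paypa1.com
2024-05-01T09:13:40Z 10.0.0.22 login.examplebank.com
2024-05-01T09:14:02Z 10.0.0.22 example-bnak.com
"""

if __name__ == "__main__":
    for hit in find_lookalikes(SAMPLE_LOG.splitlines()):
        print(hit)
```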

Pretexting

Pretexting is a form of social engineering in which the attacker uses a narrative (the pretext) to influence the victim into giving up some item of information. An example would be calling a senior executive while posing as a fellow student from college or as a fellow admin. The pretext does not have to be true; it only needs to be believable and relevant in convincing the victim to give help. Pretexting uses deception and false motives to manipulate the victim. The main goal of the attacker is to gain the target’s trust and exploit it. A pretext attack can occur in person, by e-mail, over the phone, or via virtually any other form of communication.

Influence Campaigns

Influence campaigns involve the use of collected information and selective publication of material to key individuals in an attempt to alter perceptions and change people’s minds on a topic. One can engage in an influence campaign against a single person, but the effect is limited. Influence campaigns are even more powerful when used in conjunction with social media to spread influence through influencer propagation. Influencers are people who have large followings of people who read what they post, and in many cases act in accordance or agreement. This results in an amplifying mechanism, where single pieces of disinformation can be rapidly spread and build a following across the Internet. The effects are strong enough that nation-states have used these techniques as a form of conflict, termed hybrid warfare, where the information is used to sway people toward a position favored by those spreading it. What makes this effective is the psychological effects of groups, experiencing the bandwagon effect, where when one leads, many follow, typically without critically examining the premise they are then following. In previous wars, this was called propaganda, and today, with rapid communication worldwide via social media platforms, these methods are even more effective at moving mass beliefs of groups of populations.

Principles (Reasons for Effectiveness)

Social engineering is very successful for two general reasons. The first is the basic desire of most people to be helpful. When somebody asks a question for which we know the answer, our normal response is not to be suspicious but rather to answer the question. The problem with this is that seemingly innocuous information can be used either directly in an attack or indirectly to build a bigger picture that an attacker can use to create an aura of authenticity during an attack—the more information an individual has about an organization, the easier it will be to convince others that they are part of the organization and have a right to even more sensitive information.

The second reason that social engineering is successful is that individuals normally seek to avoid confrontation and trouble. If the attacker attempts to intimidate the target, threatening to call the target’s supervisor because of a lack of help, the target may give in and provide the information to avoid confrontation. The following sections will look at the concepts of authority, intimidation, consensus, scarcity, familiarity, trust, and urgency as applied to their use in furthering a successful social engineering attack.


NOTE   The effectiveness of social engineering attacks is part technical and part psychological. For an attack to trick most users, psychological hooks are used to make attacks more effective in getting a user to perform a desired action. Understanding the psychological component of these attacks is important.

Authority

The use of authority in social situations can lead to an environment where one party feels at risk in challenging another over an issue. If an attacker can convince a target that they have authority in a particular situation, they can entice the target to act in a particular manner or else face adverse consequences. In short, if you act like a boss when requesting something, people are less likely to withhold it.

The best defense against this and many social engineering attacks is a strong set of policies that has no exceptions. Much like security lines in the airport, when it comes to the point of screening, everyone gets screened, even flight crews, so there is no method of bypassing this critical step.

Intimidation

Intimidation can be either subtle, through perceived power, or more direct, through the use of communications that build an expectation of superiority. The use of one’s title, or fancy credentials, like being a “lead assessor for the standard,” creates an air of authority around one’s persona.

Consensus

Consensus is a group-wide decision. It frequently comes not from a champion, but rather through rounds of group negotiation. These rounds can be manipulated to achieve desired outcomes. The social engineer simply motivates others to achieve their desired outcome.

Scarcity

If something is in short supply and is valued, then arriving with what is needed can bring rewards—and acceptance. “Only X widgets left at this price” is an example of this technique. Even if something is not scarce, implied scarcity, or implied future change in availability, can create a perception of scarcity. By giving the impression of scarcity (or short supply) of a desirable product, an attacker can motivate a target to make a decision quickly without deliberation.

Familiarity

People do things for people they like or feel connected to. Building this sense of familiarity and appeal can lead to misplaced trust. The social engineer can focus the conversation on familiar items, not the differences. Again, leading with persuasion that one has been there before and done something, even if they haven’t, will lead to the desired “familiar” feeling in the target.

Trust

Trust is defined as having an understanding of how something will act under specific conditions. Social engineers can shape a target’s perceptions so that the target applies its own judgment to the trust equation and reaches false conclusions. The whole objective of social engineering is not to force people to do things they would not do but rather to give them a pathway that leads them to feel they are doing the correct thing in the moment.

Urgency

Time can be manipulated to drive a sense of urgency and prompt shortcuts that can lead to opportunities for interjection into processes. Limited-time offers should always be viewed as suspect. Perception is the key. Giving the target a reason to believe that they can take advantage of a timely situation, whether or not it is real, achieves the outcome of them acting in a desired manner.


EXAM TIP   The key in all social engineering attacks is that you are manipulating a person and their actions by manipulating their perception of a situation. A social engineer preys on people’s beliefs, biases, and stereotypes—to the victim’s detriment. This is hacking the human side of a system.

Defenses

While many of these social engineering attacks may make you want to roll your eyes and think they never work, the fact is they do, and billions are lost every year to these methods. Whether it is a direct scam or the first stages of a much larger attack, the elements presented in this chapter are used all the time by hackers and criminals. Fortunately, effective defenses against these social engineering attacks are easier to establish than those needed for many of the more technical attacks. Stopping social engineering begins with policies and procedures that eliminate the pathways used by these attacks. Visitor access, rules before assisting a customer, verifying requests as legitimate before sharing certain sensitive elements—these are all doable items. Once you have layered policies and procedures to avoid these issues, or their outcomes, the critical element is employee training. Maintaining vigilance on the part of employee actions is the challenge, and frequent reminders, retraining, and notification of violations can go a long way toward achieving the desired defense. Lastly, have multiple layers of defenses, including approvals and related safeguards so that a single mistake from an employee will not give away the keys to the kingdom. Also, a healthy dose of knowledge, through sharing the large cases started by social engineering techniques in the form of public awareness campaigns, will keep employees engaged in actively defending against social engineering.


NOTE   Many high-profile “hacking” cases began with social engineering:

•   Target data breach, 2013: phishing e-mail

•   Sony, 2014: phishing

•   Democratic National Committee e-mail leak, 2016: spear phishing

•   Ukraine electric grid attack, 2018: phishing

Chapter Review

This chapter examined various tools and techniques employed in social engineering. The use of deception to get users to respond to messages via different channels of communication includes phishing, smishing, vishing, spear phishing, spam, SPIM, and whaling. The chapter also covered physical methods such as tailgating, dumpster diving, and shoulder surfing, as well as other techniques such as watering holes, credential harvesting, typosquatting, and influence campaigns. The chapter closed with an examination of some of the psychological traits that make users susceptible to social engineering, together with the techniques used to defend against it.

Questions

To help you prepare further for the CompTIA Security+ exam, and to test your level of preparedness, answer the following questions and then check your answers against the correct answers at the end of the chapter.

1.   While waiting in the lobby of your building for a guest, you notice a man in a red shirt standing close to a locked door with a large box in his hands. He waits for someone else to come along and open the locked door and then proceeds to follow her inside. What type of social engineering attack have you just witnessed?

A.   Impersonation

B.   Phishing

C.   Boxing

D.   Tailgating

2.   A colleague asks you for advice on why he can’t log in to his Gmail account. Looking at his browser, you see he has typed www.gmal.com in the address bar. The screen looks very similar to the Gmail login screen. Your colleague has just fallen victim to what type of attack?

A.   Jamming

B.   Rainbow table

C.   Whale phishing

D.   Typosquatting

3.   A user in your organization contacts you to see if there’s any update to the “account compromise” that happened last week. When you ask him to explain what he means, the user tells you he received a phone call earlier in the week from your department and was asked to verify his user ID and password. The user says he gave the caller his user ID and password. This user has fallen victim to what specific type of attack?

A.   Spear phishing

B.   Vishing

C.   Phishing

D.   Replication

4.   Coming into your office, you overhear a conversation between two security guards. One guard is telling the other she caught several people digging through the trash behind the building early this morning. The security guard says the people claimed to be looking for aluminum cans, but only had a bag of papers—no cans. What type of attack has this security guard witnessed?

A.   Spear phishing

B.   Pharming

C.   Dumpster diving

D.   Rolling refuse

5.   Which of the following are specifically used to spread influence, alter perceptions, and sway people toward a position favored by those spreading it?

A.   Identity fraud, invoice scams, credential harvesting

B.   Hoaxes, eliciting information, urgency

C.   Influence campaigns, social media, hybrid warfare

D.   Authority, intimidation, consensus

6.   Which of the following is a type of social engineering attack in which an attacker attempts to obtain sensitive information from a user by masquerading as a trusted entity in an e-mail?

A.   Phishing

B.   Pharming

C.   Spam

D.   Vishing

7.   Which of the following is/are psychological tools used by social engineers to create false trust with a target?

A.   Impersonation

B.   Urgency or scarcity

C.   Authority

D.   All of the above

8.   Once an organization’s security policies have been established, what is the single most effective method of countering potential social engineering attacks?

A.   An active security awareness program

B.   A separate physical access control mechanism for each department in the organization

C.   Frequent testing of both the organization’s physical security procedures and employee telephone practices

D.   Implementing access control cards and the wearing of security identification badges

9.   You notice a new custodian in the office, working much earlier than normal, emptying trash cans, and moving slowly past people working. You ask him where the normal guy is, and in very broken English he says, “Out sick,” indicating a cough. What is happening?

A.   Watering hole attack

B.   Impersonation

C.   Prepending

D.   Identity fraud

10.   Your boss thanks you for pictures you sent from the recent company picnic. You ask him what he is talking about, and he says he got an e-mail from you with pictures from the picnic. Knowing you have not sent him that e-mail, what type of attack do you suspect is happening?

A.   Phishing

B.   Spear phishing

C.   Reconnaissance

D.   Impersonation

Answers

1.   D. Tailgating (or piggybacking) is the simple tactic of following closely behind a person who has just used their own access card, key, or PIN to gain physical access to a room or building. The large box clearly impedes the person in the red shirt’s ability to open the door, so they let someone else do it for them and follow them in.

2.   D. Typosquatting capitalizes on common typing errors, such as gmal instead of gmail. The attacker registers a domain very similar to the real domain and attempts to collect credentials or other sensitive information from unsuspecting users.

3.   B. Vishing is a social engineering attack that uses voice communication technology to obtain the information the attacker is seeking. Most often the attacker will call a victim and pretend to be someone else in an attempt to extract information from the victim.

4.   C. Dumpster diving is the process of going through a target’s trash in the hopes of finding valuable information such as user lists, directories, organization charts, network maps, passwords, and so on.

5.   C. Influence campaigns are used to alter perceptions and change people’s minds on a topic. They are even more powerful when used in conjunction with social media to spread influence through influencer propagation. Nation-states often use hybrid warfare to sway people toward a position favored by those spreading it.

6.   A. This is the definition of a phishing attack, as introduced in the chapter. The key elements of the question are e-mail and the unsolicited nature of its sending (spam).

7.   D. Social engineers use a wide range of psychological tricks to fool users into trusting them, including faking authority, impersonation, creating a sense of scarcity or urgency, and claiming familiarity.

8.   A. Because any employee may be the target of a social engineering attack, the best thing you can do to protect your organization from these attacks is to implement an active security awareness program to ensure that all employees are cognizant of the threat and what they can do to address it.

9.   B. This is a likely impersonation attack, using the cover of the janitor. Because of the unusual circumstances, it would be wise to report to a manager for investigation.

10.   B. This is spear phishing, which is a targeted phishing attack against a specific person.
