Other Social Engineering Attacks
(OBJ 2.2)
Other common social engineering attacks:
-
Diversion Theft
- Involves manipulating a situation or creating a distraction in order to steal valuable items or information
- In the physical world this can mean creating a scene to divert attention while an accomplice commits the theft
- In the digital realm it can mean diverting internet traffic to a fake website in order to steal the victim's data
- Common example: a DNS spoofing attack
- In a DNS spoofing attack, the attacker corrupts DNS resolution (for example by poisoning a resolver's cache or tampering with DNS server settings) so that when a user types in a legitimate website URL, the name resolves to an attacker-controlled server hosting a fake website
- This fake website usually relies on brand impersonation to closely resemble the legitimate site and trick users into believing they are in the right place
- The user is then prompted to enter sensitive information, such as usernames, passwords, or credit card details
- The redirection can still be caught: a spoofed site cannot present a valid TLS certificate for the legitimate domain, so a certificate warning on a familiar site is a red flag, and DNSSEC validation lets resolvers reject forged answers
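The notes above describe the effect of DNS spoofing (a legitimate name ends up pointing at the attacker's server). The following is an added example, not part of the original notes, that models the other side: the checks a resolver applies to a reply before it caches and hands out an address. It builds a genuine A-record response and several forgeries in memory, so a blind spoofing attempt has to guess both the 16-bit transaction ID and the randomized source port, and an answer for a name that was never asked about is rejected. All names, IP addresses and ports are constructed for illustration.

```python
"""Added example: minimal DNS response parser plus the acceptance checks a
resolver applies before caching an answer (why blind DNS spoofing must guess
the transaction ID and source port, and why out-of-bailiwick answers are
dropped). Names, addresses and ports below are constructed, not real."""
from __future__ import annotations
import secrets
import struct


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS labels ending in the zero-length root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def decode_name(data: bytes, offset: int) -> tuple[str, int]:
    """Decode a name at offset, following RFC 1035 compression pointers.
    Returns (name, offset just past the name as it appeared in the message)."""
    labels, end, jumped = [], 0, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                       # two-byte compression pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def build_response(txid: int, qname: str, ip: str, answer_name: str | None = None) -> bytes:
    """Build a one-answer A record response. The answer owner is a compression
    pointer to the question name (offset 12) unless a different name is given."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)    # QR=1, RD=1, RA=1
    question = encode_name(qname) + struct.pack("!HH", 1, 1)      # QTYPE=A, QCLASS=IN
    owner = b"\xc0\x0c" if answer_name is None else encode_name(answer_name)
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = owner + struct.pack("!HHIH", 1, 1, 300, 4) + rdata    # TYPE, CLASS, TTL, RDLENGTH
    return header + question + answer


def parse_response(data: bytes) -> dict:
    """Parse header, question and A-record answers of a DNS response."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    qname, offset = decode_name(data, 12)
    qtype, _qclass = struct.unpack("!HH", data[offset:offset + 4])
    offset += 4
    answers = []
    for _ in range(an):
        owner, offset = decode_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata, offset = data[offset:offset + rdlen], offset + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((owner, ".".join(str(b) for b in rdata), ttl))
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "qname": qname, "qtype": qtype, "answers": answers}


def accept_response(pending: dict, src_ip: str, dst_port: int, data: bytes) -> tuple[bool, str]:
    """Checks a resolver applies to a reply for an outstanding query (cf. RFC 5452)."""
    if src_ip != pending["server_ip"]:
        return False, "reply does not come from the server that was queried"
    if dst_port != pending["src_port"]:
        return False, "reply is not addressed to the randomized source port"
    msg = parse_response(data)
    if not msg["is_response"]:
        return False, "QR bit not set"
    if msg["txid"] != pending["txid"]:
        return False, "transaction ID mismatch"
    if msg["qname"].lower() != pending["qname"].lower() or msg["qtype"] != 1:
        return False, "question section does not match the outstanding query"
    for owner, _ip, _ttl in msg["answers"]:
        if owner.lower() != pending["qname"].lower():
            return False, f"answer for {owner!r} is outside the question asked"
    return True, "accepted"


def demo() -> dict:
    """Race a genuine reply against forgeries; return the reason for each verdict."""
    pending = {"qname": "bank.example", "server_ip": "192.0.2.53",
               "txid": secrets.randbelow(1 << 16),                   # random 16-bit ID
               "src_port": 1024 + secrets.randbelow(65536 - 1024)}   # random ephemeral port
    srv, port = pending["server_ip"], pending["src_port"]
    genuine = build_response(pending["txid"], "bank.example", "198.51.100.10")
    # Attacker spoofs the server's source IP but must guess ID and port blind.
    wrong_id = build_response((pending["txid"] + 1) & 0xFFFF, "bank.example", "203.0.113.66")
    # Attacker got ID and port right but plants a record for a name never asked about.
    injected = build_response(pending["txid"], "bank.example", "203.0.113.66",
                              answer_name="login.bank.example")
    # Residual risk: ID, port and bailiwick all correct is indistinguishable from genuine;
    # only DNSSEC validation (or an authenticated channel to a trusted resolver) closes it.
    perfect = build_response(pending["txid"], "bank.example", "203.0.113.66")
    return {"genuine": accept_response(pending, srv, port, genuine)[1],
            "wrong_txid": accept_response(pending, srv, port, wrong_id)[1],
            "wrong_port": accept_response(pending, srv, port ^ 1, genuine)[1],
            "out_of_bailiwick": accept_response(pending, srv, port, injected)[1],
            "perfect_guess": accept_response(pending, srv, port, perfect)[1]}


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:18} {verdict}")
```

Run it directly to see the verdicts. The "perfect_guess" case is the important one: every hygiene check passes, which is why source-port randomization only raises the attacker's cost and the brand-impersonation page described above is ultimately stopped by the browser's certificate check or by DNSSEC, not by the resolver's guesswork defences.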
-
Hoaxes
- A malicious deception that is often spread through social media, email, or other communication channels
- Often paired with phishing and impersonation attacks, since a believable hoax primes the victim to act on the follow-up request
- Example: a pop-up alert warning that your macOS system is infected with Windows malware (a Windows-only threat cannot run on macOS, which gives the hoax away)
- To avoid falling for hoaxes, fact-check claims against a trusted source and apply critical thinking before acting on or forwarding them
-
Shoulder Surfing
- Involves looking over someone's shoulder to gather personal information such as PINs and passwords
- Example: stealing credentials at ATMs or work computers
- Includes the use of high-powered cameras or closed-circuit television cameras to capture information from a distance
- To prevent shoulder surfing, users must be aware of their surroundings whenever they enter sensitive information
- In an open-floor-plan building or cubicle layout, require privacy screens on your organization's workstations and provide shields for keypads when asking someone to enter a PIN
-
Dumpster Diving
- Involves searching through trash to find valuable information
- Commonly used to find discarded documents containing personal or corporate information
- To prevent dumpster diving, use clean desk and clean desktop policies
- Any sensitive or confidential documents should be shredded before disposal, and your organization should implement a clean desk policy under which employees lock up or shred their documents at the end of the day
- Virtual or digital dumpster diving is also becoming more popular
- Performed by an attacker who is able to look through the recycling bin or the deleted files on a given system
- Can be prevented by properly deleting and overwriting old files on your storage volumes, such as HDDs, SSDs, or cloud-based storage; note that overwriting is only reliable on magnetic disks, while SSDs (wear levelling) and cloud storage (versioning, replicas) call for full-disk encryption with key destruction or the vendor's secure-erase procedure
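The two digital dumpster-diving points above (files in the recycling bin are intact, and old files should be overwritten rather than merely deleted) can be shown in a few lines. The following is an added example, not part of the original notes: it mimics a "move to trash" to show the bytes are untouched, then implements an overwrite-then-unlink routine. The directory layout and the "confidential" file contents are constructed in a temporary folder; the routine assumes a plain, non-copy-on-write filesystem, and the caveat about SSDs and cloud storage is stated in the code.

```python
"""Added example: trashed files keep their contents, and an overwrite-then-unlink
secure delete. Paths and file contents are constructed in a temporary directory."""
import os
import secrets
import shutil
import tempfile


def trash_file(path: str, trash_dir: str) -> str:
    """Mimic a desktop 'Move to Trash': the bytes are untouched, only relocated."""
    os.makedirs(trash_dir, exist_ok=True)
    dest = os.path.join(trash_dir, os.path.basename(path))
    shutil.move(path, dest)
    return dest


def secure_delete(path: str, passes: int = 1, chunk: int = 1 << 16) -> int:
    """Overwrite the file in place with random bytes, fsync, then unlink.
    Returns the number of bytes overwritten.
    Assumed environment: a plain filesystem on a magnetic disk. On SSDs (wear
    levelling), copy-on-write filesystems with snapshots, and cloud object stores
    with versioning the old blocks may survive, so there the real control is
    full-disk encryption plus key destruction or the vendor's secure erase."""
    size = os.path.getsize(path)
    fd = os.open(path, os.O_WRONLY)
    try:
        for _ in range(passes):
            os.lseek(fd, 0, os.SEEK_SET)
            remaining = size
            while remaining:
                buf = secrets.token_bytes(min(chunk, remaining))
                written = 0
                while written < len(buf):            # os.write may be partial
                    written += os.write(fd, buf[written:])
                remaining -= len(buf)
            os.fsync(fd)                             # push the overwrite to the device
    finally:
        os.close(fd)
    os.unlink(path)
    return size * passes


def demo() -> dict:
    """Trash one 'confidential' file and securely delete another; report what survives."""
    workdir = tempfile.mkdtemp(prefix="dumpster-")
    try:
        secret = b"Q3 payroll export, SSN 000-00-0000 (constructed sample)\n"
        trashed_src = os.path.join(workdir, "payroll-2024.csv")
        shredded_src = os.path.join(workdir, "payroll-2023.csv")
        for p in (trashed_src, shredded_src):
            with open(p, "wb") as f:
                f.write(secret)
        in_trash = trash_file(trashed_src, os.path.join(workdir, ".Trash", "files"))
        with open(in_trash, "rb") as f:
            recoverable = f.read() == secret         # still fully readable from the trash
        overwritten = secure_delete(shredded_src)
        return {"trash_still_readable": recoverable,
                "trash_path_exists": os.path.exists(in_trash),
                "shredded_exists": os.path.exists(shredded_src),
                "bytes_overwritten": overwritten,
                "secret_len": len(secret)}
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22} {value}")
```

The point of the demo is the first result: emptying a recycling bin or running a plain delete is the same operation as trashing, only one step later, and neither touches the data blocks. A single random pass is enough on a magnetic disk; more passes add time, not security, and on the storage types named in the docstring no number of passes is a substitute for encryption.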
-
Eavesdropping
- Involves secretly listening in on private conversations or communications
- The perpetrator intercepts the communication between parties without their knowledge
- Revealing information the attacker is interested in, such as credentials or business plans
- Prevent this by encrypting data in transit
- Use secure and encrypted communication channels (for example TLS, SSH, or a VPN) rather than plaintext protocols
- Encrypt any data that will be transferred across the network, and regularly update and patch systems so known weaknesses in those protocols are closed
-
Baiting
- Involves leaving a malware-infected physical device, like a USB drive, in a place where a victim will find it and, as the attacker hopes, plug it in and unknowingly install malware on their organization's computer system
- Most people are curious about a USB drive they find in the parking lot; unfortunately, it contains malware
- To prevent baiting, train users not to use devices they find, and back the training with technical controls such as disabling autorun and restricting unapproved removable media
-
Piggybacking and Tailgating
- Involve an unauthorized person following an authorized person into a secure area
- Tailgating
- The attacker follows an employee through an access control vestibule or access control point without the employee's knowledge
- Piggybacking
- The attacker convinces an authorized employee to let them into the facility, typically by getting the employee to swipe their own access badge and hold the door
- "Hold the door open for the delivery person": the delivery person has just piggybacked
- Insider threats commonly use piggybacking to access offices or data centers without their own badge being logged in the security system