036-Social-Engineering.md

This repository has been archived by the owner on Nov 2, 2024. It is now read-only.
Social Engineering

Social Engineering refers to the manipulation of individuals or groups to gain confidential information or unauthorized access to systems, often by exploiting psychological vulnerabilities.

  • Attackers build familiarity with the target or victims.
  • Attackers create a sense of urgency to pressure people into acting.

Social Engineering Concepts

  • Psychological Manipulation

    • Techniques such as deception, persuasion, or intimidation are used to exploit human behavior.
    • Exploits cognitive biases or emotional triggers to influence decision-making.
  • Pretexting

    • Fabricating a scenario or pretext to trick individuals into revealing sensitive information.
    • Often involves creating a sense of urgency or importance to increase compliance.
  • Hoaxes

    • Typically intended as a prank, joke, or to cause panic or confusion.
    • Can lead to misinformation, wasted resources in debunking, or emotional distress for those affected.
  • Impersonation

    • Pretending to be someone else to gain trust or access to restricted areas or information.
    • May involve adopting a false identity or impersonating authority figures.
    • Brand Impersonation - Pretending to represent a legitimate brand or company.
  • Dumpster Diving

    • Searching through trash to find discarded documents containing valuable information.
    • Can yield sensitive data such as financial records, passwords, or corporate documents.
  • Shoulder Surfing

    • Covertly observing or eavesdropping on individuals as they enter sensitive information.
    • Perpetrators may use hidden cameras or binoculars to capture information from a distance.
  • Tailgating

    • Following authorized personnel into secure areas without proper authentication.
    • Exploits social norms or politeness to gain unauthorized access to restricted areas.

Motivational Triggers

  • Authority

    • People tend to comply with requests from perceived authority figures or institutions.
    • Attackers exploit this trigger by posing as authority figures to gain trust and compliance.
  • Urgency

    • Urgent situations or deadlines can prompt individuals to act quickly without thoroughly evaluating the situation.
    • The sense of urgency pressures targets into making hasty decisions or disclosing sensitive information.
  • Social Proof

    • Individuals often look to others for guidance or validation, especially in uncertain situations.
    • Attackers use social proof by presenting fake testimonials, reviews, or endorsements to gain trust and credibility.
  • Scarcity

    • People value items or opportunities that are perceived as scarce or in high demand.
    • Attackers exploit scarcity by creating artificial scarcity or deadlines to encourage immediate action or compliance.
  • Likeability

    • Individuals are more likely to comply with requests from people they like or feel a connection with.
    • Attackers use charm, flattery, or sympathy to build rapport and manipulate targets into complying with their requests.
  • Fear

    • Fear of loss, harm, or negative consequences can override logical decision-making.
    • Achieved through threats of legal action, financial loss, or personal harm to coerce targets.
    • This trigger prompts individuals to act impulsively.
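
The triggers above can be turned into a simple cue detector that trainers use to annotate sample emails, or that a mail gateway uses to add a hint banner. The following Python is an added example, not code from the original notes; the cue lexicon and the two sample messages are constructed for illustration, and the risk thresholds are an assumption.

```python
"""Score a message for the social-engineering triggers listed above (authority, urgency,
social proof, scarcity, likeability, fear) so trainers can annotate examples or a mail
gateway can add a hint banner."""
import re

# Constructed cue lexicon: deliberately small; tune it to your organisation's own wording.
TRIGGER_PATTERNS = {
    "authority": [r"\bceo\b", r"\bit department\b", r"\bcompliance team\b", r"\blegal team\b", r"\btax authority\b"],
    "urgency": [r"\bimmediately\b", r"\bwithin \d+ hours?\b", r"\bright away\b", r"\basap\b", r"\bexpires? today\b"],
    "social_proof": [r"\beveryone (?:else )?has\b", r"\bthousands of (?:users|customers)\b", r"\bas others have\b"],
    "scarcity": [r"\bonly \d+ (?:left|remaining)\b", r"\blimited time\b", r"\blast chance\b"],
    "likeability": [r"\bhope you(?:'re| are) (?:well|doing well)\b", r"\bgreat working with you\b", r"\bdear friend\b"],
    "fear": [r"\baccount (?:will be )?(?:suspended|locked|terminated)\b", r"\blegal action\b", r"\bpenalt(?:y|ies)\b"],
}


def score_message(text: str) -> dict:
    """Return {trigger: [matched phrases]} for every trigger with at least one hit."""
    hits = {}
    for trigger, patterns in TRIGGER_PATTERNS.items():
        found = [m.group(0) for pat in patterns for m in re.finditer(pat, text, flags=re.IGNORECASE)]
        if found:
            hits[trigger] = found
    return hits


def risk_level(hits: dict) -> str:
    """Stacked triggers are the tell: one cue is normal business mail, several together is not.
    Thresholds are an assumption for this example."""
    if len(hits) >= 3:
        return "high"
    if hits:
        return "medium"
    return "low"


def annotate(text: str) -> str:
    """Wrap each matched phrase in [[trigger: phrase]] so the sample reads as a teaching aid."""
    out = text
    for trigger, phrases in score_message(text).items():
        for phrase in set(phrases):
            out = out.replace(phrase, f"[[{trigger}: {phrase}]]")
    return out


# Constructed sample messages (not real mail).
MSG_CEO_FRAUD = ("This is the CEO. Process the vendor payment immediately; the account will be "
                 "suspended within 24 hours and legal action follows if we miss the deadline.")
MSG_BENIGN = "Hi team, the Q3 meeting notes are attached. Let me know if anything is missing."

if __name__ == "__main__":
    for msg in (MSG_CEO_FRAUD, MSG_BENIGN):
        hits = score_message(msg)
        print(risk_level(hits), hits)
        print(annotate(msg))
```

The scoring counts distinct triggers rather than raw keyword hits, because a legitimate finance reminder can be urgent, but a message that is urgent, comes from "the CEO", and threatens account suspension at the same time is the pattern the Motivational Triggers list describes.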

Attacks

To learn more, please see Cyber Threats and Attacks.

  • Website Redirection

    • Redirecting users from legitimate websites to malicious ones without their knowledge or consent.
  • Watering Hole Attack

    • Targeting websites that are frequently visited by a specific group of users, such as employees of a company or members of a community.
  • Adversarial Artificial Intelligence

    • AI systems designed to deceive, manipulate, or exploit vulnerabilities in other AI systems or human users.
  • Spam

    • Mass mailing of unsolicited messages.
  • Phishing

    • Sending deceptive emails or messages to trick recipients into divulging personal information or clicking malicious links.
  • Typosquatting

    • The attacker registers a domain name similar to a popular website.
    • The "copycat" domain usually contains a common typographical error.
    • The goal is to victimize users who accidentally mistype a URL.
    • Example: Registering "gnail.com" to impersonate gmail.com.
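
A defender can apply the same idea in reverse: check newly registered or newly seen domains against a list of protected brand domains and flag the ones that differ only by a typo, a confusable character, or a swapped TLD. The following Python is an added example, not code from the original notes; the protected-domain list, the confusable table, the edit-distance threshold and the candidate domains are constructed for illustration, and the naive "last label is the TLD" split is a stated simplification.

```python
"""Flag domains that resemble a protected brand domain (typosquat / brand-impersonation check)."""

# Constructed list of domains to protect; a real deployment would load this from config.
PROTECTED = ["gmail.com", "paypal.com", "example-bank.com"]

# Character sequences that render like another glyph. Two-character keys come first so
# "rn" is folded to "m" before the single-character rules run.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a"}


def normalize_confusables(label: str) -> str:
    """Fold common look-alike substitutions back to the letters they imitate."""
    out = label.lower()
    for fake, real in CONFUSABLES.items():
        out = out.replace(fake, real)
    return out


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent transpositions,
    so 'gmial' is one edit from 'gmail' rather than two."""
    n, m = len(a), len(b)
    d = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n + 1):
        d[i][0] = i
    for j in range(m + 1):
        d[0][j] = j
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[n][m]


def split_domain(domain: str):
    """Split 'name.tld'. Simplification: the last label is treated as the TLD;
    production code should use the Public Suffix List instead."""
    parts = domain.lower().rstrip(".").split(".")
    return ".".join(parts[:-1]), parts[-1]


def classify_domain(candidate: str, protected=PROTECTED):
    """Return (verdict, matched_protected_domain). Checks run from most to least specific."""
    cand_name, cand_tld = split_domain(candidate)
    for brand in protected:
        brand_name, brand_tld = split_domain(brand)
        if cand_name == brand_name and cand_tld == brand_tld:
            return "exact", brand
        if cand_name == brand_name:                          # same name, different TLD
            return "tld-swap", brand
        if normalize_confusables(cand_name) == brand_name:   # paypa1 -> paypal
            return "homoglyph", brand
        if osa_distance(cand_name, brand_name) <= 1:         # gnail, gmial, gmaill (threshold assumed)
            return "lookalike", brand
        if brand_name in cand_name:                          # paypal-secure-login
            return "contains-brand", brand
    return "unrelated", None


if __name__ == "__main__":
    for d in ["gnail.com", "gmial.com", "paypa1.com", "gmail.co", "paypal-secure-login.com", "wikipedia.org"]:
        print(d, "->", classify_domain(d))
```

A fixed edit distance of 1 is a starting point only: short brand names produce false positives (a five-letter brand is one edit from many real words), so a deployment would scale the threshold with name length, add Unicode confusables for internationalised domains, and treat "contains-brand" as a lower-confidence signal than "homoglyph".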

Fraud and Scams

  • Identity Fraud

    • Unauthorized use of someone else's personal information.
    • Often for financial gain.
    • Can lead to financial losses and damage to credit history.
  • Identity Theft

    • Stolen personal information used without consent.
    • Can involve impersonation, financial fraud, or accessing bank accounts.
    • Can result from various methods like phishing, data breaches, or physical theft.
  • Scams

    • Fraudulent schemes or deceptive practices.
    • Designed to trick individuals or organizations.
    • Common types include lottery scams, romance scams, and investment scams.
  • Invoice Scam

    • Fake or fraudulent invoices for goods or services not ordered or received.
    • Often appear legitimate with logos and contact information.
    • Scammers impersonate suppliers to request payment for fictitious products or services.

Influence Campaigns

Influence campaigns aim to sway perceptions and attitudes on a wide scale, often leveraging media, social networks, and other communication channels to disseminate their messages.

  • Misinformation

    • Inaccurate or false information shared without harmful intent.
    • Often spread inadvertently through misunderstanding, ignorance, or negligence.
    • Can lead to confusion or misunderstanding but may not be intentionally deceptive.
    • Example: Claims that gargling saltwater can prevent COVID-19.
  • Disinformation

    • Deliberately false or misleading information spread with the intent to deceive or manipulate.
    • Often disseminated for political, ideological, or malicious purposes.
    • Designed to influence opinions, sow discord, or achieve specific agendas.
    • Example: Spreading disinformation against electoral candidates.

Anti-Phishing Campaigns

Creating an anti-phishing campaign is crucial for raising awareness and educating people about the dangers of phishing attacks. Here's a step-by-step guide to developing an effective campaign:

  1. Identify Goals:

    • Determine what you want to achieve with your campaign.
    • Whether it's increasing awareness or changing behaviors, clear goals will guide your efforts.
  2. Understand Your Audience:

    • Know who you're targeting with your campaign.
    • Consider demographics, tech-savviness, and common phishing targets within your organization.
  3. Educational Materials:

    • Develop engaging and informative materials that explain what phishing is and how to recognize it.
    • This could include infographics, videos, quizzes, and interactive modules.
  4. Training Sessions:

    • Organize training sessions where participants can learn about phishing tactics.
    • Participants learn how to identify suspicious emails and what to do if they encounter a phishing attempt.
  5. Simulated Phishing Attacks:

    • Conduct simulated phishing attacks to test employees' awareness and responses.
    • This helps identify weak points and provides opportunities for additional training.
  6. Regular Updates:

    • Keep your audience informed about the latest phishing trends, techniques, and examples.
    • Phishing tactics evolve, so ongoing education is essential.
  7. Promote Reporting:

    • Encourage employees to report suspicious emails or activities promptly.
    • Implement clear reporting procedures and ensure that reports are taken seriously.
  8. Incentives and Recognition:

    • Offer incentives or recognition for employees who demonstrate awareness of phishing attempts.
    • Positive reinforcement can boost participation and engagement.
  9. Partnerships:

    • Collaborate with IT security teams, industry experts, or other organizations.
    • The goal is to enhance the effectiveness of your campaign and gain access to additional resources.
  10. Evaluation and Feedback:

    • Continuously monitor and evaluate the effectiveness of your campaign.
    • Solicit feedback from participants to identify areas for improvement.
  11. Follow-Up:

    • Phishing awareness is an ongoing process.
    • Follow up with regular refreshers, updates on new threats, and reinforcement of best practices.
  12. Measurement:

    • Define key metrics to measure the success of your campaign.
    • Examples:
      • Reduction in successful phishing attempts.
      • Increase in reporting rates.
      • Improvement in participants' ability to identify phishing emails.
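
Steps 5, 10 and 12 come together once the simulated-phishing rounds produce numbers. The following Python is an added example, not code from the original notes: it computes the three metrics listed under Measurement (reduction in successful attempts, increase in reporting rate, improvement in identification) from per-round results and checks them against the goals set in step 1. The round figures, the quiz counts and the goal thresholds are constructed values, not data from any real campaign.

```python
"""Turn simulated-phishing round results into the campaign metrics listed above."""
from dataclasses import dataclass


@dataclass
class Round:
    name: str
    sent: int           # simulated phishing emails delivered
    clicked: int        # recipients who followed the link
    submitted: int      # recipients who entered data on the landing page (a "successful" phish)
    reported: int       # recipients who used the report-phishing button
    quiz_correct: int   # post-round quiz: correctly identified the phishing samples
    quiz_taken: int


# Constructed results for three quarterly rounds (not real campaign data).
ROUNDS = [
    Round("Q1 baseline", sent=400, clicked=96, submitted=48, reported=20, quiz_correct=210, quiz_taken=350),
    Round("Q2", sent=400, clicked=60, submitted=24, reported=88, quiz_correct=280, quiz_taken=360),
    Round("Q3", sent=400, clicked=32, submitted=8, reported=160, quiz_correct=320, quiz_taken=370),
]

# Targets chosen up front in the "Identify Goals" step (constructed values).
GOALS = {"success_rate_reduction": 0.50, "report_rate_increase": 0.20, "quiz_accuracy_improvement": 0.15}


def rate(numerator: int, denominator: int) -> float:
    """Safe ratio: a round with nothing sent or no quiz takers scores 0 rather than crashing."""
    return numerator / denominator if denominator else 0.0


def round_metrics(r: Round) -> dict:
    return {
        "click_rate": rate(r.clicked, r.sent),
        "success_rate": rate(r.submitted, r.sent),
        "report_rate": rate(r.reported, r.sent),
        "quiz_accuracy": rate(r.quiz_correct, r.quiz_taken),
    }


def campaign_summary(rounds) -> dict:
    """Compare the latest round with the baseline: relative drop in successful phishes,
    absolute gains in reporting rate and quiz accuracy."""
    first, last = round_metrics(rounds[0]), round_metrics(rounds[-1])
    reduction = ((first["success_rate"] - last["success_rate"]) / first["success_rate"]
                 if first["success_rate"] else 0.0)
    return {
        "success_rate_reduction": reduction,
        "report_rate_increase": last["report_rate"] - first["report_rate"],
        "quiz_accuracy_improvement": last["quiz_accuracy"] - first["quiz_accuracy"],
    }


def goals_met(summary: dict, goals: dict = GOALS) -> dict:
    """One True/False per goal, so the evaluation step has a single table to report."""
    return {metric: summary[metric] >= target for metric, target in goals.items()}


if __name__ == "__main__":
    for r in ROUNDS:
        print(r.name, {k: f"{v:.1%}" for k, v in round_metrics(r).items()})
    summary = campaign_summary(ROUNDS)
    print({k: f"{v:.1%}" for k, v in summary.items()}, goals_met(summary))
```

The summary works on aggregate counts only, which fits the positive-reinforcement approach in step 8: the report rate and quiz accuracy are the numbers to publish, while per-person click data stays with the training team for targeted refreshers.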