Uploaded by Juan Hurtado

Social Engineering Types

Different Types of Attacks

1. Phishing
Phishing is a way to obtain information such as usernames, passwords, and credit card details by masquerading as a trustworthy brand or person in an electronic communication. The most common examples of phishing scams are those that target online banking customers: users receive emails that appear to be from their bank asking them to click on a link to review recent transactions. The link takes users to a site that looks legitimate but is actually controlled by the attacker.

The user then enters their name and password into the phishing website, which collects the login credentials and gives the attacker access to the user's account. This allows attackers to drain balances, use the victim's services (loans/mortgages), purchase goods on the victim's credit card, etc.
2. Vishing
Vishing is a type of phone fraud that uses social engineering to obtain sensitive data from individual customers. Vishing schemes can take many forms, but most commonly they appear as a customer service representative demanding verification of personal information through an automated recording or interactive voice response (IVR) system.

In another common scenario, individuals receive calls from imposters falsely claiming to represent financial institutions, law enforcement agencies, court clerks, and other entities. The imposters play audio recordings asking for immediate action on a pressing matter, such as the expiration of a password, or claim that funds are at risk unless a payment is sent to a "new" country where money is held up in customs.

Or they pose as government agents letting you know that tax auditors need your help immediately to correct an issue, or that agencies need to know who your clients are. They then ask for personal information directly or guide the victim through an IVR system to enter their data.
3. Baiting
Baiting attacks use a false promise to pique a victim's curiosity. Then, they lure users into a trap that steals their personal information and infects their computers with malware.

An attacker will send an email promising the victim some reward for completing a task, but instead of receiving what they expected, the victims' information or devices end up in the attackers' hands. The baiting attack deceives the customer into installing malicious software or submitting confidential information that can compromise their privacy or damage their machine(s).

Baiting attacks depend on human psychology because many people are too curious not to click on something they aren't supposed to. Once users have unknowingly downloaded potentially malicious content onto their devices, attackers take advantage of this opportunity and hijack systems.
4. Quid pro quo
The perpetrator calls random employees in an organization, offering some service or benefit in exchange for information or access. This continues until one of the victims agrees to provide it; that victim then becomes an insider threat to the organization's security.

An insider could reveal sensitive data through physical channels (phone calls), which might pose a significant threat to an organization's information security. After this data leaks, it should be easily detected, but if attackers used social engineering methods like pretexting and quid pro quo, their actions would be indistinguishable from legitimate requests.

Attackers can quickly collect enough information about an organization's people, processes, and systems, gaining inside knowledge that will allow them much easier access into the target network and systems.
5. Pretexting
Pretexting is often initiated by a perpetrator pretending to need sensitive information from a victim so as to perform a critical task. The success rate of this attack heavily depends on the ability of the attacker to build trust.

The pretext generally casts the attacker in the role of someone in authority who has the right to access the information being sought, or who can use the information to help the victim.

More advanced attacks sometimes try to trick their targets into doing something that abuses an organization's digital and/or physical weaknesses. For example, an attacker might impersonate an external IT services auditor so that they can talk a target company's physical security team into letting them into the building.
Is this information useful to you?

Feel free to like, share, and save if you find this post useful!