Comp Tiach4

The document outlines various social engineering and password attack techniques, highlighting core psychological principles such as authority, intimidation, and urgency that attackers exploit. It details specific attack types including phishing, impersonation, and business email compromise, along with indicators for recognizing these attacks. Additionally, it provides protection strategies to mitigate risks associated with these threats.

Uploaded by ansih12
Ch4. Social engineering and password attacks

Core psychological principles used in social engineering:

Principle                 Description and example
Authority                 Claiming to be a boss, the police or an IT admin; users comply out of respect.
Intimidation              Threatening consequences unless the target acts.
Consensus (social proof)  "Everyone else did it" comfort.
Scarcity                  "Only one left!" forces rushed decisions.
Familiarity               Pretending to be a familiar company.
Trust                     Building rapport over time before exploiting it.
Urgency                   "Act now or else!" limits critical thinking.
* Real attacks often combine multiple principles for higher success.

Social engineering attack types

➢ Phishing (via email):
Tricks users into revealing credentials or clicking malicious links.
Variants:
. spear phishing: targets specific individuals.
. whaling: targets high-level executives.
. smishing: phishing via SMS.
. vishing: voice phishing via phone or voicemail.

➢ Impersonation
Attacker pretends to be someone trusted (boss, IT, delivery personnel).
Common in BEC, pretexting and in-person attacks.

➢ Pretexting
Creating a fake scenario to justify a request.

➢ Business email compromise (BEC):
Uses spoofed or compromised emails to:
. send fake invoices
. steal credentials
. trick staff into buying gift cards or wiring funds.

Information Classification: Public


➢ Watering hole attacks
Infects websites frequently visited by the targets.
Delivers malware or exploits browser vulnerabilities.

➢ Brand impersonation
Fake emails or websites mimicking trusted brands.
Used in phishing or malware delivery.

➢ Typosquatting
Registering mistyped URLs.
Used for ads, malware and fake login pages.
Defense: register the common typo variations of your own domain.

➢ Pharming
Redirects traffic to fake websites via:
. malicious DNS changes
. hosts file modifications.

Misinformation & disinformation


Misinformation: false info spread unintentionally.
Disinformation: false info spread intentionally to manipulate.
Malinformation: true info used maliciously.
➢ Used in:
. influence campaigns
. social media manipulation
. election interference

CISA's TRUST model for combating MDM (mis-, dis- and malinformation):

1. Tell your story
2. Ready your team
3. Understand the threat
4. Strategize
5. Track outcomes


Password attacks

1. Brute-force attacks
> try every possible combination until success.
> can be online (slow, logged) or offline against a stolen hash (faster, stealthier).

2. Password spraying
> try one or a few passwords against many usernames.
> exploits weak or common passwords reused across accounts.
Example: try the password Sumeer2024 against 500 accounts.

3. Dictionary attacks (context only)
> use word lists (names, sports teams).
> not on the exam but useful to understand.

4. Rainbow table attack
> precomputed hash tables for fast cracking of weak, unsalted hashes (e.g. MD5).
> used by both attackers and security teams.

>> Secure storage tip: never store plain-text passwords; use salted, strong (slow) hashes.
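To make the secure storage tip concrete, here is an added example (not from the notes) that contrasts the unsalted MD5 a rainbow table defeats with a salted, iterated hash and its verification routine. PBKDF2-HMAC-SHA256 from Python's standard library and the 600,000 iteration count are assumptions chosen for this example.

```python
import hashlib
import hmac
import os

# Parameters assumed for this example: PBKDF2-HMAC-SHA256, a 16-byte random salt
# and 600,000 iterations. The iteration count is what makes guessing slow; the
# salt is what makes precomputed (rainbow) tables useless.
ITERATIONS = 600_000
SALT_BYTES = 16


def unsalted_md5(password):
    """The weak scheme the notes warn about: every user with the same password
    gets the same digest, so one precomputed table cracks all of them."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' for storage."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed record: reject rather than guess
    _, iters, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def salted_digests_differ(password):
    """Two users choosing the same password get different stored values."""
    return hash_password(password) != hash_password(password)
```

Salting only defeats precomputation; a weak password such as the spraying example above is still guessable, which is why the slow KDF, MFA and lockout policies matter alongside it.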

Key indicators of social engineering or password attacks

Attack type      Indicators
BEC / Phishing   Odd sender domain, urgency, misspellings
Spraying         Same password used against many usernames
Brute-force      Many login failures on one account
Impersonation    Requests from "senior staff" for urgent tasks
Typosquatting    URL similar to the real domain, full of ads
Watering hole    Compromised site visited by the target org
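The spraying and brute-force indicators in the table can be turned into simple detection logic over authentication logs. The following is an added example, not part of the original notes; the log line format, the sample lines and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed log format for this example: "<timestamp> OK|FAIL user=<name> src=<ip>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample log: one source trying a single guess against many accounts
# (spraying), another source hammering one account (brute force), plus a benign typo.
SAMPLE_LOG = """\
2024-05-01T09:00:01 FAIL user=alice src=203.0.113.5
2024-05-01T09:00:02 FAIL user=bob src=203.0.113.5
2024-05-01T09:00:03 FAIL user=carol src=203.0.113.5
2024-05-01T09:00:04 FAIL user=dave src=203.0.113.5
2024-05-01T09:00:05 FAIL user=erin src=203.0.113.5
2024-05-01T09:00:06 OK user=erin src=203.0.113.5
2024-05-01T09:10:00 FAIL user=admin src=198.51.100.7
2024-05-01T09:10:01 FAIL user=admin src=198.51.100.7
2024-05-01T09:10:02 FAIL user=admin src=198.51.100.7
2024-05-01T09:10:03 FAIL user=admin src=198.51.100.7
2024-05-01T09:10:04 FAIL user=admin src=198.51.100.7
2024-05-01T09:10:05 FAIL user=admin src=198.51.100.7
2024-05-01T09:30:00 FAIL user=grace src=192.0.2.9
2024-05-01T09:30:07 OK user=grace src=192.0.2.9
"""


def parse(log_text):
    """Yield (user, src, failed) for each well-formed line; skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["user"], m["src"], m["result"] == "FAIL"


def classify(log_text, brute_threshold=5, spray_min_users=4, spray_max_per_user=2):
    """Return {'brute_force': {user: failures}, 'spraying': {src: distinct users}}."""
    fails_per_user = defaultdict(int)                            # one account, many failures
    fails_per_src_user = defaultdict(lambda: defaultdict(int))   # one source, many accounts
    for user, src, failed in parse(log_text):
        if failed:
            fails_per_user[user] += 1
            fails_per_src_user[src][user] += 1
    brute = {u: n for u, n in fails_per_user.items() if n >= brute_threshold}
    spray = {}
    for src, per_user in fails_per_src_user.items():
        # Spraying looks like few failures per account but spread over many accounts.
        if len(per_user) >= spray_min_users and max(per_user.values()) <= spray_max_per_user:
            spray[src] = len(per_user)
    return {"brute_force": brute, "spraying": spray}
```

Note that a spray never trips a per-account lockout threshold, which is why the per-source view is needed in addition to the per-account one.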


Assessment insights (sample question summary)

Scenario                                      Attack type
Amaz0n.com link                               Typosquatting
Phone call pretending to be the IT head       Impersonation
Text phishing message                         Smishing
Mass login attempts with the same password    Spraying
Gift card scam posing as the CEO              BEC
Fake email asking for login details           Brand impersonation
Malware-laden ads on a visited site           Watering hole
Social media account copying a real brand     Brand impersonation
Political propaganda via fake profiles        Disinformation
Login failures on a single account            Brute-force attack

Protection strategies

Risk                              Mitigation
Phishing / vishing / smishing     Awareness training, spam filters, MFA
Password attacks                  Strong hashing, MFA, lockout policies
Misinformation / disinformation   Monitor social media, respond fast (TRUST model)
Impersonation / pretexting        Verify identity, callback procedures
BEC                               Email authentication, user training
Typosquatting                     Buy typo domains, DNS monitoring
