SHREE LEARNING ACADEMY
Types of Social Engineering Attacks
Phishing
Phishing is a type of social engineering attack that aims to obtain sensitive credentials or personal identification details from individuals. The technique is rooted in the idea of "fishing" for information. Phishing is a fraudulent tactic used by attackers to deceive individuals into divulging sensitive information such as usernames, passwords, credit card details, or other Personally Identifiable Information (PII). The method involves impersonating a reputable entity, such as a bank, service provider, or merchant, in electronic communication, most often email. Phishing attacks can be carried out through multiple channels of communication, including email, the web, live discussion forums, instant messaging, message boards, and various other means.
To safeguard against phishing attempts, end users should be trained to refrain from clicking on any links received via email, instant messaging, or social network messages. Instead, users should access the claimed website using a pre-existing bookmark or by searching for the website by its name. If no matching message appears in the site's own messaging or alert system after logging in to the account, the original message was most likely fraudulent. It is advisable to notify the targeted organization about any such deceitful communications and then delete the message.
Phishing tactics exploit individuals' tendency to trust apparently genuine third parties without adhering to fundamental principles of information security. Of utmost relevance in this context are two principles: "never open unexpected email attachments" and "never disclose sensitive information via email." These principles represent basic, common-sense measures to prevent security breaches.
Spear phishing
Spear phishing is a type of phishing that is customized and aimed at a specific group of people, rather than being sent out indiscriminately to anyone. Typically, attackers will attempt to infiltrate an online or digital enterprise to gain access to their customer database, enabling them to conduct more personalized attacks.
Afterward, fake messages are created to appear as if they were sent from the compromised enterprise, but with spoofed source addresses and incorrect URLs. The objective of the attack is to exploit the trust established through an existing digital or online relationship with the organization, increasing the likelihood that the recipient will be deceived by the fraudulent communication. If the victim replies, the subsequent messages or the website they visit are designed to extract their personal information with the intention of executing an account takeover or complete identity theft.
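An added detection example, not part of the original page, that checks for the spoofed source addresses and incorrect URLs described above: it parses a constructed sample message and flags a sender domain outside an assumed trusted set, a Reply-To domain that differs from the From domain, and a link whose visible text names a different domain than its actual href. The sample message, TRUSTED_DOMAINS and the simplified domain helper are all assumptions for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: the display name and the visible link text claim the real
# bank, while the actual sender address, Reply-To and href point elsewhere.
SAMPLE_EMAIL = """From: "Example Bank Support" <alerts@examp1e-bank-login.test>
Reply-To: collect@attacker-mailbox.test
To: customer@example.org
Subject: Action required on your account
Content-Type: text/html

<p>Please verify your details at
<a href="http://examp1e-bank-login.test/verify">https://www.example-bank.test/login</a></p>
"""

# Assumed: the organization's genuine registrable domain(s).
TRUSTED_DOMAINS = {"example-bank.test"}

# Simplistic anchor extractor; adequate for the constructed sample, not a full HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.S | re.I)

def registrable(host):
    """Crude 'last two labels' approximation of a registrable domain (assumption)."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""

def domain_of(addr_header):
    """Registrable domain of the address in a From/Reply-To header value ('' if absent)."""
    return registrable(parseaddr(addr_header or "")[1].rpartition("@")[2])

def phishing_indicators(raw):
    """Return human-readable indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    from_dom, reply_dom = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    if from_dom and from_dom not in TRUSTED_DOMAINS:
        findings.append(f"sender domain {from_dom} is not a trusted domain")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    body = msg.get_payload(decode=True).decode(errors="replace")
    for href, text in ANCHOR_RE.findall(body):
        href_dom = registrable(urlparse(href).hostname or "")
        shown = re.search(r"https?://([^/\s]+)", text)      # domain the reader sees
        shown_dom = registrable(shown.group(1)) if shown else ""
        if shown_dom and shown_dom != href_dom:
            findings.append(f"link text shows {shown_dom} but points to {href_dom}")
    return findings
```

Calling `phishing_indicators(SAMPLE_EMAIL)` returns three indicators for the constructed message and an empty list for a message whose sender and links all stay on the trusted domain.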
Whaling
Whaling refers to a type of phishing that focuses on particular individuals of high importance (based on their job title, industry, media presence, etc.), such as C-level executives or wealthy clients, and transmits customized messages that cater to their specific interests and requirements. Whaling attacks demand considerably more effort, preparation, and innovation on the part of the attackers to deceive the targeted individual. However, a successful attack can yield a substantial reward for the malicious hacker.
Vishing
Vishing refers to the act of phishing conducted through Voice-over-IP (VoIP) services, which is a technology enabling phone-like conversations over TCP/IP networks. Instead of traditional landline phones, several organizations and individuals use VoIP phones. Vishing can target individuals who are not necessarily utilizing VoIP themselves. Rather, the attack is initiated from a VoIP service, enabling the attacker to place a cost-free call to the victim from any location worldwide.
Vishing, which is essentially a variation of phishing, presents a significant challenge in terms of identifying the source of the attacks, as tracing their origin can be highly complex, and sometimes even impossible. Consequently, it is crucial to remain vigilant when receiving phone calls, even if the caller ID appears legitimate. It is advisable for all individuals to make an additional effort to authenticate the identity of the caller, or alternatively, terminate the call and contact the alleged organization via a verified and reliable phone number, such as the one provided on the back of a credit card or displayed on the official website of the organization.
It is important to educate users to exercise caution when asked to disclose personal information over the phone, such as account numbers, passwords, secret PINs, billing addresses, and similar data. While it may be appropriate to provide such information to a legitimate entity when initiating a call, it is not possible to fully authenticate the identity of the caller when receiving an incoming call.
Tailgating
Tailgating is a situation where an unauthorized individual gains entry to a facility by exploiting the access granted to an authorized employee, but without the employee's knowledge or consent. This type of attack can happen when an authorized employee uses their legitimate access credentials to unlock a door and enter a building. The attacker can then follow the employee closely behind and prevent the door from closing, allowing them to slip in undetected. Tailgating is a type of attack that doesn't require the victim's consent. It only relies on the victim's lack of awareness of what's happening behind them as they enter a building.
Preventing tailgating is a simple task that users can easily accomplish. Every time a user unlocks or opens a door, they should make sure that it's properly closed and locked before walking away. This single action can effectively eliminate the risk of tailgating. Although there is social pressure to hold open a door for someone who is walking up behind you, it's important not to extend this courtesy to include secure entry points.
Piggybacking is a problem comparable to tailgating, wherein an unauthorized individual gains entry to premises with the knowledge or consent of an authorized person. An attacker might employ the tactic of pretending to require assistance, for instance by carrying a large box or several papers, and requesting someone to hold the door. The intention is to divert the victim's attention while the attacker enters the restricted area without scrutiny, so that the victim never recognizes that the attacker did not possess the required credentials.
It is recommended to provide training to users on identifying and preventing such attacks. Whenever someone requests assistance in holding a secured door, users should either ask for proof of authorization or offer to swipe the individual's access card on their behalf. By doing so, the probability of an outsider using deception to gain entry to secured areas is significantly reduced.
Besides alterations in user behavior, the presence of mantraps, turnstiles, and security guards leads to a significant reduction in tailgating and piggybacking.
Impersonation
Impersonation refers to taking the identity of another individual, which can occur through various modes of communication, including in-person interactions, phone conversations, or other means. Impersonation is employed to deceive others by making them believe that you possess the claimed identity, thereby granting you access to the power or authority associated with that identity. Social engineering often employs impersonation as a tactic. The term "masquerading" can also be used to refer to impersonation. Pretexting is a type of impersonation in which an individual fabricates a false scenario to serve as the pretext for initiating a social engineering attack.
Dumpster diving
Dumpster diving involves searching through discarded materials, such as trash, abandoned locations, or unused equipment, to acquire information about a particular individual or organization. While uncovering confidential or sensitive information would be a desirable outcome for attackers, they are primarily seeking ordinary documentation. Usual items that are collected through dumpster diving include meeting notes, call logs, printed reports, outdated calendars, sticky notes, user manuals, discarded forms, product packaging, or printer test sheets. The information obtained through dumpster diving can assist attackers in conducting social engineering attacks with greater ease and effectiveness.
To prevent dumpster diving, or to minimize the usefulness of the information that can be obtained through this method, it is advisable to shred and/or incinerate all documents prior to disposal. Furthermore, it is crucial to never dispose of any storage media in the trash; instead, utilize a secure disposal technique or service.
Shoulder surfing
When an individual is able to observe a user's keyboard or view their display, shoulder surfing can take place. This type of activity could enable the observer to gain access to confidential, private, or otherwise sensitive information, including passwords.
To prevent shoulder surfing, it is common practice to segregate worker groups by their access to sensitive information, which may involve the use of locked doors. Moreover, users should avoid positioning their displays in a manner that makes them visible from outside through windows or from walkways and doorways within the organization. It is also advisable to refrain from working on confidential information in public spaces, such as coffee shops or airplanes.
Hoax
A hoax is a type of social manipulation strategy aimed at persuading individuals to take actions that can compromise their IT security or lead to problems. Typically, a hoax takes the form of an email that warns of an impending threat spreading online and instructs the recipient to undertake specific actions to safeguard themselves. Instructions given to victims of hoaxes may include deleting files or modifying configuration settings, leading to a compromised or non-functional operating system, or weakened security defenses. Moreover, these deceptive emails usually urge the recipient to disseminate the message to their entire contact list in an attempt to propagate the false information.
Watering hole attack
A watering hole attack is a specific type of directed attack aimed at a particular geographic location, community, or institution. It involves three principal stages. The first is monitoring the behaviors of the targeted individuals or group, with the objective of identifying a shared resource, website, or physical location frequently accessed by one or more members of the target; this then serves as the watering hole. The second phase entails introducing malware into the systems associated with the watering hole. In the third phase, the attackers bide their time, waiting for members of the targeted group to return to the infected watering hole and unwittingly carry the malware back into their own network.
The term "watering hole" is a metaphorical reference to the act of eradicating an entire animal population by contaminating their primary water supply. This method has proven to be relatively successful in penetrating secure or difficult-to-access groups or anonymous networks.