CompTIA Security+ SY0-601
Below are posts that work through the topics listed in the CompTIA Security+ Certification Exam Objectives.
Using authority is most effective with impersonation, whaling, and vishing attacks:
Some social engineers impersonate others to get people to do something. For example, many have called users on the phone claiming they work for Microsoft. The Police Virus attempts to impersonate a law enforcement agency. Some social engineers attempt to impersonate a person of authority, such as an executive within a company, or a technician.
Executives respect authorities such as legal entities. In a well-known whaling attack, many executives were tricked into opening infected PDF files that looked like official subpoenas.
People are often more willing to like something that other people like.
Some attackers take advantage of this by creating web sites with fake testimonials that promote a product. For example, criminals have set up some web sites with dozens of testimonials listing all the benefits of their fake antivirus software (rogueware). If users search the Internet before downloading the rogueware, they will come across these web sites, and might believe that other real people are vouching for the product.
Using consensus/social proof is most effective with Trojans and hoaxes.
Victims are more likely to install a Trojan if everyone seems to indicate it’s safe. Similarly, if a person suspects a virus notice is just a hoax, but everyone seems to be saying it’s real, the victim is more likely to be tricked.
If you like someone, you are more likely to do what the person asks. This is why so many big companies hire well-liked celebrities, and it’s also why they fire them when those celebrities become embroiled in a scandal that affects their credibility.
Some social engineers attempt to build rapport with the victim to build a relationship before launching the attack.
Familiarity/liking is most effective with shoulder surfing and tailgating attacks.
Some attacks use urgency as a technique to encourage people to take action now.
As an example, the CryptoLocker ransomware virus uses the scarcity principle with a countdown timer. Victims have 72 hours before they’ll lose all their data, and each time they look at their computer, they’ll see the timer counting down.
Using urgency is most effective with ransomware, phishing, vishing, whaling, and hoaxes.
In some cases, the attacker attempts to intimidate the victim into taking action. Intimidation might be through bullying tactics, and it is often combined with impersonating someone else. Using intimidation is most effective with impersonation and vishing attacks.
People are often encouraged to take action when they think there is a limited quantity.
As an example of scarcity, think of Apple iPhones. When Apple first releases the new version, they typically sell out quickly.
A phishing email can take advantage of this by encouraging users to click a link for exclusive access to a new product. If users click, they’ll end up at a malicious web site.
Scarcity is often effective with phishing and Trojan attacks. People make quick decisions without thinking them through.
In addition to familiarity/liking, some social engineers attempt to build a trusting relationship between themselves and the victim. This often takes a little time, but the reward for the criminal can be worth it.
Vishing attacks often use this method.