A social engineering attack leverages the weakest link in an organization, which is the
human user. If an attacker can get a user to reveal information, it is much easier for the
attacker to cause harm than it is by using some other method of reconnaissance. Social
engineering can be accomplished through email or misdirection of web pages and
prompting a user to click something that leads to the attacker gaining information. Social
engineering can also be done in person by an insider or an outside entity or over the
phone.
A primary example is attackers leveraging normal user behavior. Suppose that you are
a security professional who is in charge of the network firewalls and other security
infrastructure equipment in your company. An attacker could post a job offer for a very
lucrative position and make it very attractive to you, the victim. Suppose the job
description lists benefits and compensation far beyond what you are making at your
company. You decide to apply for the position. The criminal (attacker) then schedules
an interview with you. Because you are likely to “show off” your skills and work, the
attacker may be able to get you to explain how you have configured the firewalls and
other network infrastructure devices for your company. You might disclose information
about the firewalls used in your network, how you have configured them, how they were
designed, and so on. This would give the attacker a lot of knowledge about the
organization without requiring the attacker to perform any type of scanning or
reconnaissance on the network.
Email Phishing
With phishing, an attacker presents to a user a link or an attachment that looks like a
valid, trusted resource. When the user clicks it, he or she is prompted to disclose
confidential information such as his or her username and password. Example 4-1 shows
an example of a phishing email.
Example 4-1 - Phishing Email Example
Subject: PAYMENT CONFIRMATION
Message Body:
Dear sir,
We have discovered that there are occasional delays from our accounts department in making complete payments to our suppliers. This has caused undue reduction in our stocks and in our production department of which suppliers do not deliver materials on time.
The purpose of this letter is to confirm whether or not payment has been made for the attached supplies received.
Kindly confirm receipt and advise.
Attachment: SD_085_085_pdf.xz / SD_085_085_pdf.exe
MD5 Checksum of the attachment: 0x8CB6D923E48B51A1CB3B080A0D43589D
Spear Phishing
Spear phishing is a phishing attempt that is constructed in a very specific way and
directly targeted to specific groups of individuals or companies. The attacker studies a
victim and the victim’s organization in order to be able to make emails look legitimate
and perhaps make them appear to come from trusted users within the company.
Example 4-2 shows an example of a spear phishing email.
In the email shown in Example 4-2, the threat actor has become aware that Chris and
Omar are collaborating on a book. The threat actor impersonates Chris and sends an
email asking Omar to review a document (a chapter of the book). The attachment
actually contains malware that is installed on Omar’s system.
Example 4-2 - Spear Phishing Email Example
From: Chris Cleveland
To: Omar Santos
Subject: Please review chapter 3 for me and provide feedback by 2 pm
Message Body:
Dear Omar,
Please review the attached document.
Regards,
Chris
Attachment: chapter.zip
MD5 Checksum of the attachment: 0x61D60EA55AC14444291AA1F911F3B1BE
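The two lures in Examples 4-1 and 4-2 share the traits a mail gateway or analyst script can check for: a display name that does not match the address it normally sends from, an executable or archive passed off as a document (the "_pdf.exe" double extension), and an attachment hash that can be compared against a blocklist. The following triage routine is an added example, not code from the book; the message, contact directory and domains it uses are constructed.

```python
import hashlib
import re
from email import message_from_string
from email.utils import parseaddr
# Types that should not arrive as "documents" from outside; archives may wrap an executable.
EXECUTABLE_EXT = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta"}
ARCHIVE_EXT = {".zip", ".xz", ".7z", ".rar"}
# Double-extension trick from Example 4-1: "SD_085_085_pdf.exe" pretends to be a PDF.
DOUBLE_EXT_RE = re.compile(r"[._-](pdf|docx?|xlsx?)\.\w+$")

def attachments(raw: str) -> list:
    """(filename, md5 hex) for every attachment in an RFC 822 message string."""
    msg = message_from_string(raw)
    return [(p.get_filename(), hashlib.md5(p.get_payload(decode=True) or b"").hexdigest())
            for p in msg.walk() if p.get_filename()]

def triage_email(raw: str, known_contacts: dict, md5_blocklist: set) -> list:
    """Findings for one message. known_contacts maps a display name to the address that
    person really sends from, to catch display-name impersonation as in Example 4-2."""
    findings = []
    name, addr = parseaddr(message_from_string(raw).get("From", ""))
    expected = known_contacts.get(name)
    if expected and addr.lower() != expected.lower():
        findings.append(f"display-name impersonation: '{name}' sent from {addr}")
    for fname, digest in attachments(raw):
        lower = fname.lower()
        ext = lower[lower.rfind("."):] if "." in lower else ""
        if ext in EXECUTABLE_EXT:
            findings.append(f"executable attachment: {fname}")
        elif ext in ARCHIVE_EXT:
            findings.append(f"archive attachment, inspect before opening: {fname}")
        if DOUBLE_EXT_RE.search(lower):
            findings.append(f"double-extension attachment: {fname}")
        if digest in md5_blocklist:
            findings.append(f"known-bad attachment hash: {fname} md5={digest}")
    return findings

# Constructed sample (not a real message): Example 4-2's lure carrying Example 4-1's attachment.
CONTACTS = {"Chris Cleveland": "chris.cleveland@example.test"}
SAMPLE = """From: Chris Cleveland <chris.c@not-example.test>
Subject: Please review chapter 3 for me and provide feedback by 2 pm
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="SD_085_085_pdf.exe"
Content-Disposition: attachment; filename="SD_085_085_pdf.exe"

not a real binary
--b1--
"""
```

Running triage_email(SAMPLE, CONTACTS, set()) reports the impersonated display name and the disguised executable; passing the attachment's MD5 in the blocklist adds a hash match.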
Whaling
Whaling, which is similar to phishing and spear phishing, is an attack targeted at high-
profile business executives and key individuals in a company. Like threat actors
conducting spear phishing attacks, threat actors conducting whaling attacks also create
emails and web pages to serve malware or collect sensitive information; however, the
whaling attackers’ emails and pages have a more official or serious look and feel.
Whaling emails are designed to look like critical business emails or emails from
someone who has legitimate authority, either within or outside the company. In whaling
attacks, web pages are designed to specifically address high-profile victims. In a regular
phishing attack, the email might be a faked warning from a bank or service provider. In
a whaling attack, the email or web page would be created with a more serious
executive-level form. The content is created to target an upper manager such as the
CEO or an individual who might have credentials for valuable accounts within the
organization.
The main goal in whaling attacks is to steal sensitive information or compromise the
victim’s system and then target other key high-profile victims.
Vishing
Vishing (which is short for voice phishing) is a social engineering attack carried out in a
phone conversation. The attacker persuades the user to reveal private personal and
financial information or information about another person or a company.
The goal of vishing is typically to steal credit card numbers, Social Security numbers,
and other information that can be used in identity theft schemes. Attackers may
impersonate and spoof caller ID to hide themselves when performing vishing attacks.
Short Message Service (SMS) Phishing
Because phishing has been an effective tactic for threat actors, they have found ways
other than email to fool their victims into following malicious links or activating
malware. Phishing campaigns often use text messages to send malware or malicious links
to mobile devices.
One example of Short Message Service (SMS) phishing is the bitcoin-related SMS
scams that have surfaced in recent years. Numerous victims have received messages
instructing them to click on links to confirm their accounts and claim bitcoin. When a
user clicks such a link, he or she may be fooled into entering sensitive information on
that attacker’s site.
You can help mitigate SMS phishing attacks by not clicking on links from any unknown
message senders. Sometimes attackers spoof the identity of legitimate entities (such as
your bank, your Internet provider, social media platforms, Amazon, or eBay). You
should not click on any links sent via text messages if you did not expect such a
message to be sent to you. For example, if you receive a random message about a
problem with an Amazon order, do not click on that link. Instead, go directly to
Amazon’s website, log in, and verify on the Amazon website whether there is a problem.
Similarly, if you receive a message saying that there is a problem with a credit card
transaction or a bill, call the bank directly instead of clicking on a link. If you receive a
message telling you that you have won something, it’s probably an SMS phishing
attempt, and you should not click the link.
Universal Serial Bus (USB) Drop Key
Many pen testers and attackers have used Universal Serial Bus (USB) drop
key attacks to successfully compromise victim systems. This type of attack involves just
leaving USB sticks (sometimes referred to as USB keys or USB pen drives) unattended
or placing them in strategic locations. Oftentimes, users think that the devices are lost
and insert them into their systems to figure out whom to return the devices to; before
they know it, they are downloading and installing malware. Plugging in that USB stick
you found lying around on the street outside your office could lead to a security breach.
Research by Elie Bursztein, of Google’s anti-abuse research team, shows that the
majority of users will plug USB drives into their system without hesitation. As part of his
research, he dropped close to 300 USB sticks on the University of Illinois Urbana-
Champaign campus and measured who plugged in the drives. The results showed that
98% of the USB drives were picked up, and for 45% of the drives, someone not only
plugged in the drive but clicked on files.
Another social engineering technique involves dropping a key ring containing a USB
stick that may also include pictures of kids or pets and an actual key or two. These
types of personal touches may prompt a victim to try to identify the owner in order to
return the key chain. This type of social engineering attack is very effective and also can
be catastrophic.
Watering Hole Attacks
A watering hole attack is a targeted attack that occurs when an attacker profiles
websites that the intended victim accesses. The attacker then scans those websites for
possible vulnerabilities. If the attacker locates a website that can be compromised, the
attacker injects JavaScript or similar code into it that is designed to redirect the user
when the user returns to that site. (This redirection is also known as a pivot attack.)
The user is then redirected to a site with some sort of exploit code. The purpose is to
infect computers in the organization's network, thereby allowing the attacker to gain a
foothold in the network for espionage or other reasons.
Watering hole attacks are often designed to profile users of specific organizations.
Organizations should therefore develop policies to prevent these attacks. Such a policy
might, for example, require updating anti-malware applications regularly and using
secure virtual browsers that have little connectivity to the rest of the system and the rest
of the network. To avoid having a website compromised as part of such an attack, an
administrator should use proper programming methods and scan the organization’s
website for malware regularly. User education is paramount to help prevent these types
of attacks.
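One concrete form of the regular website scan recommended above is an inventory of the scripts each page loads, compared against a known-good baseline: a script pulled from a host the site never used, or inline code that was not there at the last scan and carries redirect or obfuscation primitives, is exactly what an injected watering-hole redirect looks like. The checker below is an added example, not code from the book; the sample page, host names and baseline are constructed.

```python
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Primitives an injected snippet uses to send returning visitors elsewhere, and obfuscation tells.
REDIRECT_RE = re.compile(r"(?:window|document|top|self)\.location|location\.(?:href|replace)", re.I)
OBFUSCATION_RE = re.compile(r"\beval\(|unescape\(|fromCharCode|atob\(", re.I)
class ScriptCollector(HTMLParser):
    """Collects the hosts of external scripts and the bodies of inline scripts."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self.external.append(urlparse(src).netloc.lower())
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data.strip())

def inline_md5(body: str) -> str:
    return hashlib.md5(body.strip().encode()).hexdigest()

def audit_page(html: str, allowed_hosts: set, baseline_inline_md5: set) -> list:
    """Findings for one HTML document. allowed_hosts lists script origins the site is known to
    use; baseline_inline_md5 holds hashes of the site's own inline scripts from a known-good scan."""
    p = ScriptCollector()
    p.feed(html)
    findings = [f"script loaded from unexpected host: {h}" for h in p.external if h and h not in allowed_hosts]
    for body in p.inline:
        if inline_md5(body) in baseline_inline_md5:
            continue  # unchanged since the last known-good scan
        tells = [n for n, rx in (("redirect", REDIRECT_RE), ("obfuscation", OBFUSCATION_RE)) if rx.search(body)]
        findings.append(f"inline script not in baseline ({', '.join(tells) or 'no tells'}): {body[:60]}")
    return findings

# Constructed sample page (not from any real site): the site's own scripts plus an injected redirect.
SITE_HOSTS = {"cdn.example.test"}
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example.test/app.js"></script>
<script>initApp({ page: "home" });</script>
<script src="https://static.not-example.test/x.js"></script>
<script>eval(unescape("window.location='http://bad.not-example.test/'"));</script>
</head><body>Welcome</body></html>"""
```

With the site's own inline script in the baseline, audit_page(SAMPLE_HTML, SITE_HOSTS, {inline_md5('initApp({ page: "home" });')}) reports only the foreign script host and the injected redirect.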