CompTIA A+ 1202 Objective 2.5: Compare and Contrast Common Social Engineering Attacks, Threats, and Vulnerabilities

Social Engineering

Social engineering is the art of manipulating people into performing actions or divulging confidential information. Unlike traditional hacking that exploits technical vulnerabilities, social engineering targets the human element of security, which is often the weakest link in any security system.

Phishing

Common Phishing Techniques:

• Fake Login Pages: Replicas of legitimate websites to steal credentials
• Malicious Attachments: Email attachments containing malware
• Urgent Requests: Claims of account suspension or security breaches
• Prize Notifications: Fake lottery wins or contest prizes
• Charity Scams: Fake charitable organizations requesting donations

Vishing (Voice Phishing)

Common Vishing Scenarios:

• Bank Fraud Alerts: Fake calls about suspicious account activity
• Tech Support Scams: Claims of computer infections requiring remote access
• Tax Authority Impersonation: Fake IRS calls about tax issues
• Lottery Scams: Fake prize notifications requiring payment
• Medical Insurance: Fake calls about insurance coverage issues

Smishing (SMS Phishing)

Common Smishing Techniques:

• Package Delivery: Fake delivery notifications with tracking links
• Bank Alerts: Fake banking security alerts
• App Updates: Fake app update notifications
• Contest Entries: Fake contest or survey invitations
• Account Verification: Fake account verification requests

QR Code Phishing

QR Code Attack Vectors:

• Restaurant Menus: Fake QR codes on restaurant tables
• Parking Meters: Malicious QR codes on parking payment systems
• Wi-Fi Access: Fake QR codes for Wi-Fi network access
• Event Tickets: Fake QR codes for event access
• Product Information: Malicious QR codes on product packaging

Spear Phishing

Spear Phishing Characteristics:

• Executive Targeting: Targets high-level executives and decision makers
• Industry-specific: Uses industry-specific terminology and context
• Social Media Intelligence: Uses social media for target research
• Internal Communication: Mimics internal company communications
• Financial Transactions: Often involves financial or sensitive data requests

Whaling

Whaling Attack Methods:

• CEO Fraud: Impersonates CEO to authorize fraudulent transactions
• Legal Impersonation: Pretends to be from legal or compliance departments
• Board Communication: Mimics board-level communications
• Merger and Acquisition: Exploits confidential M&A information
• Regulatory Compliance: Fake regulatory compliance requests

Shoulder Surfing

Shoulder Surfing Prevention:

• Privacy Screens: Use privacy filters on computer screens
• Body Positioning: Position body to block view of screen
• Secure Locations: Use private areas for sensitive information entry
• Biometric Authentication: Use biometrics instead of passwords when possible
• Awareness Training: Educate users about shoulder surfing risks

Tailgating

Tailgating Scenarios:

• Office Buildings: Following employees into office buildings
• Data Centers: Gaining access to server rooms and data centers
• Parking Garages: Following vehicles into restricted parking areas
• Elevator Access: Using elevators to reach restricted floors
• Loading Docks: Exploiting delivery and loading areas

Impersonation

Impersonation Techniques:

• Uniforms and Badges: Uses fake uniforms and identification badges
• Voice Mimicking: Mimics voices of known individuals
• Document Forgery: Creates fake documents and credentials
• Social Media Profiles: Creates fake social media profiles
• Email Spoofing: Sends emails from spoofed addresses

Dumpster Diving

Dumpster Diving Targets:

• Bank Statements: Financial information and account details
• Employee Directories: Contact information and organizational structure
• Network Diagrams: Information about network infrastructure
• Password Lists: Written passwords and login credentials
• Customer Lists: Customer information and contact details

Threats

Security threats are potential dangers that can exploit vulnerabilities in systems, networks, or processes. Understanding different types of threats helps IT professionals implement appropriate countermeasures and response strategies.

Denial of Service (DoS)

DoS Attack Types:

• SYN Flood: Sends multiple SYN requests without completing handshake
• Ping Flood: Sends large numbers of ping requests
• HTTP Flood: Overwhelms web servers with HTTP requests
• DNS Amplification: Uses DNS servers to amplify attack traffic
• Application-specific: Targets specific application vulnerabilities

Distributed Denial of Service (DDoS)

DDoS Attack Vectors:

• Volume-based: Overwhelms bandwidth with high traffic volume
• Protocol-based: Exploits network protocol weaknesses
• Application-based: Targets application layer with sophisticated requests
• Reflection Attacks: Uses third-party servers to amplify traffic
• Multi-vector: Combines multiple attack types simultaneously

Evil Twin

Evil Twin Characteristics:

• SSID Spoofing: Uses similar or identical network names
• Stronger Signal: Often provides stronger signal than legitimate network
• No Authentication: May offer open access to attract users
• Traffic Interception: Captures all data transmitted through the network
• Malware Distribution: Can inject malware into user traffic

Zero-day Attack

Zero-day Attack Lifecycle:

• Discovery: Vulnerability discovered by researchers or attackers
• Exploit Development: Creation of exploit code for the vulnerability
• Targeted Attacks: Initial attacks against high-value targets
• Widespread Exploitation: Mass exploitation once exploit becomes public
• Patch Development: Vendor develops and releases security patches

Spoofing

Spoofing Attack Types:

• ARP Spoofing: Manipulates ARP tables to redirect network traffic
• GPS Spoofing: Provides false GPS location information
• Website Spoofing: Creates fake websites that mimic legitimate ones
• Biometric Spoofing: Uses fake biometric data to bypass authentication
• Certificate Spoofing: Creates fake SSL/TLS certificates

On-path Attack

On-path Attack Methods:

• ARP Poisoning: Manipulates ARP tables to redirect traffic
• DNS Hijacking: Redirects DNS queries to malicious servers
• SSL Stripping: Downgrades HTTPS connections to HTTP
• Wi-Fi Interception: Intercepts traffic on wireless networks
• Router Compromise: Compromises network infrastructure devices

Brute-force Attack

Brute-force Attack Types:

• Online Brute-force: Attacks against live systems and services
• Offline Brute-force: Attacks against captured password hashes
• Hybrid Attacks: Combines dictionary words with brute-force techniques
• Distributed Brute-force: Uses multiple systems to distribute the attack
• GPU-accelerated: Uses graphics processing units for faster attacks

Dictionary Attack

Dictionary Attack Variants:

• Pure Dictionary: Uses exact words from dictionaries
• Hybrid Dictionary: Combines dictionary words with numbers and symbols
• Rule-based: Applies transformation rules to dictionary words
• Personal Information: Uses personal information in word lists
• Leaked Passwords: Uses passwords from previous data breaches

Insider Threat

Insider Threat Types:

• Malicious Insiders: Employees who deliberately cause harm
• Negligent Insiders: Employees who accidentally cause security issues
• Compromised Insiders: Employees whose accounts have been compromised
• Third-party Insiders: Contractors and vendors with system access
• Former Employees: Ex-employees with retained access or knowledge

Structured Query Language (SQL) Injection

SQL Injection Types:

• Union-based: Uses UNION statements to extract data
• Boolean-based: Uses boolean conditions to infer data
• Time-based: Uses time delays to infer data
• Error-based: Exploits database error messages
• Blind SQL Injection: Attacks without visible error messages

Cross-site Scripting (XSS)

XSS Attack Types:

• Stored XSS: Malicious scripts stored on the server
• Reflected XSS: Malicious scripts reflected from user input
• DOM-based XSS: Scripts executed through DOM manipulation
• Self-XSS: Tricks users into executing scripts themselves
• Blind XSS: Scripts executed in contexts not visible to attackers

Business Email Compromise (BEC)

BEC Attack Scenarios:

• CEO Fraud: Impersonates CEO to authorize wire transfers
• Vendor Impersonation: Pretends to be legitimate vendors
• Attorney Impersonation: Impersonates legal counsel for urgent matters
• Account Compromise: Compromises legitimate email accounts
• W-2 Theft: Requests employee tax information for identity theft

Supply Chain/Pipeline Attack

Supply Chain Attack Vectors:

• Malicious Updates: Distributes malware through software updates
• Compromised Libraries: Infects open-source libraries and dependencies
• Hardware Implants: Inserts malicious hardware during manufacturing
• Third-party Access: Exploits vendor access to customer systems
• Watering Hole Attacks: Compromises websites frequented by target organizations

Vulnerabilities

Vulnerabilities are weaknesses in systems, processes, or configurations that can be exploited by threats. Understanding common vulnerabilities helps IT professionals implement appropriate security measures and maintain secure environments.

Non-compliant Systems

Common Compliance Issues:

• PCI DSS Violations: Payment card industry compliance failures
• HIPAA Violations: Healthcare information privacy violations
• SOX Violations: Sarbanes-Oxley financial reporting violations
• GDPR Violations: European data protection regulation violations
• ISO 27001: Information security management system failures

Unpatched Systems

Patch Management Challenges:

• Testing Requirements: Need to test patches before deployment
• Downtime Concerns: Patches may require system restarts
• Compatibility Issues: Patches may break existing functionality
• Resource Constraints: Limited resources for patch management
• Legacy Systems: Older systems may not support current patches

Unprotected Systems

Protection Gaps:

• Network Segmentation: Lack of network segmentation and isolation
• Access Controls: Insufficient access control mechanisms
• Backup Systems: Missing or inadequate backup and recovery systems
• Incident Response: Lack of incident response capabilities
• Security Awareness: Insufficient security awareness training

End of Life (EOL)

EOL System Risks:

• Windows XP: No longer supported by Microsoft
• Windows 7: End of support for consumer versions
• Legacy Applications: Applications no longer supported by vendors
• Hardware Components: Hardware no longer supported by manufacturers
• Network Equipment: Network devices past their support lifecycle

Bring Your Own Device (BYOD)

BYOD Security Challenges:

• Device Management: Difficulty managing diverse personal devices
• Data Separation: Challenges separating personal and business data
• Compliance Issues: May violate data protection regulations
• Network Access: Uncontrolled access to corporate networks
• Application Security: Unknown security of personal applications

Exam Preparation Tips

Practice Scenarios:

1. Identify the type of social engineering attack in a given scenario
2. Recommend appropriate countermeasures for specific threats
3. Recognize system vulnerabilities and their security implications
4. Develop security awareness training content for users
5. Implement security controls to prevent common attacks
6. Respond to security incidents involving social engineering