
Silvestre, Angelica B.

BSCPE 3-1

Part 1: Explore Social Engineering Techniques

Step 1: Explore Baiting, Shoulder Surfing, and Pretexting.

Questions:
What is baiting? Did you click on the USB drive? What happened to the victim’s system?

Baiting is a kind of attack where a social engineer uses a false promise or reward to trap victims and steal their sensitive information by infecting their system with malware. Baits are very attractive and enticing, not to mention manipulative, and their end goal is to infect your system and gain access to personal information. If I click on the USB drive, malware will be automatically installed on my computer system.

What is Shoulder Surfing? What device was used to perform the shoulder surfing? What
information was gained?

Shoulder surfing is the term used to describe one person observing another person’s
computer or mobile device screen and keyboard to obtain sensitive information. Direct
observation can be done by simply looking over someone’s shoulder – hence shoulder surfing –
or using binoculars, video cameras (hidden or visible), and other optical devices. Typically, the
objective of shoulder surfing is to view and steal sensitive information like username and
password combinations that can be later used to access a user’s account. Credit card numbers,
personal identification numbers (PIN), sensitive personal information used in response to security
questions (like middle name and birth date used for password recovery) are also targeted.

What is Pretexting? What type of information did the cybercriminal request? Would you
fall victim?

Pretexting is a type of social engineering attack whereby a cybercriminal stages a scenario, or pretext, that baits victims into providing valuable information that they wouldn’t otherwise. What the cybercriminal requests from the victim might be a password, credit card information, personally identifiable information, confidential data, or anything that can be used for fraudulent acts like identity theft. I might fall victim, because the attacker could give me plausible reasons and believable information that lead me to trust them.

Step 2: Explore Phishing/Spear Phishing and Whaling

Questions:
In this phishing example, what is the ploy the attacker uses to trick the victim to visit the trap website? What is the trap website used to do?

Phishing attacks are the practice of sending fraudulent communications that appear to come from a reputable source. It is usually performed through email. In this attack, the attacker creates a website that is virtually identical to the legitimate website of a business the victim uses, such as a bank. When the user visits the page through whatever means, be it an email phishing attempt, a hyperlink inside a forum, or via a search engine, the victim reaches a trap website which they believe to be the legitimate site instead of a fraudulent copy.
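The trap website described above only works because its address looks like the real one. The following is an added example, not part of the lab or this answer sheet, showing one defensive check a mail gateway or security-awareness tool can run on links in an inbound email: it compares each link's host against a small allow-list of legitimate domains and flags hosts that embed a known-good name under a different registrable domain, or that differ from a known-good name only by look-alike characters. The allow-list, the sample links, the homoglyph table and the helper names are all constructed for this example; a production tool would use the public-suffix list instead of the naive "last two labels" rule.

```python
from urllib.parse import urlparse

# Constructed allow-list of domains users legitimately log in to (sorted for deterministic checks).
KNOWN_GOOD = sorted({"examplebank.com", "mail.example.com"})

# Constructed links, as they might be extracted from one inbound email.
SAMPLE_LINKS = [
    "https://examplebank.com/login",                    # genuine
    "https://examplebank.com.secure-verify.net/login",  # real name used as a subdomain of another domain
    "http://exarnplebank.com/account",                  # 'rn' imitates 'm'
    "https://examp1ebank.com/",                         # digit 1 imitates letter l
    "https://mail.example.com/inbox",                   # genuine
    "https://weather.example.org/",                     # unrelated, simply unknown
]

# Constructed, deliberately small homoglyph map: digits and letter pairs commonly swapped in look-alikes.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels (e.g. 'a.b.example.com' -> 'example.com')."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalise(domain: str) -> str:
    """Fold common look-alike substitutions so 'examp1ebank' and 'exarnplebank' compare equal to 'examplebank'."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single-character typosquats the homoglyph fold misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Return 'known-good', 'lookalike: ...' or 'unknown' for one URL."""
    host = (urlparse(url).hostname or "").lower()
    reg = registrable_domain(host)
    for good in KNOWN_GOOD:
        # Exact host or a real subdomain of an allow-listed name.
        if host == good or host.endswith("." + good):
            return "known-good"
    for good in KNOWN_GOOD:
        # Allow-listed name appears inside a host whose registrable domain is something else.
        if good in host:
            return "lookalike: embeds " + good
        # Same name after folding look-alike characters, or one edit away from it.
        if normalise(reg) == normalise(good) or levenshtein(normalise(reg), good) <= 1:
            return "lookalike: resembles " + good
    return "unknown"


def triage(links):
    """Classify every link and return {url: verdict}; callers can quarantine anything starting 'lookalike'."""
    return {url: classify(url) for url in links}


if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_LINKS).items():
        print(f"{verdict:40} {url}")
```

The two-pass order matters: genuine subdomains of an allow-listed name are accepted first, so that a host like mail.example.com is not mistaken for a look-alike of example.com, and only then are embedded names and near-matches flagged.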
What is the difference between phishing and spear phishing or whaling?

While phishing schemes are typically mass mailings, spear phishing is a more targeted and customized attack. The bad guys will do a little research and find out specific information about the target. It may come from the company website, social media, financial reports, or industry sources. With the information in hand, they will customize an email to make it appear more legitimate. Meanwhile, whaling is a form of spear phishing aimed at “whales” at the top of the food chain. Whaling targets CEOs, CFOs, and other high-level executives. This type of cyber-attack is big business for the hackers.

Step 3: Explore Scareware and Ransomware

Questions:
What data does the attacker claim to have in this example? Would you fall for this deception?

The attacker claims to have the victim’s confidential information, such as logins and bank details. If this happened to me, I might not fall for it, since I know not to click any unknown email or site and not to give out any information about myself.

What is the attacker requesting the victim do to get the data back?

The attacker pressures the victim into paying a ransom, by restricting access to the infected device or threatening legal action, in order for the victim to get the data back.

What is tailgating?

Tailgating, sometimes referred to as piggybacking, is a physical security breach in which an unauthorized person follows an authorized individual into secured premises. Tailgating provides a simple social engineering-based way around many security mechanisms one would think of as secure. Even retina scanners don't help if an employee holds the door for an unknown person behind them, out of misguided courtesy.

Give three ways to prevent social engineering attacks.

1. Don't use the same password for different accounts. If a social engineering attack gets the password for your social media account, you don't want the attacker to be able to unlock all of your other accounts too.
2. Keep your anti-malware and anti-virus software up to date. This can help prevent malware that comes through phishing emails from installing itself. Use a package like Kaspersky's Antivirus to keep your network and data secure.
3. Keep software and firmware regularly updated, particularly security patches.
