Spam and many other types of hoaxes can be used as weapons of social engineering through impersonation attacks. In this video, learn about common impersonation attacks including spam, phishing, spoofing, vishing, spim, spear phishing, pharming, and whaling.
- [Instructor] You're probably already familiar with spam. It's hard to open your email inbox without being bombarded with unwanted messages. Let's take a look at how spam and many other types of hoaxes can be used as weapons of social engineering through impersonation attacks. Spam, also known as unsolicited commercial email, or UCE, consists of unwanted messages sent for a variety of marketing and scamming purposes. Most spam is illegal under the CAN-SPAM Act, but it is difficult to prosecute offenders because it is often hard to identify them.
Phishing is a subcategory of spam. Phishing messages have the explicit purpose of gaining access to an account. They want to trick users into revealing passwords to sensitive accounts such as bank accounts or employer systems. For example, an attacker might send thousands of email messages to random recipients warning them that their email accounts are running out of space, and that they need to fill out a form to request more space. When users click the link to fill out the form, it first asks them for their username and password. Unfortunately, the page isn't legitimate, and is part of a phishing attack.
The form actually sends the username and password to the hacker who can then take control of the account. Credential reuse is another real danger with phishing attacks. Many people use the same username and password across many different sites. If they're tricked into providing their password during a phishing attack against a low-risk site, the attacker may then turn around and try to use that same password on a much more sensitive site such as an online banking account. Spear phishing attacks are highly targeted phishing exercises. These attacks specifically target a very small audience such as employees at a small business.
They then use the jargon of that business, and possibly the names of business leaders, to add an air of legitimacy to the message. With this added authority, spear phishing attacks have higher success rates than generic phishing attacks. Whaling is a subset of spear phishing. Like spear phishing attacks, whaling attacks are also highly targeted. Whaling attacks focus even more specifically on senior executives, trying to obtain the money, power, influence, or authority of a senior leader.
One common whaling tactic is to send fake court documents to senior business leaders saying that the organization is being sued, and that they must click a link to read the legal paperwork. They click that link, and boom, they're infected with malware, or their account is in a hacker's hands. Pharming attacks often begin with a phishing message, but go to great lengths to make them successful. The attackers set up a fake website that looks like a legitimate site, and send victims a link to the fake site.
They might use typosquatting to make the URL seem very similar to the real site, and then copy the look and feel of that real site that is already familiar to users. When the user logs in to the fake site, the attacker captures his or her credentials. Variations on the pharming attack might skip the phishing messages and use DNS poisoning to redirect victims to the fake site. Vishing, or voice phishing attacks, have been around forever, but now they have a fancy name. In these attacks, the hacker simply picks up the telephone and calls unsuspecting people using social engineering tactics to trick them into revealing sensitive information.
They might pose as a help desk, and ask for a user's password to help correct an account issue that doesn't exist. Or they might ask someone to visit a website and install a file to improve security. Not all spam messages are sent by email. Spim, or spam via IM, attacks use instant messaging services to send spam and phishing messages. These attacks began via AOL Instant Messenger years ago, but have spread to SMS, and iMessage in recent years.
They often use a tactic called spoofing, which as the name implies means faking the identity of someone else when sending a message. It is easy to forge an email, and hackers have software designed to do that where they can simply type in the name of a random sender and generate a fake message. Similar technology exists for caller ID and SMS messages. Attackers are persistent and clever in their attempts to infiltrate an enterprise through fake messages. While many of their attempts may seem simple, some are sophisticated.
The important thing to remember is that they don't all need to be successful. A phishing attack succeeds if it nets a single victim. That's why education and awareness are the most critical tools for defending against social engineering attacks.
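As an added, defender-side example that is not part of the course or the transcript: a small Python checker that applies two of the indicators described above, look-alike (typosquatted) sender and link domains, and a Reply-To address that does not match the From address. The trusted-domain list and the sample message are constructed for this example.

```python
import email.utils
import re
from email import policy

# Domains the organisation legitimately sends from (constructed for this example).
TRUSTED_DOMAINS = {"example.com", "mail.example.com"}
URL_HOST = re.compile(r"https?://([^/\s\"'<>]+)", re.IGNORECASE)

# Constructed sample: the "mailbox running out of space" lure from a look-alike domain.
SAMPLE_PHISH = """\
From: IT Help Desk <helpdesk@examp1e.com>
Reply-To: recover@freemail.invalid
Subject: Your mailbox is running out of space

Your account is almost full. Fill out the form at
http://mail.examp1e.com/quota to request more space.
"""

def edit_distance(a, b):
    # Levenshtein distance: the number of single-character edits between a and b.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def looks_typosquatted(domain, trusted=TRUSTED_DOMAINS):
    # An untrusted domain within two edits of a trusted one is a look-alike.
    domain = domain.lower()
    return domain not in trusted and any(edit_distance(domain, t) <= 2 for t in trusted)

def domain_of(header):
    # Domain part of an address header; "" when the header is absent.
    return email.utils.parseaddr(header or "")[1].rpartition("@")[2].lower()

def phishing_indicators(raw):
    # Return a list of findings for a raw RFC 5322 message; an empty list means clean.
    msg = email.message_from_string(raw, policy=policy.default)
    sender, reply_to, findings = domain_of(msg["From"]), domain_of(msg["Reply-To"]), []
    if looks_typosquatted(sender):
        findings.append(f"From domain {sender} is a look-alike of a trusted domain")
    if reply_to and reply_to != sender:
        findings.append(f"Reply-To domain {reply_to} differs from From domain {sender}")
    part = msg.get_body(preferencelist=("plain",))
    for host in URL_HOST.findall(part.get_content() if part else ""):
        if looks_typosquatted(host.split(":")[0]):
            findings.append(f"Link host {host} is a look-alike of a trusted domain")
    return findings
```

Running `phishing_indicators(SAMPLE_PHISH)` yields three findings (look-alike From domain, mismatched Reply-To, look-alike link host); a message from a trusted domain with trusted links yields none.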
The CompTIA Security+ exam is an excellent entry point for a career in information security. The latest version, SY0-501, expands coverage of cloud security, virtualization, and mobile security. This course prepares exam candidates for the critical Threats, Attacks, and Vulnerabilities domain of the exam. By learning about malware, networking and application security exploitations, and social engineering, you'll be prepared to answer questions from the exam—and strengthen your own organization's systems and defenses. Author Mike Chapple, an IT leader with over 15 years of experience, also covers the processes for discovering and mitigating threats and attacks, and conducting penetration testing and scanning for vulnerabilities. Visit certmike.com to join one of his free study groups.