10232624 Master Regulating IT

10/21/24

Penetration testing – Social Engineering Testing

• Baiting:
  • Definition: Baiting involves leaving physical devices, such as infected USB drives, in places where they are likely to be found. The goal is to entice individuals to use the devices, compromising the security of their systems.
  • Example: Leaving USB drives with malware in a public area, relying on someone finding one and plugging it into a computer.

• Quizzes and Surveys:
  • Definition: Attackers may use fake quizzes, surveys, or contests to collect personal information from individuals. These deceptive forms may appear harmless but can lead to data theft.
  • Example: A social media quiz requesting personal information, which is then used for identity theft or account compromise.

• Pretexting:
  • Definition: Pretexting involves creating a fabricated scenario, or pretext, to trick individuals into divulging information. This often includes gaining their trust by posing as a legitimate authority or service provider.
  • Example: An attacker posing as an IT support technician, claiming to need account information for a system upgrade.

company confidential

33

Penetration testing – Social Engineering Testing

• Tailgating (Piggybacking):
  • Definition: Tailgating occurs when an unauthorized person follows an authorized individual into a secured area without proper authentication. This exploits the natural inclination to hold doors open for others.
  • Example: Someone without an access badge following closely behind an authorized employee through a secure entrance.

• Human-Based Impersonation Attacks (HBIAs):
  • Definition: An HBIA involves attackers employing human-like characteristics in automated messages or AI-based interactions to deceive individuals. This technique combines social engineering with technology.
  • Example: A chatbot that mimics human communication to trick users into providing sensitive information.

• Reverse Social Engineering:
  • Definition: In reverse social engineering, the attacker persuades the target to initiate contact, making it appear that the target is seeking help or information.
  • Example: An attacker posts a fake job opening online, prompting individuals to send their resumes and personal information.


34
