You’ve been told you need social engineering training, but as soon as you start researching what social engineering is, you’re hit with all these confusing terms and abbreviations.
OSINT? Payload? C2? Whaling?
What in the world do all these technical terms mean, and how do they apply to social engineering?
Trust us, we know the lingo can be overwhelming to those outside of the cybersecurity industry. That’s why we decided to round up a few of the most difficult or perplexing social engineering-related words and demystify them.
Here are nine cybersecurity terms often associated with social engineering, with clear examples to help with understanding:
1. Malware
Malware is derived from the terms malicious and software. It refers to any software that is intended to damage or disrupt computer systems. Additionally, malware may be used to gain unauthorized access to computer systems.
An attacker created a piece of software that, when installed on a computer system, causes the computer to crash. That software is known as malware.
2. Command & Control (C2 or C&C)
A command and control server (often referred to as C2 or C&C) is a machine that an attacker controls and uses to send technical hacking “commands” to compromised systems. It’s also often referred to as a command shell.
A computer got infected with malware and here’s what happened next: the malware reached out to the C2 server for instructions, and the C2 server sent back commands telling the malware to encrypt the files on the infected computer. The malware then checked in with the C2 server again for further instructions. Here, the hacker sits behind a keyboard telling it exactly what to do.
3. Phishing (Spear Phishing, Whaling, Vishing and SMS Phishing)
Phishing is the act of sending malicious emails, intended to fool or manipulate a victim into divulging sensitive information or performing actions damaging to the system.
Spear phishing and whaling are specific types of phishing. Spear phishing refers to a phishing email that is highly targeted. Essentially, the sender of the spear phishing email has done their research on the target and crafted an email explicitly designed for them, piercing them like a fisherman would spear a single fish.
Whaling is similar to spear phishing, but rather than the target being just anyone, whaling emails target high-value individuals such as CEOs and company presidents. Think, the biggest fish in that company’s ocean: the whale.
Vishing and SMS phishing (sometimes referred to as smishing) are types of phishing that use voice calls and text messages rather than email to trick their targets.
General Phishing Example:
A user received an email looking like it came from her bank. The fraudulent email requested that she reply with her social security number and birthdate so the bank could verify they have her information correct. However, the email did not come from her bank; rather, it came from an attacker attempting to steal her data.
Vishing Example:
A user received a phone call from someone claiming to be from Microsoft. The caller stated that they detected a virus on the user's computer and that they must access the computer to remove it. However, the caller is not actually from Microsoft; instead, they are an attacker trying to gain unauthorized access to the user's computer.
SMS Phishing Example:
An individual has received a text message congratulating them for winning a gift card. To claim the gift card, they must click on the link in the text message. Unfortunately, the text message and the gift card are not legitimate. Instead, when the person clicks on the link in the text message, malware is installed on their mobile device.
Spear Phishing Example:
An attacker has performed research on a target individual's shopping habits. The attacker knows that the target often buys cosmetics from Amazon. With this knowledge, the attacker crafts an email that appears to be from Amazon regarding her recent cosmetics order. In reality, the email is a trick to get the individual to share her credit card information.
Whaling Example:
An attacker has performed research on a target company and drafted a fraudulent email targeting the company's CEO. The goal of the email is to trick the CEO into approving a high-value wire transfer that other employees in the organization do not have permission to perform.
4. Open Source Intelligence (OSINT)
Open Source Intelligence (OSINT) refers to any information that an attacker can gather for free. Essentially, this is any information that is not behind a paywall and is openly available to the everyday user on the internet or via public record.
An attacker is planning to target the HR department of an organization. The attacker found the name, email address and phone number of the HR director simply by searching for the company on LinkedIn and looking at its employees. The attacker in this scenario used OSINT to find the information they needed.
5. Pretexting
Pretexting refers to weaving a false story or narrative using as many true facts as possible to build trust and credibility. The purpose is to convince the target to take a course of action, such as revealing sensitive information, permitting access to an unauthorized area or installing malicious software.
An attacker has arrived at an office building dressed in a suit and wearing a name badge that appears to be from the corporate office. The attacker speaks to the security guard stating that he is from out of town and is there for a crucial stakeholder meeting. The guard knows a stakeholder meeting is occurring this week, so he lets the attacker into the building without looking into his credentials further.
6. Back Door
A back door is a covert entry point that provides a secret way into a user's computer without the user's knowledge. Sometimes programmers deliberately build back doors into their own software so they can get back into the program later to fix problems.
Back Door Example:
An attacker gained access to an application. Concerned that the vulnerability that allowed them to access the application could potentially be discovered and fixed, the attacker modified the application to create a back door for access later.
7. Multi-Factor Authentication (MFA)
Multi-factor authentication (MFA) is a method of authentication in which a user must provide two or more factors for verification. In an MFA environment, a password alone is not enough to gain access. Along with the password, additional factors are required to prove that the individual is authorized to have access.
A user is in the process of setting up online access to her bank. After setting a password, she is asked to set up another authentication method such as voice, SMS or an authenticator app. The online banking site has been configured to require multiple steps to verify that users are who they claim to be, in order to prevent fraudulent access.
8. Payload
When discussing cybersecurity, a payload refers to a set of computer instructions secretly installed onto a victim's computer that gives the adversary covert access to the victim's computer system.
After a user has clicked a link to install malware on their device, the payload is activated and performs any actions programmed by the attacker.
9. Reverse Social Engineering
Reverse social engineering is a social engineering attack in which the attacker sets up a situation where the victim encounters a problem and contacts the attacker for help.
Reverse Social Engineering Example:
An attacker has created business cards, using a fake name and claiming to provide tech support. He distributes these business cards everywhere he goes. Then, when a user calls with a technical problem, he uses his facade to steal money from the individual without fixing their computer.
The Security Awareness Your Team Needs
Now that you know some high-level social engineering terms, are you ready to learn more about how social engineering attacks happen? Let the world’s once most famous hacker explain to your employees how it all works in his revered presentation, “How Hackers Attack & How to Fight Back.”