
Questions tagged [social-engineering]

Social engineering is the act of manipulating people into performing actions or divulging confidential information.

0 votes
2 answers
209 views

What's the risk of interacting with a social engineer?

I received a WhatsApp message. I never registered with any recruitment job portal, or even speak Arabic at all. What are the dangers in myself trying to find out what happened (did they send the same ...
George Ntoulos's user avatar
4 votes
1 answer
273 views

Is there any benefit to normalizing unicode/utf-8 names that I am overlooking?

Reading how Spotify was normalizing unicode inconsistently, and now I'm questioning if I am overlooking any issue on accepting non-normalized usernames. From what I can tell, lowercase was first used ...
gcb's user avatar
3 votes
0 answers
179 views

A paper about putting formally proven secure "fake" vulnerabilities into your software to waste malicious actors' time

I remember seeing a tweet about an infosec research paper a while ago on how one can put a lot of "fake vulnerabilities", which resemble real vulnerabilities but are actually formally proven ...
Hypatia du Bois-Marie's user avatar
3 votes
1 answer
883 views

Is FIDO2 authentication vulnerable to a social engineering replay attack?

I'm starting to learn about the FIDO2 standard, and I'm wondering if this scenario is possible... Victim visits a credential harvesting page and enters their credentials Credential harvesting backend ...
Sean W.'s user avatar
1 vote
0 answers
110 views

Should I publish a blog post about scam ideas? [closed]

I have written and was planning on publishing a blog post about scams. The blog post talks about methods used by hackers in their Reconnaissance phase (specifically, researching individual people) and ...
2br-2b's user avatar
0 votes
1 answer
351 views

Doesn't 2FA increase the vulnerability of an account?

You create an account on an online service X with login=your email + password. Compare these 2 situations: No 2FA enabled. The only risk is if your email is compromised: the "I lost my password&...
low78's user avatar
1 vote
0 answers
108 views

Is there a standard for fencing email domains to specific use cases?

To my knowledge, there's no common standard for sysadmins to publish trusted domains for specific use cases. If it exists, I would presume that this might limit phishing attacks. Think of my question ...
Caleb Faruki's user avatar
1 vote
1 answer
195 views

Suspicious hyperlinks (all hex URLs) in e-mail

I'm communicating with a job headhunter over LinkedIn and he sent me an e-mail containing information about a position. However, I noticed that all of the hyperlinks in the e-mail (even the one on ...
Daniel Walker's user avatar
3 votes
1 answer
224 views

Would there be any security downside to text-message "verification codes" saying what they're for?

When I log into some web services, I need to send back a verification code contained in a text message that starts out with something to the effect of "You or someone claiming to be you is trying ...
supercat's user avatar
5 votes
0 answers
1k views

Disturbing/suspicious Google notifications about account recovery and password change

This is similar to Is this Google mail from gaia.bounces.google.com legit?, except a) I have nothing in my life related to the language used (Indonesian), b) these are different notifications (and ...
Sz.'s user avatar
1 vote
1 answer
261 views

Can you impersonate someone on a cell phone network if you can get them to enter a magic code?

I just got weird warning on a social network about a scam that is supposedly making the rounds. However the claims were quite outlandish and I'm skeptical if it's even technically possible. If the ...
Vilx-'s user avatar
2 votes
4 answers
642 views

Why don't bigger companies buy similar domains to their main domain to prevent typosquatting?

One big threat out there is typosquat domains. For example instead of: steamcommunity.com some malicious actor will register the domain stearncornmunity.com and set up his fake steam login. Why do ...
birdd's user avatar
0 votes
1 answer
305 views

Purpose of fraudulent AWS SSL/TLS certificate request for my domain

I just received an email from AWS re Certificate request for [my personal domain]. This email asked me to approve this request with a link or forward to an AWS email for validation. Needless to say ...
Nigel Savage's user avatar
0 votes
0 answers
205 views

How can I protect myself from this simple, yet lethal (SE) WhatsApp hack?

I've been using WhatsApp as well as my current phone number for at least eight years now. As of now, everything went pretty smoothly. That's why the message four days ago, 13th of August 2021, struck me:...
J. M. Arnold's user avatar
2 votes
1 answer
618 views

Multiple login attempts made using mobile OTP in multiple customer sites at the same time

We have multiple customer sites which provide login via mobile number OTP option (new & registered users). Recently, we came across an incident where a user received 100+ OTPs within a few minutes ...
Vijayabharathi's user avatar
0 votes
1 answer
159 views

Realistic for organizations to avoid links in emails pointing to less known sites?

Over the years, I found myself constantly pointing out to organizations that emails containing links with 3rd party domain names that are relatively unknown are problematic. That's how social ...
user2153235's user avatar
0 votes
2 answers
461 views

How was the hacker able to get my Instagram tag through Facebook when they weren’t linked?

All of this happened on 18th November 2020. A person I know sent me a phishing link of Facebook then Google, I entered my credentials however as soon as I found out that it's a phishing link, I turned ...
yessirmk's user avatar
2 votes
1 answer
235 views

New trend? Recognizable and specific subject in Spam / malware mails

It seems that a new trend has emerged in the past few weeks. While users are (meanwhile) aware that an unexpected mail with subject "Your invoice" or "Your delivery" is suspicious, ...
Hagen von Eitzen's user avatar
77 votes
12 answers
20k views

Why is a link in an email more dangerous than a link from a web search?

Everyone knows of the common cybersecurity tips to be careful when you open links in an email. But every day we look for something on the Internet, clicking links which the search engine shows us, and ...
Adam Shakhabov's user avatar
1 vote
0 answers
116 views

Can OTP (One-Time password) be used to protect data after intrusion has been detected? [closed]

I am working on Social Engineering attacks happening via SMSs. Let's assume a person receives an SMS asking him to click on a malicious link. If a virus is installed on the person's device, how can ...
Lionel's user avatar
36 votes
4 answers
8k views

Why is social engineering often excluded from bug bounties?

I noticed a lot of companies do not have social engineering as in-scope of bug bounties/responsible disclosure guidelines, even though it is often used in real-world attacks. I understand that for ...
Z3r0byte's user avatar
-1 votes
1 answer
130 views

Social Engineering or Broken Authentication

If I go to a cybercafe and use one of the shared computers, and use a social media application, which deletes session IDs when the browser is closed. A clever person comes, who knows about the ...
hakiki_makato's user avatar
2 votes
2 answers
4k views

How do I know/find out about Minecraft Server Vulnerabilities?

I remember playing Minecraft (Java-we're only talking about Minecraft Java on the computer here) at like 13-14 years old, and having this server owner claim that the server has been hacked, and that ...
Eliter's user avatar
8 votes
3 answers
385 views

I have lost control of my online identity due to mistakes made decades ago. What can I do?

About 2 decades ago (late 90s/early 00s), when I was still in high school, I opened up social media accounts online. Over the course of a few years and using these social media platforms, I posted ...
user235075's user avatar
26 votes
6 answers
7k views

Is it a good idea to use non-ASCII names in the U.S.? [closed]

Grimes and Elon Musk named their baby: X Æ A-12. What are the risks of non-ASCII names? For example, does the COBOL unemployment platform support non-ASCII names? Would it be possible to get a ...
0x90's user avatar
2 votes
1 answer
184 views

How misappropriation-resistant are common deployed signature formats?

Given an RSA signature as produced by openssl dgst -sha256 -sign rsapriv.pem -out afile.sig afile and without access to the private key used for that, one can¹ come up with a fully functional RSA ...
fgrieu's user avatar
0 votes
2 answers
408 views

Phishing emails - What do I look for?

I want to be able to spot a phishing email. What are the things to check when investigating and doing forensics on one? There are some things I know to look for already but I want to get more ...
Warren White's user avatar
-1 votes
1 answer
957 views

Are IPv4 more intuitively hard to track than IPv6?

I understand that it is easier for a human to intuitively figure out the alleged whereabouts of a machine if that machine's IP address is IPv6, rather than if it's IPv4: For example, since I configured ...
1 vote
0 answers
168 views

Is Social Engineering out of scope unless explicitly requested? [closed]

I've seen some sample "What would you like to be pentested?" page (I can't find or remember the exact source) where Cyber, Physical and Social were asked separately (among other areas like Wifi, ...
ChocolateOverflow's user avatar
15 votes
3 answers
974 views

Canadian police mentioned a new line-trapping technique, but what is that?

The police in Canada are saying that there is a new technique ("line-trapping") where the scammers told a lady to call the police to confirm some fraudulent details, but when she hung up and called ...
Filipon's user avatar
1 vote
1 answer
1k views

What is it called when someone glides through a building's external door behind you? [duplicate]

One form of social engineering is the practice of running up to a building's external door just as an employee is entering. The employee often holds the door open for the intruder, bypassing security ...
Mayor of the Plattenbaus's user avatar
0 votes
1 answer
637 views

"Harmless" script which downloads malicious script

What if I code a program without malicious code which would pass in every antivirus scan and after the virus scan and user giving special rights to it, it downloads and executes the real virus? Since ...
Eduardo M's user avatar
19 votes
1 answer
4k views

How to protect yourself against OSINT?

I recently watched a video about OSINT and learnt it can be quite a powerful agent. I've been on the internet for years, and at this point I'm not sure what I've posted and where. Given this is now ...
iiSupaCannon's user avatar
2 votes
1 answer
210 views

How can I as middleman verify whether a phishing site is valid if the scam listens only on the referrer link and blocks any other access methods?

How can I as a trusted user of a middleman company (such as PhishTank) verify whether a phishing site is valid if the scam listens only on a unique referrer link(randomly created) and is blocking any ...
tungsten's user avatar
-2 votes
2 answers
243 views

Is it social engineering when you know you are being social engineered? [closed]

More like a philosophical question.
Phil O'Suff's user avatar
2 votes
1 answer
272 views

How safe is it to have a LinkedIn account where you have published all the important information about yourself?

How safe is it to make your information public? I know that there are many risks from social engineers' side, if you put everything about yourself a hacker will have most of the information about you ...
cyberbird's user avatar
0 votes
1 answer
834 views

Is it possible to evil twin a WPA2 Wi-Fi using one of the EAP methods?

The same as Fluxion but without the captive portal, just like this video Stealing 802.1x Credentials with Rogue AP & RADIUS server he was able to get the username and the password of an EAP wifi ...
mina nageh's user avatar
0 votes
1 answer
172 views

Data leakage in internet-only services

Nowadays, internet-only services have become very popular, for example, direct banks and many others. The advantage of such services is you don't have to spend the time to get to the office in order to get ...
gar's user avatar
0 votes
1 answer
206 views

Tech support agent asked me some questions unrelated to tech support or my problem

About 4 years ago I was having a problem with my Microsoft Windows system so I went to Google and searched "Microsoft tech support phone number" to see the results and got the number from some random ...
Henry WH Hack v3.0's user avatar
6 votes
1 answer
2k views

Understanding a Whatsapp account hack (social engineering?)

A friend of mine (Bob) received a suspicious Whatsapp message today, seemingly from a former colleague (Alice), who claimed to have "forwarded [to Bob] an SMS with a code in it by mistake", and who ...
Laurent S's user avatar
0 votes
0 answers
115 views

What to do after a social engineering attack was used to trick utility services at my hypothetical business? How to close the security hole?

Business Attack Scenario Standard information that was ubiquitous through my chain-businesses was exploited by a rogue group of former employees to sabotage. They considered manipulating all ...
The T's user avatar
0 votes
2 answers
408 views

Could someone commit a social engineering "hack" on a credit card processor to get my credit card number?

Peripherally related to: Is it safe to recycle unshredded credit card receipts?. From some basic research, it seems as though the SEQ number is internal to the company running the POS software, the ...
jonsca's user avatar
2 votes
1 answer
224 views

Social engineering testing methodology?

Is there anything that could be used as a social engineering testing methodology from any sort of organisation (example: ISO, SANS, PCI DSS etc.)?
Lucian Nitescu's user avatar
106 votes
19 answers
24k views

Defence methods against tailgating

This is a follow-up question to this one: Roles to play when tailgating into a residential building. How do you protect yourself or your company against tailgaters? What is the best answer when you ...
Lithilion's user avatar
113 votes
6 answers
20k views

Roles to play when tailgating into a residential building

Following people into a large RFID protected residential building is ridiculously easy, as not everyone knows everyone else. Just the other day I was let in with a rifle (an airgun, but how could have ...
Vorac's user avatar
43 votes
2 answers
13k views

Does this mean Target's twitter was successfully attacked?

I was just surprised to see this suspicious promoted tweet, asking me to send Bitcoins. I added the hand-drawn red lines so I am not responsible for propagating the apparent scam. Clicking on the ...
Oddthinking's user avatar
7 votes
3 answers
896 views

What (besides not complying, and reporting) should I do with blackmail emails? [duplicate]

I received the following email which claims, among other social engineering, to have installed a keylogger on a former system administrator's Linux box: I know [old password deleted] one of yo...
Christos Hayward's user avatar
2 votes
2 answers
380 views

How do I protect myself against SIM hijacking/social engineering?

There are several posts like these: https://medium.com/@N/how-i-lost-my-50-000-twitter-username-24eb09e026dd https://motherboard.vice.com/en_us/article/5984zn/listen-to-sim-jacking-account-ransom-...
Uzimoto's user avatar
2 votes
2 answers
439 views

Is single-click phishing possible?

For Chrome, IE/Edge, Safari, Firefox, Opera released after 2018, is it possible for a phishing attempt to succeed by just enticing a user to click a URL? Notice: The user only does a click on the URL, no ...
an0's user avatar
31 votes
7 answers
8k views

How do hackers make the victim access an XSS attack URL?

As I understand it, the basic idea of XSS is to let the user's browser execute some malicious code created by the hackers. Say, if a page has a vulnerability of loading arbitrary script when the user ...
Hetfield Joe's user avatar