Phishweb is about educating employees and family on Cybersecurity and Phishing.
People and automated scripts will lie, or tell the truth, in order to social engineer you.
Social engineers will be relatable and approachable, and they bring experience, time and patience. They become friends with an employee and only then exploit that relationship: trust has to be established to avoid suspicion before they manipulate the target.
Is the target commercial, residential or private property? Note the CCTV coverage, buildings, storage, airports and hangars, parking lots, highrises and physical security points, as well as the locks in use, the type of doors, whether the ceilings are tiles or straight drywall, and the HVAC layout.
Open Log Books
Employee schedules (days, evenings, graveyard, weekend shifts), printed contact numbers and addresses, printed email lists, printed client lists, printed social events, sticky notes with passwords and emails for new employees, visitor sign-in logs.
Device types (unattended and unlocked), work screens, the server room, operating systems, software and hardware, the company website, databases, email servers, customer portals, and social media pages (employees who post a lot).
Dumpster Diving
Industrial, commercial and residential bins. Recon first.
USB Drop
Thumb drives are dropped in parking lots, libraries, shopping centers, restaurants, or the hallways of an apartment building. When an unsuspecting person picks up the USB drive and plugs it into their office or home computer, the payload on it can inject malicious code, redirect the browser to a predetermined website, or give the attacker access to the network.
Bait and Switch
Sellers will not show the original product or service advertised but will instead demonstrate a more expensive product, or a similarly priced but lower-quality one. Sellers expect to earn a higher margin on the substitute product.
Business Email Compromise
An exploit in which the attacker gains access to a corporate email account and spoofs the owner's identity to defraud the company or its employees, customers or partners of money.
Clickjacking
A malicious website tricks the user into clicking on a masked element of another site that the attacker has loaded in a hidden iframe. The user can be routed to another website or domain while believing they are on the correct web service, email or bank account.
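The defence against the hidden-iframe overlay is a response header that tells the browser who may frame the page. The checker below is an added example, not code from the original page: it applies a simplified reading of the rules browsers use (CSP `frame-ancestors` wins over X-Frame-Options; with neither, any site may frame the page) to constructed header sets, and the origins and partner domain it uses are assumptions.

```python
"""Clickjacking defence check: may a page be framed by a given origin?

Added example, not from the original page. Applies the two headers that
defeat the hidden-iframe overlay described above: CSP `frame-ancestors`
(which takes precedence) and, as a fallback, X-Frame-Options.
"""
from urllib.parse import urlparse


def _host_matches(pattern: str, origin: str) -> bool:
    """Match a CSP host-source such as https://*.partner.example against an origin."""
    p = urlparse(pattern if "://" in pattern else "https://" + pattern)
    o = urlparse(origin)
    if "://" in pattern and p.scheme != o.scheme:
        return False
    if p.hostname.startswith("*."):
        return o.hostname.endswith(p.hostname[1:])
    return p.hostname == o.hostname


def framing_allowed(headers: dict, page_origin: str, framer_origin: str) -> bool:
    """Return True if framer_origin may embed a page served from page_origin."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if not parts or parts[0].lower() != "frame-ancestors":
            continue
        sources = [s.strip("'").lower() for s in parts[1:]]
        if not sources or "none" in sources:
            return False
        for src in sources:
            if src == "*" or (src == "self" and framer_origin == page_origin):
                return True
            if src != "self" and _host_matches(src, framer_origin):
                return True
        return False  # frame-ancestors is present, so X-Frame-Options is ignored
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer_origin == page_origin
    return True  # no protection: the page can be overlaid by any site


# Constructed header sets: a page with no protection, and a hardened one.
WEAK_HEADERS = {"Content-Type": "text/html"}
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.partner.example",
}
```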
Email Reply Chain Attack
A bad actor gains access to one or more email accounts. Conversations are monitored for the right opportunity to send malware or poisoned URLs to recipients from the compromised, already-trusted sender account. As long as the conversation's tone remains convincing after the compromise, further attacks can be launched.
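Header-level checks a mail gateway can run for the Business Email Compromise and Email Reply Chain cases above, as an added example that is not part of the original page. The company domain, executive names and sample message are constructed; a genuinely compromised internal account passes all of these checks, which is exactly why the reply-chain variant is dangerous.

```python
"""Mail-gateway heuristics for the Business Email Compromise and reply-chain
cases above. Added example, not from the original page; the company domain
and executive names are constructed. A genuinely compromised internal account
(the reply-chain case) shows none of these header tells, so link and
attachment inspection must still run on every message in the thread.
"""
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.com"            # constructed company domain
EXECUTIVES = {"jane doe", "john roe"}  # constructed impersonation targets

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _normalize(domain: str) -> str:
    # Fold common confusables: rn->m, vv->w, 0->o, 1->l.
    return domain.lower().replace("rn", "m").replace("vv", "w").translate(str.maketrans("01", "ol"))

def _one_edit_apart(a: str, b: str) -> bool:
    # True if one insertion, deletion or substitution turns a into b.
    if abs(len(a) - len(b)) > 1:
        return False
    i = 0
    while i < min(len(a), len(b)) and a[i] == b[i]:
        i += 1
    return a[i + 1:] == b[i + 1:] or a[i + 1:] == b[i:] or a[i:] == b[i + 1:]

def is_lookalike(domain: str, target: str = OUR_DOMAIN) -> bool:
    # Not our domain, but one confusable swap or one edit away from it.
    return domain != target and (_normalize(domain) == target or _one_edit_apart(domain, target))

def bec_indicators(raw: str) -> list:
    """Return the header-level warning signs found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    reply_dom = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    flags = []
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to diverted to " + reply_dom)
    if is_lookalike(from_dom):
        flags.append("lookalike sender domain " + from_dom)
    if name.strip().lower() in EXECUTIVES and from_dom != OUR_DOMAIN:
        flags.append("executive name on external address " + addr)
    return flags

# Constructed sample: an urgent-payment lure sent from a lookalike domain.
SAMPLE = "From: Jane Doe <jane.doe@examp1e.com>\nReply-To: accounts@freemail.example\n\nWire today please.\n"
```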
Ages 11-24 are currently the most vulnerable to Social Media, Messenger, Chatbot, Online Romance, and Rewards Campaign Scams.
Pretexting
A pretext is an excuse to do or say something that is false. Pretexts may be based on a half-truth or developed in the context of a misleading fabrication, and they are used to conceal the true purpose or rationale behind actions and words.
Pump and Dump
A form of securities fraud that artificially inflates the price of an owned stock (cryptocurrency, microcap) through false and misleading statements, in order to sell the cheaply purchased stock at a higher price. The operators then "dump" (sell) these shares, milking investors out of their money.
Quid Pro Quo Attack
Bad actor promises a service or a benefit based on the execution of a specific action. This attack is psychological manipulation to steal sensitive credentials or credit card information.
Scareware
Part of a class of malicious software that includes rogue security software, ransomware and other scam software. It tricks users into believing their computer is infected with a virus, then suggests that they download and pay for fake antivirus software to remove it.
These messages trick people into believing they've won a contest, while the less obvious ones pose as banks and credit card companies. They then attempt to get the person's information, either through a link in the text or a prompt to call a number.
Spear Phishing
Bad actors craft and send emails to a particular person so that the person thinks the email is legitimate. Attacks can target anyone, including executives, high-ranking employees, or those in financial departments who can access sensitive financial data and services.
Tailgating
Walk in behind a person who is authorized to enter the facility. One could impersonate a delivery driver with a parcel, clipboard and pen in hand, simply ask the authorized employee to hold the door open, and take a chance playing the part.
Vishing
A Voice over IP (VoIP) call can be made to appear as virtually anything, since the caller ID can be changed. Vishing attempts can be very successful.
Bad actors send a text message stating a parcel is waiting for you to pick up. You will be asked to verify personal information before any package details are released.
Fake Wireless Access Point
Fake wireless access points are set up for unsuspecting people to join. Once you log into your accounts over one, the operator can take control of them, because your keystrokes are harvested by the device broadcasting the fake WAP. A parked vehicle, coffee shop, airport, hotel, college, university, apartment complex, shopping mall, or compromised business network may pose as a legitimate open Wi-Fi connection.
Watering Hole Attack
Attack strategy in which an attacker guesses or observes which websites an organization often uses and infects one or more of them with malware. Eventually, some member of the targeted group will become infected.
Whaling
Attackers target high-level employees and executives to gain access to their email accounts or to spoof them. If they are able to do that, it puts the entire business at risk.
Zoom Info (name used in scam)
Scammers scrape CEO signatures off invoices from unsuspecting companies and use them to charge that CEO's company for a service or good. Scammers will take legal action once they have invoiced you (mainly through collection agencies). In Canada you will need to contact the RCMP and follow their directions.