Shoulder Surfing

Shoulder surfing is a word that refers to someone looking at another person’s computer or mobile device screen and keyboard in order to collect sensitive information. Direct observation can be accomplished by simply glancing over someone’s shoulder – a practice known as shoulder surfing – or by employing binoculars, hidden or apparent video cameras, and other optical equipment.

Example 

Shoulder surfing at ATMs is an example of a crime in which a suspect looks over your shoulder while you enter in your PIN number.

Several recent incidents have resulted in police issuing warnings, announcing arrests, and even conducting sting operations:

Milpitas (California) – On Jan. 2, 2015, a bank employee spotted a lady monitoring ATM clients. Police investigated and discovered that money had been illegally stolen from numerous consumers’ accounts.

Concept

Shoulder surfing is the act of directly observing someone to gain personal or private information. Shoulder surfing is the practice of peeking over someone’s shoulder to acquire information while the victim is unaware. This is particularly useful in congested areas if someone is using a computer, smartphone, or ATM. Shoulder surfing gets suspect fast if it occurs while there are few people around. Depending on the area and scenario, binoculars, video cameras, and vision-enhancing equipment are also employed.

Personal security keys, such as username and password combinations, are important personal and private data protections in our data and identity-driven world. Unfortunately, hackers do not necessarily require technical knowledge to obtain information. Credit card numbers, personal identification numbers (PINs), crucial personal information (such as middle names and birth dates required in password recovery) and usernames/passwords are the most often stolen data by shoulder surfing. In the case of bank accounts, this sort of information might be used to log into accounts and steal additional information, such as money.

Dumpster diving

A dumpster diving attack is a type of cyber attack made possible by searching through the victim’s trash.

While you may imagine a dirty and disgusting scene in which someone jumps into a trash, the reality is far less filthy. Threat actors might be in and out of the dumpster in minutes during a dumpster diving attack. They may, however, already have a box full of sensitive papers, storage devices, and workstations.

Example

Jerry Schneider, who established a wholesale telephone equipment firm while still in high school in 1968, is one of the most well-known trash divers. The inspiration originated from a dumpster, especially Pacific Telephone’s garbage, which contained paperwork, instructions, and bills related to the order and delivery system.

Needless to say, Schneider got in trouble and served 40 days in a security facility. He then founded a security consulting company.

Concept 

Dumpster diving is the act of searching through an organization’s trash for information that may be used to gain access to its network. Companies frequently discard sensitive data, such as system manuals, which attackers exploit to gain access to information systems. Un-erased and complete hard drives with extremely sensitive information are dumped in certain circumstances, allowing a dumpster diver to easily boot up and get information.

In many cases, dumpster diving involves getting data about a user in order to impersonate that user and gain access to his or her user profiles or other restricted areas of the Internet or a local network. Dumpster diving can mean looking through physical trash for such information, or searching discarded digital data. In either case, security experts warn users to leave a clean trail to prevent identity theft and avoid other consequences that can stem from a successful dumpster diving operation.

Businesses and other large entities have developed practical ways to discourage dumpster diving, such as shredding paperwork and locking waste bins. Other security measures include the use of firewalls and other precautions to stop dumpster divers from getting access to discarded or loose data, such as ensuring that data is wiped off of old hard drives and destroying old storage media.

Social engineering

Social engineering is the term used for a broad range of malicious activities accomplished through human interactions. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.

Example

 $100 Million Google and Facebook Spear Phishing Scam

The biggest social engineering attack of all time (as far as we know) was perpetrated by Lithuanian national Evaldas Rimasauskas against two of the world’s biggest companies: Google and Facebook.

Rimasauskas and his team set up a fake company, pretending to be a computer manufacturer that worked with Google and Facebook. Rimsauskas also set up bank accounts in the company’s name.

The scammers then sent phishing emails to specific Google and Facebook employees, invoicing them for goods and services that the manufacturer had genuinely provided — but directing them to deposit money into their fraudulent accounts.

Between 2013 and 2015, Rimasauskas and his associates cheated the two tech giants out of over $100 million.

Concept

Spear phishing is a common social engineering technique. For example, a phisher may send an email to addresses at a target company asking a user to verify security information. The email is made to appear legitimate and from the IT staff or senior management, along with a warning for major consequences if the required information is not provided. As with a regular phishing attack, the victim clicks a link that goes to a site the hacker sets up to gather the sensitive information, generally with the look and feel of the real website. After obtaining the info, the hacker has the ability to access the company’s network by using a legitimate login.

Social engineering is as dangerous and harmful as any other technical attack. In fact, you could argue that social engineering is more serious than other threats, as humans are always in a vulnerable state. It is not that tough to properly configure a firewall. It is very difficult to train new staff about the dangers of social engineering exploits.