John works as a Programmer for We-are-secure Inc. On one of his routine visits to the company, he
noted down the passwords of the employees while they were typing them on their computer
screens. Which of the following social engineering attacks did he just perform?
A. Important user posing
B. Shoulder surfing
C. Dumpster diving
D. Authorization by third party
Explanation:
In the given scenario, John was performing a shoulder surfing attack. Shoulder surfing is a type of in-person attack in which an attacker gathers information about the premises of an organization. This attack is often performed by looking surreptitiously at the keyboard of an employee's computer while he is typing in his password at any access point such as a terminal/Web site. An attacker can also gather information by looking at open documents on the employee's desk, posted notices on the notice boards, etc.
Answer option C is incorrect. John was not performing a dumpster diving attack. Dumpster diving is a term that refers to going through someone's trash to find out useful or confidential information. Dumpster divers check and separate items from commercial or residential trash to get any information they desire. This information may be used for identity theft and for breaking physical information security.
Answer option A is incorrect. John was not carrying out an Important user posing attack. In this attack, the attacker pretends to be an important member of the organization. These attacks work because there is a common belief that it is not good to question authority.
Answer option D is incorrect. John was not performing an Authorization by third party attack. In this attack, the attacker misleads the victim into believing that he has approval from a third party. Such types of attacks work because it is generally believed that most people are good and are being truthful about what they are saying.