Baiting and Quid Pro Quo attacks

27 July, 2020

Baiting Phishing Attack

Baiting is in many ways similar to phishing. What distinguishes it from other types of social engineering is the promise of an item or good that malicious actors use to entice victims.

The "bait" comes in many forms, both digital, such as a music or movie download on a peer-to-peer site, and physical, such as a corporate-branded flash drive labeled "Executive Salary Summary Q3" left on a desk for an end user to find. Once the bait is downloaded or used, malicious software is delivered directly onto the end user's system and the attacker is able to get to work.

Baiting attacks are not restricted to online schemes. Attackers can also exploit human curiosity through physical media.

Quid Pro Quo

Similar to baiting, quid pro quo involves an attacker requesting critical data or login credentials in exchange for a service. For example, an end user might receive a phone call from an attacker who, posing as a technology expert, offers free IT assistance or technology improvements in exchange for login credentials. Another common example is an attacker posing as a researcher who asks for access to the company's network as part of an experiment in exchange for $100. If an offer sounds too good to be true, it is probably quid pro quo.

One of the most common quid pro quo scenarios involves fraudsters who impersonate IT service staff and cold-call as many direct numbers belonging to a company as they can find. These attackers offer IT assistance to each and every one of their victims. The fraudsters promise a quick fix in exchange for the employee disabling their antivirus program and installing malware, disguised as a software update, on their computer.

The most common scenario we see with a quid pro quo attack involves an attacker posing as technical support or a computer expert who offers the target assistance with a real problem while asking for their login credentials or other private data.

This type of attack can also include any action or service the attacker offers the target, either in exchange for sensitive information or with the promise of a material prize. Leveraging people's love of affordable or even free gifts and services, quid pro quo attacks can be quite successful.
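The fake-IT-support scenario above leaves a trace on the endpoint: antivirus is switched off, and shortly afterwards an "update" is launched from a user-writable folder. The following detection logic, added here as an example and not part of the original post or any vendor's product, correlates those two events per host within a short window. The log format, the event names (AV_STATUS, PROCESS_START), and the sample lines are all constructed for this example.

```python
"""Correlate 'antivirus disabled' events with a later program launch from a
user-writable path on the same host. This is a detection rule for the
quid pro quo scenario: an employee, talked into it by a fake IT caller,
turns off AV and then runs a bogus "update".

The log format, event names and sample lines are constructed for this
example; they are not output from any particular product.
"""
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp | host | user | event | detail
SAMPLE_LOG = """\
2020-07-27T09:12:03 WS-114 jdoe AV_STATUS disabled
2020-07-27T09:15:41 WS-114 jdoe PROCESS_START C:\\Users\\jdoe\\Downloads\\it_update_tool.exe
2020-07-27T09:20:10 WS-227 asmith AV_STATUS disabled
2020-07-27T11:05:00 WS-227 asmith PROCESS_START C:\\Program Files\\Vendor\\app.exe
2020-07-27T09:30:00 WS-301 bkhan PROCESS_START C:\\Users\\bkhan\\Downloads\\setup.exe
2020-07-27T09:31:00 WS-114 jdoe AV_STATUS enabled
"""

# How long after AV goes off a launch is still considered suspicious
WINDOW = timedelta(minutes=30)


def parse_line(line):
    """Split one constructed log line into a dict; 'detail' may contain spaces."""
    ts, host, user, event, detail = line.split(" ", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "event": event, "detail": detail}


def parse_log(text):
    """Parse all non-empty lines and order them by timestamp."""
    return sorted((parse_line(l) for l in text.splitlines() if l.strip()),
                  key=lambda e: e["ts"])


def is_user_writable_path(path):
    """Heuristic: launches from Downloads/AppData/Temp under a user profile."""
    p = path.lower()
    return "\\users\\" in p and any(
        d in p for d in ("\\downloads\\", "\\appdata\\", "\\temp\\"))


def find_av_off_then_install(events, window=WINDOW):
    """Return alerts as (host, user, av_disabled_at, launched_at, path).

    Per-host state: remember when AV was disabled, forget it when re-enabled,
    and flag a user-writable launch that happens inside the window.
    """
    alerts = []
    disabled_since = {}  # host -> time AV was disabled
    for e in events:
        if e["event"] == "AV_STATUS":
            if e["detail"] == "disabled":
                disabled_since[e["host"]] = e["ts"]
            else:
                disabled_since.pop(e["host"], None)
        elif e["event"] == "PROCESS_START":
            t0 = disabled_since.get(e["host"])
            if (t0 is not None and e["ts"] - t0 <= window
                    and is_user_writable_path(e["detail"])):
                alerts.append((e["host"], e["user"], t0, e["ts"], e["detail"]))
    return alerts


if __name__ == "__main__":
    for host, user, off_at, run_at, path in find_av_off_then_install(parse_log(SAMPLE_LOG)):
        print(f"ALERT {host} {user}: AV disabled {off_at:%H:%M}, "
              f"then launched {path} at {run_at:%H:%M}")
```

On the sample data only WS-114 fires: WS-227 launches a program from Program Files nearly two hours after AV went off, and WS-301 runs a Downloads executable with AV still on. Tuning the window and the path heuristic to your environment is the real work; the correlation itself is the point.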

AVOIDING QUID PRO QUO ATTACKS

As with other types of social engineering, there are security measures you should take to safeguard yourself and your sensitive data.

  • Never give personal or account information unless you initiated the exchange.
  • Always call the company back using a publicly posted phone number, not a number provided by the person you are conversing with.
  • If you are at all suspicious about the call, the wise course is to end it there.
  • Last but not least, change your password regularly and follow good password habits.
