CAPEC-508: Shoulder Surfing
CAPEC version: 3.9
Last updated: 2023-01-24
Attack pattern description
In a shoulder surfing attack, an adversary observes an unaware individual's keystrokes, screen content, or conversations with the goal of obtaining sensitive information. One motive for this attack is to obtain sensitive information about the target for financial, personal, political, or other gains. From an insider threat perspective, an additional motive could be to obtain system/application credentials or cryptographic keys. Shoulder surfing attacks are accomplished by observing the content "over the victim's shoulder", as implied by the name of this attack.
Prerequisites
- The adversary typically requires physical proximity to the target's environment, in order to observe their screen or conversation. This may not be the case if the adversary is able to record the target and obtain sensitive information upon review of the recording.
Skills required
Consequences
Scope: Confidentiality
Technical impact: Read Data
Mitigations
Be mindful of your surroundings when discussing or viewing sensitive information in public areas.
Pertaining to insider threats, ensure that sensitive information is not displayed to nor discussed around individuals without need-to-know access to said information.
Example instances
An adversary can capture a target's banking credentials and transfer money to adversary-controlled accounts.
An adversary observes the target's mobile device lock screen pattern/passcode and then steals the device, which can now be unlocked.
An insider could obtain database credentials for an application and sell the credentials on the black market.
An insider overhears a conversation pertaining to classified information, which could then be posted on an anonymous online forum.