CAPEC-508: Shoulder Surfing

Description
In a shoulder surfing attack, an adversary observes an unaware individual's keystrokes, screen content, or conversations with the goal of obtaining sensitive information. One motive for this attack is to obtain sensitive information about the target for financial, personal, political, or other gains. From an insider threat perspective, an additional motive could be to obtain system/application credentials or cryptographic keys. Shoulder surfing attacks are accomplished by observing the content "over the victim's shoulder", as implied by the name of this attack.
Extended Description

When impersonating an expected task, the adversary monitors the task list maintained by the operating system and waits for a specific legitimate task to become active. Once the task is detected, the malicious application launches a new task in the foreground that mimics the user interface of the legitimate task. At this point, the user thinks that they are interacting with the legitimate task that they started, but instead they are interacting with the malicious application. Once the adversary's goal is reached, the malicious application can exit, leaving the original trusted application visible and the appearance that nothing out of the ordinary has occurred.

A second approach entails the adversary impersonating an unexpected task, but one that may often be spawned by legitimate background processes. For example, an adversary may randomly impersonate a system credential prompt, implying that a background process requires authentication for some purpose. The user, believing they are interacting with a legitimate task, enters their credentials or authorizes the use of their stored credentials, which the adversary then leverages for nefarious purposes. This type of attack is most often used to obtain sensitive information (e.g., credentials) from the user, but may also be used to ride the user's privileges.

Severity :

High

Possibility :

High

Type :

Detailed
Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-560: Use of Known Domain Credentials Use of Known Domain Credentials CAPEC-651: Eavesdropping Eavesdropping
Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • The adversary typically requires physical proximity to the target's environment, in order to observe their screen or conversation. This may not be the case if the adversary is able to record the target and obtain sensitive information upon review of the recording.
Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • Low In most cases, an adversary can simply observe and retain the desired information.
Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CWE-359: Exposure of Private Personal Information to an Unauthorized Actor

Visit http://capec.mitre.org/ for more details.