Social engineering. Fraud using brands of famous corporations

Social engineering is a method of obtaining access to information that relies on the characteristics of human psychology rather than on technical flaws. Its main goal is to gain access to confidential information: passwords, banking data and other protected systems. Although the term itself appeared relatively recently, the method has been used for a long time. CIA and KGB officers trying to obtain state secrets, politicians and parliamentary candidates, and we ourselves when we want to get something, often without even realizing it, all use social engineering methods.

To protect yourself from social engineering, you need to understand how it works. Let's look at the main types of social engineering and the ways of protecting against them.

Pretexting is a set of actions worked out according to a specific, pre-prepared scenario (the pretext), as a result of which the victim gives out some information or performs a certain action. This type of attack most often uses voice channels such as the telephone or Skype.

To use this technique, the attacker must already have some data about the victim (an employee's name, position, the names of the projects he works on, date of birth). The attacker opens with plausible requests that mention real company employees and, once trust is gained, obtains the information he needs.

Phishing is an Internet fraud technique aimed at obtaining confidential user information, primarily credentials for various systems. The main form of phishing attack is a fake email sent to the victim that appears to be an official letter from a payment system or bank. The letter contains a form for entering personal data (PIN codes, login and password, etc.) or a link to a web page where such a form is located. The pretext for the victim's trust in such pages varies: account blocking, a system failure, data loss, and so on.

Trojan horse. This technique plays on the curiosity, fear or other emotions of users. The attacker emails the victim a letter whose attachment supposedly contains an antivirus "update", a key to a cash prize, or compromising material on an employee. In fact the attachment contains a malicious program which, once the user runs it on his computer, the attacker uses to collect or alter information.

Quid pro quo ("one good turn deserves another"). In this technique the attacker contacts the user by email or on the corporate phone. The attacker may introduce himself, for example, as a technical support employee and report that technical problems have occurred at the victim's workplace which need to be fixed. In the process of "solving" the problem, the attacker pushes the victim into actions that let the attacker execute commands or install the software he needs on the victim's computer.

Road apple. This method is an adaptation of the Trojan horse and uses physical media (CDs, flash drives). The attacker plants such media in public places on company premises (parking lots, canteens, employee workplaces, toilets). To make an employee interested in the medium, the attacker can put a company logo and a label on it, for example "sales data", "employee salaries", "tax report" and so on.

Reverse social engineering. This type of attack aims to create a situation in which the victim is forced to turn to the attacker for "help". For example, the attacker can send a letter with the telephone numbers and contacts of a "support service" and, after some time, cause a reversible problem on the victim's computer. The user then calls or emails the attacker himself, and in the process of "fixing" the problem the attacker obtains the data he needs.


Figure 1 – Main types of social engineering

Countermeasures

The main way to protect against social engineering is to train employees. All company employees must be warned about the dangers of disclosing personal information and confidential company information, and about ways to prevent data leakage. In addition, each company employee, depending on department and position, should have instructions on how and on what topics one may communicate with an outside party, what information may be given to the technical support service, and how and what an employee must communicate to obtain this or that information from another employee.

In addition, the following rules can be singled out:

  • User credentials are the property of the company. On the day of hiring it should be explained to every employee that the logins and passwords issued to them may not be used for other purposes (on websites, for personal mail, etc.) or handed to third parties or to other employees of the company who have no right to them. For example, an employee going on vacation very often hands his credentials to a colleague so that the colleague can do some work or look at certain data during his absence.
  • Introductory and regular information security training must be conducted for company employees. Such briefings keep employees up to date on existing social engineering methods and remind them of the basic rules of information security.
  • Security regulations, and instructions to which the user always has access, are mandatory. The instructions should describe what employees do when a particular situation arises. For example, the regulations can specify what to do and whom to contact if a third party attempts to request confidential information or employee credentials. Such actions make it possible to identify the attacker and prevent a leak.
  • Employees' computers must always have up-to-date antivirus software, and a firewall must be installed on them.
  • The corporate network needs intrusion detection and prevention systems, as well as systems that prevent leaks of confidential information. All this reduces the risk of phishing attacks.
  • All employees must be instructed how to behave with visitors. Clear rules are needed for establishing a visitor's identity and escorting him. Visitors must always be accompanied by one of the company's employees. If an employee meets a visitor unknown to him, he must politely ask for what purpose the visitor is in the room and who is escorting him. If necessary, the employee must report unknown visitors to the security service.
  • User rights in the system must be limited as much as possible. For example, access to websites can be restricted and the use of removable media prohibited. After all, if an employee cannot reach a phishing site or plug in a flash drive carrying a "Trojan horse", he cannot lose data through them either.

From all of the above we can conclude that the main protection against social engineering is employee training. It must be remembered that ignorance is no excuse from responsibility. Every user of the system should be aware of the dangers of disclosing confidential information and know how to help prevent leaks. Forewarned is forearmed!

Hello, dear friends! It's been a long time since we discussed security, or more precisely the data that is stored not only on your computers but also on those of your friends and colleagues. Today I will tell you about the concept of social engineering: what it is and how to protect yourself.

Social engineering is a method of unauthorized access to information systems based on the characteristics of human psychological behavior. Any hacker, directly or indirectly, is interested in gaining access to protected information, passwords, bank card data and so on.

The main difference of this method is that the target of the attack is not the machine but its user. Social engineering methods are based on the human factor: the attacker obtains the information he needs in a telephone conversation or by entering an office under the guise of an employee. Pretexting is a set of actions that follow a specific scenario prepared in advance (the pretext). To obtain information, this technique uses voice channels (telephone, Skype). Introducing himself as a third party who needs help, the fraudster gets the interlocutor to give up a password or to register on a phishing web page, and thereby receives the credentials.

Let's imagine the situation. You have worked in a large organization for about six months. You receive a call from a person who introduces himself as an employee of some branch: "Hello, [your name or position], we cannot get into the mailbox that is used to receive applications in our company. We recently received an application from our city, and the boss would simply kill us for such an oversight. Tell me the password for the mail."

Of course, reading this request now, it seems rather stupid to give a password to a person you are hearing for the first time. But since people like to help with small things (is it really hard to read out 8 to 16 characters of a password?), anyone can slip up here.

Phishing (from "fishing") is a type of Internet fraud aimed at obtaining logins and passwords. The most popular form is sending the victim an email under the guise of an official letter, for example from a payment system or bank. The letter usually reports lost data or a malfunction in the system and asks you to enter confidential information by following a link.

The link takes the victim to a phishing page that looks exactly like the page on the official website. It is difficult for an untrained person to recognize a phishing attack, but it is quite possible. Such messages usually contain a threat (for example, that a bank account will be closed) or, conversely, promise a cash prize for nothing, or ask for help on behalf of a charity. Phishing messages can also be recognized by the address they ask you to visit.

Among the most popular phishing attacks is fraud using the brand of a well-known company. Emails are sent on behalf of a well-known company containing, for example, congratulations on some holiday and information about a contest. To take part in the contest, you need to urgently change your account details.

I'll tell you about a personal experience. Don't throw stones at me 😉. It was a long time ago, when I was interested in... yes, yes, phishing. At that time it was very fashionable to sit in My World, and I took advantage of it. Once I saw an offer from mail.ru to install a "golden agent" for money. When they tell you to buy, you think, but when they tell you that you have won, people immediately get carried away.

I don't remember everything down to the smallest detail, but it was something like this.

I wrote a message: "Hello, NAME! The Mail.RU team is pleased to congratulate you. You have won the "golden agent". Every 1000th of our users receives it for free. To activate it, go to your page and activate it in Settings..." and so on.

Well, how do you like the offer? Do you want a golden Skype, dear readers? I'm not going into all the technical details, because there are young people who are just waiting for detailed instructions. But it should be noted that 30% of My World users followed the link and entered their username and password. I deleted these passwords, because it was just an experiment.

Smishing. Cell phones are very popular now, and finding out your number is not difficult even for a schoolchild who sits at the same desk as your son or daughter. Having learned the number, the scammer sends you a phishing link asking you to go and activate bonus money on your card. There, naturally, are fields for entering personal data. They may also ask you to send an SMS with your card details.

It seems like a normal situation, but the catch is very close.

Quid pro quo is a type of attack in which a scammer calls, for example, on behalf of the technical support service. While questioning an employee about possible technical problems, the attacker gets him to enter commands that launch malicious software. Such software can be posted on open resources: social networks, company servers, etc.


They may email you a file (a virus), then call and say that an urgent document has arrived and you need to look at it. By opening the attached file, the user himself installs a malicious program on the computer that gives access to confidential data.
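The "golden agent" mailing above and the emailed "urgent document" trick are both visible in the message itself, before anyone clicks. The following added example (not code from this article or its author) builds a constructed message in that shape and checks it for the four signs that recur in such mailings: a display name claiming a brand whose domain does not send the mail, a Reply-To steered elsewhere, link text that shows one host while the href goes to another, and an executable hiding behind a document-like name. All addresses, hosts and the brand-to-domain table are invented for the example.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Brands commonly abused in "you have won" mailings, mapped to the domains that
# legitimately send on their behalf. Illustrative assumption, not a real list.
BRAND_DOMAINS = {"mailru": {"mail.ru"}, "paypal": {"paypal.com"}, "ebay": {"ebay.com"}}
# Attachment extensions that run code when double-clicked (assumed list).
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".lnk", ".hta")


def host_of(url):
    """Lower-cased host of a URL or bare host string ('' if none)."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def under_domain(host, domain):
    """True when host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.pairs, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.pairs.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw):
    """Return a list of findings for one RFC 5322 message given as bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    display, addr = parseaddr(str(msg["From"] or ""))
    from_dom = addr.rpartition("@")[2].lower()
    # 1. The display name claims a brand the sending domain does not belong to.
    token = re.sub(r"[^a-z0-9]", "", display.lower())
    for brand, domains in BRAND_DOMAINS.items():
        if brand in token and not any(under_domain(from_dom, d) for d in domains):
            findings.append(f"display name '{display}' claims {brand} but From domain is {from_dom}")

    # 2. Replies are steered to a domain other than the visible sender's.
    reply_dom = parseaddr(str(msg["Reply-To"] or ""))[1].rpartition("@")[2].lower()
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 3. The visible link text names one host while the href goes to another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = _Anchors()
        parser.feed(body.get_content())
        for href, text in parser.pairs:
            if re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", text, re.I):
                shown, real = host_of(text), host_of(href)
                if shown and real and shown != real:
                    findings.append(f"link shows {shown} but goes to {real}")

    # 4. An executable hides behind a document-like name (double extension).
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append(f"executable attachment '{name}'")
    return findings


def build_sample():
    """Constructed message modelled on the 'golden agent' lure; all names invented."""
    msg = EmailMessage()
    msg["From"] = '"Mail.RU Team" <promo@mailru-bonus.example>'
    msg["Reply-To"] = "claims@quick-claims.example"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "You have won the Golden Agent!"
    msg.set_content("Open the attached instructions to activate your prize.")
    msg.add_alternative(
        "<html><body><p>Every 1000th user receives the Golden Agent for free.</p>"
        '<p>Activate it in Settings: <a href="http://mail-ru.activation.example/login">'
        "https://mail.ru/settings</a></p></body></html>",
        subtype="html",
    )
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="instructions.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in analyze(build_sample()):
        print("-", finding)
```

The same analyze() works on a real message read from an .eml file; the checks deliberately stop at what the message itself carries and never touch the network, so they can run inside a mail gateway before the user ever sees the letter.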

Take care of yourself and your data. See you soon!

In this article we will look at the concept of "social engineering" and its general features. We will also learn who is considered the founder of this concept, and talk separately about the main social engineering methods used by attackers.

Introduction

The methods that make it possible to correct human behavior and manage a person's activity without technical tools form the general concept of social engineering. All of them rest on the statement that the human factor is the most destructive weakness of any system. Often the concept is considered at the level of illegal activity, where a criminal acts to obtain information from the victim by dishonest means, for example through a certain kind of manipulation. However, social engineering is also used in legitimate activity. Today it is most often used to gain access to resources holding closed or valuable information.

Founder

Kevin Mitnick is usually named as the founder of social engineering, although the concept itself came from sociology, where it denotes a general set of approaches used by the applied social sciences to change an organizational structure that determines human behavior and to exercise control over it. Mitnick can be considered the founder of this discipline in the sense that it was he who popularized social engineering in the first decade of the 21st century. Mitnick himself was previously a hacker who targeted a wide variety of databases. He argued that the human factor is the most vulnerable point of a system of any level of complexity and organization.

If we speak of social engineering methods as a way of obtaining (usually illegal) rights to use confidential data, they have been known for a very long time. It was Mitnick, however, who conveyed their importance and the features of their application.

Phishing and non-existent links

Every social engineering technique rests on cognitive biases. Errors of behavior become a "weapon" in the hands of a skilled engineer, who can build an attack aimed at obtaining important data. Social engineering methods include phishing and non-existent links.

Phishing is Internet fraud designed to obtain personal information, for example a login and password.

A non-existent link is a link that lures the recipient with some benefit obtainable by clicking it and visiting a specific site. Most often the names of large firms are used with subtle changes to their spelling. The victim who clicks the link "voluntarily" hands his personal data to the attacker.
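Both the earlier advice to recognize phishing by the address and the "subtle changes" to firm names described here can be checked mechanically. The following added example (not code from this article) classifies a hostname against an assumed allowlist of brand domains, first undoing the usual disguises: punycode, fullwidth letters, Cyrillic homoglyphs and digit-for-letter swaps. The allowlist, the confusable table and the two-label rule for the registrable domain are assumptions of the example; a production version would use the full Unicode confusables data and the public suffix list.

```python
import re
import unicodedata

# Domains the organisation actually uses; every name is compared against these.
# Assumed allowlist for this example.
LEGIT = {"paypal.com", "ebay.com", "sberbank.ru"}

# Characters attackers swap in because they look like Latin letters: digits and
# Cyrillic lookalikes. Illustrative subset of the Unicode confusables data.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
})
# Letter pairs that read as one letter in many fonts.
PAIRS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def normalize(host):
    """Undo the usual disguises: case, punycode, fullwidth forms, confusables."""
    host = host.strip().rstrip(".").lower()
    try:
        host = host.encode("ascii").decode("idna")  # xn-- labels back to Unicode
    except UnicodeError:
        pass  # already Unicode, or not valid IDNA; keep as is
    host = unicodedata.normalize("NFKC", host).translate(CONFUSABLES)
    for pair, single in PAIRS:
        host = host.replace(pair, single)
    return host


def registrable(host):
    """Last two labels. Assumption: no public-suffix list, so co.uk-style
    suffixes are split wrongly; real code should use the PSL."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def tokens(s):
    """Split a label or label sequence on the separators attackers pad with."""
    return [t for t in re.split(r"[-_.]", s) if t]


def damerau(a, b):
    """Optimal string alignment distance (edits plus adjacent transpositions)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(host):
    """Return a short verdict for a lookalike host, or None if it is legitimate
    or resembles none of the allowlisted brands."""
    raw = host.strip().rstrip(".").lower()
    if registrable(raw) in LEGIT:
        return None
    norm = normalize(raw)
    labels = norm.split(".")
    reg = registrable(norm)
    sld = labels[-2] if len(labels) >= 2 else norm
    sub = ".".join(labels[:-2])
    for legit in sorted(LEGIT):
        brand = legit.split(".")[0]
        if reg == legit:
            return f"homoglyph or punycode spelling of {legit}"
        if brand in tokens(sub):
            return f"{brand} used as a subdomain of {reg}"
        if sld != brand and brand in tokens(sld):
            return f"{brand} combined with an affix in {reg}"
        # Distance test only for longer names; for four-letter brands one edit
        # matches far too many ordinary words.
        if len(brand) >= 5 and damerau(sld, brand) <= 1:
            return f"one edit away from {legit}"
    return None


if __name__ == "__main__":
    for h in ("www.paypal.com", "p\u0430ypal.com", "paypa1-secure.com",
              "ebay.com-verify.example", "paypl.com", "example.org"):
        print(f"{h:28} -> {classify(h)}")
```

classify() returns None for anything under an allowlisted domain and a short reason otherwise; feeding it every host extracted from a message's links is enough to catch the "mail.ru.something.example" and "paypa1" families, while the distance test catches plain typos of the brand.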

Methods using brands, defective antiviruses and fraudulent lotteries

Social engineering also uses fraud with famous brands, fake antiviruses and fraudulent lotteries.

"Fraud and brands" is a method of deception that also belongs to phishing. It covers emails and websites bearing the name of a large and/or heavily promoted company. Messages sent from such pages notify you of a win in some contest, after which you are asked to enter important account data, which is then stolen. The same scam can be carried out over the phone.

A fake lottery is a method in which the victim is sent a message saying that he or she has won a lottery. Most often the notification is disguised with the names of large corporations.

Fake antiviruses are software scams that use programs which look like antiviruses. In reality they generate false alerts about a specific threat and then try to push the user into paying.

Vishing, phreaking and pretexting

For beginners in social engineering, vishing, phreaking and pretexting are also worth mentioning.

Vishing is a form of deception that uses telephone networks. It uses pre-recorded voice messages intended to recreate the "official call" of a bank or some other IVR system. Most often you are asked to enter a login and/or password to "confirm" some information; in other words, the system asks the user to authenticate with PIN codes or passwords.

Phreaking is another form of telephone fraud: manipulating telephone switching systems with sounds and tone dialing.

Pretexting is an attack using a pre-thought-out plan (the pretext) that is presented to another person. It is an extremely demanding form of deception, since it requires careful preparation.

Quid-pro-quo and the “road apple” method

The theory of social engineering is a multifaceted body of knowledge that includes both methods of deception and manipulation and ways to combat them. The main task of intruders, as a rule, is fishing out valuable information.

Other types of scams include quid pro quo, the "road apple" method, shoulder surfing, the use of open sources and reverse social engineering.

Quid pro quo (from the Latin "this for that") is an attempt to extract information from a company by contacting it by phone or email. Most often the attackers introduce themselves as technical support staff who report a specific problem at the employee's workplace. They then suggest ways to fix it, for example by installing software. The software turns out to be malicious and furthers the crime.

The road apple is an attack method based on the idea of the Trojan horse. Its essence is the use of physical media and planted information. For example, the attacker can leave a memory card with some "goodies" that attract the victim's attention and make them want to open the file or follow the links in the documents on the flash drive. The "road apple" is dropped in a public place, where it waits until someone carries out the attacker's plan.

Collecting and searching information in open sources is a technique in which data is obtained through psychological methods, an eye for small details and analysis of available data, for example pages on a social network. This is a fairly new social engineering method.

Shoulder surfing and reverse social engineering

"Shoulder surfing" is literally watching a person live. With this kind of data gathering the attacker goes to public places, for example a cafe, airport or train station, and watches people.

This method should not be underestimated: many surveys and studies show that an attentive person can obtain a lot of sensitive information simply by being observant.

Social engineering (as a level of sociological knowledge) is a means of "capturing" data. There are ways of obtaining data in which the victim herself offers the attacker the information he needs. It can, however, also serve the benefit of society.

Reverse social engineering is another method of this discipline. The term applies to the case mentioned above: the victim herself offers the attacker the information he needs. This should not be taken as absurd: people with authority in a certain field often gain access to identification data at the subject's own discretion. The basis here is trust.

Important to remember: support staff will never ask a user for a password.

Awareness and protection

Social engineering training can be undertaken by an individual on personal initiative or on the basis of manuals used in special training programs.

Criminals use a wide variety of deceptions, from manipulation to exploiting laziness, gullibility and the user's kindness. Protecting yourself from this type of attack is extremely difficult, because the victim is often not aware of having been deceived. To protect their data, firms and companies assess the general threat, and then integrate the necessary protective measures into their security policy.

Examples

An example of social engineering in the field of mass phishing mailings is an event that occurred in 2003. In this scam, eBay users were sent emails claiming that their accounts had been blocked. To lift the block, you had to re-enter your account information. The letters, however, were fake and redirected to a page identical to the official one but counterfeit. By expert estimates the losses were not very significant (less than a million dollars).

Definition of responsibility

Social engineering may be punishable in some cases. In a number of countries, such as the United States, pretexting (deception by impersonating another person) is equated with an invasion of privacy and may be punishable by law if the information obtained during pretexting was confidential from the point of view of the subject or organization. Recording a telephone conversation (as a social engineering method) is also covered by law and carries a fine of $250,000 or imprisonment for up to ten years for individuals; legal entities pay $500,000, and the term remains the same.

Social engineering methods are exactly what we will talk about in this article, as well as everything related to manipulating people, phishing, theft of client databases and more. The material was kindly provided by its author, Andrey Serikov, to whom we are very grateful.

A. SERIKOV

A.B.BOROVSKY

INFORMATION TECHNOLOGIES OF SOCIAL HACKING

Introduction

Mankind's desire to achieve perfect performance of assigned tasks drove the development of modern computer equipment, and attempts to satisfy the conflicting demands of people led to the development of software. Software products not only support the operation of hardware but also control it.

The development of knowledge about man and computer has led to the emergence of a fundamentally new type of system, "human-machine", where a person can be regarded as hardware running a stable, functional, multitasking operating system called the "psyche".

The subject of this work is social hacking as a branch of social programming, in which a person is manipulated through human weaknesses, prejudices and stereotypes using social engineering.

Social engineering and its methods

Methods of manipulating people have been known for a long time; they came to social engineering mainly from the arsenal of various intelligence services.

The first known case of competitive intelligence dates back to the 6th century AD in China, when the Chinese lost the secret of silk making, smuggled out by agents of the Eastern Roman (Byzantine) Empire.

Social engineering is a science defined as a set of methods for manipulating human behavior based on the weaknesses of the human factor, without the use of technical means.

According to many experts, social engineering methods pose the greatest threat to information security, if only because social hacking requires neither significant financial investment nor thorough knowledge of computer technology, and because people have certain behavioral tendencies that can be exploited for careful manipulation.

And however much we improve technical protection systems, people remain people, with their weaknesses, prejudices and stereotypes through which they are managed. Setting up a human "security program" is the hardest task and does not always give guaranteed results, since this filter must be constantly adjusted. Here the main motto of all security experts sounds more relevant than ever: "Security is a process, not a result."

Areas of application of social engineering:

  1. general destabilization of an organization's work in order to reduce its influence, with the possibility of its subsequent complete destruction;
  2. financial fraud in organizations;
  3. phishing and other ways of stealing passwords in order to access individuals' personal banking data;
  4. theft of client databases;
  5. competitive intelligence;
  6. general information about an organization, its strengths and weaknesses, with the aim of subsequently destroying it in one way or another (often used in raider attacks);
  7. information about the most promising employees with the aim of "poaching" them to your own organization.

Social programming and social hacking

Social programming can be called an applied discipline that deals with targeted influence on a person or group of people in order to change or maintain their behavior in the desired direction. The social programmer thus sets himself the goal of mastering the art of managing people. The basic premise of social programming is that many people's actions, and their reactions to one or another external influence, are in many cases predictable.

Social programming methods are attractive because either no one will ever learn of them or, even if someone suspects something, it is very difficult to bring such a figure to justice; and in some cases the behavior of both one person and a large group can be "programmed". These possibilities fall under social hacking precisely because in all of them people carry out someone else's will, as if obeying a "program" written by a social hacker.

Social hacking, the ability to hack a person and program him to take the required actions, comes from social programming, an applied discipline of social engineering in which specialists in the field, social hackers, use techniques of psychological influence and acting borrowed from the arsenal of the intelligence services.

Social hacking is used mostly when it comes to attacking a person who is part of a computer system. The computer system being hacked does not exist by itself; it contains an important component, a person. To get information, the social hacker needs to hack the person who works with the computer. In most cases this is easier than hacking the victim's computer in an attempt to find out the password.

Typical influence algorithm in social hacking:

All attacks by social hackers fit one fairly simple scheme:

  1. the goal of influencing a particular target is formulated;
  2. information about the target is collected in order to identify the most convenient points of influence;
  3. on the basis of the collected information, the stage psychologists call attraction is carried out. Attraction (from the Latin attrahere, to attract) is the creation of the conditions necessary to influence the target;
  4. the target is induced to act (coercion).

Coercion is achieved by completing the previous stages: once attraction is achieved, the victim himself takes the actions the social engineer needs.

Based on the collected information, social hackers predict the victim's psychological and social type quite accurately, identifying not only needs for food, sex, etc., but also the need for love, money, comfort, and so on.

And indeed, why try to penetrate a company, hack computers and ATMs, or organize complex schemes, when everything can be done more simply: make a person fall in love with you, and he will of his own free will transfer money to the specified account or share the necessary information every time?

Since people's actions are predictable and subject to certain laws, social hackers and social programmers use both elaborate multi-step schemes and simple positive and negative techniques based on the psychology of human consciousness, behavioral programs, the vibrations of internal organs, logical thinking, imagination, memory and attention. These techniques include:

  • Wood's generator: generates oscillations at the same frequency as the vibrations of internal organs, after which a resonance effect is observed and people begin to feel severe discomfort and panic;
  • influencing the geography of a crowd: for the peaceful dispersal of extremely dangerous, aggressive large groups of people;
  • high-frequency and low-frequency sounds: to provoke panic or its opposite, as well as other manipulations;
  • the social imitation program: a person judges the correctness of actions by finding out what actions other people consider correct;
  • the claque program (based on social imitation): organizing the required reaction from an audience;
  • the formation of queues (based on social imitation): a simple but effective advertising trick;
  • the mutual assistance program: a person seeks to repay kindness to those who have done him a kindness. The urge to fulfil this program often overrides all reason.

Social hacking on the Internet

With the emergence and development of the Internet, a virtual environment made up of people and their interactions, the space for manipulating a person into giving up the necessary information and performing the necessary actions has expanded. Today the Internet is a means of worldwide broadcasting, a medium for collaboration and communication, and covers the entire Earth. This is exactly what social engineers use to achieve their goals.

Ways to manipulate a person via the Internet:

In the modern world the owners of almost every company have realized that the Internet is a very effective and convenient means of expanding a business whose main task is to increase the company's profits. It is known that without information aimed at attracting attention, the desired object will not be noticed; advertising is used to generate or maintain interest in it and promote it on the market. But because the advertising market has long been divided up, most types of advertising are wasted money for most entrepreneurs. Internet advertising is not just one more type of media advertising; it is something more, since through it people interested in cooperation come to the organization's website.

Internet advertising, unlike media advertising, offers many more opportunities and parameters for managing an advertising campaign. Its most important feature is that fees are charged only when an interested user follows an advertising link, which makes it more effective and less costly than media advertising. Having placed an advertisement on television or in print, you pay for it in full and simply wait for potential clients, who may or may not respond depending on the quality of the advertisement's production and presentation; either way the budget has already been spent, and if the advertisement did not work it is wasted. Internet advertising, by contrast, lets you track the audience's response and manage the campaign before the budget is spent; moreover, it can be suspended when demand for products has risen and resumed when demand begins to fall.

Another method of influence is the so-called "killing of forums", where social programming is used to create anti-advertising for a particular project. In this case the social programmer, by means of openly provocative actions alone and using several pseudonyms (nicknames), destroys the forum by gathering an anti-leader group around himself and drawing in regular visitors to the project who are dissatisfied with the behavior of the administration. After such events it becomes impossible to promote products or ideas on the forum, which is what it was originally created for.

Methods of influencing a person via the Internet for the purpose of social engineering:

Phishing is a type of Internet fraud aimed at gaining access to confidential user data: logins and passwords. It is carried out through mass mailings of emails on behalf of popular brands, personal messages within various services (Rambler) or banks, or inside social networks (Facebook). The letter usually contains a link to a website that is outwardly indistinguishable from the real one. Once the user lands on the fake page, social engineers use various techniques to get him to enter the login and password he uses for a particular site, which gives them access to his accounts, including bank accounts.

A more dangerous type of fraud than phishing is so-called pharming.

Pharming is a mechanism for covertly redirecting users to phishing sites. The social engineer distributes malware to users' computers which, once launched, redirects requests for the sites of interest to fake ones. The attack is therefore highly stealthy, and user participation is minimized: it is enough to wait until the user decides to visit the sites the social engineer is interested in.
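One of the ways the redirection described above is done in practice is by editing the system hosts file so that the name of a bank or mail provider resolves to the attacker's server; the browser then shows the right address while talking to the wrong host. The following added example (not code from this article or its authors) audits a hosts file for that form of pharming. The sample file, the watchlist of domains and the list of address ranges treated as normal are constructed for the example; tampering with DNS server settings, the other common pharming mechanism, is outside what it checks.

```python
import ipaddress

# Domains whose pinning in the hosts file is always worth an alert (assumed
# watchlist of payment and mail providers for this example).
WATCHLIST = {"paypal.com", "ebay.com", "mail.ru"}

# Names every stock hosts file maps to loopback; never interesting.
BENIGN_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback",
                "ip6-localnet", "ip6-mcastprefix", "ip6-allnodes", "ip6-allrouters",
                "broadcasthost"}

# Address ranges a hosts entry may legitimately point to: loopback, RFC 1918,
# link-local, the 0.0.0.0 sinkhole used by ad-blocking lists, and IPv6 peers.
# Listed explicitly rather than via is_global, because Python treats the
# documentation ranges (203.0.113.0/24 etc.) used in the sample as non-global.
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/32", "::1/128", "::/128", "fe80::/10", "fc00::/7")]

# Constructed hosts file for this example; the two "pinned by malware" lines
# mimic what a pharming trojan writes.
SAMPLE_HOSTS = """\
# Constructed sample, not a real system file
127.0.0.1     localhost
::1           localhost ip6-localhost ip6-loopback
10.0.0.12     intranet.corp.example          # internal host, expected
0.0.0.0       ads.tracker.example            # ad-blocking entry, harmless
203.0.113.7   www.paypal.com paypal.com      # pinned by malware
198.51.100.9  login.mail.ru                  # pinned by malware
203.0.113.20  downloads.vendor.example       # not watchlisted, still unusual
"""


def is_local(ip):
    """True when ip (string or address object) falls in an expected range."""
    ip = ipaddress.ip_address(ip)
    return any(ip in net for net in LOCAL_RANGES)


def registrable(name):
    """Last two labels; assumption: no public-suffix list, so co.uk-style
    names are mis-split. Enough to match the watchlist above."""
    labels = name.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for no, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; a real tool would report it
        for name in fields[1:]:
            yield no, ip, name.lower().rstrip(".")


def audit(text):
    """Return (line_no, hostname, ip, reason) for every suspicious mapping."""
    findings = []
    for no, ip, name in parse_hosts(text):
        if name in BENIGN_NAMES:
            continue
        if registrable(name) in WATCHLIST:
            findings.append((no, name, str(ip), "watchlisted domain pinned in hosts file"))
        elif not is_local(ip):
            findings.append((no, name, str(ip), "name pinned to an address outside local ranges"))
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for no, name, ip, reason in audit(text):
        print(f"line {no}: {name} -> {ip}: {reason}")
```

Run with the path of the real file (/etc/hosts, or C:\Windows\System32\drivers\etc\hosts) as the first argument to audit a live machine; the internal-host and ad-blocking lines in the sample show why an allowlist of local ranges is needed instead of flagging every non-localhost entry.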

Conclusion

Social engineering is a science that came out of sociology and claims to be the body of knowledge that guides, orders and optimizes the process of creating, modernizing and reproducing new ("artificial") social realities. In a sense it "completes" sociological science, at the phase where scientific knowledge is transformed into models, projects and designs of social institutions, values, norms, algorithms of activity, relationships, behavior and so on.

Although social engineering is a relatively young science, it causes great damage to processes in society.

The simplest ways of protecting against this destructive science are:

  • drawing people's attention to security issues;
  • users' understanding of the seriousness of the problem and acceptance of the system security policy.
