Social engineering training. Social engineering methods


Since the advent of computers and the beginning of the development of the Internet, programmers have strived with all their might to ensure computer security. But even today no one has managed to achieve this 100%. However, let's imagine that this result was still achieved thanks to the most powerful cryptography, enhanced security protocols, reliable software and other security elements. As a result, we get an absolutely secure network, and we can safely work in it.

“Wonderful!” you will say, “it’s in the bag!” But you would be wrong, because this is not enough. Why? Because the benefits of any computer system can only be obtained with the participation of users, i.e. people. And it is precisely this interaction between a computer and a person that carries a serious danger: a person often turns out to be the weakest link in the chain of security measures. Moreover, people themselves are often the very reason why security is ineffective.

In the information age, it has become easier to manipulate people, because the Internet and mobile communications allow you to interact without direct contact. There are even special methods that help attackers manipulate people the way they want. Together these methods are called social engineering, and in this article we will try to find out what it is.

Social engineering: what is it and how did it appear?

It’s easy to guess that even the most sophisticated security system is vulnerable when it is controlled by a person, especially if that person is gullible, naive, etc. And when an attack is made on a machine (PC), the victim can be not only the computer, but also the person who works on it.

This kind of attack is called social engineering in the slang of social hackers. In its traditional form, it looks like a telephone call, where the caller pretends to be someone else, wanting to extract confidential information from the subscriber, most often passwords. But in our article we will consider the phenomenon of social engineering in a broader sense, meaning by it any possible methods of psychological manipulation, such as blackmail, playing on feelings, deception, etc.

In this understanding, social engineering is a method of controlling people's actions without the use of technical means. Most often it is perceived as an illegal method of obtaining various valuable information. It is used mainly on the Internet. If you are interested in examples of social engineering, here is one of the most striking:

EXAMPLE: An attacker wants to find out the password for a person’s personal Internet banking account. He calls the victim by phone and introduces himself as a bank employee, asking for the password and citing serious technical problems in the organization’s system. For greater persuasiveness, he gives a fictitious employee name (or a real one found out in advance), a position and powers (if necessary). To make the victim believe, a social hacker can fill his story with believable details and play on the victim’s feelings. After the attacker has received the information, he politely says goodbye to his “client”, and then uses the password to enter the personal account and steal funds.

Oddly enough, even in our time there are people who fall for such bait and trustingly tell social hackers everything they need. And the arsenal of the latter may contain many tricks and techniques. We will also tell you about them, but a little later.

Social engineering is a science (direction) that appeared relatively recently. Its sociological significance lies in the fact that it operates with specific knowledge that guides, systematizes and optimizes the process of creation, modernization and application of new social realities. In a sense, it complements sociological knowledge, transforming scientific knowledge into algorithms of activity and behavior.

People have been using social engineering in some form since ancient times. For example, in Ancient Rome and Ancient Greece specially trained rhetoricians who were able to convince an interlocutor that he was “wrong” were highly respected. These people participated in diplomatic negotiations and solved state problems. Later, social engineering was adopted by intelligence agencies such as the CIA and the KGB, whose agents successfully impersonated anyone and found out state secrets.

By the early 1970s, telephone hooligans began to appear, disturbing the peace of various companies for the sake of a joke. But over time, someone realized that if you use a technical approach, you can quite easily obtain various important information. And by the end of the 70s, former telephone hooligans turned into professional social engineers (they began to be called singers), capable of masterfully manipulating people, determining their complexes and fears by just intonation.

When computers appeared, most singers changed their profile, becoming social hackers. Now the concepts of “social engineering” and “social hackers” are synonymous. And with the powerful development of social engineering, new types began to appear and the arsenal of techniques expanded.


Social engineering methods

All real examples of social engineering indicate that it easily adapts to any conditions and to any situation, and victims of social hackers, as a rule, do not even suspect that some kind of technique is being used against them, much less know who does it.

All social engineering methods share one foundation. This is the so-called cognitive basis, according to which people in a social environment always tend to trust someone. Among the main methods of social engineering are:

  • "Trojan Horse"
  • Pretexting
  • "Road Apple"
  • Phishing
  • Quid pro quo

Let's talk about them in more detail.

"Trojan Horse"

When using a “Trojan horse,” a person’s curiosity and desire to gain benefit are exploited. Social hackers send a letter to the victim’s e-mail containing some interesting attachment, for example, an upgrade for some program, a screen saver with erotic content, exciting news, etc. The method is used to force the user to click on a file that can infect the computer with a virus. Often, as a result, banners appear on the screen, which can be closed only in two ways: by reinstalling the operating system or by paying the attackers a certain amount.

Pretexting

The term “pretexting” means an action that the user performs based on a previously prepared pretext, i.e. a script. The goal is for a person to provide specific information or perform a specific action. In most cases, pretexting is used during phone calls, although there are examples of similar attacks on Skype, Viber, ICQ and other instant messengers. But to implement the method, a singer or hacker must first research the target: find out his name, date of birth, place of work, account balance, etc. With the help of such details, the singer increases the victim’s confidence in the caller.

"Road Apple"

The road apple method is an adaptation of the “Trojan horse” and requires the use of some kind of physical storage medium. Social hackers can plant bootable flash drives or disks disguised as media with interesting and/or unique content. All that is needed is to discreetly place a “road apple” within the victim’s reach, for example, in a car in a parking lot, in a bag in an elevator, etc. Or you can simply leave this “fruit” where the victim is likely to see it and pick it up himself.

Phishing

Phishing is a very common method for obtaining confidential information. In the classic version, this is an “official” email (from a payment service, bank, high-ranking individual, etc.), equipped with signatures and seals. The recipient is required to follow a link to a fake website (which also carries everything that signals the “officiality and reliability” of the resource) and enter some information, for example, full name, home address, phone number, social network profile addresses, bank card number (and even the CVV code!). Having trusted the site and entered the data, the victim sends it to the scammers, and what happens next is easy to guess.

Quid pro quo

The quid pro quo method is used to introduce malware into the systems of various companies. Social hackers call the desired (sometimes any) company, introduce themselves as technical support employees and ask employees about any technical problems in the computer system. If there are malfunctions, the attackers begin to “eliminate” them: they ask the victim to enter a certain command, after which it becomes possible to launch malicious software.

The above methods of social engineering are most often encountered in practice, but there are others. In addition, there is also a special type of social engineering, which is also designed to influence a person and his actions, but is done according to a completely different algorithm.

Reverse social engineering

Reverse social engineering and social hackers specializing in it build their activities in three directions:

  • Situations are created that force people to seek help
  • Problem-solving services are advertised (this also includes advance assistance from real specialists)
  • “Help” is provided and influence is exerted

In the case of this type of social engineering, attackers initially study the person or group of people they plan to influence. Their passions, interests, desires and needs are explored, and influence is exerted through them with the help of programs and any other methods of electronic influence. Moreover, programs must first work without failures so as not to cause concern, and only then switch to malicious mode.

Examples of reverse social engineering are also not uncommon, and here is one of them:

Social hackers develop a program for a specific company based on its interests. The program contains a slow-acting virus: after three weeks it is activated, and the system begins to malfunction. Management contacts the developers to help fix the problem. Being prepared for such a development of events, the attackers send their “specialist” who, while “solving the problem”, gains access to confidential information. The goal has been achieved.

Unlike conventional social engineering, reverse social engineering is more labor-intensive, requires special knowledge and skills, and is used to influence a wider audience. But the effect it produces is amazing: the victim, without resistance, i.e. of his own free will, reveals all his cards to the hackers.

Thus, any type of social engineering is almost always used with malicious intent. Some people, of course, talk about its benefits, pointing out that it can be used to solve social problems, maintain social activity, and even adapt social institutions to changing conditions. But despite this, it is most successfully used for:

  • Deceiving people and obtaining confidential information
  • Manipulating and blackmailing people
  • Destabilizing the work of companies for their subsequent destruction
  • Database theft
  • Financial fraud
  • Competitive Intelligence

Naturally, this could not go unnoticed, and methods to counter social engineering appeared.

Protection against social engineering

Today, large companies systematically conduct all kinds of tests for resistance to social engineering. The actions of people who fall under attack from social hackers are almost never intentional. But that’s exactly what makes them dangerous, because while it’s relatively easy to defend against an external threat, it’s much more difficult to defend against an internal one.

To increase security, company management conducts specialized training, monitors the level of knowledge of its employees, and also stages internal attacks of its own, which makes it possible to determine how prepared people are for attacks by social hackers, as well as their reaction, integrity and honesty. For example, “infected” letters can be sent by e-mail, and contacts can be made on Skype or social networks.

The protection against social engineering itself can be either anthropogenic or technical. In the first case, people's attention is drawn to security issues, the seriousness of this problem is conveyed and measures are taken to instill a security policy, methods and actions that increase the protection of information security are studied and implemented. But all this has one drawback - all these methods are passive, and many people simply ignore the warnings.

As for technical protection, this includes means that impede access to information and its use. Considering that the most “popular” attacks of social hackers on the Internet have become emails and messages, programmers are creating special software that filters all incoming data, and this applies to both private mailboxes and internal mail. Filters analyze the texts of incoming and outgoing messages. But there is a difficulty here: such software puts load on the servers, which can slow down and disrupt the system. In addition, it is impossible to anticipate all variations in the writing of potentially dangerous messages. However, the technology is improving.
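The phishing letter described in the Phishing section and the message filters mentioned here both come down to the same checks: who the message claims to be from, where its links really go, and whether the text pressures the reader into handing over credentials. The following is an added example, not code from the original article, showing how such a filter can score a message. The sample messages, the allow-list of sending domains and the keyword lists are all constructed for the demonstration; the IP address and domains are placeholders.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing-style message (placeholder addresses, not from the page).
SAMPLE_PHISH = """\
From: "Example Bank Security" <alerts@examp1e-bank-verify.net>
To: customer@example.org
Subject: Urgent: your account will be suspended
Content-Type: text/html

<p>Dear customer, we detected a problem. Within 24 hours you must
<a href="http://198.51.100.7/login">https://www.example-bank.com/login</a>
and confirm your password and CVV code.</p>
"""

# Constructed legitimate message for comparison.
SAMPLE_LEGIT = """\
From: "Example Bank" <notices@example-bank.com>
To: customer@example.org
Subject: Your monthly statement is available
Content-Type: text/html

<p>Your monthly statement is available in online banking.
Log in as usual at <a href="https://www.example-bank.com">www.example-bank.com</a>.</p>
"""

# Constructed allow-list: domains permitted to send mail on the brand's behalf.
LEGITIMATE_SENDER_DOMAINS = {"example-bank.com"}
URGENCY = ("urgent", "immediately", "within 24 hours", "suspended", "verify now")
SENSITIVE = r"\b(password|cvv|pin|card number)\b"


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s: str) -> str:
    """Host of a URL or URL-like string; '' if the string is not URL-like (e.g. 'click here')."""
    s = s.strip()
    if not re.fullmatch(r"(https?://)?[\w.-]+(/\S*)?", s):
        return ""
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()


def phishing_indicators(raw_message: str, legit=LEGITIMATE_SENDER_DOMAINS) -> list:
    """Return a list of human-readable indicators; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    sender = re.search(r"@([\w.-]+)", msg.get("From", ""))
    sender_domain = sender.group(1).lower() if sender else ""
    body = msg.get_payload()
    text = re.sub(r"<[^>]+>", " ", body).lower()  # body with tags stripped
    found = []
    if sender_domain and sender_domain not in legit:
        found.append(f"sender domain not on allow-list: {sender_domain}")
    collector = LinkCollector()
    collector.feed(body)
    for href, label in collector.links:
        href_host, label_host = host_of(href), host_of(label)
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", href_host):
            found.append(f"link points at a bare IP address: {href_host}")
        if label_host and href_host and label_host != href_host:
            found.append(f"link text shows {label_host} but goes to {href_host}")
    if any(word in text for word in URGENCY):
        found.append("urgency language")
    if re.search(SENSITIVE, text):
        found.append("asks for credentials or card data")
    return found


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_indicators(sample))
```

The decisive signal is the mismatch between the link's visible text and its real destination; the keyword checks only add weight, which is the limitation the article notes: wording varies endlessly, so a filter should combine several weak signals rather than rely on any one phrase.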

And if we talk specifically about the means that prevent the use of the obtained data, they are divided into:

  • Blocking the use of information everywhere except the user’s workplace (authentication data is tied to electronic signatures and serial numbers of PC components, physical and IP addresses)
  • Blocking the automatic use of information (this includes the familiar Captcha, where the password is a picture or a distorted part of it)

Both of these methods block the possibility of automation and shift the balance between the value of information and the work of obtaining it towards work. Therefore, even with all the data given out by unsuspecting users, social hackers face serious difficulties in putting it to practical use.

And to protect against social engineering, we advise any ordinary person to simply remain vigilant. When you receive a letter by email, be sure to carefully read the text and links, try to understand what is in the letter, who it came from and why. Don't forget to use antivirus software. If unknown people call from an unfamiliar number, never give out your personal information, especially those related to your finances.


And finally, we want to introduce you to some of the books on social engineering, including as a field of sociological knowledge, so that if you wish, you can get to know the topic in more detail.

These books contain many practical recommendations on how to master common manipulative techniques and techniques. You will also learn about the most effective methods of social engineering and learn how to recognize them and protect yourself from attacks.

Books on social engineering:

  • Kevin Mitnick "Ghost in the Wires"
  • Kevin Mitnick, William Simon "The Art of Intrusion"
  • Kevin Mitnick, William Simon "The Art of Deception"
  • Chris Kaspersky "The Secret Weapon of Social Engineering"

Remember that everyone can master the art of managing the actions of others, but these skills must be used for the benefit of people. Sometimes guiding a person and nudging him towards decisions that are beneficial to us is useful and convenient. But it is much more important to be able to identify social hackers and deceivers so as not to become their victim, and even more important not to become one of them yourself. We wish you wisdom and useful life experience!

Lying is a whole technology called “Social Engineering”. High-quality lies are an integral part of “Social Engineering”, without the use of which in modern conditions not a single burglar, both beginner and experienced, can do.

There are different types of hackers: computer workstation hacker, server hacker, computer network hacker, telephone network hacker, hacker of simply the brain, etc. And all of them use “Social Engineering”, or simply lying, as an auxiliary tool, on which “Social Engineering”, and indeed most of the life of all mankind, is basically built.

As children, we were taught that one must not lie. Nobody cares. However, as often happens, life crosses out all school lessons and persistently rubs our noses in the fact that without lies you get nowhere: “If you don’t lie, you won’t live.” The best liars, surprisingly, lie rarely and almost never admit it. We will talk about other secrets of the art of lying in this article.

Lies permeate almost all spheres of human life, including religion, and the restless British researchers of everything in the whole wide world and its adjacent galaxies also add: “It turns out that every person lies approximately more than 88 thousand times in his life! "

The list of the most popular lies, of course, includes the well-worn ones: “There’s no money, I’m broke now,” “I’m very glad to see you,” “We’ll call you back,” and “Thank you very much, I really like it.” It turns out that everyone lies, to everyone, every time. But some people lie wonderfully, amusing those around them and making their lives easier, while others lie clumsily, bringing pain and suffering to everyone around them.

So, how can you learn to simply, safely and beautifully “powder your brains” ( to hang noodles on one's ears, to drive a blizzard, to deceive)? This craft, like any other, has its own unwritten laws and secrets.

“The professor, of course, is a mug, but the equipment is with him, with him. How can you hear? »

Big and small lies require equally scrupulous attitude.

This is one of the basic rules that the future master of lies must memorize. Each of your lies, regardless of its importance, will have to be remembered forever, and subsequent lies will have to be built taking the previous one into account. However, some may think that it is enough to just remember the most basic lie, and that a lie about minor formalities is not worth memorizing. This is how, as a rule, inexperienced liars get burned: having piled up a mountain of lies, they then forget who, when and how they “combed their hair.”

That’s why you should strive to remember every lie, even the smallest one. And because human memory is not infinite and you certainly won’t be able to remember all your “gonilov”, the basic rule follows from this conclusion: lie as little as possible; IMHO that’s the only way you can achieve credibility.

Sand in the eyes, noodles in the ears

A true master of lies is like a Spanish bullfighter, who draws his sword only at the most decisive moment and delivers just one blow. The rest of the time, he skillfully distracts the victim with deft manipulations of his red cloak. In the course of hanging noodles on one’s ears, similar methods are used, and deftly switching the interlocutor’s attention to another object or changing the topic of conversation from time to time completely relieves you of the need to lie. Think over your behavior strategy in advance so that you don’t have to drive any snowstorm at all. But be careful not to overdo it, because awkward use of the muleta can cost the bullfighter his life!

Hard at school, easy at work

Any profession requires practical training, and in a profession such as a liar, you definitely cannot do without practice. But since practicing on living people is very inhumane, we will practice on ourselves. Let's stand in front of the mirror and repeat our lies until they begin to look completely natural. Ideally, we should convince ourselves of the truth of our lies. An impeccable deception is one that we ourselves believe in.

And I am not me, and the nonsense is not mine

If you are suspected of lying, then the worst thing you can do in such a situation is to start justifying yourself and start coming up with more and more new lies. When the house begins to shake, you need to escape from it as soon as possible, and not urgently add additional floors. That’s why you need to respond to any accusations with offended and proud silence, or move on to a different topic.

As for “voluntary surrender to anal captivity,” such surrender is tantamount to a direct shot to the temple. There are often circumstances when the truth is equally detrimental to both sides, and the other side, despite its accusations of lying, would no more want to hear it than the liar himself. Don’t back down and don’t give up, even when you’re literally pushed against the wall. Stick to your line in defiance of evidence, logic and common sense (“There are no troops of ours in Crimea; it’s all people’s self-defense”).

Only you, and only me

You can think over a strategy of behavior for many moves ahead, you can practice brilliant acting skills near the mirror and practice the truthful intonations of a conversation, come up with an excuse, provide yourself with witnesses, escape routes and a second line of defense.

But family and friends can still find out the truth. This is not amenable to scientific explanation, because we don’t believe in things like “I dreamed it” or “I feel it in my heart”... “that you’re a fucking science fiction liar.” Let’s put it another way: a kind of psychophysiological non-verbal (astral) connection can be established between some people, thanks to which they unconsciously sense the smallest changes in each other’s state. That’s why it’s preferable not to even try to lie to family and friends.

In recent years, cybercriminals using social engineering techniques have adopted more advanced methods that make it more likely to gain access to the necessary information, using the modern psychology of enterprise employees, and people in general. The first step in countering this type of trick is to understand the attackers' tactics themselves. Let's look at eight main approaches to social engineering.

Introduction

In the 90s, the concept of “social engineering” was coined by Kevin Mitnick, an iconic figure in the field of information security and a formerly notorious hacker. However, attackers used such methods long before the term itself appeared. Experts are convinced that the tactics of modern cybercriminals are tied to the pursuit of two goals: stealing passwords and installing malware.

Attackers try to use social engineering using telephone, email and the Internet. Let's get acquainted with the main methods that help criminals obtain the confidential information they need.

Tactic 1. The theory of ten handshakes

The main goal of an attacker using a phone for social engineering is to convince his victim of one of two things:

  1. The call is from a company employee;
  2. The call is from a representative of an authorized body (for example, a law enforcement officer or an auditor).

If a criminal sets himself the task of collecting data about a certain employee, he can first contact his colleagues, trying in every possible way to extract the data he needs.

Remember the old theory of six handshakes? Well, security experts say that there can only be ten “handshakes” between a cybercriminal and his victim. Experts believe that in modern conditions you always need to have a little paranoia, since you don’t know what this or that employee wants from you.

Attackers usually target a secretary (or someone holding a similar position) to collect information about people higher up the hierarchy. Experts note that a friendly tone greatly helps scammers. Slowly but surely, criminals find the key to you, which soon leads to you sharing information that you would never have revealed before.

Tactic 2. Learning corporate language

As you know, each industry has its own specific formulations. The task of an attacker trying to obtain the necessary information is to study the features of such a language in order to more skillfully use social engineering techniques.

All the specifics lie in the study of the corporate language, its terms and features. If a cybercriminal speaks a language that is familiar and understandable to the target, he will more easily gain trust and be able to quickly obtain the information he needs.

Tactic 3. Borrowing the company’s on-hold music

To carry out a successful attack, scammers need three components: time, persistence and patience. Often, cyberattacks using social engineering are carried out slowly and methodically - collecting not only data on the desired people, but also so-called “social signals”. This is done in order to gain trust and fool the target. For example, attackers can convince the person they are communicating with that they are colleagues.

One of the features of this approach is the recording of music that the company uses during calls, while the caller is waiting for an answer. The criminal first waits for such music, then records it, and then uses it to his advantage.

Thus, when there is a direct dialogue with the victim, the attackers at some point say: “Wait a minute, there’s a call on the other line.” Then the victim hears familiar music and is left in no doubt that the caller represents a certain company. In essence, this is just a clever psychological trick.

Tactic 4. Spoofing (substitution) of a telephone number

Criminals often use phone number spoofing, which helps them spoof the caller's number. For example, a criminal may be sitting in his apartment and calling a person of interest, but the caller ID will display a company-owned number, creating the illusion that the fraudster is calling using a corporate number.

Of course, unsuspecting employees will in most cases give away sensitive information, including passwords, to the caller if the caller ID belongs to their company. This approach also helps criminals avoid tracking because if you call back to this number, you will be redirected to the company's internal line.

Tactic 5: Using the news against you

Whatever the current news headlines, attackers use this information as bait for spam, phishing and other fraudulent activities. It’s no wonder that experts have recently noted an increase in the number of spam emails, the topics of which relate to presidential campaigns and economic crises.

An example would be a phishing attack on a bank. The email says something like this:

“Another bank [name of bank] is acquiring your bank [name of bank]. Click this link to ensure your bank information is updated until the deal closes."

Naturally, this is an attempt to obtain information with which scammers can log into your account, steal your money, or sell your information to a third party.

Tactic 6: Leverage Trust in Social Platforms

It's no secret that Facebook, Myspace and LinkedIn are extremely popular social networking sites. According to expert research, people tend to trust such platforms. A recent spear-phishing incident targeting LinkedIn users supports this theory.

Thus, many users will trust an email if it claims to be from Facebook. A common tactic is to claim that the social network is undergoing maintenance and that you need to “click here” to update the information. This is why experts recommend that enterprise employees enter web addresses manually to avoid phishing links.

It is also worth keeping in mind that in very rare cases sites will ask users to change their password or update their account.

Tactic 7. Typosquatting

This malicious technique is notable for the fact that attackers exploit the human factor, namely errors when entering a URL into the address bar. Thus, by making a mistake of just one letter, the user can end up on a website created specifically for this purpose by attackers.

Cybercriminals carefully prepare the ground for typosquatting, so their website will be exactly like the legitimate one you originally wanted to visit. Thus, if you misspell your web address, you end up on a copy of a legitimate site, the purpose of which is either to sell something, or steal data, or distribute malware.

Tactic 8. Using FUD to influence the stock market

FUD is a tactic of psychological manipulation used in marketing and propaganda in general, which consists of presenting information about something (in particular, a product or organization) in such a way as to sow uncertainty and doubt in the audience about its qualities and thus cause fear of it.

According to the latest research from Avert, the security and vulnerabilities of products and even entire companies can affect the stock market. For example, researchers have studied the impact of events such as Microsoft Patch Tuesday on the company's stock, finding a noticeable fluctuation every month after information about vulnerabilities is published.

You can also remember how in 2008, attackers spread false information about the health of Steve Jobs, which led to a sharp drop in Apple shares. This is the most typical example of FUD being used for malicious purposes.

In addition, it is worth noting the use of email to implement the “pump-and-dump” technique (a scheme for manipulating the exchange rate on the stock market or cryptocurrency market with a subsequent collapse). In this case, attackers can send out emails describing the amazing potential of the stocks they bought up in advance.

Thus, many will try to buy up these shares as soon as possible, and they will increase in price.

Conclusions

Cybercriminals are often extremely creative in their use of social engineering. Having become familiar with their methods, we can conclude that various psychological tricks greatly help attackers achieve their goals. Based on this, you should pay attention to any little thing that could unwittingly reveal a scammer, check and double-check information about people contacting you, especially if confidential information is discussed.

In this article we will pay attention to the concept of “social engineering”. Here we will look at its general features. We will also learn about who was the founder of this concept. We will talk separately about the main social engineering methods used by attackers.

Introduction

Methods that make it possible to correct human behavior and manage a person’s activities without the use of technical tools form the general concept of social engineering. All methods are based on the statement that the human factor is the most destructive weakness of any system. Often this concept is considered at the level of illegal activity, through which a criminal commits an action aimed at obtaining information from a victim by dishonest means. For example, it could be a certain type of manipulation. However, social engineering is also used in legitimate activities. Today, it is most often used to access resources with classified or valuable information.

Founder

The founder of social engineering is Kevin Mitnick. However, the concept itself came to us from sociology. It denotes a general set of approaches used by the applied social sciences, focused on changing the organizational structure that is capable of determining human behavior and exercising control over it. Kevin Mitnick can be considered the founder of this science, since it was he who popularized social engineering in the first decade of the 21st century. Kevin himself was previously a hacker, targeting a wide variety of databases. He argued that the human factor is the most vulnerable point of a system of any level of complexity and organization.

If we talk about social engineering methods as a way of obtaining (usually illegal) rights to use confidential data, then we can say that they have been known for a very long time. However, it was K. Mitnick who was able to convey the importance of their meaning and the features of their application.

Phishing and non-existent links

Any social engineering technique is based on the presence of cognitive distortions. Behavioral errors become a “weapon” in the hands of a skilled engineer, who in the future can create an attack aimed at obtaining important data. Social engineering methods include phishing and non-existent links.

Phishing is an Internet fraud designed to obtain personal information, for example, login and password.

A non-existent (fake) link is the use of a link that lures the recipient with certain benefits to be obtained by clicking on it and visiting a specific site. Most often attackers use the names of large companies, making subtle changes to them. By clicking on the link, the victim “voluntarily” hands over his personal data to the attacker.

Methods using brands, defective antiviruses and fraudulent lotteries

Social engineering also uses fraud methods using well-known brands, defective antiviruses and fake lotteries.

“Fraud and brands” is a method of deception that also belongs to the phishing category. It includes emails and websites that carry the name of a large and/or heavily “promoted” company. Messages are sent from such pages notifying you of your victory in a particular competition. The victim is then asked to enter important account information, which is stolen. This form of fraud can also be carried out over the phone.

A fake lottery is a method in which the victim is sent a message with a text stating that he/she has won the lottery. Most often, the notification is disguised using the names of large corporations.

False antiviruses are software scams. They use programs that look like antiviruses but in reality only generate false notifications about a specific threat. They also try to draw users into making payments.

Vishing, phreaking and pretexting

When talking about social engineering for beginners, it is also worth mentioning vishing, phreaking and pretexting.

Vishing is a form of deception that uses telephone networks. It uses pre-recorded voice messages whose purpose is to imitate an “official call” from a bank or some other IVR system. Most often you are asked to enter a login and/or password in order to confirm some information. In other words, the system requires the user to authenticate using PIN codes or passwords.

Phreaking is another form of telephone deception. It is a technique for manipulating a telephone system using sound signals and tone dialing.

Pretexting is an attack carried out according to a pre-thought-out plan that is presented to another person. It is an extremely difficult method of deception, as it requires careful preparation.

Quid-pro-quo and the “road apple” method

The theory of social engineering is a multifaceted body of knowledge that includes both methods of deception and manipulation and ways to combat them. The main task of attackers, as a rule, is to extract valuable information.

Other types of scams include: quid-pro-quo, the “road apple” method, shoulder surfing, the use of open sources and reverse social engineering.

Quid-pro-quo (from Latin, “this for that”) is an attempt to extract information from a company or firm by contacting it by phone or by email. Most often, attackers introduce themselves as technical support staff reporting a specific problem at the employee’s workplace. They then suggest ways to eliminate it, for example by installing software. The software turns out to be malicious and furthers the crime.

Road apple is an attack method based on the idea of a Trojan horse. Its essence lies in the use of physical media and planted content. For example, the attacker can leave a memory card with some “bait” that attracts the victim’s attention and makes them want to open and use a file or follow the links given in the documents on the flash drive. The “road apple” is dropped in a public place and waits until someone carries out the attacker’s plan.

Collecting and searching for information from open sources is a scam in which obtaining data is based on psychological methods, the ability to notice little things and analysis of available data, for example, pages from a social network. This is a fairly new method of social engineering.

Shoulder surfing and reverse social engineering

The concept of "shoulder surfing" defines itself as literally watching a subject live. With this type of data mining, the attacker goes to public places, for example, a cafe, airport, train station and monitors people.

This method should not be underestimated, as many surveys and studies show that an attentive person can obtain a lot of confidential information simply by being observant.

Social engineering (as a level of sociological knowledge) is a means to “capture” data. There are ways to obtain data in which the victim herself offers the attacker the necessary information. However, it can also serve for the benefit of society.

Reverse social engineering is another method of this discipline. The term applies to the case we mentioned above: the victim herself offers the attacker the necessary information. This statement should not be taken as absurd. The fact is that people endowed with authority in certain areas of activity often gain access to identification data at the victim’s own discretion. The basis here is trust.

Important to remember! Support staff will never ask the user for a password, for example.

Awareness and protection

Social engineering training can be carried out by an individual both on the basis of personal initiative and on the basis of manuals that are used in special training programs.

Criminals can use a wide variety of types of deception, exploiting everything from outright manipulation to the laziness, gullibility and kindness of users. It is extremely difficult to protect yourself from this type of attack, because the victim is usually unaware that he (she) has been deceived. Firms and companies therefore often assess such threats in general terms in order to protect their data. The necessary protection measures are then integrated into the security policy.

Examples

An example of social engineering in the field of global phishing mailings is an incident that occurred in 2003. During this scam, emails were sent to eBay users claiming that their accounts had been blocked. To lift the block, the user had to re-enter his account information. However, the letters were fake: they redirected to a page identical to the official one, but counterfeit. According to expert estimates, the loss was not too significant (less than a million dollars).

Definition of responsibility

There may be penalties for using social engineering in some cases. In a number of countries, such as the United States, pretexting (deception by impersonating another person) is equated to an invasion of privacy. It may be punishable by law if the information obtained during pretexting was confidential from the point of view of the person or organization. Recording a telephone conversation (as a method of social engineering) is also covered by law and carries a fine of $250,000 or imprisonment for up to ten years for individuals. Legal entities are required to pay $500,000; the term of imprisonment remains the same.

Social engineering

Social engineering is a method of unauthorized access to information or information storage systems without the use of technical means. The main goal of social engineers, like other hackers and crackers, is to gain access to secure systems in order to steal information, passwords, credit card information, etc. The main difference from simple hacking is that in this case, not the machine, but its operator is chosen as the target of the attack. That is why all methods and techniques of social engineers are based on the use of the weaknesses of the human factor, which is considered extremely destructive, since the attacker obtains information, for example, through a regular telephone conversation or by infiltrating an organization under the guise of an employee. To protect against this type of attack, you should be aware of the most common types of fraud, understand what hackers really want, and organize a suitable security policy in a timely manner.

Story

Despite the fact that the concept of “social engineering” appeared relatively recently, people have used its techniques in one form or another from time immemorial. In Ancient Greece and Rome, people who could convince an interlocutor by various means that he was obviously wrong were held in high esteem. Speaking on behalf of their leaders, they conducted diplomatic negotiations. Skillfully using lies, flattery and advantageous arguments, they often solved problems that seemed impossible to solve without the help of a sword. Among spies, social engineering has always been the main weapon. By impersonating another person, KGB and CIA agents could learn state secrets. In the early 70s, during the heyday of phreaking, some telephone hooligans called telecom operators and tried to extract confidential information from the company's technical staff. After various experiments with tricks, by the end of the 70s phreakers had so perfected the techniques of manipulating untrained operators that they could easily learn from them almost everything they wanted.

Principles and techniques of social engineering

There are several common techniques and types of attacks that social engineers use. All of these techniques are based on features of human decision-making known as cognitive biases. These biases are used in various combinations to create the most appropriate deception strategy in each particular case. The common feature of all these methods is misleading the person with the aim of forcing him to perform some action that is not beneficial to him but is necessary to the social engineer. To achieve the desired result, the attacker uses a number of tactics: impersonating another person, distracting attention, increasing psychological tension, etc. The ultimate goals of the deception can also be very diverse.

Social engineering techniques

Pretexting

Pretexting is a set of actions carried out according to a specific, pre-prepared scenario (pretext). This technique involves the use of voice means such as telephone, Skype, etc. to obtain the necessary information. Typically, by posing as a third party or pretending that someone is in need of help, the attacker asks the victim to provide a password or log in to a phishing web page, thereby tricking the target into taking a desired action or providing certain information. In most cases, this technique requires some initial data about the target of the attack (for example, personal data: date of birth, phone number, account numbers, etc.) The most common strategy is to use small queries at first and mention the names of real people in the organization. Later, during the conversation, the attacker explains that he needs help (most people are able and willing to perform tasks that are not perceived as suspicious). Once trust has been established, the scammer may ask for something more substantial and important.

Phishing

Example of a phishing email sent from an email service requesting “account reactivation”

Phishing (from the English “fishing”) is a type of Internet fraud whose purpose is to gain access to confidential user data, that is, logins and passwords. It is perhaps the most popular social engineering scheme today. Not a single major personal data leak occurs without a wave of phishing emails following it. The purpose of phishing is to illegally obtain confidential information. The most striking example of a phishing attack is a message sent to the victim by email and faked as an official letter from a bank or payment system, requiring the verification of certain information or the performance of certain actions. The stated reasons vary: data loss, a system failure, and so on. These emails usually contain a link to a fake web page that looks exactly like the official one and contains a form that asks you to enter sensitive information.

One of the most famous examples of global phishing emails was a 2003 scam in which thousands of eBay users received emails claiming that their account had been locked and required updating their credit card information to unlock it. All of these emails contained a link leading to a fake web page that looked exactly like the official one. According to experts, the losses from this scam amounted to several hundred thousand dollars.

How to recognize a phishing attack

Almost every day new fraud schemes appear. Most people can learn to recognize fraudulent messages on their own by becoming familiar with some of their distinguishing features. Most often, phishing messages contain:

  • information causing concern or threats, such as the closure of user bank accounts.
  • promises of huge cash prizes with little or no effort.
  • requests for voluntary donations on behalf of charitable organizations.
  • grammatical, punctuation and spelling errors.
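The indicators listed above, together with the subtly altered brand names described under “Phishing and non-existent links” and “Fraud using brands of famous corporations”, can be checked mechanically on a message before a user ever sees it. The following Python script is an added example written for this article, not code from the article or from any product it mentions; the sample message, the brand allowlist and the word lists are constructed assumptions and a real deployment would maintain them separately.

```python
import re
from urllib.parse import urlparse

# Constructed sample message (not from the article) built from the indicators listed above.
SAMPLE_EMAIL = {
    "from": "security@paypa1-support.example",
    "subject": "URGENT: your account will be closed within 24 hours",
    "body": (
        "Dear customer, suspicious activity was detected and your account will be "
        "blocked unless you verify your details now. "
        "You have also won a $1,000,000 prize! Click the link below to claim it."
    ),
    "links": ["http://paypa1-support.example/verify", "https://www.paypal.com"],
}

# Hypothetical allowlist: brand keyword -> the registrable domain that really belongs to it.
BRAND_DOMAINS = {"paypal": "paypal.com", "ebay": "ebay.com", "microsoft": "microsoft.com"}

THREAT_TERMS = ["blocked", "closed", "suspended", "locked", "urgent", "within 24 hours"]
PRIZE_TERMS = ["won", "prize", "lottery", "winner"]
DONATION_TERMS = ["donate", "donation", "charity"]

# Characters commonly swapped for look-alikes ("paypa1", "rnicrosoft").
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l"})


def normalize(label: str) -> str:
    """Undo common look-alike substitutions so 'paypa1' compares equal to 'paypal'."""
    return label.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a label one edit away from a brand name is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_domain(hostname: str):
    """Return a finding if the hostname imitates a known brand, else None."""
    host = hostname.lower()
    registrable = ".".join(host.split(".")[-2:])
    tokens = [t for t in re.split(r"[.-]", host) if t]
    for brand, official in BRAND_DOMAINS.items():
        if registrable == official:
            return None  # the brand's own domain, nothing to flag
        for tok in tokens:
            if tok == brand or normalize(tok) == brand or (len(tok) >= 4 and levenshtein(tok, brand) == 1):
                return f"domain {host!r} imitates {brand}"
    return None


def analyze_email(email: dict) -> list:
    """Collect phishing indicators from subject, body, sender domain and link domains."""
    text = (email["subject"] + " " + email["body"]).lower()
    findings = []
    if any(t in text for t in THREAT_TERMS):
        findings.append("threat/urgency language")
    if any(t in text for t in PRIZE_TERMS):
        findings.append("promise of a prize")
    if any(t in text for t in DONATION_TERMS):
        findings.append("request for donation")
    sender_finding = check_domain(email["from"].split("@")[-1])
    if sender_finding:
        findings.append("sender " + sender_finding)
    for url in email["links"]:
        link_finding = check_domain(urlparse(url).hostname or "")
        if link_finding:
            findings.append("link " + link_finding)
    return findings


if __name__ == "__main__":
    for finding in analyze_email(SAMPLE_EMAIL):
        print("-", finding)
```

The domain check deliberately stops at the brand's own registrable domain, so `www.paypal.com` is clean while `paypa1-support.example` and `ebay-account-verify.example` are flagged; the word lists are only a starting point and produce false positives on ordinary mail, which is why such a scorer should raise a warning banner rather than block outright.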

Popular phishing schemes

The most popular phishing scams are described below.

Fraud using brands of famous corporations

These phishing scams use fake emails or websites containing the names of large or well-known companies. The messages may include congratulations about winning a competition held by the company, or about the urgent need to change your credentials or password. Similar fraudulent schemes on behalf of technical support can also be carried out over the phone.

Fraudulent lotteries

The user may receive messages indicating that he has won a lottery that was conducted by some well-known company. On the surface, these messages may appear as if they were sent on behalf of a senior corporate employee.

False antivirus and security programs

IVR or telephone phishing

Operating principle of IVR systems

Quid pro quo

Quid pro quo (Latin, “something for something”) is a phrase commonly used in English to mean a favor in exchange for a favor. This type of attack involves an attacker calling a company on its corporate phone number. In most cases, the attacker poses as a technical support employee and asks whether there are any technical problems. In the process of “solving” these problems, the scammer “forces” the target to enter commands that allow the attacker to run or install malicious software on the user's machine.

Trojan horse

Sometimes the use of Trojans is just part of a planned multi-stage attack on certain computers, networks or resources.

Types of Trojans

Trojans are most often developed for malicious purposes. There is a classification where they are divided into categories based on how Trojans infiltrate the system and cause harm to it. There are 5 main types:

  • remote access
  • data destruction
  • loader
  • server
  • security program deactivator

Goals

The purpose of the Trojan program can be:

  • uploading and downloading files
  • copying false links leading to fake websites, chat rooms or other registration sites
  • interfering with the user's work
  • stealing data of value or secrets, including authentication information, for unauthorized access to resources, obtaining details of bank accounts that could be used for criminal purposes
  • distribution of other malware such as viruses
  • destruction of data (erasing or overwriting data on a disk, hard-to-see damage to files) and equipment, disabling or failure of service of computer systems, networks
  • collecting email addresses and using them to send spam
  • spying on the user and secretly communicating information to third parties, such as browsing habits
  • Logging keystrokes to steal information such as passwords and credit card numbers
  • deactivating or interfering with the operation of anti-virus programs and firewalls

Disguise

Many Trojan programs are located on users' computers without their knowledge. Sometimes Trojans are registered in the Registry, which leads to their automatic launch when the operating system starts. Trojans can also be combined with legitimate files. When a user opens such a file or launches an application, the Trojan is launched along with it.

How the Trojan works

Trojans usually consist of two parts: a Client and a Server. The Server runs on the victim machine and waits for connections from the Client. While the Server is running, it listens on one or more ports for a connection from the Client. In order for an attacker to connect to the Server, he must know the IP address of the machine on which it is running. Some Trojans send the IP address of the victim machine to the attacker via email or some other channel. As soon as a connection to the Server is made, the Client can send commands to it, which the Server executes. Currently, thanks to NAT, most computers cannot be reached through their external IP address. That is why many Trojans today connect out to the attacker's computer, which is responsible for accepting incoming connections, instead of the attacker connecting to the victim. Many modern Trojans can also easily bypass firewalls on user computers.
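Because a Trojan that connects out to the attacker, as described above, must reconnect at intervals to pick up commands, that regularity is something a defender can look for in outbound connection logs even when the traffic itself is encrypted. The following Python script is an added example written for this article, not code from the article or from any tool it mentions; the log format and the sample records are constructed, and the destination addresses come from the documentation ranges.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound-connection records: "ISO-timestamp source-host destination-ip:port".
# 203.0.113.45:443 is contacted exactly every 60 s, the way a reverse-connecting Trojan
# polls its operator; the other destinations are ordinary, irregular traffic.
SAMPLE_LOG = """\
2024-05-01T09:00:00 ws-17 203.0.113.45:443
2024-05-01T09:00:03 ws-17 198.51.100.10:443
2024-05-01T09:01:00 ws-17 203.0.113.45:443
2024-05-01T09:01:41 ws-17 198.51.100.22:80
2024-05-01T09:02:00 ws-17 203.0.113.45:443
2024-05-01T09:03:00 ws-17 203.0.113.45:443
2024-05-01T09:03:12 ws-17 198.51.100.10:443
2024-05-01T09:04:00 ws-17 203.0.113.45:443
2024-05-01T09:04:55 ws-17 198.51.100.10:443
2024-05-01T09:05:00 ws-17 203.0.113.45:443
"""


def parse_log(text: str) -> list:
    """Parse the constructed log format into (datetime, src, dst) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        records.append((datetime.fromisoformat(ts), src, dst))
    return records


def find_beacons(records: list, min_connections: int = 5, max_cv: float = 0.15) -> dict:
    """Return {(src, dst): mean interval in seconds} for pairs that connect at regular intervals.

    Regularity is measured as the coefficient of variation (stdev / mean) of the gaps
    between successive connections; real malware adds jitter, so max_cv allows some spread.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in records:
        by_pair[(src, dst)].append(ts)
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue  # too few samples to call the pattern periodic
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[pair] = avg
    return beacons


if __name__ == "__main__":
    for (src, dst), interval in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: regular connections every {interval:.0f} s")
```

Legitimate software also polls on a schedule (update checks, mail clients), so hits from this kind of analysis are leads for an analyst to compare against known services and against the persistence locations mentioned under “Disguise”, not verdicts on their own.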

Collection of information from open sources

The use of social engineering techniques requires not only knowledge of psychology, but also the ability to collect the necessary information about a person. A relatively new way of obtaining such information is collecting it from open sources, mainly from social networks. For example, sites such as LiveJournal, Odnoklassniki and Vkontakte contain a huge amount of data that people do not try to hide. As a rule, users do not pay enough attention to security issues, leaving data and information in the public domain that can be used by an attacker.

An illustrative example is the story of the kidnapping of Evgeniy Kaspersky’s son. During the investigation, it was established that the criminals learned the teenager’s daily schedule and routes from his posts on a social network page.

Even by limiting access to information on his social network page, a user cannot be sure that it will never fall into the hands of fraudsters. For example, a Brazilian computer security researcher showed that it is possible to become a friend of any Facebook user within 24 hours using social engineering techniques. During the experiment, researcher Nelson Novaes Neto chose a “victim” and created a fake account of a person from her environment - her boss. Neto first sent friend requests to friends of friends of the victim's boss, and then directly to his friends. After 7.5 hours, the researcher got the “victim” to add him as a friend. Thus, the researcher gained access to the user’s personal information, which he shared only with his friends.

Road apple

This attack method is an adaptation of the Trojan horse and consists of using physical media. The attacker plants an “infected” disc or flash drive in a place where the medium can be easily found (toilet, elevator, parking lot). The medium is faked to look official and is accompanied by a label designed to arouse curiosity. For example, a fraudster can plant a disc bearing a corporate logo and a link to the company’s official website, with the inscription “Executive salaries.” The disc can be left on the elevator floor or in the lobby. An employee may unknowingly pick up the disc and insert it into a computer to satisfy his curiosity.

Reverse social engineering

Reverse social engineering is the term used when the victim herself offers the attacker the information he needs. This may seem absurd, but in fact, individuals with authority in the technical or social sphere often receive user IDs, passwords and other sensitive personal information simply because no one questions their integrity. For example, support staff never ask users for an ID or password; they do not need this information to solve problems. However, many users voluntarily provide this confidential information in order to resolve problems quickly. It turns out that the attacker does not even need to ask for it.

An example of reverse social engineering is the following simple scenario. An attacker working with the victim changes the name of a file on the victim's computer or moves it to a different directory. When the victim notices the file is missing, the attacker claims that he can fix everything. Wanting to complete the job faster or avoid punishment for losing information, the victim agrees to this offer. The attacker claims that the problem can only be solved by logging in with the victim's credentials. Now the victim asks the attacker to log in under her name to try to restore the file. The attacker reluctantly agrees and restores the file, and in the process steals the victim's ID and password. Having successfully carried out the attack, he even improved his reputation, and it is quite possible that after this other colleagues will turn to him for help. This approach does not interfere with the usual procedures for providing support services and complicates the capture of the attacker.

Famous Social Engineers

Kevin Mitnick

Kevin Mitnick. World famous hacker and security consultant

One of the most famous social engineers in history is Kevin Mitnick. As a world-famous computer hacker and security consultant, Mitnick is also the author of numerous books on computer security, mainly devoted to social engineering and methods of psychological influence on people. In 2002, the book “The Art of Deception” was published under his authorship, telling about real stories of the use of social engineering. Kevin Mitnick argued that it is much easier to obtain a password by deception than to try to hack a security system

Badir Brothers

Despite the fact that the brothers Mundir, Mushid and Shadi Badir were blind from birth, they managed to carry out several large fraud schemes in Israel in the 1990s, using social engineering and voice spoofing. In a television interview they said: “Only those who do not use a telephone, electricity and a laptop are completely protected against network attacks.” The brothers have already been to prison for being able to hear and decipher the secret signalling tones of telephone providers. They made long calls abroad at someone else's expense, having reprogrammed the computers of cellular providers with these tones.

Archangel

Cover of Phrack magazine

A famous computer hacker and security consultant for the famous English-language online magazine "Phrack Magazine", Archangel demonstrated the power of social engineering techniques by obtaining passwords from a huge number of different systems in a short time, deceiving several hundred victims.

Other

Lesser-known social engineers include Frank Abagnale, David Bannon, Peter Foster and Stephen Jay Russell.

Ways to protect against social engineering

To carry out their attacks, attackers who use social engineering techniques often exploit the gullibility, laziness, courtesy, and even enthusiasm of users and employees of organizations. It is not easy to defend against such attacks because victims may not be aware that they have been deceived. Social engineering attackers have generally the same goals as any other attacker: they want money, information, or the IT resources of the victim company. To protect against such attacks, you need to study their types, understand what the attacker needs and assess the damage that could be caused to the organization. With all this information, you can integrate the necessary protection measures into your security policy.

Threat classification

Email threats

Many employees receive dozens and even hundreds of emails every day through corporate and private email systems. Of course, with such a flow of correspondence it is impossible to pay due attention to each letter. This makes it much easier to carry out attacks. Most users of e-mail systems are relaxed about processing such messages, perceiving this work as the electronic analogue of moving papers from one folder to another. When an attacker sends a simple request by mail, his victim will often do what he is asked to do without thinking about his actions. Emails may contain hyperlinks that entice employees to violate corporate security. Such links do not always lead to the stated pages.

Most security measures are aimed at preventing unauthorized users from accessing corporate resources. If, by clicking on a hyperlink sent by an attacker, a user uploads a Trojan or virus to the corporate network, this will make it easy to bypass many types of protection. The hyperlink may also point to a site with pop-up applications asking for data or offering help. As with other types of scams, the most effective way to protect yourself from malicious attacks is to be skeptical of any unexpected incoming emails. To promote this approach throughout your organization, your security policy should include specific guidelines for the use of email that cover the following elements.

  • Attachments to documents.
  • Hyperlinks in documents.
  • Requests for personal or corporate information coming from within the company.
  • Requests for personal or corporate information originating from outside the company.
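Two of the policy elements above, attachments and hyperlinks, can be enforced at the mail gateway rather than left to each employee's judgment; the point made earlier that a link "does not always lead to the stated page" is exactly what a gateway can check by comparing the visible link text with the real target. The following Python script is an added example written for this article, not code from the article or from any product it mentions; the sample message body, the attachment names and the extension lists are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body and attachment list (not from the article).
# The first link displays an intranet URL but really points at an outside address.
SAMPLE_HTML = (
    '<p>Please review the invoice: '
    '<a href="http://198.51.100.7/login">https://intranet.example.com/invoices</a></p>'
    '<p>Or visit <a href="https://intranet.example.com/help">our help page</a>.</p>'
)
SAMPLE_ATTACHMENTS = ["Q3-report.pdf", "invoice.pdf.exe", "salaries.xlsm", "photo.jpg"]

# Assumed policy lists; a real gateway would carry a fuller, maintained set.
EXECUTABLE_EXT = {"exe", "scr", "bat", "cmd", "js", "vbs", "ps1", "hta", "msi", "com", "pif"}
MACRO_EXT = {"docm", "xlsm", "pptm"}
DOCUMENT_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html: str) -> list:
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def deceptive_links(html: str) -> list:
    """Return (shown_text, real_href) for links whose visible URL names a different host."""
    findings = []
    for href, text in extract_links(html):
        looks_like_url = "://" in text or text.startswith("www.")
        if not looks_like_url:
            continue  # plain link text makes no claim about the destination
        shown_host = urlparse(text if "://" in text else "http://" + text).hostname
        real_host = urlparse(href).hostname
        if shown_host and real_host and shown_host != real_host:
            findings.append((text, href))
    return findings


def attachment_findings(names: list) -> list:
    """Flag executables, macro-enabled documents and 'report.pdf.exe'-style double extensions."""
    findings = []
    for name in names:
        parts = name.lower().split(".")
        if len(parts) < 2:
            continue
        ext = parts[-1]
        if ext in EXECUTABLE_EXT:
            findings.append((name, "executable attachment"))
            if len(parts) > 2 and parts[-2] in DOCUMENT_EXT:
                findings.append((name, "double extension disguising an executable"))
        elif ext in MACRO_EXT:
            findings.append((name, "macro-enabled document"))
    return findings


if __name__ == "__main__":
    print(deceptive_links(SAMPLE_HTML))
    print(attachment_findings(SAMPLE_ATTACHMENTS))
```

Extension checks are only a first filter: an executable renamed to `.txt` or wrapped in an archive passes them, so a gateway should also inspect file content, and the link check says nothing about links whose visible text is a plain phrase such as "our help page", which is why the policy still has to tell employees to hover before clicking.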

Threats associated with using instant messaging services

Instant messaging is a relatively new method of data transfer, but it has already gained wide popularity among corporate users. Because of its speed and ease of use, this method of communication opens up wide opportunities for various attacks: users treat it as a telephone connection and do not associate it with potential software threats. The two main types of attacks based on instant messaging services are the inclusion of a link to a malicious program in the body of the message and the delivery of the program itself. Of course, instant messaging is also one way to request information. One of the features of instant messaging services is the informal nature of communication. Combined with the ability to assign oneself any name, this factor makes it much easier for an attacker to impersonate another person and significantly increases the chances of carrying out an attack successfully. If a company intends to take advantage of the cost savings and other benefits provided by instant messaging, it must include protection mechanisms against the relevant threats in its corporate security policy. To gain reliable control over instant messaging in an enterprise environment, several requirements must be met.

  • Choose one instant messaging platform.
  • Determine the security settings that are specified when deploying the instant messaging service.
  • Determine principles for establishing new contacts
  • Set password standards
  • Make recommendations for using the instant messaging service.

Multi-level security model

To protect large companies and their employees from scammers using social engineering techniques, complex multi-layered security systems are often used. Some of the features and responsibilities of such systems are listed below.

  • Physical security. Barriers that restrict access to company buildings and corporate resources. Do not forget that company resources, for example, garbage containers located outside the company’s territory, are not physically protected.
  • Data. Business information: accounts, mail, etc. When analyzing threats and planning measures to protect data, you need to determine the principles of handling paper and electronic data media.
  • Applications. User-run programs. To protect your environment, you need to consider how attackers can exploit email programs, instant messaging, and other applications.
  • Computers. Servers and client systems used in the organization. Protect users from direct attacks on their computers by defining strict guidelines governing which programs may be used on corporate computers.
  • Internal network. A network through which corporate systems interact. It can be local, global or wireless. In recent years, due to the growing popularity of remote work methods, the boundaries of internal networks have become largely arbitrary. Company employees need to be told what they must do to operate securely in any network environment.
  • Network perimeter. The boundary between a company's internal networks and external ones, such as the Internet or networks of partner organizations.

Responsibility

Pretexting and recording of telephone conversations

Hewlett-Packard

Patricia Dunn, president of Hewlett Packard Corporation, said she hired a private company to identify those company employees who were responsible for leaking confidential information. Later, the head of the corporation admitted that the practice of pretexting and other social engineering techniques was used during the research process.

Links

  • SocialWare.ru – Private social engineering project