
Which is the best defense against social engineering. Social engineering

This article is about social engineering methods and everything connected with them: manipulation of people, phishing, theft of customer databases and more. The material was kindly provided to us by its author, Andrey Serikov, for which many thanks to him.

A. SERIKOV

A.B. BOROVSKY

INFORMATION TECHNOLOGIES OF SOCIAL HACKING

Introduction

Mankind's desire for the perfect fulfilment of the tasks it sets itself has driven the development of modern computer technology, and attempts to satisfy people's conflicting demands have led to the development of software products. These software products not only support the hardware but also control it.

The growth of knowledge about people and computers led to the emergence of a fundamentally new type of system, the "man-machine" system, in which a person can be viewed as hardware running under the control of a stable, functional, multitasking operating system called the "psyche".

The subject of this work is social hacking as a branch of social programming, in which a person is manipulated through the human weaknesses, prejudices and stereotypes that social engineering exploits.

Social engineering and its methods

Methods of manipulating people have been known for a long time; most of them came to social engineering from the arsenal of various intelligence services.

The first known case of competitive intelligence dates back to the 6th century BC in China, when the Chinese lost the secret of silk making, which was obtained by trickery by Roman spies.

Social engineering is a science that is defined as a set of methods for manipulating human behavior based on the use of the weaknesses of the human factor, without using technical means.

According to many experts, the greatest threat to information security comes precisely from social engineering methods, if only because social hacking requires neither significant financial investment nor thorough knowledge of computer technology, and because people have behavioral tendencies that can be exploited for careful manipulation.

And no matter how much we improve technical protection systems, people will remain people, with the weaknesses, prejudices and stereotypes through which they are managed. Setting up a human "security program" is the hardest task of all, and it does not always give guaranteed results, since this filter must be constantly readjusted. Here the main motto of all security experts sounds more relevant than ever: "Security is a process, not a result."

Areas of application of social engineering:

  1. general destabilization of an organization's work in order to reduce its influence, with the possibility of subsequently destroying the organization completely;
  2. financial fraud in organizations;
  3. phishing and other methods of stealing passwords in order to access the personal banking data of individuals;
  4. theft of customer databases;
  5. competitive intelligence;
  6. general information about an organization, its strengths and weaknesses, with the aim of subsequently destroying the organization in one way or another (often used in raider attacks);
  7. information about the most promising employees with a view to later "poaching" them for your own organization.

Social programming and social hacking

Social programming can be called an applied discipline dealing with targeted influence on a person or a group of people in order to change their behavior, or keep it, in the desired direction. The social programmer thus sets himself the goal of mastering the art of managing people. The basic premise of social programming is that many of people's actions, and their reactions to one or another external influence, are in many cases predictable.

Social programming methods are attractive because either nobody will ever learn about them or, even if someone suspects something, it is very difficult to prosecute such a person; moreover, in some cases the behavior of people can be "programmed", whether of one person or of a large group. These possibilities belong to the category of social hacking precisely because in all of them people carry out someone else's will, as if obeying a "program" written by a social hacker.

Social hacking, as the possibility of hacking a person and programming him to perform the required actions, derives from social programming, an applied discipline of social engineering in which specialists in the field, social hackers, use techniques of psychological influence and acting borrowed from the arsenal of the intelligence services.

Social hacking is used in most cases when it comes to attacking a person who is part of a computer system. A computer system that is being hacked does not exist on its own; it contains an important component, the person. And in order to get information, a social hacker needs to hack the person who works with the computer. In most cases this is easier than hacking the victim's computer in an attempt to find out the password.

A typical algorithm of influence in social hacking

All attacks by social hackers fit into one fairly simple scheme:

  1. the goal of influencing a particular object is formulated;
  2. information about the object is collected in order to find the most convenient targets of influence;
  3. on the basis of the collected information, a stage is carried out that psychologists call attraction. Attraction (from Latin attrahere, to attract) is the creation of the conditions necessary for influencing the object;
  4. coercion into the action the social hacker needs.

Coercion is achieved by carrying out the previous stages: once attraction has been achieved, the victim himself performs the actions the social engineer needs.

Based on the information collected, social hackers predict the psychotype and sociotype of the victim quite accurately, identifying not only the needs for food, sex and so on, but also the need for love, the need for money, the need for comfort and the like.

And really, why try to infiltrate a particular company, hack computers and ATMs, and organize complex combinations when everything can be done more simply: make a person fall in love, so that of his own free will he transfers money to a specified account or shares the necessary information every time?

Proceeding from the fact that people's actions are predictable and obey certain laws, social hackers and social programmers use both elaborate multi-step schemes and simple positive and negative techniques, based on the psychology of human consciousness, behavior programs, vibrations of internal organs, logical thinking, imagination, memory and attention, to accomplish their tasks. These techniques include:

  • Wood's generator, which generates oscillations at the same frequency as the oscillations of internal organs, after which a resonance effect is observed and people begin to feel severe discomfort and anxiety;
  • influence on the geography of a crowd, for the peaceful dispersal of extremely dangerous, aggressive large groups of people;
  • high-frequency and low-frequency sounds, to provoke panic or its opposite effect, as well as other manipulations;
  • the social imitation program: a person judges the correctness of actions by finding out what actions other people consider correct;
  • the claque program (based on social imitation): organizing the required reaction of an audience;
  • queuing (based on social imitation): a simple but effective advertising move;
  • the mutual assistance program: a person seeks to repay with good those people who have done something good for him. The urge to fulfil this program often outweighs all the arguments of reason.

Social hacking on the internet

With the emergence and development of the Internet, a virtual environment made up of people and their interactions, the environment for manipulating a person, for obtaining the required information and inducing the required action, has expanded. Today the Internet is a medium for worldwide broadcasting, collaboration and communication, and it covers the entire globe. This is what social engineers use to achieve their goals.

Ways of manipulating a person via the Internet

In the modern world the owners of almost every company have realized that the Internet is a very effective and convenient means of expanding a business whose main task is to increase the company's profits. Advertising is information aimed at attracting attention to the desired object, generating or maintaining interest in it and promoting it on the market. Because the advertising market was divided up long ago, most types of advertising are wasted money for most entrepreneurs. Internet advertising is not just one more type of media advertising; it is something more, because with its help people interested in cooperation come to the organization's website.

Online advertising, unlike advertising in the media, offers far more possibilities and control parameters for an advertising campaign. The most important feature of Internet advertising is that fees are charged only when an interested user follows the advertising link, which of course makes advertising on the Internet more effective and less costly than advertising in the media. With television or print advertising, the advertiser pays in full up front and then simply waits for potential clients, who may or may not respond depending on the quality of the production and placement of the advertisement; the budget has already been spent, and if the advertising did not work it was wasted. Unlike such media advertising, online advertising makes it possible to track the audience's response and manage the advertising before its budget is spent; moreover, online advertising can be paused when demand for products has risen and resumed when demand begins to fall.

Another method of influence is the so-called "killing of forums", where social programming is used to create anti-advertising for a particular project. In this case the social programmer destroys the forum with nothing more than overtly provocative actions, using several pseudonyms (nicknames) to gather an anti-leader group around himself and to attract the project's regular visitors who are dissatisfied with the behavior of the administration. At the end of such events it becomes impossible to promote products or ideas in the forum, which is what the forum was originally created for.

Methods of influencing a person via the Internet for the purposes of social engineering include:

Phishing is a type of Internet fraud aimed at gaining access to confidential user data: logins and passwords. It is carried out by mass mailing of e-mails on behalf of popular brands, and of private messages inside various services (Rambler), banks or social networks (Facebook). The letter often contains a link to a site that is outwardly indistinguishable from the real one. Once the user lands on the fake page, social engineers use various tricks to induce him to enter the username and password he uses to access the particular site, which gives the attacker access to the user's accounts, including bank accounts.

A more dangerous kind of fraud than phishing is so-called pharming.

Pharming is a mechanism for covertly redirecting users to phishing sites. The social engineer distributes special malicious programs to users' computers which, once launched, redirect requests for the sites the user wants to fake ones. This ensures a high degree of stealth, and the user's involvement is minimized: it is enough to wait until the user decides to visit a site of interest to the social engineer.
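One defensive check that follows from this description, added here as an example and not part of the original article: a pharming program running on the victim's machine commonly pins a bank's or payment site's hostname to an attacker-controlled address in the system hosts file, so the browser never even asks DNS. The script below parses hosts-file text and reports every name pinned to a non-loopback address, marking names from a watch list of sensitive domains as high severity. The hosts content, the watch-list domains and the addresses are all constructed for the example.

```python
import ipaddress
import sys

# Constructed hosts-file content for the example (not from a real machine).
# The two 203.0.113.45 lines are the kind of override a pharming program plants.
SAMPLE_HOSTS = """\
# Default entries
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.1.10    build-server.corp.example
203.0.113.45    online.bank.example www.bank.example   # pinned by malware
203.0.113.45    pay.example
"""

# Constructed watch list: hostnames that should never be pinned locally.
SENSITIVE_DOMAINS = {"online.bank.example", "www.bank.example", "pay.example"}


def parse_hosts(text):
    """Return a list of (ip_address, [hostnames]) for every active entry.

    Comments (from '#' to end of line) and blank or malformed lines are
    skipped, just as the resolver ignores them.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address; the resolver skips it too
        entries.append((ip, fields[1:]))
    return entries


def audit_hosts(text, sensitive_domains=SENSITIVE_DOMAINS):
    """Report every hostname pinned to a non-loopback address.

    Returns (severity, hostname, ip) tuples: 'high' when the name is on the
    sensitive watch list (a pharming signature), 'info' otherwise so that a
    reviewer still sees everything else the file pins.
    """
    findings = []
    for ip, names in parse_hosts(text):
        if ip.is_loopback:
            continue  # 127.0.0.0/8 and ::1 entries are the file's normal content
        for name in names:
            host = name.lower()
            severity = "high" if host in sensitive_domains else "info"
            findings.append((severity, host, str(ip)))
    return findings


if __name__ == "__main__":
    # Pass a path (e.g. /etc/hosts) to audit a real file; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE_HOSTS
    for severity, host, ip in audit_hosts(content):
        print(f"[{severity}] {host} -> {ip}")
```

Run with no argument to see the sample findings, or with the path of a hosts file to audit it. The check is deliberately simple: anything non-loopback in this file is worth a look, because legitimate software almost never needs to pin a public site's name there.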

Conclusion

Social engineering is a science that emerged from sociology and claims to be a body of knowledge that directs, orders and optimizes the process of creating, modernizing and reproducing new ("artificial") social realities. In a certain sense it "completes" sociological science, at the stage where scientific knowledge is transformed into models, projects and structures of social institutions, values, norms, algorithms of activity, relations, behavior and so on.

Despite the fact that social engineering is a relatively young science, it does a great deal of damage to the processes taking place in society.

The simplest methods of protection against the effects of this destructive science are:

  • drawing people's attention to security issues;
  • users' awareness of the seriousness of the problem and the adoption of a system security policy.


Hello, dear friends! We haven't discussed security for a long time, or, more precisely, the data that is stored not only on your computers but also with your friends and colleagues. Today I will tell you about the concept of social engineering. You will learn what social engineering is and how to protect yourself.

Social engineering is a method of unauthorized access to information systems based on the characteristics of human psychological behavior. Any hacker, in the direct or indirect sense, is interested in gaining access to protected information, passwords, bank card data and so on.

The main difference of this method is that the target of the attack is not the machine but its user. Social engineering methods rely on the human factor. An attacker obtains the information he needs by talking on the phone or by entering the office disguised as an employee.

Pretexting is a set of actions that follow a scenario prepared in advance (the pretext). To obtain information with this technique, voice channels (telephone, Skype) are used. Posing as a third party and pretending to need help, the fraudster gets the other person to provide a password or to register on a phishing web page, and thereby obtains the necessary information.

Let's imagine the situation. You have worked for a large organization for about six months. You get a call from a person who introduces himself as an employee of some branch: "Hello, [your name or position], we can't get into the mailbox that receives applications in our company. We recently received an application from your city, and the boss will simply kill us for such an oversight; tell me the password for the mailbox."

Of course, when you read his request now, it seems a little silly to give the password to a person you are hearing for the first time. But since people like to help with trifles (is it really hard for you to say 8-16 characters of a password?), anyone can be caught out here.

Phishing (fishing) is a type of Internet fraud aimed at obtaining usernames and passwords. The most popular type of phishing is sending the victim an e-mail disguised as an official letter, for example from a payment system or a bank. The letter usually reports a loss of data or malfunctions in the system and asks the recipient to enter confidential information by following a link.

The link redirects the victim to a phishing page that looks exactly like a page of the official website. It is difficult for an untrained person to recognize a phishing attack, but it is quite possible. Such messages usually contain threats (for example, that a bank account will be closed) or, conversely, the promise of a cash prize for nothing, or requests for help on behalf of a charitable organization. Phishing messages can also be recognized by the address you are asked to go to.

The most popular phishing attacks include the fraudulent use of a well-known company's brand. E-mails are sent out on behalf of the company containing, for example, congratulations on some holiday and information about a competition. To take part in the competition, you urgently need to change your account details.

I'll tell you about a personal experience. Don't throw stones at me 😉. It was a long time ago, when I was interested in ... ... Yes, yes, phishing. At that time it was very fashionable to sit in My World, and I took advantage of it. Once I saw an offer from mail.ru to install a "golden agent" for money. When they tell you to buy, you think, but when they tell you that you've won, people are fooled immediately.

I don’t remember everything exactly to the smallest detail, but it was something like this.

I wrote a message: "Hello, NAME! The Mile.RU team is glad to congratulate you. You have won the "golden agent". Every 1000th of our users gets it for free. To activate it, you need to go to your page and activate it in Settings, blah blah blah."

Well, how do you like the offer? Do you want a gold Skype, dear readers? I will not tell you about all the technical subtleties, as there are young people who are just waiting for detailed instructions. But it should be noted that 30% of the users of "My World" followed the link and entered their username and password. I deleted these passwords, as it was just an experiment.

Smishing. Cell phones are very popular now, and finding out your number is not difficult even for a schoolchild who sits at the same desk as your son or daughter. Having learned the number, the scammer sends you a phishing link asking you to go and activate bonus money on your card, where naturally there are fields for entering personal data. You may also be asked to send an SMS with your card details.

It seems to be a normal situation, but the catch is just around the corner.

Qui pro quo ("quid pro quo") is a type of attack involving a fraudulent call, for example on behalf of a technical support service. While questioning an employee about possible technical problems, the attacker gets him to enter commands that allow malicious software to be run, software that can be placed on open resources: social networks, company servers and so on.


They can also send you a file (a virus) by mail, then call and say that an urgent document has arrived and you need to look at it. By opening the file attached to the letter, the user himself installs malware on the computer, which gives access to confidential data.

Take care of yourself and your data. See you soon!

Social engineering

Social engineering is a method of unauthorized access to information or to information storage systems without the use of technical means. The main goal of social engineers, like that of other hackers and crackers, is to gain access to protected systems in order to steal information, passwords, credit card data and so on. The main difference from simple hacking is that it is not the machine that is chosen as the object of attack but its operator. That is why all the methods and techniques of social engineers rely on the weaknesses of the human factor, which is considered extremely destructive, since the attacker obtains information by means of, for example, an ordinary telephone conversation or by infiltrating an organization disguised as an employee. To protect against attacks of this type, you should be aware of the most common types of fraud, understand what crackers really want, and organize a suitable security policy.

History

Although the concept of "social engineering" appeared relatively recently, people have used its techniques in one form or another from time immemorial. In Ancient Greece and Rome, people who could convince an interlocutor in various ways that he was obviously wrong were held in high esteem. Speaking on behalf of the leaders, they conducted diplomatic negotiations. Skillfully using lies, flattery and lucrative arguments, they often solved problems that, it seemed, could not be solved without the help of a sword. Among spies, social engineering has always been the main weapon. Posing as other people, KGB and CIA agents could ferret out state secrets. In the early 70s, during the heyday of phreaking, some telephone pranksters called telecom operators and tried to squeeze confidential information out of the companies' technical staff. After various experiments with tricks, by the end of the 70s phreakers had refined their techniques for manipulating untrained operators so much that they could easily learn from them almost anything they wanted.

Principles and Techniques of Social Engineering

There are several common attack techniques and types used by social engineers. All of them are based on patterns of human decision-making known as cognitive biases. These biases are used in various combinations to create the most appropriate deception strategy in each case. The common feature of all these methods is misleading a person in order to force him to perform an action that is not beneficial to him but is necessary to the social engineer. To achieve the desired result, the attacker uses all kinds of tactics: impersonating another person, distracting attention, building up psychological stress, and so on. The ultimate goals of the deception can also be quite varied.

Social engineering techniques

Pretexting

Pretexting is a set of actions carried out according to a certain, previously prepared script (the pretext). This technique uses voice channels such as the telephone, Skype and so on to get the information required. Typically, posing as a third party or pretending that someone needs help, the attacker asks the victim for a password or to log in to a phishing web page, thereby forcing the target to perform the required action or provide certain information. In most cases this technique requires some initial data about the target of the attack (for example, personal data: date of birth, phone number, account numbers and so on). The most common strategy is to start with small requests and to mention the names of real people in the organization. Later in the conversation the attacker explains that he needs help (most people can and are ready to perform tasks that are not perceived as suspicious). Once trust is established, the fraudster may ask for something more substantial and important.

Phishing

Example of a phishing email sent from an email service requesting "account reactivation"

Phishing (from fishing) is a type of Internet fraud whose purpose is to gain access to confidential user data: logins and passwords. It is perhaps the most popular social engineering scheme today. No major personal data breach is complete without the wave of phishing e-mails that follows. The purpose of phishing is to obtain confidential information illegally. The most striking example of a phishing attack is a message sent to the victim by e-mail and forged as an official letter from a bank or payment system, requiring verification of certain information or certain actions. The stated reasons can vary widely: a loss of data, a breakdown in the system, and so on. Such e-mails usually contain a link to a fake web page that looks exactly like the official one and contains a form requiring you to enter confidential information.

One of the best-known examples of a global phishing scam was the 2003 scam in which thousands of eBay users received e-mails claiming that their account had been blocked and that they had to update their credit card information to unblock it. All of these e-mails included a link leading to a fake web page that looked exactly like the official one. According to experts, losses from this scam amounted to several hundred thousand dollars.

How to recognize a phishing attack

New fraudulent schemes emerge almost every day. Most people can learn to recognize fraudulent messages on their own by familiarizing themselves with some of their distinctive features. Most often, phishing messages contain:

  • alarming information or threats, such as the closure of the user's bank account;
  • promises of a huge cash prize with minimal effort or none at all;
  • requests for voluntary donations on behalf of charitable organizations;
  • grammatical, punctuation and spelling errors.
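The indicators listed above, together with the advice given earlier on this page to look at the address a link actually points to, can be turned into a simple scoring check. The script below is an added example and not the page's own material: it scores a message on four textual signals (threat or urgency wording, prize promises, donation requests, a request to enter credentials) plus two link checks (visible URL text whose domain differs from the real href, and links that leave the sender's domain). The three sample messages, the sender addresses and the domain names are constructed for the example, and the weights and threshold are an assumption to be tuned on real mail.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages for the example; none of them is a real e-mail.
SAMPLE_MESSAGES = [
    {   # bank-themed threat with a disguised link
        "sender": "security@bank.example",
        "subject": "Your account will be blocked",
        "body": ('<p>Dear customer, your account will be blocked within 24 hours '
                 'unless you verify your details.</p>'
                 '<a href="http://bank-example-secure.net/login">'
                 'https://online.bank.example/login</a>'),
    },
    {   # "you have won" lure asking for credentials
        "sender": "promo@lottery-win.example",
        "subject": "Congratulations, you have won!",
        "body": ('<p>You have won the golden agent. Every 1000th user gets it free. '
                 'Go to your page and enter your username and password to activate it.</p>'
                 '<a href="http://my-world-login.example/activate">Activate</a>'),
    },
    {   # ordinary newsletter: link text and target agree, no pressure
        "sender": "news@shop.example",
        "subject": "October newsletter",
        "body": ("<p>This month's new arrivals are in. Browse the catalogue at your leisure.</p>"
                 '<a href="https://shop.example/catalogue">shop.example/catalogue</a>'),
    },
]

# (signal name, weight, regex over the lower-cased subject + body text).
# Weights are an assumption for this example, not calibrated values.
TEXT_SIGNALS = [
    ("threat or urgency", 2,
     r"account (will be|has been|is) (closed|blocked|suspended)|within \d+ hours|immediately|urgent"),
    ("prize promise", 2, r"you have won|congratulations|prize|lottery"),
    ("donation request", 1, r"donat|charit"),
    ("credential request", 2,
     r"(enter|confirm|verify|update) your (details|password|username|login|account|credentials|card)"),
]
LINK_MISMATCH_WEIGHT = 3      # visible URL text names a different domain than the href
OFF_DOMAIN_LINK_WEIGHT = 1    # link leaves the sender's domain
PHISHING_THRESHOLD = 4

URL_TEXT_RE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude 'example.com' from 'a.b.example.com' (no public-suffix list here)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url_like):
    """Hostname of a URL, or of bare 'domain/path' text as shown in a link label."""
    if "://" not in url_like:
        url_like = "//" + url_like
    return (urlparse(url_like).hostname or "").lower()


def analyze(message):
    """Score one message; returns {'score', 'verdict', 'reasons'}."""
    score, reasons = 0, []
    plain = re.sub(r"<[^>]+>", " ", message["body"])
    text = f"{message['subject']}\n{plain}".lower()

    for name, weight, pattern in TEXT_SIGNALS:
        if re.search(pattern, text):
            score += weight
            reasons.append(name)

    extractor = LinkExtractor()
    extractor.feed(message["body"])
    sender_domain = registered_domain(message["sender"].rsplit("@", 1)[-1])
    for href, label in extractor.links:
        href_domain = registered_domain(host_of(href))
        if URL_TEXT_RE.fullmatch(label) and registered_domain(host_of(label)) != href_domain:
            score += LINK_MISMATCH_WEIGHT
            reasons.append(f"link text {label!r} hides target {href_domain}")
        if href_domain and href_domain != sender_domain:
            score += OFF_DOMAIN_LINK_WEIGHT
            reasons.append(f"link to {href_domain} outside sender domain {sender_domain}")

    verdict = "phishing" if score >= PHISHING_THRESHOLD else "ok"
    return {"score": score, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        result = analyze(msg)
        print(f"{result['verdict']:8} score={result['score']} {msg['subject']!r}")
        for reason in result["reasons"]:
            print("   -", reason)
```

The link-text check carries the heaviest weight on purpose: wording can be borrowed from a genuine bank letter, but a label that reads as one site while the href goes to another has no legitimate use in customer mail.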

Popular phishing schemes

The most popular phishing scams are described below.

Fraudulent use of well-known corporate brands

These phishing schemes use fake e-mail messages or websites bearing the names of large or well-known companies. The messages may contain congratulations on winning a competition held by the company, or a claim that your credentials or password urgently need to be changed. Such fraudulent schemes, on behalf of the technical support service, can also be carried out over the phone.

Fraudulent lotteries

The user may receive messages stating that he has won a lottery run by a well-known company. Outwardly these messages may look as if they were sent on behalf of one of the corporation's senior employees.

Fake antivirus and security software

IVR or phone phishing

The principle of operation of IVR systems

Qui pro quo

Qui pro quo (from the Latin quid pro quo, "this for that") is an expression usually used in English in the meaning of "a favor for a favor". This type of attack involves a call from the attacker to the company on a corporate phone. In most cases the attacker introduces himself as a technical support employee asking whether there are any technical problems. In the process of "solving" the technical problems, the fraudster "forces" the target to enter commands that allow the hacker to launch or install malicious software on the user's machine.

Trojan horse

Sometimes the use of Trojans is only part of a planned multi-stage attack on certain computers, networks or resources.

Types of Trojans

Trojans are most often designed for malicious purposes. There is a classification that breaks them down into categories based on how they infiltrate and harm the system. There are 5 main types:

  • remote access
  • data destruction
  • loader
  • server
  • security program deactivator

Goals

The Trojan program can target:

  • uploading and downloading files
  • planting false links leading to fake websites, chat rooms or other registration sites
  • interfering with the user's work
  • theft of valuable or secret data, including authentication information, for unauthorized access to resources, and extraction of bank account details that can be used for criminal purposes
  • the spread of other malware such as viruses
  • destruction of data (erasing or overwriting data on a disk, hard-to-see damage to files) and equipment, disabling or denying service of computer systems and networks
  • collecting e-mail addresses and using them to send spam
  • spying on the user and secretly passing information, such as browsing habits, to third parties
  • logging keystrokes to steal information such as passwords and credit card numbers
  • deactivating or interfering with antivirus software and firewalls

Disguise

Many Trojans reside on users' computers without their knowledge. Sometimes Trojans register themselves in the Registry, which causes them to be launched automatically when the operating system starts. Trojans can also be combined with legitimate files: when the user opens such a file or launches the application, the Trojan is launched along with it.

How the Trojan works

Trojans usually consist of two parts: a client and a server. The server runs on the victim's machine and waits for connections from the client, monitoring one or several ports. For the attacker to connect to the server, he must know the IP address of the machine on which it is running; some Trojans send the victim machine's IP address to the attacker by e-mail or in some other way. Once a connection to the server is established, the client can send it commands, which the server executes. Today, thanks to NAT, most computers cannot be reached via their external IP address, so many Trojans instead connect out to the attacker's computer, which is responsible for accepting connections, rather than the attacker trying to connect to the victim. Many modern Trojans can also easily bypass the firewalls on users' computers.
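The reverse-connection behaviour described in this paragraph leaves a visible footprint on the victim host: an established outbound TCP connection to an external address owned by a process that has no business talking to the Internet, often running from a temporary or other user-writable directory. The script below is an added example, not part of the original article, that applies exactly that check to netstat-style output. The netstat lines, the PID-to-process table, the "known network app" list and the path hints are all constructed for the example; on a real Windows host the two inputs would come from `netstat -ano` and `tasklist`, and both lists would be tuned to the environment.

```python
import ipaddress
import re

# Constructed `netstat -ano`-style output (Windows layout); not captured from a real host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    192.168.1.20:49712     198.51.100.7:443       ESTABLISHED     4120
  TCP    192.168.1.20:49733     203.0.113.9:8443       ESTABLISHED     5312
  TCP    127.0.0.1:49700        127.0.0.1:49701        ESTABLISHED     2208
  TCP    192.168.1.20:49740     192.168.1.5:445        ESTABLISHED     4
  UDP    0.0.0.0:5353           *:*                                    1764
"""

# Constructed PID -> (image name, image path) table, as a process listing
# would provide it. PID 5312 is the planted suspicious entry.
SAMPLE_PROCESSES = {
    880: ("svchost.exe", r"C:\Windows\System32\svchost.exe"),
    4120: ("firefox.exe", r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    5312: ("update.exe", r"C:\Users\alice\AppData\Local\Temp\update.exe"),
    2208: ("Code.exe", r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe"),
    4: ("System", ""),
    1764: ("svchost.exe", r"C:\Windows\System32\svchost.exe"),
}

# Constructed allow list of images expected to hold Internet connections.
KNOWN_NETWORK_APPS = {"firefox.exe", "chrome.exe", "outlook.exe", "svchost.exe", "System"}

# Path fragments (compared in lower case with forward slashes) that mark a
# user-writable drop location rather than an installed program.
USER_WRITABLE_HINTS = ("/appdata/local/temp/", "/downloads/", "/users/public/", "/windows/temp/")

# Address ranges that are not "the Internet" from the host's point of view.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]

LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+"
    r"(ESTABLISHED|LISTENING|CLOSE_WAIT|TIME_WAIT|SYN_SENT)?\s*(\d+)\s*$"
)


def parse_netstat(text):
    """Parse netstat -ano lines into dicts; the header and unparseable lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        rhost, _, rport = foreign.rpartition(":")
        conns.append({"proto": proto, "local": local, "remote_host": rhost,
                      "remote_port": rport, "state": state or "", "pid": int(pid)})
    return conns


def is_external(host):
    """True for an address outside the loopback, private and link-local ranges."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # '*' or a hostname: nothing we can classify here
    return not any(ip in net for net in INTERNAL_NETS)


def audit_connections(netstat_text, processes, known_apps=KNOWN_NETWORK_APPS):
    """Flag established connections to external hosts held by unexpected processes.

    A finding is produced when the owning image is not on the allow list, or
    runs from a user-writable location, or both; every reason is listed.
    """
    findings = []
    for c in parse_netstat(netstat_text):
        if c["state"] != "ESTABLISHED" or not is_external(c["remote_host"]):
            continue
        name, path = processes.get(c["pid"], ("<unknown>", ""))
        norm_path = path.replace("\\", "/").lower()
        reasons = []
        if name not in known_apps:
            reasons.append("image not on the known network-app list")
        if any(h in norm_path for h in USER_WRITABLE_HINTS):
            reasons.append("image runs from a user-writable directory")
        if reasons:
            findings.append({"pid": c["pid"], "process": name,
                             "remote": f"{c['remote_host']}:{c['remote_port']}",
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_connections(SAMPLE_NETSTAT, SAMPLE_PROCESSES):
        print(f"PID {f['pid']} ({f['process']}) -> {f['remote']}: " + "; ".join(f["reasons"]))
```

The browser's connection to 198.51.100.7 passes because the image is on the allow list and installed under Program Files; the connection from `update.exe` in a Temp directory is reported twice over. An allow list by image name alone is weak (a Trojan can call itself `svchost.exe`), which is why the path check is kept as an independent signal.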

Collection of information from open sources

The use of social engineering techniques requires not only knowledge of psychology but also the ability to collect the necessary information about a person. A relatively new way of obtaining such information is collecting it from open sources, mainly social networks. For example, sites such as LiveJournal, Odnoklassniki and Vkontakte contain a huge amount of data that people do not even try to hide; users do not pay due attention to security and leave freely accessible data and information that an intruder can use.

An illustrative example is the story of the kidnapping of Yevgeny Kaspersky's son. During the investigation, it was found that the criminals learned the schedule of the day and the routes of the teenager from his notes on the page on the social network.

Even by restricting access to the information on his social network page, a user cannot be sure that it will never fall into the hands of scammers. For example, a Brazilian computer security researcher showed that it is possible to become a friend of any Facebook user within 24 hours using social engineering techniques. During the experiment, researcher Nelson Novaez Neto chose a "victim" and created a fake account of a person from her circle, her boss. First Neto sent friend requests to the friends of the victim's boss's friends, and then directly to his friends. After 7.5 hours the researcher received a friend confirmation from the "victim". The researcher thus gained access to the user's personal information, which she shared only with her friends.

Road apple

This attack method is an adaptation of the Trojan horse and consists in the use of physical media. The attacker leaves an "infected" medium, a disc or a flash drive, in a place where it can easily be found (a toilet, an elevator, a parking lot). The medium is made to look official and is given a label designed to arouse curiosity. For example, a fraudster can plant a disc bearing a corporate logo and a link to the company's official website, with the inscription "Management staff salaries". The disc can be left on the floor of the elevator or in the lobby. An employee may unknowingly pick up the disc and insert it into a computer to satisfy his curiosity.

Reverse social engineering

Reverse social engineering is spoken of when the victim himself offers the attacker the information he needs. It may sound absurd, but in fact people with authority in the technical or social sphere often receive user IDs, passwords and other important personal information simply because no one doubts their integrity. For example, support staff never ask users for an ID or password; they don't need this information to solve problems. Nevertheless, many users volunteer this confidential information in order to get their problems resolved as soon as possible. It turns out that the attacker doesn't even need to ask for it.

An example of reverse social engineering is the following simple scenario. An attacker working alongside the victim renames a file on her computer or moves it to a different directory. When the victim notices that the file is missing, the attacker claims that he can fix it. Wanting to finish the job faster or to avoid punishment for the loss of information, the victim agrees. The attacker claims that the only way to solve the problem is to log in with the victim's credentials, so the victim herself asks the attacker to log in under her name to try to recover the file. The attacker reluctantly agrees, restores the file, and along the way steals the victim's ID and password. Having carried out the attack successfully, he has even improved his reputation, and it is quite possible that other colleagues will turn to him for help after that. This approach does not interfere with the usual support procedures and makes it harder to catch the attacker.

Notable social engineers

Kevin Mitnick

Kevin Mitnick. Worldwide famous hacker and security consultant

One of the most famous social engineers in history is Kevin Mitnick. An internationally renowned computer hacker and security consultant, Mitnick is also the author of numerous books on computer security, focusing mainly on social engineering and methods of psychological influence on people. In 2002 his book "The Art of Deception" was published, which recounts real cases of the use of social engineering. Kevin Mitnick argued that it is much easier to obtain a password by deception than by trying to break a security system.

Brothers Badir

Although the brothers Mundir, Mushid and Shadi Badir were blind from birth, they managed to carry out several major fraud schemes in Israel in the 1990s using social engineering and voice imitation. In a TV interview they said: "Only those who do not use a telephone, electricity or a laptop are fully insured against network attacks." The brothers had already been in prison for being able to hear and decipher the secret signalling tones of telephone providers. They made long international calls at someone else's expense by reprogramming the computers of cellular providers with those tones.

Archangel

Cover of "Phrack" magazine

A well-known computer hacker and security consultant for the English-language online magazine "Phrack Magazine", Archangel demonstrated the power of social engineering techniques by obtaining passwords to a huge number of different systems after deceiving several hundred victims.

Other

Lesser known social engineers are Frank Abagnale, David Bannon, Peter Foster, and Stephen Jay Russell.

Methods of protection against social engineering

To carry out their attacks, attackers using social engineering techniques often exploit the gullibility, laziness, courtesy, and even enthusiasm of users and employees of organizations. Defending against such attacks is challenging because their victims may not suspect that they have been tricked. Social engineering attackers generally have the same goals as any other attacker: they need money, information, or IT resources from the victim company. To protect against such attacks, you need to study their varieties, understand what the attacker needs and assess the damage that can be caused to the organization. With all this information, you can integrate the necessary protections into your security policy.

Classification of threats

Email Threats

Many employees receive dozens or even hundreds of e-mails a day through corporate and private mail systems. With such a flow of correspondence it is impossible to pay due attention to every message, which makes attacks much easier to carry out. Most users of e-mail systems treat the processing of such messages as routine, the electronic equivalent of moving papers from one folder to another. When an attacker sends a simple request by mail, the victim often does what is asked without thinking about what she is doing. E-mails may contain hyperlinks that induce employees to compromise the security of the corporate environment, and such links do not always lead to the pages they claim to.

Most security measures are designed to keep unauthorized users away from corporate resources. If, after clicking a hyperlink sent by an attacker, a user downloads a Trojan horse or virus into the corporate network, many kinds of protection are easily bypassed. A hyperlink can also point to a site with pop-up windows requesting information or offering help. As with other kinds of fraud, the most effective defense against such attacks is to be skeptical of any unexpected incoming e-mail. To spread this approach throughout the organization, the security policy should include specific e-mail guidelines covering the following elements.

  • Attachments to documents.
  • Hyperlinks in documents.
  • Personal or corporate information coming from within the company.
  • Requests for personal or corporate information originating from outside the company.
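The hyperlink guideline above rests on one concrete check: does the link go where its visible text says it goes? The following is an added example for this page, not code from the original article. It parses an HTML message with the standard library, and for every anchor compares the host named in the visible text with the host in the href, and also flags raw IP addresses and non-https targets. The message, host names and IP address are constructed placeholders, and the "registrable part" comparison is a deliberately crude last-two-labels rule with no public-suffix list.

```python
"""Flag hyperlinks in an HTML e-mail whose visible text does not match
where the link actually goes.

Added example for this page (not code from the original article).
The message, host names and IP address below are constructed placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Something that looks like a host name inside the visible link text.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_part(host):
    """Last two DNS labels, e.g. 'login.bank.example.com' -> 'example.com'.
    Crude (no public-suffix list) but enough to compare two hosts here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def suspicious_links(html):
    """Return a list of findings, one per link that deserves a second look."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        target = parsed.hostname or ""
        reasons = []
        shown = HOST_RE.search(text)
        # The classic phishing trick: the text names one site, the href another.
        if shown and registrable_part(shown.group(1)) != registrable_part(target):
            reasons.append("link text names %s but href goes to %s" % (shown.group(1), target))
        # A bare IP address instead of a host name is rarely legitimate in mail.
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", target):
            reasons.append("href uses a raw IP address")
        if parsed.scheme and parsed.scheme != "https":
            reasons.append("href is not https")
        if reasons:
            findings.append({"text": text, "href": href, "reasons": reasons})
    return findings


# Constructed sample message; every address in it is a placeholder.
SAMPLE_EMAIL = """<html><body>
<p>Dear customer, please verify your account at
<a href="http://203.0.113.10/login">https://bank.example.com/verify</a>
within 24 hours.</p>
<p>Questions? Visit <a href="https://bank.example.com/help">our help centre</a>.</p>
<p>Read the new policy at
<a href="https://bank-example.com.evil.test/policy">bank.example.com/policy</a>.</p>
</body></html>"""

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Run against the sample, the first and third links are reported and the help-centre link is not. The third link shows why the comparison is done on the registrable part rather than on a prefix: the href host begins with the bank's name, which is exactly what a reader skimming the status bar would be satisfied by.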

Threats related to the use of the instant messaging service

Instant messaging is a comparatively new way of transmitting data, but it has already gained wide popularity among corporate users. Because of its speed and ease of use, this means of communication opens up wide opportunities for attacks: users treat it like a telephone call and do not associate it with potential software threats. The two main types of attack based on instant messaging are a link in the body of the message to a malicious program and delivery of the program itself. Of course, instant messaging is also one of the ways to request information. One feature of instant messaging services is the informal nature of communication. Combined with the ability to pick any display name, this makes it much easier for an attacker to impersonate another person and greatly increases the chances of a successful attack. Because instant messaging is so widely used, corporate security policies must provide mechanisms for protection against the corresponding threats. To gain reliable control over instant messaging in a corporate environment, several requirements must be met.

  • Choose one platform for instant messaging.
  • Determine the security options that are specified when deploying an instant messaging service.
  • Define principles for establishing new contacts.
  • Set standards for choosing passwords.
  • Make recommendations for using the instant messaging service.

Layered security model

To protect large companies and their employees from fraudsters using social engineering techniques, complex multi-layered security systems are often applied. Some of the elements and responsibilities of such systems are listed below.

  • Physical security. Barriers limiting access to company buildings and corporate resources. Keep in mind that company resources, such as dumpsters located outside the company's premises, are not physically protected.
  • Data. Business information: accounts, mail correspondence, etc. When analyzing threats and planning data protection measures, it is necessary to define the rules for handling paper and electronic data media.
  • Applications. User-run programs. To protect your environment, you need to consider how attackers can take advantage of mailers, instant messaging services and other applications.
  • Computers. Servers and client systems used in the organization. Protect users from direct attacks on their computers by defining strict guidelines for what programs can be used on corporate computers.
  • Internal network. The network through which corporate systems interact. It can be local, wide-area, or wireless. In recent years, with the growing popularity of remote work, the boundaries of internal networks have become largely arbitrary. Company employees need to be educated about what they must do to work safely for the organization in any network environment.
  • Network perimeter. The boundary between the company's internal networks and external ones such as the Internet or the networks of partner organizations.

Liability

Pre-texting and recording of telephone conversations

Hewlett-Packard

Patricia Dunn, president of the Hewlett-Packard corporation, said that she had hired a private company to identify the employees responsible for a leak of confidential information. Later the head of the corporation admitted that the investigation had used pretexting and other social engineering techniques.


Social engineering is unauthorized access to confidential information through manipulation of human consciousness. Social engineering methods are based on the features of human psychology and aim to exploit human weaknesses (naivety, inattention, curiosity, commercial interest). They are actively used by social hackers both on the Internet and off it.

In the world of digital technologies, web resources, computers and smartphones, however, the "brain fogging" of network users happens somewhat differently. Scammers set their "snares", "traps" and other tricks anywhere and in any way: in social networks, on gaming portals, in e-mail boxes and online services. Here are just a few examples of social engineering techniques:

As a gift for a holiday ... a Trojan horse

Regardless of character, profession or financial standing, everyone looks forward to the holidays: New Year, May 1, March 8, Valentine's Day and so on, in order, of course, to celebrate them, relax, fill their spiritual aura with positivity and, along the way, exchange greetings with friends and colleagues.

At this time social hackers are especially active. On the days before and during the holidays they send postcards to e-mail accounts: bright, colourful, with musical accompaniment and ... a dangerous Trojan. The victim, unaware of the trick, clicks on the postcard in the euphoria of the festivities or simply out of curiosity. At that moment the malware infects the OS and then waits for a convenient moment to steal login data or a payment card number, or to replace the web page of an online store in the browser with a fake one and steal money from the account.

Favorable discount and virus "on load"

A great example of social engineering. The desire to "save" hard-earned money is quite justified and understandable, but within reasonable limits and under certain circumstances. As the saying goes, "not all that glitters is gold."

Crooks disguised as the largest brands, online stores and services, with matching design, offer goods at an incredible discount and a gift on top of the purchase ... They send fake mailings, create groups in social networks and thematic "threads" on forums.

Naive ordinary people, as they say, "fall for" this bright commercial poster: they hurriedly recalculate in their head how much is left of the salary or advance and click the "buy" or "go to the site to buy" link. After that, in 99 cases out of 100, instead of a profitable purchase they get a virus on their PC or send money to social hackers for nothing.

Gamer donations: +300% to theft skills

In online games, and in multiplayer games generally, with rare exceptions the strongest survives: whoever has stronger armour, more damage, stronger magic, more health, mana and so on.

And, of course, every gamer wants by all means to get these cherished artifacts for his character, tank, airplane and who knows what else: in battles or campaigns, by his own hand, or for real money (the donation function) in the game's virtual store. To be the best, the first ... to reach the last level of development.

Fraudsters know these "gamer weaknesses" and tempt players in every possible way to acquire the cherished artifacts and skills. Sometimes for money, sometimes for free, but this does not change the essence and purpose of the scheme. Tempting offers on fake sites sound something like this: "download this application", "install the patch", "log in to the game to get the item".


In return for the long-awaited bonus, the gamer's account is stolen. If the account is well "levelled up", the thieves sell it or extract payment details from it (if there are any).

Malicious software + social engineering = an explosive mixture of deceit

Beware of icons!

Many users work the mouse in the OS on "autopilot": click here, click there; open this, that and the other. Rarely does one of them look closely at a file's type, size and properties. But they should. Hackers disguise the executable files of malware as ordinary Windows folders, pictures or trusted applications, so that visually they cannot be told apart. The user clicks on a "folder"; its contents, of course, do not open, because it is not a folder at all but a virus installer with the .exe extension. And the malware "quietly" penetrates the OS.

A sure "antidote" to such tricks is the Total Commander file manager. Unlike the built-in Windows Explorer, it shows everything about a file: type, size, creation date. The greatest potential threat to the system comes from unknown files with the extensions ".scr", ".vbs", ".bat" and ".exe".
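Looking at the real extension is something a script can do as well as a file manager. The following is an added example for this page, not code from the original article: it classifies file names by the tricks the text describes (an executable extension, a document extension in front of it, padding that pushes the real extension out of view) plus the Unicode bidirectional-override trick that makes a name display in a different order than it is stored. The file names are constructed, and the extension set extends the four the text names (.scr, .vbs, .bat, .exe) with other Windows executable types.

```python
"""Spot file names that hide an executable behind a harmless-looking name.

Added example for this page (not code from the original article); the
file names it checks are constructed. The extension list extends the
four the text names (.scr, .vbs, .bat, .exe) with other Windows
executable types.
"""
import os
from pathlib import PureWindowsPath

# Extensions Windows will execute when double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".vbs", ".bat", ".cmd", ".com", ".pif",
                   ".js", ".jse", ".wsf", ".hta", ".lnk", ".msi"}
# Extensions users expect to be harmless documents or pictures.
DOCUMENT_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx",
                 ".xls", ".xlsx", ".txt", ".zip"}
# Unicode controls that make the displayed order of a name differ from the stored one.
BIDI_OVERRIDES = {"\u202d", "\u202e", "\u2066", "\u2067", "\u2068"}


def assess_name(name):
    """Return the reasons a file name looks like a disguised executable ([] if none)."""
    reasons = []
    p = PureWindowsPath(name)
    ext = p.suffix.lower()
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable extension " + ext)
        # Explorer hides known extensions by default, so 'photo.jpg.exe' is shown as 'photo.jpg'.
        inner = PureWindowsPath(p.stem.rstrip()).suffix.lower()
        if inner in DOCUMENT_EXTS:
            reasons.append("double extension: looks like %s but runs as %s" % (inner, ext))
        # Long runs of spaces push the real extension out of view in narrow columns.
        if p.stem != p.stem.rstrip():
            reasons.append("padding spaces before the real extension")
    if any(ch in name for ch in BIDI_OVERRIDES):
        reasons.append("bidirectional override character: displayed name differs from real name")
    return reasons


def scan_directory(path):
    """Map each suspicious file name directly under `path` to its reasons."""
    findings = {}
    with os.scandir(path) as it:
        for entry in it:
            if entry.is_file(follow_symlinks=False):
                reasons = assess_name(entry.name)
                if reasons:
                    findings[entry.name] = reasons
    return findings


# Constructed sample names, as they might appear on a dropped USB stick.
SAMPLE_NAMES = [
    "Wage management staff.scr",        # screensaver = executable
    "photo.jpg.exe",                    # double extension
    "report.pdf                .exe",   # padded to hide '.exe'
    "invoice\u202efdp.exe",             # displays as 'invoiceexe.pdf'
    "quarterly_report.docx",            # genuinely a document
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(repr(n), "->", assess_name(n) or "ok")
```

Running the script on the sample list reports the first four names and leaves the .docx alone. Note that the bidirectional check fires even when the extension would otherwise pass, because the character itself has no business in a file name.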

Fear fuels trust

  1. The user opens a "scary site" and is immediately told the most unpleasant news, or even several: "your PC is infected with a dangerous Trojan", "10, 20 ... 30 viruses were found in your OS", "spam is being sent from your computer", etc.
  2. And right away they offer (showing "care") to install an antivirus and thereby solve the security problem announced on the site. And most importantly, it is completely free.
  3. If the visitor is overwhelmed by fear for his PC, he follows the link and downloads ... not an antivirus at all, but a fake one stuffed with viruses. He installs and launches it, with the corresponding consequences.

Why this is a scam:
  • First, a website cannot check a visitor's PC and identify malware on the spot.
  • Secondly, developers distribute their antiviruses, paid or free, through their own official sites.
  • And finally, thirdly, if there are doubts about whether the OS is "clean", it is better to check the system partition with what is already available, that is, the installed antivirus.

Summing up

Psychology and hacking go hand in hand today: a tandem that exploits human weaknesses and software vulnerabilities. On the Internet, on holidays and weekdays, day or night and in any mood, you must stay vigilant, suppress naivety and drive away the lure of commercial gain and of anything "free". For, as you know, free cheese is found only in a mousetrap. Create only strong passwords, store them in safe places, and stay with us, because, as you know, there is never too much security.

This is a method of managing human actions without the use of technical means. The method is based on exploiting the weaknesses of the human factor and is considered very destructive. Social engineering is often viewed as an illegal method of obtaining information, but this is not entirely true. Social engineering can also be used for legal purposes, and not only to obtain information, but also to perform actions by a specific person. Today, social engineering is often used on the Internet to obtain classified information, or information that is of great value.

An attacker obtains information, for example, by gathering information about the target's employees, using a simple phone call, or by infiltrating an organization disguised as an employee.

An attacker can call a company employee (posing as technical support) and find out the password, citing the need to solve a small problem in the computer system. This trick often works.

The names of employees can be found out after a series of calls and by studying the names of managers on the company's website and in other open sources (reports, advertisements, etc.).

Using real names in a conversation with technical support, the attacker tells a fictitious story: that he cannot reach an important meeting on the site with his remote access account.

Another aid in this method is going through an organization's trash, including its virtual trash cans, or stealing a laptop or storage media.

This method is used when the attacker has targeted a specific company.

Social engineering is a relatively young science, a branch of sociology, which claims to be the body of specific knowledge that directs, orders and optimizes the creation, modernization and reproduction of new ("artificial") social realities. In a certain sense it "completes" sociological science, finishing it at the stage where scientific knowledge is turned into models, projects and structures of social institutions, values, norms, algorithms of activity, relations, behavior, etc. It relies on synthetic thinking and on knowledge of the formalized procedures (technologies) of design and inventive activity. Among the formalized operations that make up the latter, special attention is paid to operations of complex combinatorics. Ignoring the principle of consistency in combinatorial operations has caused and continues to cause great damage at all levels of the transformation processes taking place in our society. A consistent knowledge of the fundamental requirements of these operations provides grounds for preventing erroneous distortions in reform practice at its macro, meso and micro levels.

Although the concept of social engineering appeared only recently, people have used its techniques in one form or another since time immemorial. Even in Ancient Greece and Rome there were highly esteemed people who could fool anyone and convince their interlocutor of something obviously wrong. Speaking on behalf of leaders, they conducted diplomatic negotiations and, mixing lies, flattery and advantageous arguments into their words, often solved problems that otherwise could not have been solved without the sword. Among spies, social engineering has always been the main weapon. Posing as anyone at all, KGB and CIA agents could ferret out the most closely guarded state secrets.

In the early 1970s, during the heyday of phreaking, some telephone pranksters amused themselves by calling Ma Bell operators from street booths and teasing them about their competence. Then someone evidently realized that if you rearrange the phrases a little and lie here and there, you can make the technical staff not just make excuses but give out confidential information in a fit of emotion. Phreakers began to experiment quietly with such tricks, and by the end of the 70s they had refined the techniques of manipulating untrained operators so much that they could easily learn from them almost anything they wanted.

Talking to people on the phone to get some information, or simply to make them do something, was equated with art. Professionals in this field took great pride in their craft. The most skilled social engineers always acted impromptu, relying on their instincts. By leading questions and by the intonation of the voice they could determine a person's complexes and fears and, orienting themselves instantly, play on them. If there was a young, recently hired girl on the other end of the line, the phreaker hinted at possible trouble with the boss; if it was some self-confident type, it was enough to introduce oneself as a novice user who needed everything shown and explained. Everyone had their own key. With the advent of computers, many phreakers migrated to computer networks and became hackers. SE skills in the new field are now even more useful. If earlier operators were fooled mainly to obtain pieces of information from corporate directories, now it became possible to find out the password for entering a closed system and download a pile of the same directories, or something secret, from there. Moreover, this method was much faster and easier than technical ones. No need to look for holes in a fancy defense system, no need to wait for John the Ripper to guess the correct password, no need to play cat and mouse with the admin. It is enough to call by phone and, with the right approach, the person at the other end of the line will say the cherished word themselves.

Social Engineering Techniques and Terms

All social engineering techniques are based on the peculiarities of human decision-making, known as cognitive biases. These can also be called features of decision-making in human and social psychology, rooted in the fact that a person must trust someone in the social environment in which they were brought up.

Pretexting

Pretexting is an action worked out according to a pre-written script (the pretext). As a result, the target must give out certain information or perform a certain action. This type of attack is usually carried out over the phone. More often than not, the technique involves more than just lies and requires some preliminary research (for example, personalization: date of birth, last invoice amount, etc.) in order to make the story credible to the target. This type also includes attacks over online messengers, for example ICQ.

Phishing

Phishing is a technique designed to fraudulently obtain confidential information. Typically, the attacker sends the target an e-mail made to look like an official letter from a bank or payment system, demanding "verification" of certain information or the performance of certain actions. The letter usually contains a link to a fake web page that mimics the official one, with corporate logo and content, and carries a form asking for confidential information, from home address to bank card PIN.

Trojan horse

This technique exploits the curiosity or greed of the target. The attacker sends an e-mail containing a "cool" or "sexy" screen saver, an important antivirus update, or even fresh compromising material on an employee. The technique remains effective as long as users blindly click on any attachment.

Travel apple

This attack method is an adaptation of a Trojan horse and consists of the use of physical media. An attacker can plant an infected CD or flash drive in a place where the media can be easily found (toilet, elevator, parking lot). The medium is forged as an official one and is accompanied by a signature designed to arouse curiosity.

Example: An attacker can plant a CD with a corporate logo and a link to the target company’s official website and label it “Q1 2007 management salaries”. The disc can be left on the floor of the elevator or in the lobby. An employee unknowingly can pick up a disc and insert it into a computer to satisfy his curiosity, or simply a "good Samaritan" will take the disc to the company.

Quid pro quo

An attacker can call a random number at the company and introduce himself as a technical support employee asking whether there are any technical problems. If there are, then in the course of "solving" them the target enters commands that allow the hacker to launch malicious software.

Reverse social engineering

The goal of reverse social engineering is to make the target turn to the attacker for "help" of their own accord. To this end, a hacker can use the following techniques:

* Sabotage. Create a reversible problem on the victim's computer.

Protecting users from social engineering

Both technical and anthropogenic means can be used to protect users from social engineering.

Anthropogenic protection

The simplest methods of anthropogenic protection can be called:

* Drawing people's attention to safety issues.

* Awareness by users of the seriousness of the problem and the adoption of system security policy.

* Study and implementation of the necessary methods and actions to improve the protection of information security.

These tools have one common drawback: they are passive. A huge percentage of users are oblivious to warnings, even in the most prominent font.

Technical protection

Technical protection can include means that prevent you from obtaining information and means that prevent you from using the information received.

The most common attacks in the information space of social networks that exploit the weaknesses of the human factor are attacks using electronic mail, both e-mail and the network's internal messaging. It is to such attacks that both kinds of technical protection can be applied most effectively. An attacker can be prevented from obtaining the requested information by analyzing the text of both incoming (presumably the attacker's) and outgoing (presumably the target's) letters for keywords. The disadvantages of this method are a very heavy load on the server and the impossibility of anticipating every way a word can be spelled. For example, if the attacker learns that the program reacts to the words "password" and "specify", he can replace them with synonyms, say "enter" instead of "specify". It is also worth taking into account the possibility of writing words with Cyrillic letters replaced by the matching Latin characters (a, c, e, o, p, x, y, A, B, C, E, H, K, M, O, P, T, X) and the use of the so-called t+ language [unknown term].
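The Cyrillic-for-Latin substitution the paragraph warns about defeats a naive keyword match only if the filter compares raw characters. The following is an added example for this page, not code from the original article: it folds every look-alike letter onto one canonical form before matching, so "пароль" typed with a Latin "a" and "o" hits the same rule as the honest spelling, and it matches on word stems so that simple inflections do not slip through. The look-alike table is the pair list from the text, extended (my assumption, to keep case folding consistent) to the lower-case forms of В, Н, К, М and Т; the keyword stems, the two-class rule (a credential word plus a request word) and the sample messages are constructed.

```python
"""Keyword screening of mail text that survives Cyrillic/Latin look-alike
substitution.

Added example for this page (not code from the original article). The
look-alike table is the pair list from the text, extended to the lower-case
forms of В, Н, К, М and Т so that case folding stays consistent; the
keyword stems and sample messages are constructed.
"""
import re

# Lower-case Cyrillic letter -> Latin letter it is visually identical to.
# After case folding, both an honest word and one typed with Latin
# look-alikes collapse to the same canonical string.
LOOKALIKES = {
    "а": "a", "с": "c", "е": "e", "о": "o", "р": "p", "х": "x", "у": "y",
    "в": "b", "н": "h", "к": "k", "м": "m", "т": "t",
}
_TABLE = str.maketrans(LOOKALIKES)


def canonical(text):
    """Case-fold, then map Cyrillic look-alikes onto Latin.
    str.translate is a single pass over the text, so the server cost the
    article worries about stays linear in message length."""
    return text.lower().translate(_TABLE)


# Stems rather than whole words, so 'password'/'passwords' and 'пароль'/'пароля'
# all hit. The price is prefix matches such as 'enter' in 'entertainment';
# in a real filter the request list would be tuned against the mail corpus.
CREDENTIAL_STEMS = ["пароль", "password", "логин", "login"]
REQUEST_STEMS = ["укажите", "введите", "подтвердите", "specify", "enter", "confirm"]


def _stem_pattern(stems):
    # Stems are canonicalised the same way as the text they are matched against.
    return re.compile(r"\b(?:" + "|".join(re.escape(canonical(s)) for s in stems) + ")")


CREDENTIAL_RE = _stem_pattern(CREDENTIAL_STEMS)
REQUEST_RE = _stem_pattern(REQUEST_STEMS)


def classify(message):
    """Flag a message that both mentions a credential and asks for it."""
    text = canonical(message)
    cred = CREDENTIAL_RE.search(text)
    req = REQUEST_RE.search(text)
    return {
        "credential": cred.group(0) if cred else None,
        "request": req.group(0) if req else None,
        "suspicious": bool(cred and req),
    }


# Constructed samples; the second spells "пароль" with a Latin 'a' and 'o'.
SAMPLES = [
    "Please enter your password to keep your mailbox active.",
    "Коллеги, укажите ваш пaрoль и логин в ответном письме.",
    "Lunch at 13:00?",
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(classify(m))
```

The first two samples are flagged and the third is not. Requiring both a credential word and a request word is what keeps an ordinary message that merely mentions "login" out of the alert queue; the synonym problem the text raises is not solved by this, only narrowed, which is why the stem lists are the part that needs ongoing maintenance.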

Means that prevent the use of the information obtained can be divided into those that completely block the use of the data anywhere except the user's own workplace (binding authentication data to serial numbers and electronic signatures of computer components, IP and physical addresses) and those that make automatic use of the obtained resources impossible, or difficult to implement (for example, authorization via a CAPTCHA, where you must select a previously specified image, or part of an image, presented in strongly distorted form). In both cases the well-known balance between the value of the information sought and the work required to obtain it shifts, generally speaking, towards the work, since the possibility of automation is partially or completely blocked. Thus, even with all the data handed over by an unsuspecting user, in order, for example, to send out a mass advertising message (spam) the attacker will have to enter the obtained details by hand at each iteration.
