Social engineering methods, techniques and training

This article discusses social engineering methods, along with everything related to them: the manipulation of people, phishing, the theft of client databases and more. The material was kindly provided by its author, Andrey Serikov, for which we thank him very much.

A. SERIKOV

A.B.BOROVSKY

INFORMATION TECHNOLOGIES OF SOCIAL HACKING

Introduction

Mankind's desire to have its tasks carried out perfectly drove the development of modern computer hardware, and attempts to satisfy people's conflicting demands led to the development of software. Software not only keeps the hardware functioning but also controls it.

The growth of knowledge about both humans and computers has produced a fundamentally new type of system, the "human-machine" system, in which a person can be viewed as hardware running under the control of a stable, functional, multitasking operating system called the "psyche".

The subject of this work is social hacking considered as a branch of social programming, in which a person is manipulated through the human weaknesses, prejudices and stereotypes that social engineering exploits.

Social engineering and its methods

Methods of manipulating people have been known for a long time; they came to social engineering mainly from the arsenal of various intelligence services.

The first known case of competitive intelligence dates back to the 6th century BC and occurred in China, when the Chinese lost the secret of making silk, which was fraudulently stolen by Roman spies.

Social engineering is a science that is defined as a set of methods for manipulating human behavior, based on exploiting the weaknesses of the human factor, without using technical means.

According to many experts, the biggest threat to information security comes precisely from social engineering methods, if only because social hacking requires neither significant financial investment nor thorough knowledge of computer technology, and because people have certain behavioral inclinations that can be carefully exploited for manipulation.

No matter how much we improve technical protection systems, people remain people, with the weaknesses, prejudices and stereotypes through which they are manipulated. Configuring a person's "security program" is the hardest task of all and does not always give guaranteed results, since this filter must be adjusted constantly. Here the main motto of every security expert is more relevant than ever: "Security is a process, not a result."

Areas of application of social engineering:

  1. general destabilization of the organization’s work in order to reduce its influence and the possibility of subsequent complete destruction of the organization;
  2. financial fraud in organizations;
  3. phishing and other methods of stealing passwords in order to access personal banking data of individuals;
  4. theft of client databases;
  5. competitive intelligence;
  6. general information about the organization, its strengths and weaknesses, with the aim of subsequently destroying this organization in one way or another (often used for raider attacks);
  7. information about the most promising employees with the aim of subsequently "enticing" them to your organization.

Social programming and social hacking

Social programming can be called an applied discipline that deals with targeted influence on a person or group of people in order to change or maintain their behavior in the desired direction. The social programmer thus sets himself a goal: mastering the art of managing people. The basic premise of social programming is that many people's actions, and their reactions to a given external influence, are in many cases predictable.

Social programming methods are attractive because either no one ever learns of them, or, even if someone suspects something, it is very hard to bring such a figure to justice; and in some cases people's behavior can be "programmed", whether that of a single person or of a large group. These possibilities fall under social hacking precisely because in all of them people carry out someone else's will, as if obeying a "program" written by a social hacker.

Social hacking, the ability to hack a person and program him to perform the desired actions, derives from social programming, an applied discipline of social engineering in which specialists in this field, social hackers, use techniques of psychological influence and acting borrowed from the arsenal of the intelligence services.

Social hacking is used in most cases when it comes to attacking a person who is part of a computer system. A computer system that is hacked does not exist on its own: it contains an important component, a person. To get information, a social hacker needs to hack the person who works with the computer. In most cases this is easier than hacking into the victim's computer in an attempt to find out the password.

Typical influence algorithm in social hacking:

All attacks by social hackers fit into one fairly simple scheme:

  1. the purpose of influencing a particular object is formulated;
  2. information about the object is collected in order to find the most convenient targets of influence;
  3. based on the collected information, a stage is carried out that psychologists call attraction. Attraction (from Latin attrahere, to attract) is the creation of the conditions necessary for influencing an object;
  4. the object is induced to take the action the social hacker needs.

Coercion is achieved by completing the previous stages: once attraction has been achieved, the victim himself takes the actions the social engineer needs.

Based on the information collected, social hackers predict the victim's psychological and social type quite accurately, identifying not only needs for food, sex and so on, but also the need for love, for money, for comfort, and so forth.

And indeed, why try to penetrate a company, hack computers or ATMs, or organize complex combinations, when everything can be done more simply: make a person fall in love with you, and he will, of his own free will, transfer money to the specified account or share the necessary information every time?

Since people's actions are predictable and subject to certain laws, social hackers and social programmers use both elaborate multi-step schemes and simple positive and negative techniques based on the psychology of human consciousness, behavioral programs, vibrations of internal organs, logical thinking, imagination, memory and attention. These techniques include:

  • Wood generator - generates oscillations at the same frequency as the oscillations of internal organs; a resonance effect then occurs, as a result of which people begin to feel severe discomfort and panic;
  • impact on the geography of the crowd - for the peaceful dispersal of extremely dangerous, aggressive, large groups of people;
  • high-frequency and low-frequency sounds - to provoke panic or its reverse effect, as well as other manipulations;
  • social imitation program - a person judges whether actions are correct by finding out what actions other people consider correct;
  • claque program (based on social imitation) - organizing the desired reaction from an audience;
  • formation of queues (based on social imitation) - a simple but effective advertising move;
  • mutual assistance program - a person seeks to repay kindness to those who have done him a kindness. The urge to fulfill this program often overrides all reason.

Social hacking on the Internet

With the advent and development of the Internet, a virtual environment made up of people and their interactions, the scope for manipulating a person in order to obtain the necessary information and prompt the necessary actions has expanded. Today the Internet is a means of worldwide broadcasting and a medium for collaboration and communication, and it covers the whole globe. This is exactly what social engineers use to achieve their goals.

Ways to manipulate a person via the Internet:

In today's world, the owners of almost every company have realized that the Internet is a very effective and convenient means of expanding their business, whose main task is to increase the company's profits. It is well known that advertising is used to attract attention to the desired object, to generate or maintain interest in it and to promote it on the market. But because the advertising market was divided up long ago, most types of advertising are wasted money for most entrepreneurs. Internet advertising is not just another type of media advertising; it is something more, because through Internet advertising people interested in cooperation come to the organization's website.

Internet advertising, unlike media advertising, offers many more possibilities and parameters for managing an advertising campaign. Its most important feature is that fees are charged only when an interested user follows an advertising link, which of course makes advertising on the Internet more effective and less costly than advertising in the media. Having placed an advertisement on television or in print, the advertiser pays for it in full and simply waits for potential clients, who may or may not respond; it all depends on the quality of the advertisement's production and presentation, but the budget has already been spent, and if the advertising did not work, it was wasted. Internet advertising, by contrast, makes it possible to track audience response and manage the campaign before the budget is spent; moreover, it can be suspended when demand for the product has risen and resumed when demand begins to fall.

Another method of influence is the so-called "killing of forums", where social programming is used to create anti-advertising for a particular project. Here the social programmer, through openly provocative actions, single-handedly destroys the forum: using several pseudonyms (nicknames), he forms an "anti-leader" group around himself and draws in regular visitors to the project who are dissatisfied with the behavior of the administration. After such a campaign it becomes impossible to promote products or ideas on the forum, which is what the forum was originally created for.

Methods of influencing a person via the Internet for the purpose of social engineering:

Phishing is a type of Internet fraud aimed at gaining access to confidential user data, namely logins and passwords. It is carried out through mass e-mailings on behalf of popular brands, as well as personal messages within various services (Rambler), banks or social networks (Facebook). The message usually contains a link to a website that is outwardly indistinguishable from the real one. Once the user lands on the fake page, social engineers use various techniques to encourage him to enter the login and password he uses for the genuine site, which gives the attacker access to the user's accounts, including bank accounts.

A more dangerous type of fraud than phishing is the so-called pharming.

Pharming is a mechanism for covertly redirecting users to phishing sites. The social engineer distributes special malicious programs to users' computers which, once launched, redirect requests for the desired sites to fake ones. The attack is therefore highly covert, and user participation is minimized: it is enough to wait until the user decides to visit a site of interest to the social engineer.

Conclusion

Social engineering is a science that emerged from sociology and claims to be the body of knowledge that guides, orders and optimizes the process of creating, modernizing and reproducing new ("artificial") social realities. In a certain sense it "completes" sociological science, finishing it at the phase where scientific knowledge is transformed into models, projects and designs of social institutions, values, norms, algorithms of activity, relationships, behavior and so on.

Although social engineering is a relatively young science, it causes great damage to the processes taking place in society.

The simplest methods of protection against the effects of this destructive science are:

  • drawing people's attention to security issues;
  • users understanding the seriousness of the problem and accepting the system's security policy.


Social engineering techniques

The human brain is a large hard drive, a repository of a huge amount of information. Both its owner and anyone else can use this information. As they say, a talker is a godsend for a spy. To understand what follows, you should at least be familiar with the basics of psychology.
Social engineering lets us "use the brain" of another person through various methods and obtain the necessary information from him.
Wiki says: "Social engineering is a method of controlling human actions without the use of technical means."

Social engineering is a fairly young science. There are many methods and techniques for manipulating human consciousness. Kevin Mitnick was right when he said that sometimes it is easier to deceive someone and get the information than to hack your way to it. Read the book "The Art of Deception" at your leisure; you will like it.
There is also reverse social engineering, which aims to obtain data from the victim himself: with its help, the victim himself tells you his passwords and data.

There are no gestures, intonation or facial expressions on the Internet. All communication is based on text messages, and your success in a given situation depends on how your messages influence the interlocutor. What techniques can be used to covertly manipulate a person's consciousness?

Provoking
Strictly speaking, this is trolling. When a person is infuriated, in most cases he treats information uncritically. In this state you can impose or obtain the necessary information.

Love
This is perhaps the most effective technique. In most cases, this is what I used)). A person in love perceives little, and this is exactly what the manipulator needs.

Indifference
The manipulator creates the impression of indifference to a certain topic, and the interlocutor in turn tries to convince him, thereby falling into a trap and revealing the information you need.

Rush
Situations often arise where the manipulator is supposedly in a hurry to get somewhere and constantly hints at it, while at the same time deliberately pushing the information he needs.

Suspicion
The method of suspicion is somewhat similar to the method of indifference. In the first case the victim tries to prove the opposite; in the second, the victim tries to justify "his suspicion", without realizing that he is giving away all the information.

Irony
Similar to the technique of provocation: the manipulator makes a person angry by being ironic, and the person, in anger, is unable to evaluate information critically. As a result, a hole forms in the psychological barrier, which the manipulator takes advantage of.

Frankness
When the manipulator tells the interlocutor something frank, the interlocutor develops a kind of trust, which implies a weakening of the protective barrier. This creates a gap in the psychological defense.

The techniques described above do not exhaust the full potential of social engineering; these techniques and methods could be discussed endlessly. After reading about them, you should realize that you don't need to follow everyone's lead. Learn to control yourself and your anger, and your defenses will always be at the proper level.
To be continued. Wait for new articles))

Social engineering

Social engineering is a method of unauthorized access to information or information storage systems without the use of technical means. The main goal of social engineers, like that of other hackers and crackers, is to gain access to secure systems in order to steal information, passwords, credit card data and so on. The main difference from ordinary hacking is that the target of the attack is not the machine but its operator. That is why all the methods and techniques of social engineers are based on exploiting the weaknesses of the human factor, which is considered extremely destructive, since the attacker obtains information through, for example, an ordinary telephone conversation or by infiltrating an organization under the guise of an employee. To protect against this type of attack, you should be aware of the most common types of fraud, understand what the attackers really want, and put a suitable security policy in place in good time.

History

Although the concept of "social engineering" appeared relatively recently, people have used its techniques in one form or another since time immemorial. In Ancient Greece and Rome, people who could convince an interlocutor, by various means, that he was obviously wrong were held in high esteem. Speaking on behalf of their leaders, they conducted diplomatic negotiations. Skillfully using lies, flattery and advantageous arguments, they often solved problems that seemed impossible to solve without the help of a sword. Among spies, social engineering has always been the main weapon. By impersonating other people, KGB and CIA agents could find out state secrets. In the early 70s, during the heyday of phreaking, some telephone hooligans called telecom operators and tried to extract confidential information from the companies' technical staff. After various experiments with tricks, by the end of the 70s phreakers had so perfected the techniques of manipulating untrained operators that they could easily learn from them almost everything they wanted.

Principles and techniques of social engineering

There are several common techniques and types of attack that social engineers use. All of them are based on features of human decision-making known as cognitive biases. These biases are used in various combinations to create the most suitable deception strategy for each particular case. The common feature of all these methods is deception, with the aim of getting a person to perform some action that does not benefit him but is necessary for the social engineer. To achieve the desired result, the attacker uses a range of tactics: impersonating another person, distracting attention, increasing psychological tension, and so on. The ultimate goals of the deception can also be very diverse.

Social engineering techniques

Pretexting

Pretexting is a set of actions carried out according to a specific, pre-prepared scenario (pretext). This technique uses voice channels such as the telephone, Skype, etc. to obtain the necessary information. Typically, by posing as a third party or pretending that someone needs help, the attacker asks the victim to provide a password or log in to a phishing web page, thereby tricking the target into taking the desired action or providing certain information. In most cases, this technique requires some initial data about the target of the attack (for example, personal data: date of birth, phone number, account numbers, etc.). The most common strategy is to start with small requests and mention the names of real people in the organization. Later in the conversation, the attacker explains that he needs help (most people are able and willing to perform tasks that do not seem suspicious). Once trust has been established, the scammer may ask for something more substantial and important.

Phishing

Example of a phishing email sent from an email service requesting “account reactivation”

Phishing (from the English "fishing") is a type of Internet fraud whose purpose is to gain access to confidential user data, namely logins and passwords. This is perhaps the most popular social engineering scheme today. Not a single major personal data leak occurs without a wave of phishing emails following it. The purpose of phishing is to obtain confidential information illegally. The most striking example of a phishing attack is a message sent to the victim by e-mail and forged to look like an official letter from a bank or payment system, requiring verification of certain information or performance of certain actions. The stated reasons vary: data loss, system failure, and so on. These emails usually contain a link to a fake web page that looks exactly like the official one and contains a form asking you to enter sensitive information.

One of the most famous examples of global phishing emails was a 2003 scam in which thousands of eBay users received emails claiming that their account had been locked and required updating their credit card information to unlock it. All of these emails contained a link leading to a fake web page that looked exactly like the official one. According to experts, the losses from this scam amounted to several hundred thousand dollars.

How to recognize a phishing attack

Almost every day new fraud schemes appear. Most people can learn to recognize fraudulent messages on their own by becoming familiar with some of their distinguishing features. Most often, phishing messages contain:

  • information causing concern or threats, such as the closure of user bank accounts.
  • promises of huge cash prizes with little or no effort.
  • requests for voluntary donations on behalf of charitable organizations.
  • grammatical, punctuation and spelling errors.
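As an added illustration (not code from the original article), the checks below apply the indicators just listed, plus a test for hyperlinks whose visible text names one site while the href leads elsewhere, to two constructed HTML messages. The indicator phrases, sample bodies and hostnames (bank.example, bank-example-verify.test, 203.0.113.5) are all constructed for this example.

```python
"""Heuristic checks for the phishing indicators listed in the article, run over
constructed sample messages. Added example; not code from the original page."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicator phrases, one group per item in the article's list (constructed
# patterns; a real filter would use a much larger vocabulary).
INDICATORS = {
    "threat_or_alarm": [r"account .{0,40}(clos|lock|suspend|block)",
                        r"unauthori[sz]ed (access|login)"],
    "prize_promise": [r"\b(won|winner|prize|lottery)\b"],
    "donation_request": [r"\b(donat(e|ion)|charit(y|able))\b"],
    "spelling_errors": [r"\brecieve\b", r"\bverifiy\b", r"\baccont\b"],
}

IP_RE = r"\d{1,3}(\.\d{1,3}){3}"


class _LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Host named in a URL or in a bare domain shown to the user, or '' if none."""
    candidate = url_or_text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate          # bare "www.bank.example/x"
    host = urlparse(candidate).hostname or ""
    looks_like_host = re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}|" + IP_RE, host)
    return host if looks_like_host else ""


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); enough for .com-style hosts."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def link_mismatches(html):
    """Links whose text shows one site while the href goes to another, and
    hrefs that point at a raw IP address instead of a host name."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real, shown = host_of(href), host_of(text)
        if re.fullmatch(IP_RE, real):
            findings.append((text, href, "href points at a raw IP address"))
        elif shown and real and registrable_domain(shown) != registrable_domain(real):
            findings.append((text, href, f"text shows {shown} but href goes to {real}"))
    return findings


def phishing_indicators(html):
    """Names of the indicator groups that fire on the message's visible text."""
    text = re.sub(r"\s+", " ", re.sub(r"<[^>]+>", " ", html)).lower()
    return [name for name, patterns in INDICATORS.items()
            if any(re.search(p, text) for p in patterns)]


def risk_score(html):
    """One point per indicator group plus one per suspicious link."""
    return len(phishing_indicators(html)) + len(link_mismatches(html))


# Constructed sample bodies (not real messages).
SAMPLE_PHISH = """<html><body>
<p>Dear customer, unusual activity was detected and your account will be
suspended within 24 hours unless you verifiy your details.</p>
<p>Sign in at <a href="http://203.0.113.5/login">https://www.bank.example</a>
or use our portal
<a href="https://bank-example-verify.test/">www.bank.example/secure</a>.</p>
</body></html>"""

SAMPLE_LEGIT = """<html><body>
<p>Your monthly statement is ready. View it any time by signing in at
<a href="https://www.bank.example/statements">www.bank.example</a>.</p>
</body></html>"""

if __name__ == "__main__":
    for label, body in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(f"{label}: score={risk_score(body)} {phishing_indicators(body)}")
        for text, href, why in link_mismatches(body):
            print(f"  suspicious link {text!r} -> {href}: {why}")
```

The link check is the part that scales beyond wording: a message with flawless grammar still fails it when the anchor text and the href disagree.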

Popular phishing schemes

The most popular phishing scams are described below.

Fraud using brands of famous corporations

These phishing scams use fake emails or websites containing the names of large or well-known companies. The messages may include congratulations about winning a competition held by the company, or about the urgent need to change your credentials or password. Similar fraudulent schemes on behalf of technical support can also be carried out over the phone.

Fraudulent lotteries

The user may receive messages indicating that he has won a lottery that was conducted by some well-known company. On the surface, these messages may appear as if they were sent on behalf of a senior corporate employee.

False antivirus and security programs

IVR or telephone phishing

Operating principle of IVR systems

Quid pro quo

Quid pro quo (from the Latin quid pro quo, "this for that") is an expression commonly used in English in the sense of "a service for a service". In this type of attack the attacker calls a company on a corporate phone number. In most cases he poses as a technical support employee asking whether there are any technical problems. In the process of "solving" them, the scammer "forces" the target to enter commands that allow the hacker to launch or install malicious software on the user's machine.

Trojan horse

Sometimes the use of Trojans is only part of a planned multi-stage attack on certain computers, networks or resources.

Types of Trojans

Trojans are most often developed for malicious purposes. One classification divides them into categories based on how they infiltrate the system and harm it. There are 5 main types:

  • remote access
  • data destruction
  • loader
  • server
  • security program deactivator

Goals

The purpose of the Trojan program can be:

  • uploading and downloading files
  • copying false links leading to fake websites, chat rooms or other registration sites
  • interfering with the user's work
  • stealing data of value or secrets, including authentication information, for unauthorized access to resources, obtaining details of bank accounts that could be used for criminal purposes
  • distribution of other malware such as viruses
  • destruction of data (erasing or overwriting data on a disk, hard-to-see damage to files) and equipment, disabling or failure of service of computer systems, networks
  • collecting email addresses and using them to send spam
  • spying on the user and secretly communicating information to third parties, such as browsing habits
  • logging keystrokes to steal information such as passwords and credit card numbers
  • deactivating or interfering with the operation of anti-virus programs and firewalls

Disguise

Many Trojan programs sit on users' computers without their knowledge. Sometimes Trojans register themselves in the Registry, which causes them to launch automatically when the operating system starts. Trojans can also be combined with legitimate files: when the user opens such a file or launches an application, the Trojan launches along with it.

How the Trojan works

Trojans usually consist of two parts: a Client and a Server. The Server runs on the victim machine and waits for connections from the Client, monitoring one or more ports. For an attacker to connect to the Server, he must know the IP address of the machine on which it is running; some Trojans send the victim machine's IP address to the attacker by email or some other method. Once a connection to the Server is established, the Client can send it commands, which the Server executes. Today, because of NAT, most computers cannot be reached via their external IP address, which is why many modern Trojans connect out to the attacker's computer, which is responsible for accepting the connections, instead of the attacker trying to connect to the victim. Many modern Trojans can also easily bypass firewalls on user computers.

Collection of information from open sources

Using social engineering techniques requires not only knowledge of psychology but also the ability to collect the necessary information about a person. A relatively new way of obtaining such information is to gather it from open sources, mainly social networks. Sites such as LiveJournal, Odnoklassniki and VKontakte, for example, contain a huge amount of data that people make no attempt to hide. As a rule, users do not pay enough attention to security, leaving data and information in the public domain that an attacker can use.

An illustrative example is the kidnapping of Evgeniy Kaspersky's son. During the investigation, it was established that the criminals learned the teenager's daily schedule and routes from his entries on his social network page.

Even by limiting access to information on his social network page, a user cannot be sure that it will never fall into the hands of fraudsters. For example, a Brazilian computer security researcher showed that it is possible to become a friend of any Facebook user within 24 hours using social engineering techniques. During the experiment, researcher Nelson Novaes Neto chose a “victim” and created a fake account of a person from her environment - her boss. Neto first sent friend requests to friends of friends of the victim's boss, and then directly to his friends. After 7.5 hours, the researcher got the “victim” to add him as a friend. Thus, the researcher gained access to the user’s personal information, which he shared only with his friends.

Road apple

This attack method is an adaptation of the Trojan horse that uses physical media. The attacker plants an "infected" disk or flash drive in a place where it can easily be found (restroom, elevator, parking lot). The medium is made to look official and carries a label designed to arouse curiosity. For example, a scammer can plant a disk bearing a corporate logo and a link to the company's official website, labeled "Executive salaries". The disk can be left on the elevator floor or in the lobby. An employee may unknowingly pick it up and insert it into a computer to satisfy his curiosity.

Reverse social engineering

Reverse social engineering is spoken of when the victim herself offers the attacker the information he needs. This may seem absurd, but in fact people with authority in the technical or social sphere often receive user IDs, passwords and other important personal information simply because no one doubts their integrity. For example, support staff never ask users for an ID or password; they do not need this information to solve problems. Yet many users volunteer this confidential information in order to get their problems resolved faster. It turns out the attacker does not even need to ask for it.

An example of reverse social engineering is the following simple scenario. An attacker working alongside the victim renames a file on the victim's computer or moves it to a different directory. When the victim notices the file is missing, the attacker claims he can fix everything. Wanting to finish the job faster or to avoid punishment for losing the information, the victim agrees. The attacker claims the problem can only be solved by logging in with the victim's credentials, so the victim now asks the attacker to log in under her name to try to restore the file. The attacker reluctantly agrees and restores the file, stealing the victim's ID and password in the process. Having carried out the attack, he has even improved his reputation, and quite possibly other colleagues will now turn to him for help. This approach does not interfere with the usual support procedures and makes catching the attacker harder.

Famous Social Engineers

Kevin Mitnick

Kevin Mitnick. World famous hacker and security consultant

One of the most famous social engineers in history is Kevin Mitnick. A world-famous computer hacker and security consultant, Mitnick is also the author of numerous books on computer security, mainly devoted to social engineering and methods of psychological influence on people. In 2002 his book "The Art of Deception" was published, recounting real stories of the use of social engineering. Kevin Mitnick argued that it is much easier to obtain a password by deception than to try to break a security system.

Badir Brothers

Although the brothers Mundir, Mushid and Shadi Badir were blind from birth, they managed to carry out several large fraud schemes in Israel in the 1990s using social engineering and voice spoofing. In a television interview they said: "Only those who do not use a telephone, electricity and a laptop are completely insured against network attacks." The brothers had already been to prison for being able to hear and decipher the secret interference tones of telephone providers. They made long-distance calls abroad at someone else's expense, having reprogrammed the computers of cellular providers with these tones.

Archangel

Cover of Phrack magazine

A well-known computer hacker and security consultant for the famous English-language online magazine "Phrack Magazine", Archangel demonstrated the capabilities of social engineering techniques by obtaining passwords for a huge number of different systems, deceiving several hundred victims.

Other

Lesser-known social engineers include Frank Abagnale, David Bannon, Peter Foster and Stephen Jay Russell.

Ways to protect against social engineering

To carry out their attacks, attackers who use social engineering techniques often exploit the gullibility, laziness, courtesy, and even enthusiasm of users and employees of organizations. It is not easy to defend against such attacks because victims may not be aware that they have been deceived. Social engineering attackers generally have the same goals as any other attacker: they want money, information, or the IT resources of the victim company. To protect against such attacks, you need to study their types, understand what the attacker needs and assess the damage that could be caused to the organization. With all this information, you can integrate the necessary protection measures into your security policy.

Threat classification

Email threats

Many employees receive dozens or even hundreds of emails every day through corporate and private mail systems. With such a flow of correspondence it is impossible to pay due attention to each message, which makes attacks much easier to carry out. Most users of email systems handle these messages mechanically, treating the work as the electronic equivalent of moving papers from one folder to another. When an attacker sends a simple request by mail, the victim will often do what is asked without thinking about it. Emails may contain hyperlinks that entice employees into breaching the security of the corporate environment, and such links do not always lead to the pages they claim to.

Most security measures aim to prevent unauthorized users from accessing corporate resources. If a user, by clicking a hyperlink sent by an attacker, brings a Trojan or virus into the corporate network, many types of protection are bypassed at once. The hyperlink may also point to a site with pop-up windows asking for data or offering help. As with other kinds of fraud, the most effective protection against such attacks is to treat any unexpected incoming letter with skepticism. To promote this approach throughout your organization, your security policy should include specific guidelines for the use of email that cover the following elements.

  • Attachments to documents.
  • Hyperlinks in documents.
  • Requests for personal or corporate information coming from within the company.
  • Requests for personal or corporate information originating from outside the company.

Threats associated with using instant messaging services

Instant messaging is a relatively new method of data transfer, but it has already gained wide popularity among corporate users. Because of its speed and ease of use, this method of communication opens up wide opportunities for attacks: users treat it like a telephone call and do not associate it with software threats. The two main types of attack based on instant messaging are placing a link to a malicious program in the body of a message and delivering the program itself. Instant messaging is, of course, also one way to request information. One of the features of instant messaging services is the informal nature of the communication. Combined with the ability to choose any display name, this makes it much easier for an attacker to impersonate someone else and greatly increases the chances of a successful attack. If a company intends to take advantage of the cost savings and other benefits of instant messaging, its corporate security policy must include protection mechanisms against the corresponding threats. To gain reliable control over instant messaging in an enterprise environment, several requirements must be met.

  • Choose one instant messaging platform.
  • Determine the security settings that are specified when deploying the instant messaging service.
  • Determine principles for establishing new contacts.
  • Set password standards.
  • Make recommendations for using the instant messaging service.
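The passage above notes that an attacker can choose any display name and so impersonate a colleague. The following is an added example (not code from the article) of a defender-side check that an administrator can run over incoming contact requests: it normalizes display names so that lookalikes built from digits, accents or fullwidth letters collide with the legitimate employee's name, and reports which directory account a new contact appears to imitate. The directory, the contact requests and the homoglyph table are constructed for the example.

```python
"""Detect instant-messaging display names that impersonate known employees.

Added example, not code from the original article. It assumes a
directory export of (account id, display name) pairs; the directory,
contact requests and homoglyph table below are constructed.
"""
import re
import unicodedata

# Constructed directory of legitimate accounts.
DIRECTORY = {
    "jsmith": "John Smith",
    "apetrova": "Anna Petrova",
    "it-helpdesk": "IT Helpdesk",
}

# Small constructed table of characters commonly swapped for lookalikes.
# i, l, 1 and | are folded to one class because they are hard to tell apart.
_HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "l", "i": "l", "|": "l",
    "3": "e", "5": "s", "$": "s", "7": "t",
})


def normalize_name(name):
    """Fold case, accents, width, homoglyphs and punctuation so lookalikes collide."""
    decomposed = unicodedata.normalize("NFKD", name)   # also maps fullwidth to ASCII
    base = "".join(c for c in decomposed if not unicodedata.combining(c))
    folded = base.casefold().translate(_HOMOGLYPHS)
    return re.sub(r"[^a-z0-9]", "", folded)


def build_index(directory):
    """Map normalized display name -> set of account ids that legitimately use it."""
    index = {}
    for account, display in directory.items():
        index.setdefault(normalize_name(display), set()).add(account)
    return index


def check_contact(account, display_name, index):
    """Return legitimate accounts whose name this contact collides with (excluding itself)."""
    key = normalize_name(display_name)
    return sorted(index.get(key, set()) - {account})


def audit_contacts(requests, directory=DIRECTORY):
    """Return [(account, display_name, colliding_accounts)] for each contact request."""
    index = build_index(directory)
    return [(acct, name, check_contact(acct, name, index)) for acct, name in requests]


# Constructed incoming contact requests.
CONTACT_REQUESTS = [
    ("jsmith", "John Smith"),                  # the real account
    ("j0hn.sm1th99", "J0hn Sm1th"),            # digits standing in for letters
    ("support.bot", "\uff29\uff34 Helpdesk"),  # fullwidth I and T
    ("anna.p", "\u00c1nna Petrova"),           # accented A
    ("bob", "Bob Jones"),                      # unrelated name
]

if __name__ == "__main__":
    for acct, name, hits in audit_contacts(CONTACT_REQUESTS):
        verdict = "impersonates " + ", ".join(hits) if hits else "ok"
        print("%-14s %-18s %s" % (acct, name, verdict))
```

A collision is a signal for review, not proof of fraud: two employees can legitimately share a name, which is why the index keeps a set of accounts per normalized name and the check only excludes the requesting account itself.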

Multi-level security model

To protect large companies and their employees from scammers using social engineering techniques, complex multi-level security systems are often used. Some of the features and responsibilities of such systems are listed below.

  • Physical security. Barriers that restrict access to company buildings and corporate resources. Do not forget that some company resources, for example garbage containers located outside the company’s territory, are not physically protected.
  • Data. Business information: accounts, mail, etc. When analyzing threats and planning data protection measures, the principles for handling paper and electronic media must be defined.
  • Applications. Programs run by users. To protect the environment, consider how attackers can exploit mail clients, instant messaging services and other applications.
  • Computers. Servers and client systems used in the organization. Protect users from direct attacks on their computers by defining strict guidelines governing which programs may be used on corporate computers.
  • Internal network. The network over which corporate systems interact. It can be local, wide-area or wireless. In recent years, with the growing popularity of remote work, the boundaries of internal networks have become largely arbitrary. Company employees need to be told what they must do to work safely in any network environment.
  • Network perimeter. The border between the company's internal networks and external ones, such as the Internet or the networks of partner organizations.

Responsibility

Pretexting and recording of telephone conversations

Hewlett-Packard

Patricia Dunn, president of Hewlett-Packard Corporation, said she had hired a private company to identify the employees responsible for leaking confidential information. The head of the corporation later admitted that pretexting and other social engineering techniques had been used during the investigation.


Social engineering is a method of obtaining access to information that relies on the characteristics of human psychology. The main goal of social engineering is to gain access to confidential information, passwords, banking data and other protected systems. Although the term social engineering appeared not so long ago, this way of obtaining information has been used for a long time. CIA and KGB employees seeking state secrets, politicians and parliamentary candidates, and we ourselves when we want to get something, often without even realizing it, all use social engineering methods.

In order to protect yourself from the effects of social engineering, you need to understand how it works. Let's look at the main types of social engineering and methods of protecting against them.

Pretexting is a set of actions carried out according to a specific, pre-compiled scenario, as a result of which the victim gives out some information or performs a certain action. This type of attack most often uses voice channels such as Skype, the telephone, etc.

To use this technique, the attacker must initially have some data about the victim (name of employee; position; name of the projects with which he works; date of birth). The attacker initially uses real queries with the names of company employees and, after gaining trust, obtains the information he needs.

Phishing is an Internet fraud technique aimed at obtaining confidential user information, namely the credentials for various systems. The main type of phishing attack is a fake email sent to the victim that appears to be an official letter from a payment system or bank. The letter contains a form for entering personal data (PIN codes, login and password, etc.) or a link to a web page where such a form is located. The pretexts used to win the victim’s trust in such pages vary: account blocking, system failure, data loss, etc.
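Both the email threats section above and this phishing paragraph make the same point: the link in a message does not always lead where its text says. The following is an added example (not code from the article) of a mail-gateway or triage check that extracts every hyperlink from an HTML message body and flags the signs a defender looks for: visible text naming one domain while the href goes to another, a raw IP address as the destination, or a user@host trick that hides the real host. The sample message and its domains are constructed; the eTLD+1 helper is a deliberate simplification that a real deployment would replace with a public-suffix list.

```python
"""Audit hyperlinks in an HTML email body for signs of phishing.

Added example, not code from the original article. It checks the
points the text raises: the visible link text may not match where the
link really goes, and the destination may be a raw IP or carry a
user@host trick. The sample message below is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress
import re


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Visible link text that itself looks like a URL or a domain name.
_DOMAIN_RE = re.compile(
    r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#].*)?$", re.I)


def _registrable(host):
    """Crude eTLD+1 (last two labels); a public-suffix list would be more accurate."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def check_link(href, text):
    """Return a list of reasons why this link looks suspicious (empty if none)."""
    reasons = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https"):
        reasons.append("unexpected scheme: %r" % parts.scheme)
    if not host:
        return reasons
    if parts.username is not None:
        # https://bank.example@203.0.113.5/ really goes to 203.0.113.5
        reasons.append("userinfo (@) in URL hides the real host")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address as host")
    except ValueError:
        pass
    m = _DOMAIN_RE.match(text)
    if m:
        shown = m.group(1).lower()
        if _registrable(shown) != _registrable(host):
            reasons.append("text shows %s but link goes to %s" % (shown, host))
    return reasons


def audit_email(html_body):
    """Return [(href, text, reasons)] for every link in the message."""
    collector = _LinkCollector()
    collector.feed(html_body)
    return [(href, text, check_link(href, text)) for href, text in collector.links]


# Constructed sample message (documentation domains and RFC 5737 test address).
SAMPLE_EMAIL = """
<p>Dear customer,</p>
<p>Please confirm your account at
<a href="http://203.0.113.5/confirm">https://www.example-bank.com/confirm</a>.</p>
<p>Or read <a href="https://www.example-bank.com/help">our help page</a>.</p>
<p>Security update: <a href="https://login.example-bank.com.evil.example/">login.example-bank.com</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in audit_email(SAMPLE_EMAIL):
        status = "SUSPICIOUS" if reasons else "ok"
        print("%-10s %s -> %s %s" % (status, text, href, "; ".join(reasons)))
```

Links whose text is a plain phrase ("our help page") cannot be compared against a domain, so the text/host comparison is only applied when the visible text itself looks like a URL; the other two checks apply to every link.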

Trojan horse. This technique relies on the curiosity, fear or other emotions of users. The attacker sends the victim an email whose attachment contains an antivirus “update”, a key to a cash prize, or incriminating evidence about an employee. In fact the attachment contains malware which, once the user runs it on his computer, the attacker uses to collect or alter information.

Quid pro quo. In this technique the attacker contacts the user by email or corporate phone. The attacker may introduce himself as, for example, a technical support employee and report that technical problems have arisen at the workplace which need to be fixed. In the process of “solving” the problem, the attacker pushes the victim into actions that let the attacker execute certain commands or install the software he needs on the victim’s computer.

Road apple. This method is an adaptation of the Trojan horse and uses physical media (CDs, flash drives). An attacker usually leaves such media in public places on company premises (parking lots, canteens, employee workplaces, toilets). To arouse the employee's interest in the medium, the attacker can put a company logo and a label on it, for example “sales data”, “employee salaries” or “tax report”.

Reverse social engineering. This type of attack aims to create a situation in which the victim is forced to turn to the attacker for “help”. For example, the attacker can send a letter with the telephone numbers and contacts of the “support service” and after some time create a reversible problem on the victim’s computer. The user then calls or emails the attacker himself, and in the process of “fixing” the problem the attacker obtains the data he needs.


Figure 1 – Main types of social engineering

Countermeasures

The main way to protect against social engineering methods is to train employees. All company employees should be warned about the dangers of disclosing personal information and confidential company information, and about ways to prevent data leakage. In addition, every employee, depending on department and position, should have instructions on how and on what topics one may talk with an outside party, what information may be given to the technical support service, and how and what an employee must say to obtain particular information from another employee.

In addition, the following rules can be distinguished:

  • User credentials are the property of the company.
  • On the day of hiring, every employee should be told that the logins and passwords issued to them may not be used for other purposes (on websites, for personal mail, etc.) or handed over to third parties or to other employees who are not entitled to them. For example, very often an employee going on vacation gives his credentials to a colleague so that the colleague can perform some work or view certain data during his absence.
  • Introductory and regular training aimed at raising information security awareness must be conducted for company employees.
  • Such briefings keep employees up to date on existing social engineering methods and remind them of the basic rules of information security.
  • There must be security regulations, as well as instructions to which the user always has access. The instructions should describe what employees must do when a particular situation arises.
  • For example, the regulations can specify what to do and whom to contact if a third party attempts to request confidential information or employee credentials. Such actions help identify the attacker and prevent information leakage.
  • Employees' computers should always have up-to-date antivirus software.
  • A firewall must also be installed on employee computers.
  • On the corporate network the company needs to use intrusion detection and prevention systems.
  • Systems to prevent leaks of confidential information are also needed. All this reduces the risk of phishing attacks.
  • All employees must be instructed how to behave with visitors.
  • Clear rules are needed for establishing a visitor's identity and escorting him. Visitors must always be accompanied by a company employee. If an employee meets a visitor unknown to him, he must politely ask why the visitor is in the room and where he is being escorted. If necessary, the employee must report unknown visitors to the security service.
  • User rights in the system must be limited as much as possible.
  • For example, access to websites can be restricted and the use of removable media prohibited. After all, if an employee cannot reach a phishing site or use a flash drive carrying a “Trojan horse”, he also cannot lose personal data through them.

Based on all of the above, we can conclude: the main way to protect against social engineering is to train employees. It is necessary to know and remember that ignorance is not an excuse. Each user of the system should be aware of the dangers of disclosing confidential information and know ways to help prevent leakage. Forewarned is forearmed!

Every organization, large or small, has weaknesses in information security. Even if all the company's computers run the best software, all employees have the strongest passwords, and all computers are watched by the smartest administrators, a weak spot can still be found. One of the most important “weak points” is the people who work in the company, who have access to its computer systems and who, to a greater or lesser extent, carry information about the organization. People who plan to steal information, in other words hackers, benefit from the human factor, and it is on people that they try the various methods of influence called social engineering. In this article I will talk about it and about the danger it poses to ordinary users and organizations.

First, let's understand what social engineering is. It is a term used by crackers and hackers for unauthorized access to information that is the complete opposite of breaking software. The goal is not to hack but to trick people so that they themselves give up passwords or other information that can later help hackers breach the security of the system. A typical version of this fraud is calling an organization by phone to identify the employees who have the required information, and then calling the identified administrator while posing as a non-existent employee who supposedly has problems accessing the system.

Social engineering is directly related to psychology but is developing as a separate branch of it. Nowadays the engineering approach is used very often, especially by intruders who steal documents without being detected. The method is also used to train spies and secret agents for covert penetration without leaving traces.

A person is able to think, reason, and reach one conclusion or another, but those conclusions may not always be genuine and his own rather than imposed from outside by someone who needs them. The most interesting thing, and the main thing that helps scammers, is that a person may not notice that his conclusions are false. Until the last moment he may think that he decided everything himself. It is this feature that people practicing social engineering exploit.

The point of social engineering is the theft of information. People who do this try to steal information without undue attention, and then use it at their own discretion: sell or blackmail the original owner. According to statistics, it very often turns out that such tricks occur at the request of a competing company.

Now let's look at ways of social engineering.

Human denial of service (HDoS)

The essence of this attack is to quietly force a person not to react to certain situations.

For example, a simulated attack on some port serves as a diversion. The system administrator is distracted by the errors, and meanwhile the attacker quietly penetrates the server and takes the information he needs. But the administrator may know for certain that there can be no errors on that port, in which case the intrusion is noticed immediately. The whole point of this method is that the attacker must know the psychology and level of knowledge of the system administrator; without that knowledge, penetration of the server is not possible.

Call method.

This method means a phone call to the so-called “victim”. The scammer calls the victim and, using both well-delivered speech and psychologically well-chosen questions, misleads her and finds out all the necessary information.

For example: a scammer calls and says that, at the request of the administrator, he is checking the functionality of the security system. Then he asks for a password and username, and after that all the information he needs is in his pocket.

Visual contact.

The most difficult way. Only professionally trained people can cope with it. The point of this method is that you must find an approach to the victim. Once an approach has been found, it will be possible to use it to please the victim and gain her trust. And after this, the victim herself will lay out all the necessary information and it will seem to her that she is not telling anything important. Only a professional can do this.

Email.

This is the most common way for hackers to extract information. In most cases, hackers send a letter to the victim from someone they allegedly know. The most difficult thing about this method is to copy the manner and writing style of this friend. If the victim believes in the deception, then here you can already extract all the information that the hacker might need.