Social engineering: concept, founder, methods and examples

Socially engineered cybercriminals have adopted more advanced techniques in recent years that make it more likely to gain access to necessary information using the modern psychology of employees of enterprises, and people in general. The first step in countering these types of tricks is to understand the attackers' tactics themselves. Let's look at eight main approaches to social engineering.

Introduction

In the 90s, the concept of "social engineering" was introduced by Kevin Mitnick, an iconic figure in the field of information security, a former serious-level hacker. However, attackers used such methods long before the term itself appeared. Experts are convinced that the tactics of modern cybercriminals are tied to the pursuit of two goals: stealing passwords, installing malware.

Attackers are trying to apply social engineering using the phone, email and the Web. Let's get acquainted with the main methods that help criminals get the confidential information they need.

Tactic 1. The Ten Handshake Theory

The main goal of an attacker using a phone for social engineering is to convince his victim of one of two things:

1. The victim receives a call from a company employee;
2. A representative of an authorized body calls (for example, a law enforcement officer or an auditor).

If a criminal sets himself the task of collecting data about a particular employee, he can first contact his colleagues, trying in every possible way to get the data he needs.

Do you remember the old theory of six handshakes? So, security experts say that there can be only ten “handshakes” between a cybercriminal and his victim. Experts believe that modern conditions you always need to have a little paranoia, since you don’t know what this or that employee wants from you.

Attackers usually contact a secretary (or someone in a similar position) to gather information about people higher up in the hierarchy. Experts note that a friendly tone helps scammers a lot. Slowly but surely, criminals pick up the key to you, which soon leads to the fact that you share information that you would never have discovered before.

Tactic 2. Learn corporate language

As you know, each industry has its own specific formulations. The task of an attacker trying to get necessary information, - to study the features of such a language in order to more skillfully use social engineering techniques.

All the specifics lie in the study of the corporate language, its terms and features. If a cybercriminal speaks a familiar, familiar and understandable language for his purposes, he will more easily gain confidence and be able to quickly get the information he needs.

Tactic 3: Borrow Music to Wait During Calls

To carry out a successful attack, fraudsters need three components: time, perseverance and patience. Often cyber attacks using social engineering are carried out slowly and methodically - not only data on the right people but also the so-called "social signals". This is done in order to gain trust and circle the target around your finger. For example, attackers can convince the person they are communicating with that they are colleagues.

One of the features of this approach is to record the music that the company uses during calls, at a time when the caller is waiting for an answer. The criminal first waits for such music, then records it, and then uses it to his advantage.

Thus, when there is a direct dialogue with the victim, the attackers at some point say: "Wait a minute, there is a call on the other line." The victim then hears familiar music and is left in no doubt that the caller represents a certain company. In essence, this is just a competent psychological trick.

Tactic 4. Spoofing (substitution) of a phone number

Criminals often use spoofing phone numbers, which helps them to change the caller's number. For example, an attacker can sit in his apartment and call a person of interest, but the caller ID will display a company-owned number, which will create the illusion that the fraudster is calling using a corporate number.

Of course, unsuspecting employees will in most cases hand over sensitive information, including passwords, to the caller if the caller ID belongs to their company. This approach also helps criminals avoid tracking, as if you call this number back, you will be redirected to the company's internal line.

Tactic 5: Using the News Against You

Whatever the headlines of the current news, attackers use this information as bait for spam, phishing and other fraudulent activities. No wonder experts have recently noted an increase in the number of spam emails, the topics of which relate to presidential campaigns and economic crises.

Examples include a phishing attack on a bank. The email says something like this:

“Another bank [bank name] is acquiring your bank [bank name]. Click on this link to make sure your bank information is up to date before the deal is closed."

Naturally, this is an attempt to get information with which scammers can enter your account, steal your money, or sell your information to a third party.

Tactic 6: Leverage Trust in Social Platforms

It's no secret that Facebook, Myspace and LinkedIn are hugely popular social networks. According to expert research, people tend to trust such platforms. A recent spear-phishing incident targeting LinkedIn users supports this theory.

Thus, many users will trust an email if it claims to be from Facebook. A common trick is to claim that the social network is undergoing maintenance, you have to "click here" to update the information. That is why experts recommend that employees of enterprises enter web addresses manually to avoid phishing links.

It is also worth bearing in mind that sites in very rare cases send users a request to change their password or update account.

Tactic 7. Typesquatting

This malicious technique is notable in that attackers use the human factor, namely errors when entering a URL address in address bar. Thus, making a mistake of just one letter, the user can get to a site created specifically for this purpose by attackers.

Cybercriminals carefully prepare the ground for typesquatting, so their site will be like two peas in a pod similar to the legitimate one you originally wanted to visit. Thus, by making a mistake in writing a web address, you end up on a copy of a legitimate site, the purpose of which is either to sell something, or steal data, or distribute malware.

Tactic 8: Using FUD to Influence the Stock Market

FUD is a psychological manipulation tactic used in marketing and propaganda in general, which consists in presenting information about something (in particular, a product or organization) in such a way as to sow uncertainty and doubt in the audience about its qualities and thus cause fear of it.

According to the latest research from Avert, the security and vulnerability of products and even entire companies can affect the stock market. For example, researchers studied the impact of events such as "Microsoft Patch Tuesday" on the company's stock, finding a marked fluctuation each month after a vulnerability was released.

You can also recall how the attackers in 2008 spread false information about the health of Steve Jobs, which led to a sharp drop in stocks Apple. This is the most typical example of FUD being used for malicious purposes.

In addition, it is worth noting the use of e-mail to implement the “pump-and-dump” technique (a scheme for manipulating the exchange rate in the stock market or in the cryptocurrency market with a subsequent collapse). In this case, the attackers can send out emails describing the amazing potential of the shares they bought up in advance.

Thus, many will try to buy these shares as soon as possible, and they will increase in price.

conclusions

Cybercriminals are often very creative in their use of social engineering. Having become acquainted with their methods, we can conclude that various psychological tricks are very helpful for attackers to achieve their goals. Based on this, it is worth paying attention to any little thing that can unwittingly give out a fraudster, check and double-check information about people contacting you, especially if confidential information is being discussed.

In the age of information technology, social engineering has acquired a strong connection with cybercrime, but in fact this concept appeared a long time ago and initially did not have a pronounced negative connotation. If you think that social engineering is a dystopian fiction or a dubious psychological practice, then this article will change your mind.

What is called social engineering?

The term itself is sociological and denotes a set of approaches to creating such conditions under which it is possible to control human behavior. To one degree or another, social engineering techniques have been used by people since ancient times. in ancient Greece and Ancient Rome speakers with a special art of persuasion were highly valued, such people were attracted to participate in diplomatic negotiations. The activities of the special services are also largely based on the methods of social engineering, and the 20th century is completely replete with examples of what results can be achieved with the skillful manipulation of human consciousness and behavior. The pioneers of social engineering in the form in which it exists today are considered telephone scammers who appeared in the 70s of the last century, and this science came to the field of information technology thanks to the former hacker Kevin Mitnick, who is now an information security consultant and writes books about his path as a social engineer.

In the field of cybercrime, social engineering refers to the methods and techniques that attackers use to obtain the necessary data or to induce the victim to commit necessary actions. As Kevin Mitnick said, the most vulnerable spot in any security system is a person, and cybercriminals are well aware of this. Social engineers are good psychologists, they masterfully approach specific person, are easily rubbed into trust, go to all sorts of tricks and tricks - and all this in order to obtain confidential information.

How do social engineers work?

The film "Catch Me If You Can", based on the book of the same name, tells about the events of the life of real person, Frank Abagnale. Now he is an expert on documentary security, but in the middle of the twentieth century, Abagnale forged checks and for five years masterfully hid from the police, easily transforming into different people from a pilot to a doctor. This behavior, tricks and subtle psychological game is a prime example of social engineering.

If Frank Abagnale had to personally contact people using psychological tricks and acting skills to achieve his goals, today attackers obtain information remotely, using the Internet and cellular communication. On the tricks of hackers come across and ordinary computer users, and employees of large companies who are well versed in information security issues. The main danger is that the victim provides the necessary information voluntarily, without even suspecting that by his actions he is helping the criminal.

Manipulation of thoughts and actions becomes possible due to cognitive distortions - deviations in our perception, thinking and behavior. These errors can be caused by stereotypes, emotional or moral state, the influence of society, deviations in the brain. Under the influence of one or more factors, a failure occurs at the stage of analyzing the information received, as a result of which we can make an illogical judgment, misinterpret events, or take irrational actions. Knowing about such features of the work of human thinking, social engineers create situations in which the victim will most likely perform the desired action, and, as practice shows, cognitive distortions are stronger than us.

Examples of social engineering

To achieve their goals, attackers exploit human curiosity, benevolence, politeness, laziness, naivety, and other most different qualities. An attack on a person (as hackers call social engineering) can be carried out according to many scenarios, depending on the situation, but there are several of the most common techniques used by attackers.

Phishing. This method is effective due to the inattention of users. The victim receives an email from some well-known website, organization or even an individual with a request to perform the indicated actions by clicking on the link. Most often they ask you to log in. A person goes to the site and enters his username and password, without even looking at the sender of the message and at the site address, and the scammers thus receive the data necessary for hacking, after which they perform any actions on the victim's page.

Trojan. This is a virus that got its name from the principle of operation, similar to the Trojan horse from ancient Greek myth. A user downloads a program or even a picture, and under the guise of a harmless file, a virus enters the victim's computer, with the help of which attackers steal data. Sometimes this download occurs automatically when a person clicks on a curious link, opens suspicious websites or suspicious emails. Why is this type of data theft called social engineering? Because the creators of the virus know very well how to disguise the malware so that you are sure to click on the right link or download the file.

Qui pro quo. From the Latin quid pro quo, which means "this for this." This type of scam works on a quid pro quo basis. The attacker poses as a service employee technical support and offers to fix the problems that have arisen in the system or on the computer of a particular user, although in fact there were no problems in the operation of the software. The victim believes in the presence of malfunctions, which were reported to her by the "specialist", and happily provides the necessary data or performs the actions dictated by the scammer.

Reverse social engineering

This is the name of the type of attack in which the victim herself turns to the attacker and provides him with the necessary information. This can be achieved in several ways:

• Implementation of special software. At first, the program or system works properly, but then it fails, requiring the intervention of a specialist. Of course, the situation is set up in such a way that the specialist to whom they turn for help turns out to be a social hacker. By adjusting the work of the software, the fraudster performs the manipulations necessary for hacking. Sometimes the information you need is not obtained direct work with a computer, but through communication with the user, who, for the sake of speedy repair of the equipment, is ready to provide the master with any confidential information. Later, when a hack is discovered, the social engineer behind the mask of an assistant can remain beyond all suspicion, which makes social engineering a very profitable tool.
• Advertising. Attackers can advertise their services as computer masters or other professionals. The victim turns to the cracker herself, and the criminal not only works technically, but also fishes out information through communication with his client.
• Help. The social engineer may deliberately be among those who will be turned to for help in the event of a failure, and sometimes the scammer performs some kind of manipulation in advance that will force the victim to seek an assistant. In this case, the hacker appears in a positive role, and the attacked person remains grateful for the service rendered.

How to protect yourself?

The first defense against social engineering is reasonable skepticism and vigilance. Always pay attention to the addresser of the letters and the address of the site where you are going to enter some personal data. Not only company employees and famous people become victims of cybercriminals, but also ordinary users - a fraudster may need access to your page on a social network or e-wallet. If a person who claims to be an employee of some organization or website calls you, remember that in order to manipulate your account, as a rule, he does not need to know confidential data - do not disclose it yourself. The request to provide any personal information, such as passport data, should alert you - for identification of an individual, most often they require only the last digits of some data, and not the whole thing.

Do not work with important information in front of strangers. Fraudsters can use the so-called shoulder surfing, a type of social engineering when information is stolen over the victim's shoulder. A considerable amount of important data was spied on the screen while the unsuspecting victim was working on his computer.

Do not go to suspicious sites and do not download dubious files, because one of the most the best helpers social engineering is our curiosity. In any situation, when they call you, write to you, offer a service, or, for example, toss a flash drive, ask yourself if you know where, why and why. If not, then consult with a trusted and knowledgeable person, otherwise, ignore this situation, but never divulge important information without a good reason.

social engineering – a way to gain access to confidential information, passwords, banking and other protected data and systems.
Cybercriminals use social engineering to carry out targeted attacks (attacks on the infrastructure of companies or government agencies). They carefully study the means of protection of this organization in advance.

Publication of this article on the portal www.

social engineering

It is believed that social engineering is the most dangerous and destructive type of attack on organizations. But unfortunately at conferences on information security, this issue is practically not given attention.

At the same time, most cases in the Russian-speaking segment of the Internet are cited from foreign sources and books. I'm not saying that there are few such cases on the Runet, but for some reason they just don't talk about them. I decided to figure out how dangerous social engineering is in reality, and figure out what the consequences of its massive use could be.

Social engineering in information security and penetration testing is usually associated with a targeted attack on a specific organization. In this selection of cases, I want to consider several examples of the use of social engineering, when “attacks” were carried out massively (indiscriminately) or mass-targeted (on organizations in a certain field).

Let's define the concepts so that it is clear to everyone what I mean. In the article I will use the term "social engineering" in the following sense: "a set of methods to achieve a goal, based on the use of human weaknesses." This is not always something criminal, but it definitely has a negative connotation and is associated with fraud, manipulation and the like. But all sorts of psychological tricks for knocking out discounts in a store are not social engineering.

In this area, I will act only as a researcher, I did not create any malicious sites and files. If someone received a letter from me with a link to the site, then this site was safe. The worst thing that could happen there is the tracking of the user by the Yandex.Metrica counter.

Examples of social engineering

Surely you have heard about spam with "certificates of completed work" or contracts, in which Trojans are embedded. You will no longer surprise accountants with such mailings. Or pop-up windows with "recommendations" to download a plug-in for watching videos - this is already boring. I have developed several less obvious scenarios and present them here as food for thought. I hope that they will not become a guide to action, but, on the contrary, will help make the Runet safer.

Verified sender

Sometimes, due to an oversight, site administrators do not enable filtering of the “Name” field in the registration form (for example, when subscribing to a newsletter or when sending an application). Instead of a name, you can insert text (sometimes kilobytes of text) and a link to a malicious site. Enter the victim's address in the email field. After registration, this person will receive a letter from the service: "Hello, dear ...", and then - our text and a link. The message from the service will be at the very bottom.

How to turn it into a weapon of mass destruction?

Elementary. Here is one example from my practice. In December 2017, one of the search engines discovered the possibility of sending messages through the form of binding a spare email. Before I submitted the bug bounty report, it was possible to send 150,000 messages a day - it only needed to automate the form filling a little.

This trick allows you to send fraudulent emails from the site's real support address, with all digital signatures, encryption, and so on. But the entire upper part turns out to be written by an attacker. I also received such letters, and not only from large companies like booking.com or paypal.com, but also from less famous sites.

And here is the “trend” of April 2018.

Emails from Google Analytics

I will tell you about a completely new case - for April 2018. WITH Google mail Analytics spam started coming to several of my addresses. After digging around a bit, I found the way it is sent.

"How to apply it?" I thought. And that's what came to mind: a scammer can make, for example, such a text.

Such a collection of passwords can be carried out not only targeted, but also in bulk, you just need to automate the process of collecting domains a little with Google Analytics and parsing emails from these sites.

Curiosity

This method of getting a person to click on a link requires some preparation. A fake company website is created with a unique name that immediately attracts attention. Well, for example, LLC "ZagibaliVygibali". Waiting for the search engines to index it.

Now we come up with some reason to send out congratulations on behalf of this company. Recipients will immediately begin to google it and find our site. Of course, it is better to make the congratulation itself unusual so that the recipients do not brush the letter into the spam folder. With a little test, I easily got over a thousand clicks.

Fake newsletter subscription

And what is it written there?

To lure people from some forum or site with open comments, you do not need to invent enticing texts - just post a picture. Just choose something more attractive (some kind of meme) and squeeze so that it is impossible to distinguish the text. Curiosity invariably makes users click on the picture. In my research, I conducted an experiment and received about 10k transitions in such a primitive way. Trojans were once delivered via LJ (livejournal) in the same way.

What is your name?

Getting a user to open a file or even a document with a macro is not that difficult, even though many have heard of the dangers lurking. With mass mailing, even just knowing the name of a person seriously increases the chances of success.

For example, we can send an email with the text "Is this email still active?" or "Please write the address of your site." In the answer, at least in 10-20% of cases, the sender's name will come (this is more common in large companies). And after a while we write “Alena, hello. What is with your site (photo attached)?” Or “Boris, good afternoon. I can't deal with the price at all. I need the 24th position. I am attaching the price. Well, in the price list - the banal phrase "To view the contents, enable macros ...", with all the ensuing consequences.

In general, personally addressed messages are opened and processed an order of magnitude more often.

Mass intelligence

This scenario is not so much an attack as a preparation for it. Let's say we want to know the name of some important person, such as an accountant or a head of security. This is easy to do if you send one of the employees who may have this information a letter with the following content: “Please tell me the middle name of the director and the office schedule. We need to send a courier."

We ask the time of work in order to blur our eyes, and asking for a patronymic is a trick that allows us not to give out that we do not know the first and last name. Both, most likely, will be contained in the response of the victim: the full name is most often written in full. In the course of the study, I managed to collect the names of more than two thousand directors in this way.

If you need to find out the mail of the authorities, then you can safely write to the secretary: “Hello. Haven't talked to Andrey Borisovich for a long time, is his address still working? And I didn't get an answer from him. Roman Gennadievich. The secretary sees an email made up on the basis of the real name of the director and containing the company's website, and gives the real address of Andrey Borisovich.

In this article, we will focus on the concept of "social engineering". Here the general will be considered. We will also learn about who was the founder of this concept. Let's talk separately about the main methods of social engineering that are used by attackers.

Introduction

Methods that allow you to correct human behavior and manage his activities without the use of a technical set of tools form the general concept of social engineering. All methods are based on the assertion that the human factor is the most destructive weakness of any system. Often this concept considered at the level of illegal activity, through which the criminal performs an action aimed at obtaining information from the subject-victim in a dishonest way. For example, it could be some kind of manipulation. However, social engineering is also used by humans in legitimate activities. Today, it is most often used to access resources with sensitive or sensitive information.

Founder

The founder of social engineering is Kevin Mitnick. However, the concept itself came to us from sociology. It denotes a general set of approaches used by applied social. sciences focused on changing the organizational structure that can determine human behavior and exercise control over it. Kevin Mitnick can be considered the founder of this science, since it was he who popularized the social. engineering in the first decade of the 21st century. Kevin himself was previously a hacker who committed to a wide variety of databases. He argued that the human factor is the most vulnerable point of a system of any level of complexity and organization.

If we talk about social engineering methods as a way to obtain rights (often illegal) to use confidential data, then we can say that they have been known for a very long time. However, it was K. Mitnick who was able to convey the full importance of their meaning and the peculiarities of their application.

Phishing and non-existent links

Any technique of social engineering is based on the presence of cognitive distortions. Behavioral errors become a "tool" in the hands of a skilled engineer, who in the future can create an attack aimed at obtaining important data. Among the methods of social engineering, phishing and non-existent links are distinguished.

Phishing is an online scam designed to obtain personal information such as username and password.

Non-existent link - the use of a link that will lure the recipient with certain benefits that can be obtained by clicking on it and visiting a specific site. Most often, the names of large companies are used, making subtle adjustments to their name. The victim, by clicking on the link, will "voluntarily" transfer their personal data to the attacker.

Methods using brands, defective antiviruses and a fake lottery

Social engineering also uses brand name scams, defective antiviruses, and fake lotteries.

"Fraud and brands" is a method of deception, which also belongs to the phishing section. This includes emails and websites that contain the name of a large and/or "hyped" company. Messages are sent from their pages with notification of victory in a certain competition. Next, you need to enter important account information and steal it. Also given form fraud can be carried out over the phone.

Fake lottery - a method in which a message is sent to the victim with the text that he (a) won (a) the lottery. Most often, the alert is masked using the names of large corporations.

False antiviruses are software scams. It uses programs that look like antiviruses. However, in reality, they lead to the generation of false notifications about a particular threat. They also try to lure users into the realm of transactions.

Vishing, phreaking and pretexting

Speaking of social engineering for beginners, we should also mention vishing, phreaking and pretexting.

Vishing is a form of deception that uses telephone networks. Here, pre-recorded voice messages, the purpose of which is to recreate the "official call" of the banking structure or any other IVR system. Most often, they are asked to enter a username and / or password in order to confirm any information. In other words, the system requires authentication by the user using PINs or passwords.

Phreaking is another form of phone scam. It is a hacking system using sound manipulation and tone dialing.

Pretexting is an attack using a preconceived plan, the essence of which is to represent another subject. An extremely difficult way to cheat, as it requires careful preparation.

Quid Pro Quo and the Road Apple Method

The theory of social engineering is a multifaceted database that includes both methods of deception and manipulation, as well as ways to deal with them. The main task of intruders, as a rule, is to fish out valuable information.

Other types of scams include: quid pro quo, the road apple method, shoulder surfing, open source use, and reverse social media. engineering.

Quid-pro-quo (from lat. - “for this”) - an attempt to fish out information from a company or firm. This happens by contacting her by phone or by sending messages to e-mail. Most often, attackers pose as employees of those. support, which report the presence of a specific problem in the workplace of the employee. They then suggest ways to eliminate it, for example, by establishing software. The software turns out to be defective and promotes the crime.

"Road apple" is an attack method that is based on the idea of ​​a Trojan horse. Its essence is to use physical media and changing information. For example, they can provide a memory card with a certain "good" that will attract the attention of the victim, cause a desire to open and use the file or follow the links indicated in the documents of the flash drive. The object of the "road apple" is dropped into social places and wait until some subject implements the attacker's plan.

Gathering and searching for information from open sources is a scam in which data acquisition is based on the methods of psychology, the ability to notice little things and the analysis of available data, for example, pages from a social network. This is enough new way social engineering.

Shoulder surfing and reverse social. engineering

The concept of "shoulder surfing" defines itself as the observation of the subject live in the literal sense. With this type of data fishing, the attacker goes to public places, such as a cafe, airport, train station and follows people.

Should not be underestimated this method, as many surveys and studies show that an attentive person can receive a lot of confidential information just being observant.

Social engineering (as a level of sociological knowledge) is a means for "capturing" data. There are ways to obtain data in which the victim herself will offer the attacker the necessary information. However, it can also serve the benefit of society.

Reverse social engineering is another method of this science. The use of this term becomes appropriate in the case that we mentioned above: the victim himself will offer the attacker the necessary information. This statement should not be taken as absurd. The fact is that subjects endowed with authority in certain areas of activity often get access to identification data at the subject's own decision. Trust is the basis here.

Important to remember! Support staff will never ask the user for a password, for example.

Information and protection

Social engineering training can be carried out by an individual both on the basis of personal initiative and on the basis of benefits that are used in special training programs.

Criminals can use a wide variety of types of deception, ranging from manipulation to laziness, gullibility, courtesy of the user, etc. It is extremely difficult to protect yourself from this type of attack, which is due to the victim's lack of awareness that he (she) was deceived. Various firms and companies to protect their data at this level of danger are often engaged in the evaluation of general information. Next, the necessary protection measures are integrated into the security policy.

Examples

An example of social engineering (its act) in the field of global phishing mailings is an event that occurred in 2003. During this scam, emails were sent to eBay users at email addresses. They claimed that the accounts belonging to them were blocked. To cancel the blocking, it was necessary to re-enter the account data. However, the letters were fake. They translated to a page identical to the official one, but fake. According to expert estimates, the loss was not too significant (less than a million dollars).

Definition of responsibility

The use of social engineering may be punishable in some cases. In a number of countries, for example, the United States, pretexting (deception by impersonating another person) is equated with an invasion of personal life. However, this may be punishable by law if the information obtained during pretexting was confidential from the point of view of the subject or organization. Recording telephone conversation(as a method of social engineering) is also provided for by law and requires a fine of $ 250,000 or imprisonment for up to ten years for individuals. persons. Legal entities are required to pay $500,000; the period remains the same.

Methods of social engineering - this is what this article will discuss, as well as everything related to the manipulation of people, phishing and theft of customer bases and more. The information was kindly provided to us by Andrey Serikov, the author of which he is, for which many thanks to him.

A.SERIKOV

A.B.BOROVSKY

INFORMATION TECHNOLOGIES OF SOCIAL HACKING

Introduction

The desire of mankind to achieve the perfect fulfillment of the tasks set has led to the development of modern computer technology, and attempts to meet the conflicting requirements of people have led to the development of software products. Data software products not only keep the hardware running, but also manage it.

The development of knowledge about a person and a computer has led to the emergence of a fundamentally new type of systems - “man-machine”, where a person can be positioned as hardware running a stable, functional, multi-tasking operating system called "psyche".

The subject of the work is the consideration of social hacking as a branch of social programming, where human beings are manipulated with the help of human weaknesses, prejudices and stereotypes in social engineering.

Social engineering and its methods

Methods of manipulating a person have been known for a long time, they mainly came to social engineering from the arsenal of various special services.

The first known case of competitive intelligence dates back to the 6th century BC and occurred in China, when the Chinese lost the secret of making silk, which was fraudulently stolen by Roman spies.

Social engineering is a science that is defined as a set of methods for manipulating human behavior, based on the use of the weaknesses of the human factor, without the use of technical means.

According to many experts, the biggest threat to information security is precisely the methods of social engineering, if only because the use of social hacking does not require significant financial investments and thorough knowledge. computer technology, and also because people have some behavioral tendencies that can be used for careful manipulation.

And no matter how improved technical systems protection, people will remain people with their weaknesses, prejudices, stereotypes, with the help of which management takes place. Setting up a human “security program” is the most difficult and not always guaranteed result business, since this filter must be constantly adjusted. Here, more than ever, the main motto of all security experts sounds relevant: “Security is a process, not a result”

Areas of application of social engineering:

1. general destabilization of the organization's work in order to reduce its influence and the possibility of subsequent complete destruction of the organization;
2. financial fraud in organizations;
3. phishing and other methods of stealing passwords in order to access personal banking data of individuals;
4. theft of client databases;
5. competitive intelligence;
6. general information about the organization, its strengths and weaknesses, with the aim of the subsequent destruction of this organization in one way or another (often used for raider attacks);
7. information about the most promising employees in order to further "poach" them into their organization;

Social programming and social hacking

Social programming can be called an applied discipline that deals with purposeful influence on a person or group of people in order to change or keep their behavior in the right direction. Thus, the social programmer sets himself the goal of mastering the art of managing people. The main concept of social programming is that many of the actions of people and their reactions to this or that external influence are predictable in many cases.

Methods of social programming are attractive because either no one will ever know about them, or even if someone guesses something, it is very difficult to hold such a figure accountable, and in some cases it is possible to “program” people’s behavior, and one person, and a large group. These opportunities belong to the category of social hacking precisely for the reason that in all of them people fulfill someone else's will, as if obeying a “program” written by a social hacker.

Social hacking as an opportunity to hack a person and program him to perform the necessary actions comes from social programming - an applied discipline of social engineering, where specialists in this field - social hackers - use techniques of psychological influence and acting skills borrowed from the arsenal of special services.

Social hacking is used in most cases when it comes to an attack on a person who is part of a computer system. computer system, which is hacked, does not exist by itself. It contains an important component - a person. And in order to get information, a social hacker needs to hack into a person who works with a computer. In most cases, it is easier to do this than to hack into the victim's computer, trying to find out the password in this way.

Typical algorithm of influence in social hacking:

All attacks of social hackers fit into one fairly simple scheme:

1. the purpose of the impact on a particular object is formulated;
2. information about the object is collected in order to find the most convenient targets for exposure;
3. based collected information a stage is realized, which psychologists call attraction. Attraction (from lat. Attrahere - to attract, attract) is the creation of the necessary conditions for influencing an object;
4. coercion to the action necessary for the social hacker;

Coercion is achieved by performing the previous stages, i.e. after the attraction is achieved, the victim himself does the actions necessary for the social engineer.

Based on the information collected, social hackers accurately predict the psycho- and sociotype of the victim, identifying not only the needs for food, sex, etc., but also the need for love, the need for money, the need for comfort, etc., etc.

And really, why try to penetrate this or that company, hack computers, ATMs, organize complex combinations when you can make everything easier: fall in love with yourself to unconsciousness of a person who, of his own free will, will transfer money to a specified account or each time share the necessary information?

Based on the fact that people's actions are predictable and also subject to certain laws, social hackers and social programmers use both original multi-steps and simple positive and negative tricks based on the psychology of human consciousness, behavior programs, vibrations of internal organs, logical thinking, imagination, memory, attention. These approaches include:

Wood generator - generates oscillations of the same frequency as the frequency of oscillations of internal organs, after which a resonance effect is observed, as a result of which people begin to feel severe discomfort and a panic state;

impact on the geography of the crowd - for the peaceful disbandment of extremely dangerous aggressive, large groups of people;

high-frequency and low-frequency sounds - to provoke panic and its reverse effect, as well as other manipulations;

social imitation program - a person determines the correctness of actions, finding out what actions other people consider correct;

the program of clackering - (based on social imitation) the organization of the necessary reaction of the audience;

queuing - (based on social imitation) a simple but effective advertising ploy;

mutual aid program - a person seeks to repay good to those people who have done him some kind of good. The desire to fulfill this program often exceeds all arguments of reason;

social hacking on the internet

With the advent and development of the Internet - a virtual environment consisting of people and their interactions, the environment for manipulating a person has expanded to obtain the necessary information and perform the necessary actions. Today, the Internet is a worldwide broadcast medium, a medium for collaboration, communication and covers the entire Earth. This is what social engineers use to achieve their goals.

Ways to manipulate a person via the Internet:

In the modern world, the owners of almost every company have already realized that the Internet is a very effective and convenient tool for expanding a business and its main task is to increase the profits of the entire company. It is known that without information aimed at attracting attention to the desired object, forming or maintaining interest in it and promoting it on the market, advertising is used. Only, due to the fact that the advertising market has long been divided, most types of advertising for most entrepreneurs are wasted money. Internet advertising is not just one of the types of advertising in the media, it is something more, because with the help of Internet advertising, people interested in cooperation come to the organization's website.

Internet advertising, unlike advertising in the media, has many more options and parameters for managing an advertising company. Most important indicator internet advertising is that Internet advertising fee is deducted only upon transition interested user on the advertisement link, which of course makes advertising on the Internet more effective and less costly than advertising in the media. So, having advertised on television or in print media, they pay for it in full and just wait for potential customers, but customers can respond to advertising or not - it all depends on the quality of production and presentation of advertising on television or newspapers, however, the advertising budget has already been spent in the case if the advertisement did not work, it was wasted. Unlike such media advertising, online advertising has the ability to track audience response and manage online advertising before its budget is used up, moreover, online advertising can be paused when demand for products has increased and resumed when demand begins to fall.

Another way of influence is the so-called "Forum Killing" where, with the help of social programming, they create anti-advertising for a particular project. Social programmer at this case, with the help of obvious provocative actions alone, destroys the forum, while using several pseudonyms ( nickname) to create an anti-leader group around itself, and attract regular visitors to the project who are dissatisfied with the behavior of the administration. At the end of such events in the forum, it becomes impossible to promote goods or ideas. Why was the forum originally designed?

To the methods of influencing a person through the Internet for the purposes of social engineering:

Phishing is a type of Internet fraud in order to gain access to confidential user data - logins and passwords. This operation achieved through mass mailings emails on behalf of popular brands, as well as private messages inside various services(Rambler), banks or within social networks(Facebook). The letter often contains a link to a site that is outwardly indistinguishable from the real one. After a user lands on a fake page, social engineers use various techniques to encourage the user to enter their username and password on the page, which they use to access a particular site, which allows them to access accounts and bank accounts.

More dangerous view fraud than phishing, is the so-called pharming.

Pharming is a mechanism to covertly redirect users to phishing sites. A social engineer distributes to users' computers special malware, which, after being launched on a computer, redirect requests from the necessary sites to fake ones. Thus, high secrecy of the attack is ensured, and user participation is minimized - it is enough to wait until the user decides to visit the sites of interest to the social engineer.

Conclusion

Social engineering is a science that emerged from sociology and claims to be the totality of the knowledge that guides, puts in order and optimizes the process of creating, modernizing and reproducing new (“artificial”) social realities. In a certain way, it “finishes” sociological science, completes it at the stage of transforming scientific knowledge into models, projects and constructions of social institutions, values, norms, algorithms of activity, relationships, behavior, etc.

Despite the fact that social engineering is a relatively young science, it causes great damage to the processes that take place in society.

The simplest methods of protection from the impact of this destructive science can be called:

Bringing people's attention to security issues.

Awareness by users of the seriousness of the problem and the adoption of the security policy of the system.

Literature

1. R. Petersen Linux: Complete guide: per. from English. - 3 - ed. - K .: BHV Publishing Group, 2000. - 800 p.

2. From Grodnev Internet in your home. - M .: "RIPOL CLASSIC", 2001. -480 p.

3. M. V. Kuznetsov Social engineering and social hacking. SPb.: BHV-Petersburg, 2007. - 368 p.: ill.