Social engineering: concept, founder, methods and examples

Anonymous

In this article we look at the concept of "social engineering": a general definition of the term, who is credited with founding it, and, separately, the main social engineering methods used by attackers.


Introduction

Methods that allow one to influence a person's behaviour and steer their actions without any technical tools form the general concept of social engineering. All of them rest on the premise that the human factor is the weakest point of any system. The term is most often applied to illegal activity, in which the criminal obtains information from the victim by dishonest means, for example by manipulation. Social engineering is also used in legitimate activity, however. Today it is most often employed to gain access to resources holding confidential or otherwise sensitive information.

Founder

Kevin Mitnick is usually named as the founder of social engineering, although the concept itself comes from sociology, where it denotes a set of approaches in the applied social sciences aimed at changing organisational structures in order to shape and control human behaviour. Mitnick owes this reputation not to inventing the methods but to popularising social engineering as an attack technique in the first decade of the 21st century (his book The Art of Deception appeared in 2002). Mitnick himself was formerly a hacker who broke into a wide variety of computer systems illegally. He argued that the human factor is the most vulnerable point of a system of any size or complexity.


Social engineering methods as a way of obtaining (usually illegitimate) access to confidential data have been known for a very long time. It was Mitnick, however, who managed to convey their importance and the peculiarities of their use to a wide audience.

Phishing and non-existent links

Every social engineering technique relies on cognitive biases. These errors in judgement become a "tool" in the hands of a skilled operator, who can build an attack around them to obtain valuable data. Among social engineering methods, phishing and non-existent links stand out.

Phishing is an online scam designed to obtain personal data such as usernames and passwords.

Non-existent link: a link that lures the recipient with some benefit supposedly obtainable by clicking it and visiting a particular site. Most often the name of a large company is used with a subtle alteration, such as a misspelling or an extra word in the domain. By following the link and filling in the form behind it, the victim "voluntarily" hands their personal data to the attacker.

Methods using brands, defective antiviruses and a fake lottery

Social engineering also makes use of brand scams, fake antiviruses and fake lotteries.

Brand scams: a method of deception that also falls under phishing. It covers emails and websites carrying the name of a large or heavily advertised company. Messages sent in the company's name announce that the recipient has won a competition and ask for account details, which are then stolen. The same scheme is also run by telephone.

Fake lottery: a message tells the victim that they have won a lottery. Most often the notification is disguised with the name of a large corporation.

Fake antivirus is a software scam. It uses programs that look like antivirus products but in reality generate false alerts about a supposed threat, and then try to push the user into paying for a "fix".

Vishing, phreaking and pretexting

In an overview of social engineering for beginners, vishing, phreaking and pretexting also deserve a mention.


Vishing is a form of deception carried out over the telephone network. It uses pre-recorded voice messages that imitate an "official call" from a bank or some other IVR system. Most often the victim is asked to enter a username and/or password, or a PIN, supposedly to confirm some information; in other words, the fake system demands that the user authenticate to it.

Phreaking is another form of telephone fraud: manipulating the telephone switching system with sounds and tone signals.

Pretexting is an attack that follows a prepared scenario (the pretext) in which the attacker poses as someone else. It is a demanding form of deception, because it requires careful preparation.

Quid Pro Quo and the Road Apple Method

The theory of social engineering is a broad body of knowledge covering both the methods of deception and manipulation and the ways of countering them. The main goal of the attackers is, as a rule, to extract valuable information.

Other types of scam include: quid pro quo, the road apple, shoulder surfing, collection from open sources, and reverse social engineering.


Quid pro quo (Latin for "something for something") is an attempt to extract information from a company or firm by contacting it by telephone or e-mail. Most often the attacker poses as technical support and reports some problem at the employee's workstation, then offers a way to fix it, for example by installing a program. The program turns out to be malicious and serves the crime.

The road apple is an attack method built on the idea of the Trojan horse. Its essence is the use of a physical medium with substituted content: for example, a memory card or flash drive carrying some tempting "gift" that makes the victim want to open the files or follow the links in the documents on it. The "road apple" is left in a public place and the attacker waits until someone picks it up and carries out the plan for them.

Collecting and searching for information from open sources is a method in which data is gathered by applying psychology, attention to small details and analysis of publicly available information, for example pages on a social network. This is a relatively new social engineering method.


Shoulder surfing and reverse social engineering

"Shoulder surfing" means observing the target in the literal sense. With this kind of data gathering the attacker goes to public places, such as a cafe, airport or railway station, and watches people, their screens and their keyboards.

Do not underestimate this method: many surveys and studies show that an attentive person can pick up a great deal of confidential information simply by being observant.

Social engineering (as a level of sociological knowledge) is a means of "capturing" data. There are even ways of obtaining data in which the victim offers the attacker the necessary information unprompted. The same knowledge, however, can also serve the good of society.

Reverse social engineering is another method of this discipline. The term applies to the case mentioned above: the victim offers the attacker the needed information. This is not as absurd as it sounds. People who present themselves as authorities in some field (a technical specialist, for instance) are often given credentials by the target's own decision. The basis here is trust.


Important to remember: support staff will never ask a user for their password, for example.

Information and protection

Training in social engineering, and in defending against it, can be undertaken on one's own initiative or by means of the materials used in special training programmes.

Criminals exploit a wide range of human traits, from susceptibility to manipulation to laziness, gullibility, politeness, and so on. Such attacks are extremely hard to defend against, because the victim usually does not realise that they have been deceived. To protect their data at this level of risk, companies often begin by assessing what information about them is exposed, and then integrate the necessary safeguards into their security policy.

Examples

An example of social engineering in the field of mass phishing mailings is an incident from 2003. E-mails were sent to eBay users claiming that their accounts had been blocked and that, to lift the block, they had to re-enter their account details. The letters were fake: they led to a page that looked identical to the official one but was controlled by the attackers. According to expert estimates, the losses were not especially large (under a million dollars).
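The two mechanics described above, a link whose visible text names the real company while the destination is elsewhere (the "non-existent link" in the phishing section) and a lookalike domain such as the one behind the 2003 eBay mailing, are exactly what a mail gateway can check for. The following example is added here and is not from the original article; the brand list, the homoglyph table, the edit-distance threshold and the sample message are assumptions made for the demonstration.

```python
"""Flag phishing-style links in an HTML mail body (added example, not from the article).

Two checks are applied to every <a> element:
  1. the visible link text names a known brand domain but the href points to a
     different registrable domain;
  2. the href host imitates a known brand: either the brand name is smuggled in
     as a label of another domain, or the host is within a small edit distance
     of the brand after folding common homoglyphs (ebey.com, paypa1.com).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list of brands the organisation expects genuine mail from.
KNOWN_DOMAINS = {"ebay.com", "paypal.com", "microsoft.com"}

# Assumed small table of characters attackers substitute for look-alike letters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "|": "l", "3": "e", "5": "s", "8": "b", "@": "a"})


def registrable(host):
    """Crude registrable domain: the last two labels (ignores multi-part TLDs such as co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalise(name):
    """Lower-case, fold homoglyphs and drop separators so 'e-b@y.com' becomes 'ebay.com'."""
    return name.lower().translate(HOMOGLYPHS).replace("-", "").replace("_", "")


def edit_distance(a, b):
    """Levenshtein distance by plain dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host):
    """Return the known domain that `host` imitates, or None if it is genuine or unrelated."""
    host = host.lower().rstrip(".")
    base = registrable(host)
    if base in KNOWN_DOMAINS:
        return None  # genuine host, or a real subdomain of a known brand
    labels = re.split(r"[.\-]", host)  # 'signin-ebay.example' -> ['signin', 'ebay', 'example']
    for brand in sorted(KNOWN_DOMAINS):
        if brand.split(".")[0] in labels:
            return brand  # brand name used as a label of some other domain
        if edit_distance(normalise(base), normalise(brand)) <= 2:  # assumed threshold
            return brand  # typosquat or homoglyph variant
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


DOMAIN_IN_TEXT = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def analyse_email(html):
    """Return the suspicious links in an HTML mail body, each with the reasons it was flagged."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if not host:
            continue  # relative or mailto: link, nothing to compare
        reasons = []
        # 1. visible text names a known brand but the link goes to another registrable domain
        for shown in DOMAIN_IN_TEXT.findall(text):
            shown_base = registrable(shown)
            if shown_base in KNOWN_DOMAINS and shown_base != registrable(host):
                reasons.append("text_href_mismatch:" + shown_base)
                break
        # 2. the destination host itself imitates a known brand
        brand = lookalike_of(host)
        if brand:
            reasons.append("lookalike:" + brand)
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample in the style of the 2003 eBay mailing; not a real message.
SAMPLE_EMAIL = """
<p>Dear eBay member,</p>
<p>Your account has been suspended. To restore access, please
<a href="http://signin.ebay.com.account-verify.example/login">click here</a>
or visit <a href="https://ebey.com/verify">https://www.ebay.com/verify</a>.</p>
<p>Questions? See <a href="https://www.ebay.com/help">our help pages</a>.</p>
"""

if __name__ == "__main__":
    for finding in analyse_email(SAMPLE_EMAIL):
        print(finding["href"], "->", ", ".join(finding["reasons"]))
```

Run as a script, the two fraudulent links are reported and the genuine help link is not. The registrable-domain helper is deliberately crude: a real gateway would use the public suffix list, and the edit-distance threshold must be tuned against the organisation's own brand list, because very short brand names collide with unrelated domains at a distance of two.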


Definition of responsibility

The use of social engineering can be punishable. In a number of countries, including the United States, pretexting (deception by impersonating another person) is treated as an invasion of privacy; it is punishable by law if the information obtained through pretexting was confidential from the point of view of the person or organisation concerned. Recording a telephone conversation (as a social engineering method) is also prosecuted by law and is punished with a fine of $250,000 or imprisonment for up to ten years for individuals; legal entities pay $500,000, and the term of imprisonment remains the same.
