This article looks at the concept of "social engineering". It gives a general definition of the term, explains who is considered the founder of the concept, and then discusses separately the main social engineering methods that attackers use.
Introduction
Social engineering is the general name for methods that influence human behavior and steer people's actions without any technical tooling. All of these methods rest on one assertion: the human factor is the most damaging weakness of any system. The concept is usually discussed at the level of illegal activity, where an offender acts to obtain information from the victim dishonestly, for example through some form of manipulation. However, social engineering is also used in legitimate activities. Today it is most often used to gain access to resources holding restricted or valuable information.
The founder
The founder of social engineering is Kevin Mitnick. The concept itself, however, came from sociology, where it denotes a set of approaches used in the applied social sciences to change an organizational structure so that it determines and controls human behavior. Kevin Mitnick can be considered the founder of this discipline because it was he who popularized social engineering in the first decade of the 21st century. Mitnick himself was formerly a hacker who broke into a wide variety of databases. He argued that the human factor is the most vulnerable part of any system, whatever its complexity and organization.
If we consider social engineering methods as a way of obtaining (often illegal) access to confidential data, they had already been known for a very long time. It was K. Mitnick, however, who conveyed their full significance and the particulars of their application.
Phishing and nonexistent links
Every social engineering technique relies on cognitive bias. Behavioral errors become a "tool" in the hands of a skilled engineer, who can later build an attack aimed at obtaining important data. Among social engineering methods, phishing and nonexistent links stand out.
Phishing is Internet fraud designed to obtain personal information, such as a login and password.
A nonexistent link is a link that lures the recipient with some advantage supposedly gained by clicking it and visiting a particular site. Most often such links use the names of large companies with subtle alterations. The victim who follows the link "voluntarily" hands over personal data to the attacker.
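As an added defensive illustration (not part of the original article), the following Python script scans an email body for links whose hostnames imitate a protected brand, either by embedding the brand name inside an unrelated domain or by differing from it by a character or two. The brand list, the sample message and the edit-distance threshold are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed list of brand domains an organisation wants to protect (assumption).
PROTECTED_DOMAINS = ["paypal.com", "microsoft.com", "examplebank.com"]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def levenshtein(a, b):
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    # Naive "last two labels" rule (assumption); a real tool uses the public suffix list.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify_host(host):
    """Return (verdict, matched_brand) for one hostname."""
    reg = registrable_domain(host)
    for brand in PROTECTED_DOMAINS:
        if reg == brand:
            return "legitimate", brand
        name = brand.split(".")[0]
        if name in host.lower():          # brand name buried in some other domain
            return "lookalike", brand
        if levenshtein(reg, brand) <= 2:  # typo or letter swap, e.g. paypa1.com
            return "lookalike", brand
    return "unknown", None


def find_suspicious_links(text):
    """Extract every URL in text and return those whose host imitates a brand."""
    findings = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        verdict, brand = classify_host(host)
        if verdict == "lookalike":
            findings.append((url, brand))
    return findings


# Constructed sample email body
SAMPLE = """Your account has been blocked. Confirm your details at
https://www.paypa1.com/login or https://paypal.com.secure-verify.example/ .
Legitimate link: https://www.paypal.com/help"""

if __name__ == "__main__":
    for url, brand in find_suspicious_links(SAMPLE):
        print(f"lookalike of {brand}: {url}")
```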
Methods using brands, fake antiviruses and fake lotteries
Social engineering also employs fraud built on well-known brands, fake antiviruses and fake lotteries.
"Brand fraud" is a method of deception that also belongs to the phishing category. It covers emails and websites that carry the name of a large or heavily advertised company. Messages sent from such pages announce a win in some competition; the recipient is then asked to enter important account details, which are stolen. This form of fraud can also be carried out by phone.
A fake lottery is a method in which the victim receives a message stating that he or she has won a lottery. Most often the notification is disguised with the names of large corporations.
Fake antiviruses are a software scam: programs that look like antivirus products but in reality generate false alerts about a supposed threat and try to draw the user into paying for it.
Vishing, phreaking and pretexting
Any introduction to social engineering should also mention vishing, phreaking and pretexting.
Vishing is a form of fraud that uses telephone networks. It relies on pre-recorded voice messages intended to imitate the "official call" of a bank or some other IVR system. Most often the recipient is asked to enter a username and/or password to "confirm" some information; in other words, the system demands that the user authenticate with a PIN code or password.
Phreaking is another form of telephone fraud: manipulating telephone systems with sound and tone-dialing signals.
Pretexting is an attack that follows a pre-designed scenario in which the attacker presents himself as another entity. It is an extremely complicated form of deception, as it requires careful preparation.
Quid Pro Quo and the Road Apple Method
The theory of social engineering is a multifaceted body of knowledge that includes both methods of deception and manipulation and methods of countering them. The attackers' main task, as a rule, is to extract valuable information.
Other types of scam include quid pro quo, the "road apple" method, shoulder surfing, the use of open sources and reverse social engineering.
Quid pro quo (from the Latin for "something for something") is an attempt to extract information from a firm or company by contacting it by phone or by e-mail. Most often the attackers pose as technical support staff who report a specific problem at the employee's workstation and then suggest ways to fix it, for example by installing software. The software turns out to be malicious and furthers the crime.
The road apple is an attack method based on the idea of a Trojan horse. Its essence is the use of a physical medium and the substitution of information. For example, a memory card can be given some "benefit" that attracts the victim's attention and creates a desire to open and use the file or follow the links contained in the documents on the flash drive. The "road apple" is left in a public place, and the attacker waits until someone carries out the plan.
Collecting and searching for information from open sources is a scam built on psychological methods, the ability to notice small details and the analysis of available data, for example pages on a social network. This is a fairly new social engineering method.
Shoulder surfing and reverse social engineering
"Shoulder surfing" is exactly what the name says: observing a subject in person. In this type of information gathering the attacker goes to public places, such as a cafe, an airport or a railway station, and watches people.
This method should not be underestimated: many surveys and studies show that an attentive person can gather a great deal of confidential information simply by observing.
Social engineering (as a branch of sociological knowledge) is a means of "capturing" data. There are ways of obtaining data in which the victim personally offers the attacker the needed information. It can, however, also serve the good of society.
Reverse social engineering is another method of this discipline. The term applies to the case mentioned above: the victim personally offers the attacker the needed information. This should not be dismissed as absurd. The fact is that entities with authority in certain fields of activity often obtain access to identification data by their own decision. The basis here is trust.
Important to remember: support staff will never ask the user for a password, for example.
Awareness and Protection
Social engineering training can be undertaken by an individual on personal initiative or through the materials used in dedicated training programs.
Criminals can exploit a wide variety of weaknesses, from susceptibility to manipulation to laziness, credulity, the user's courtesy, and so on. Protecting oneself from this type of attack is extremely difficult because the victim is unaware of having been deceived. To protect their data from this kind of danger, firms and companies often evaluate the information that is generally available about them and then integrate the necessary security measures into their security policy.
Examples
An example of social engineering in the form of a mass phishing mailing is an event that occurred in 2003. In this scam, e-mail users received messages claiming that their accounts had been blocked and that, to lift the block, they had to re-enter their account details. The letters were fake, however, and led to a page that looked identical to the official one but was forged. According to expert estimates, the loss was not very significant (less than a million dollars).
Definition of Responsibility
Social engineering may be penalized in some cases. In a number of countries, the USA for example, pretexting (deception by impersonating another person) is treated as an invasion of privacy. It may be punishable by law if the information obtained through pretexting was confidential from the point of view of the subject or organization. Recording a telephone conversation (as a social engineering method) is also covered by law: for individuals it carries a fine of $250,000 or imprisonment for up to ten years; legal entities are required to pay $500,000, with the same term of imprisonment.