Social engineering. Famous Social Engineers


In this article we will look at the concept of social engineering and its main methods. We will also learn who is considered the founder of this concept, and we will separately discuss the main social engineering methods used by attackers.

Introduction

Methods that make it possible to influence human behavior and direct a person's actions without the use of technical tools together form the general concept of social engineering. All of these methods rest on the claim that the human factor is the most damaging weakness of any system. The concept is often considered at the level of illegal activity, in which a criminal takes actions aimed at obtaining information from a victim by dishonest means, for example through some form of manipulation. However, social engineering is also used in legitimate activities. Today it is most often used to gain access to resources holding classified or valuable information.

Founder

The founder of social engineering is Kevin Mitnick. However, the concept itself came from sociology, where it denotes a general set of approaches used by the applied social sciences to change an organizational structure so that it determines human behavior and exercises control over it. Kevin Mitnick can be considered the founder of this discipline because it was he who popularized social engineering in the first decade of the 21st century. Kevin was previously a hacker who targeted a wide variety of databases. He argued that the human factor is the most vulnerable point of systems at any level of complexity and organization.

If we talk about social engineering methods as a way of obtaining (usually illegal) rights to use confidential data, then they have been known for a very long time. However, it was K. Mitnick who was able to convey their significance and the specifics of their application.

Phishing and non-existent links

Every social engineering technique relies on cognitive biases. Behavioral errors become a “weapon” in the hands of a skilled engineer, who can later build an attack aimed at obtaining important data. Social engineering methods include phishing and non-existent links.

Phishing is a form of Internet fraud designed to obtain personal information, for example a login and password.

A non-existent link is a link that lures the recipient with certain benefits supposedly obtained by clicking on it and visiting a specific site. Most often the names of large companies are used, with subtle changes to their spelling. By clicking on the link, the victim “voluntarily” hands their personal data to the attacker.

Methods using brands, defective antiviruses and fraudulent lotteries

Social engineering also uses fraud methods based on famous brands, fake antiviruses and fraudulent lotteries.

“Fraud and brands” is a method of deception that also belongs to the phishing category. It includes emails and websites that carry the name of a large and/or heavily promoted company. Messages are sent in the company's name notifying you of a win in a particular competition; you are then asked to enter important account information, which is stolen. This form of scam can also be carried out over the phone.

A fake lottery is a method in which the victim is sent a message stating that he or she has won a lottery. Most often the notification is disguised using the names of large corporations.

Fake antiviruses are a software scam. They are programs that look like antiviruses but in reality generate false notifications about a specific threat and try to draw the user into making a payment.

Vishing, phreaking and pretexting

When talking about social engineering for beginners, it is also worth mentioning vishing, phreaking and pretexting.

Vishing is a form of deception that uses telephone networks. It employs pre-recorded voice messages whose purpose is to imitate the “official call” of a bank or some other organization's IVR system. Most often you are asked to enter a login and/or password in order to confirm some information. In other words, the system requires the user to authenticate with PIN codes or passwords.

Phreaking is another form of telephone deception. It is a way of hacking telephone systems using sound manipulation and tone dialing.

Pretexting is an attack carried out according to a pre-thought-out plan, the essence of which is to present it to another subject. It is an extremely difficult form of deception, since it requires careful preparation.

Quid-pro-quo and the “road apple” method

The theory of social engineering is a multifaceted body of knowledge that covers both methods of deception and manipulation and ways to counter them. The main task of intruders, as a rule, is fishing out valuable information.

Other types of scams include quid pro quo, the “road apple” method, shoulder surfing, the use of open sources and reverse social engineering.

Quid pro quo (from the Latin “this for that”) is an attempt to extract information from a company or firm. It is carried out by contacting the company by phone or by sending messages by email. Most often the attackers introduce themselves as technical support staff and report the presence of a specific problem at the employee's workstation. They then suggest ways to eliminate it, for example by installing software. The software turns out to be defective and helps advance the crime.

Road apple is an attack method based on the idea of a Trojan horse. Its essence lies in the use of physical media and the substitution of information. For example, the attacker can supply a memory card containing certain “goodies” that attract the victim's attention and make them want to open and use the file, or follow the links in the documents on the flash drive. The “road apple” is dropped in a public place and waits until someone carries out the attacker's plan.

Collecting and searching for information from open sources is a scam in which data is obtained by psychological methods, the ability to notice small details and the analysis of available data, for example pages on a social network. This is a relatively new social engineering method.

Shoulder surfing and reverse social engineering

The concept of “shoulder surfing” is literally watching a subject live. With this type of data extraction the attacker goes to public places, for example a cafe, airport or train station, and watches people.

This method should not be underestimated, as many surveys and studies show that an attentive person can obtain a lot of sensitive information simply by being observant.

Social engineering (as a branch of sociological knowledge) is a means of “capturing” data. There are ways of obtaining data in which the victim herself offers the attacker the necessary information. However, it can also serve for the benefit of society.

Reverse social engineering is another method of this discipline. The term applies in the case mentioned above: the victim herself offers the attacker the necessary information. This should not be taken as absurd. The fact is that people endowed with authority in certain fields of activity are often given access to identification data at the subject's own discretion. The basis here is trust.

Important to remember! Support staff will never ask the user for a password, for example.

Awareness and protection

Social engineering training can be carried out by an individual both on the basis of personal initiative and on the basis of manuals that are used in special training programs.

Criminals can use a wide variety of types of deception, exploiting everything from manipulation to laziness, gullibility and user kindness. It is extremely difficult to protect against this type of attack, because the victim is often not aware that he or she has been deceived. To protect their data against this level of danger, firms and companies usually first assess the general situation. The necessary protection measures are then integrated into the security policy.

Examples

An example of social engineering in the field of global phishing mailings is an event that occurred in 2003. As part of this scam, eBay users were sent emails stating that their accounts had been blocked. To lift the block, the user had to re-enter their account information. However, the letters were fake: they redirected to a page identical to the official one but counterfeit. According to expert estimates, the losses were not too significant (less than a million dollars).

Definition of responsibility

Social engineering may be punishable in some cases. In a number of countries, such as the United States, pretexting (deception by impersonating another person) is equated to an invasion of privacy. It may be punishable by law if the information obtained during pretexting was confidential from the point of view of the subject or organization. Recording a telephone conversation (as a method of social engineering) is also covered by law and carries a fine of $250,000 or imprisonment for up to ten years for individuals. Legal entities are required to pay $500,000; the term of imprisonment remains the same.

Social engineering

Social engineering is a method of unauthorized access to information or information storage systems without using technical means. The main goal of social engineers, like other hackers and crackers, is to gain access to secure systems in order to steal information, passwords, credit card information, etc. The main difference from ordinary hacking is that in this case the target of the attack is not the machine but its operator. That is why all methods and techniques of social engineers are based on exploiting the weaknesses of the human factor, which is considered extremely destructive, since the attacker obtains information, for example, through an ordinary telephone conversation or by infiltrating an organization under the guise of one of its employees. To protect against this type of attack, you should be aware of the most common types of fraud, understand what hackers really want, and organize a suitable security policy in a timely manner.

History

Despite the fact that the concept of “social engineering” appeared relatively recently, people have used its techniques in one form or another since time immemorial. In Ancient Greece and Rome, people who could convince their interlocutor by various means that he was plainly wrong were held in high esteem. Speaking on behalf of the leaders, they conducted diplomatic negotiations. Skillfully using lies, flattery and advantageous arguments, they often solved problems that seemed impossible to solve without the help of a sword. Among spies, social engineering has always been the main weapon. By impersonating another person, KGB and CIA agents could find out state secrets. In the early 70s, during the heyday of phreaking, some telephone hooligans called telecom operators and tried to extract confidential information from company technical staff. After various experiments with tricks, by the end of the 70s phreakers had so perfected the techniques of manipulating untrained operators that they could easily learn from them almost everything they wanted.

Principles and techniques of social engineering

There are several common techniques and types of attacks that social engineers use. All of these techniques are based on features of human decision-making known as cognitive biases. These biases are used in various combinations to create the most appropriate deception strategy in each specific case. The common feature of all these methods is misleading the target in order to force a person to perform some action that is not beneficial to him but is necessary for the social engineer. To achieve the desired result, the attacker uses a number of tactics: impersonating another person, distracting attention, increasing psychological tension, etc. The ultimate goals of the deception can also be very diverse.

Social engineering techniques

Pretexting

Pretexting is a set of actions carried out according to a specific, pre-prepared scenario (pretext). This technique involves the use of voice channels such as the telephone, Skype, etc. to obtain the necessary information. Typically, by posing as a third party or pretending that someone needs help, the attacker asks the victim to provide a password or log in to a phishing web page, thereby tricking the target into taking a desired action or providing certain information. In most cases this technique requires some initial information about the target of the attack (for example, personal data: date of birth, phone number, account numbers, etc.). The most common strategy is to begin with small requests and to mention the names of real people in the organization. Later, during the conversation, the attacker explains that he needs help (most people are able and willing to perform tasks that are not perceived as suspicious). Once trust has been established, the scammer may ask for something more substantial and important.

Phishing

(Figure: example of a phishing email purporting to come from a postal service and requesting “account reactivation”)

Phishing (from the English “fishing”) is a type of Internet fraud whose purpose is to gain access to confidential user data such as logins and passwords. This is perhaps the most popular social engineering scheme today. Not a single major personal data leak occurs without a wave of phishing emails following it. The purpose of phishing is to illegally obtain confidential information. The most striking example of a phishing attack is a message sent to the victim by email and counterfeited as an official letter from a bank or payment system, requiring verification of certain information or the performance of certain actions. The stated reasons vary: data loss, a system failure, etc. These emails usually contain a link to a fake web page that looks exactly like the official one and contains a form asking you to enter sensitive information.

One of the most famous examples of global phishing emails was a 2003 scam in which thousands of eBay users received emails claiming that their account had been locked and required updating their credit card information to unlock it. All of these emails contained a link leading to a fake web page that looked exactly like the official one. According to experts, the losses from this scam amounted to several hundred thousand dollars.

How to recognize a phishing attack

Almost every day new fraud schemes appear. Most people can learn to recognize fraudulent messages on their own by becoming familiar with some of their distinguishing features. Most often, phishing messages contain:

  • information causing concern or threats, such as the closure of user bank accounts.
  • promises of huge cash prizes with little or no effort.
  • requests for voluntary donations on behalf of charitable organizations.
  • grammatical, punctuation and spelling errors.
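As an added illustration (example code written for this article, not part of the original text), the following Python script turns the list of features above into a simple scoring check that can be run over the subject and body of an incoming message. The indicator word lists and the two sample messages are constructed for the example; a production filter would use far larger lists and header checks as well.

```python
import re
from dataclasses import dataclass, field

# Indicator patterns grouped by the categories the article lists. The word lists
# are constructed for this example and are illustrative, not an exhaustive filter.
INDICATORS = {
    "threat_or_urgency": [
        r"\baccount (?:will be|has been) (?:closed|locked|suspended|blocked)\b",
        r"\bwithin (?:24|48) hours\b",
        r"\burgent\b",
        r"\bverify your (?:account|identity)\b",
    ],
    "prize_or_windfall": [
        r"\byou (?:have )?won\b",
        r"\b(?:lottery|prize|jackpot)\b",
        r"\$\s?\d{1,3}(?:,\d{3})+\b",
    ],
    "donation_request": [
        r"\b(?:donate|donation|charit(?:y|able))\b",
    ],
    "credential_request": [
        r"\b(?:password|pin code|card number|cvv)\b",
    ],
    "spelling_error": [
        # a handful of misspellings often seen in such mail; constructed list
        r"\b(?:recieve|verfiy|acount|securty|informations)\b",
    ],
}


@dataclass
class PhishingVerdict:
    score: int                      # number of distinct indicator categories hit
    hits: dict = field(default_factory=dict)  # category -> matched fragments

    @property
    def suspicious(self) -> bool:
        # Two independent categories (e.g. a threat plus a password request)
        # is a stronger signal than several hits from one category.
        return self.score >= 2


def score_message(subject: str, body: str) -> PhishingVerdict:
    """Score one message; matching is case-insensitive over subject and body."""
    text = f"{subject}\n{body}".lower()
    hits = {}
    for category, patterns in INDICATORS.items():
        matched = [m.group(0) for p in patterns for m in re.finditer(p, text)]
        if matched:
            hits[category] = matched
    return PhishingVerdict(score=len(hits), hits=hits)


# Constructed sample messages for the example.
SAMPLE_PHISH = {
    "subject": "Urgent: your acount will be suspended",
    "body": ("Dear customer, we detected unusual activity. Your account will be "
             "suspended within 24 hours unless you verify your identity. "
             "Click here and enter your password to verfiy."),
}
SAMPLE_LEGIT = {
    "subject": "Team lunch on Friday",
    "body": "Hi all, lunch is at noon in the main cafeteria. Bring your own mug.",
}

if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_LEGIT):
        verdict = score_message(**sample)
        print(sample["subject"], "->", "SUSPICIOUS" if verdict.suspicious else "ok", verdict.hits)
```

The score counts categories rather than individual matches, so one message that is merely urgent is not flagged, while a message that is urgent and asks for a password is.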

Popular phishing schemes

The most popular phishing scams are described below.

Fraud using brands of famous corporations

These phishing schemes use fake email messages or websites containing the names of large or well-known companies. The messages may include congratulations on winning a competition held by the company, or a claim that your credentials or password urgently need to be changed. Similar fraudulent schemes on behalf of the technical support service can also be carried out by telephone.

Fraudulent lotteries

The user may receive messages indicating that he has won a lottery that was conducted by some well-known company. On the surface, these messages may appear as if they were sent on behalf of a senior corporate employee.

False antivirus and security programs

IVR or telephone phishing

(Figure: operating principle of IVR systems)

Quid pro quo

Quid pro quo is a Latin phrase, commonly used in English, meaning “something for something”. This type of attack involves the attacker calling the company on its corporate phone. In most cases the attacker poses as a technical support employee asking whether there are any technical problems. In the process of “solving” those problems, the scammer “forces” the target to enter commands that allow the hacker to launch or install malicious software on the user's machine.

Trojan horse

Sometimes the use of Trojans is only part of a planned multi-stage attack on certain computers, networks or resources.

Types of Trojans

Trojans are most often developed for malicious purposes. One classification divides them into categories according to how they infiltrate the system and what harm they cause. There are 5 main types:

  • remote access
  • data destruction
  • loader
  • server
  • security program deactivator

Goals

The purpose of the Trojan program can be:

  • uploading and downloading files
  • copying false links leading to fake websites, chat rooms or other registration sites
  • interfering with the user's work
  • stealing data of value or secrets, including authentication information, for unauthorized access to resources, obtaining details of bank accounts that could be used for criminal purposes
  • distribution of other malware such as viruses
  • destruction of data (erasing or overwriting data on a disk, hard-to-see damage to files) and equipment, disabling or failure of service of computer systems, networks
  • collecting email addresses and using them to send spam
  • spying on the user and secretly communicating information to third parties, such as browsing habits
  • logging keystrokes to steal information such as passwords and credit card numbers
  • deactivating or interfering with the operation of antivirus programs and firewalls

Disguise

Many Trojan programs are located on users' computers without their knowledge. Sometimes Trojans are registered in the Registry, which leads to their automatic launch when the operating system starts. Trojans can also be combined with legitimate files. When a user opens such a file or launches an application, the Trojan is launched along with it.
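Because the Registry Run keys are the autostart location the paragraph mentions, auditing them is a basic defensive check. The Python example below is added here and is not code from the original article: it parses a constructed .reg export of the Run keys and flags entries whose executable lives in a user-writable directory, or that borrow the name of a System32-only binary while living somewhere else. The paths, value names and watch lists are assumptions constructed for the example.

```python
import re
from pathlib import PureWindowsPath

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

# Directories an ordinary user can write to; a legitimate autorun rarely lives there.
USER_WRITABLE = ("\\temp\\", "\\downloads\\", "\\users\\public\\")
# Binaries that ship only in System32; the same name elsewhere is a classic disguise.
SYSTEM32_ONLY = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe"}

# Constructed .reg export (not taken from any real machine).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"WinUpdate"="C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"Helper"="C:\\Users\\Public\\Downloads\\helper.exe -silent"
"""


def _unescape(value: str) -> str:
    """Undo .reg string escaping: \\ -> \ and \" -> "."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def _executable(command: str) -> str:
    """Extract the program path from a Run value (quoted path or first token)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]


def audit_autoruns(reg_text: str) -> list:
    """Return suspicious Run-key entries with the reasons they were flagged."""
    findings, current_key = [], None
    for line in reg_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m or current_key is None or not current_key.lower().endswith("\\run"):
            continue
        name, command = m.group(1), _unescape(m.group(2))
        exe = PureWindowsPath(_executable(command))
        lower = str(exe).lower()
        reasons = []
        if any(part in lower for part in USER_WRITABLE):
            reasons.append("user_writable_location")
        if exe.name.lower() in SYSTEM32_ONLY and str(exe.parent).lower() != r"c:\windows\system32":
            reasons.append("system_binary_name_outside_system32")
        if reasons:
            findings.append({"key": current_key, "name": name, "path": str(exe), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_autoruns(SAMPLE_REG_EXPORT):
        print(f"{f['name']:14} {f['path']}  <- {', '.join(f['reasons'])}")
```

On a live system the same export is produced with `reg export` of the two Run keys; the checks here are deliberately simple and meant as a starting point, not a replacement for a full autoruns review.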

How the Trojan works

Trojans usually consist of two parts: a Client and a Server. The Server runs on the victim machine and waits for connections from the Client, monitoring one or more ports. In order to connect to the Server, the attacker must know the IP address of the machine on which it is running; some Trojans send the victim machine's IP address to the attacker by email or some other method. Once a connection to the Server is established, the Client can send it commands, which the Server executes. Today, because of NAT, most computers cannot be reached via an external IP address. That is why many modern Trojans connect outward to the attacker's computer, which is responsible for accepting the incoming connections, instead of the attacker trying to connect to the victim. Many modern Trojans can also easily bypass firewalls on user computers.
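The observation that modern Trojans connect outward to the attacker's computer has a defensive consequence: a compromised host produces regular outbound connections (“beaconing”) to the same address. The following Python example, added here and not part of the original article, reads a constructed connection log, groups connections by source and destination, and flags pairs whose connection intervals are both numerous and unusually regular. The log format, addresses and thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed connection log: one line per outbound connection (assumed format).
SAMPLE_LOG = """\
2024-05-01T10:00:00 src=10.0.0.5 dst=203.0.113.7:443 proto=tcp
2024-05-01T10:01:01 src=10.0.0.5 dst=203.0.113.7:443 proto=tcp
2024-05-01T10:01:59 src=10.0.0.5 dst=203.0.113.7:443 proto=tcp
2024-05-01T10:03:00 src=10.0.0.5 dst=203.0.113.7:443 proto=tcp
2024-05-01T10:04:02 src=10.0.0.5 dst=203.0.113.7:443 proto=tcp
2024-05-01T10:05:00 src=10.0.0.5 dst=203.0.113.7:443 proto=tcp
2024-05-01T10:00:12 src=10.0.0.8 dst=198.51.100.9:443 proto=tcp
2024-05-01T10:00:40 src=10.0.0.8 dst=198.51.100.9:443 proto=tcp
2024-05-01T10:07:05 src=10.0.0.8 dst=198.51.100.9:443 proto=tcp
2024-05-01T10:07:09 src=10.0.0.8 dst=198.51.100.9:443 proto=tcp
2024-05-01T10:21:33 src=10.0.0.8 dst=198.51.100.9:443 proto=tcp
2024-05-01T10:22:00 src=10.0.0.8 dst=198.51.100.9:443 proto=tcp
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) proto=\S+$")


def parse_connections(log_text: str) -> dict:
    """Return {(src, dst): [timestamps]} from the constructed log format."""
    conns = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort
        ts, src, dst = m.groups()
        conns[(src, dst)].append(datetime.fromisoformat(ts))
    return conns


def find_beacons(log_text: str, min_connections: int = 5, max_cv: float = 0.2) -> list:
    """Flag (src, dst) pairs whose inter-connection gaps are regular.

    Regularity is measured by the coefficient of variation (std/mean) of the gaps;
    human-driven traffic is bursty (high CV), a timer-driven implant is not.
    """
    findings = []
    for (src, dst), times in parse_connections(log_text).items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "connections": len(times),
                             "mean_interval": avg, "cv": round(cv, 3)})
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}: {f['connections']} connections, "
              f"every {f['mean_interval']:.0f}s (cv={f['cv']})")
```

In the sample, host 10.0.0.5 connects every minute with a few seconds of jitter and is flagged; host 10.0.0.8 connects the same number of times but at irregular, user-like intervals and is not. Real implants add random jitter, so the threshold is a tuning knob, not a fixed rule.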

Collection of information from open sources

The use of social engineering techniques requires not only knowledge of psychology but also the ability to collect the necessary information about a person. A relatively new way of obtaining such information is collecting it from open sources, mainly from social networks. For example, sites such as LiveJournal, Odnoklassniki and VKontakte contain a huge amount of data that people do not try to hide. As a rule, users do not pay enough attention to security issues, leaving data and information in the public domain that can be used by an attacker.

An illustrative example is the story of the kidnapping of Evgeniy Kaspersky’s son. During the investigation, it was established that the criminals learned the teenager’s daily schedule and routes from his posts on a social network page.

Even by limiting access to information on his social network page, a user cannot be sure that it will never fall into the hands of fraudsters. For example, a Brazilian researcher on computer security showed that it is possible to become a friend of any Facebook user within 24 hours using social engineering methods. During the experiment, researcher Nelson Novaes Neto chose a “victim” and created a fake account of a person from her environment - her boss. Neto first sent friend requests to friends of friends of the victim's boss, and then directly to his friends. After 7.5 hours, the researcher got the “victim” to add him as a friend. Thus, the researcher gained access to the user’s personal information, which he shared only with his friends.

Road apple

This attack method is an adaptation of the Trojan horse and consists of using physical media. The attacker plants an “infected” disc or flash drive in a place where it can easily be found (restroom, elevator, parking lot). The medium is faked to look official and carries a label designed to arouse curiosity. For example, a scammer can plant a disc bearing a corporate logo and a link to the company's official website, labeling it “Executive salaries”. The disc can be left on the elevator floor or in the lobby. An employee may unknowingly pick up the disc and insert it into a computer to satisfy his curiosity.

Reverse social engineering

Reverse social engineering is the term used when the victim herself offers the attacker the information he needs. This may seem absurd, but in fact people with authority in the technical or social sphere often receive user IDs, passwords and other important personal information simply because no one doubts their integrity. For example, support staff never ask users for an ID or password; they do not need this information to solve problems. However, many users voluntarily provide this confidential information in order to resolve their problems faster. It turns out that the attacker does not even need to ask for it.

An example of reverse social engineering is the following simple scenario. An attacker working alongside the victim renames a file on the victim's computer or moves it to a different directory. When the victim notices the file is missing, the attacker claims that he can fix everything. Wanting to finish the job faster or avoid punishment for losing information, the victim agrees. The attacker claims that the problem can only be solved by logging in with the victim's credentials, so the victim now asks the attacker to log in under her name to try to restore the file. The attacker reluctantly agrees and restores the file, stealing the victim's ID and password in the process. Having successfully carried out the attack, he has even improved his reputation, and it is quite possible that other colleagues will later turn to him for help. This approach does not conflict with the normal procedures for providing support and makes it harder to catch the attacker.

Famous Social Engineers

Kevin Mitnick

(Figure: Kevin Mitnick, world-famous hacker and security consultant)

One of the most famous social engineers in history is Kevin Mitnick. A world-famous computer hacker and security consultant, Mitnick is also the author of numerous books on computer security, mainly devoted to social engineering and methods of psychological influence on people. In 2002 his book “The Art of Deception” was published, recounting real cases in which social engineering was applied. Kevin Mitnick argued that it is much easier to obtain a password by deception than to try to break a security system.

Badir Brothers

Despite the fact that the brothers Mundir, Mushid and Shadi Badir were blind from birth, they managed to carry out several large fraud schemes in Israel in the 1990s using social engineering and voice spoofing. In a TV interview they said: “Only those who do not use telephones, electricity and laptops are completely insured against network attacks.” The brothers had already been in prison for being able to hear and decipher the secret interference tones of telephone providers. They made long calls abroad at someone else's expense, having reprogrammed the computers of cellular providers with interference tones.

Archangel

(Figure: cover of Phrack magazine)

A famous computer hacker and security consultant for the well-known English-language online magazine “Phrack Magazine”, Archangel demonstrated the capabilities of social engineering techniques by obtaining passwords to a huge number of different systems, deceiving several hundred victims.

Other

Lesser-known social engineers include Frank Abagnale, David Bannon, Peter Foster and Stephen Jay Russell.

Ways to protect against social engineering

To carry out their attacks, attackers who use social engineering techniques often exploit the gullibility, laziness, courtesy and even enthusiasm of users and employees of organizations. It is not easy to defend against such attacks because victims may not be aware that they have been deceived. Social engineering attackers generally have the same goals as any other attacker: they want money, information, or the IT resources of the victim company. To protect against such attacks, you need to study their types, understand what the attacker needs and assess the damage that could be caused to the organization. Having all this information, you can integrate the necessary protection measures into your security policy.

Threat classification

Email threats

Many employees receive dozens or even hundreds of messages every day through corporate and private email systems. Of course, with such a flow of correspondence it is impossible to pay due attention to each letter. This makes it much easier to carry out attacks. Most users of email systems are relaxed about processing such messages, perceiving this work as the electronic analogue of moving papers from one folder to another. When an attacker sends a simple request by mail, his victim will often do what he is asked without thinking about his actions. Emails may contain hyperlinks that entice employees to violate corporate security. Such links do not always lead to the stated pages.

Most security measures are aimed at preventing unauthorized users from accessing corporate resources. If, by clicking on a hyperlink sent by an attacker, the user downloads a Trojan horse or a virus onto the corporate network, many types of protection can easily be bypassed. The hyperlink may also point to a site with pop-up applications asking for data or offering help. As with other types of scams, the most effective way to protect yourself from malicious attacks is to be skeptical of any unexpected incoming email. To promote this approach throughout your organization, your security policy should include specific guidelines for the use of email that cover the following elements.

  • Attachments to documents.
  • Hyperlinks in documents.
  • Requests for personal or corporate information emanating from within the company.
  • Requests for personal or corporate information originating from outside the company.
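The hyperlink checks this policy calls for, together with the “subtle adjustments” to company names described earlier under non-existent links, can be automated. The following Python example is added here and is not code from the original article: it parses the anchors in an HTML message body and flags three things: a visible URL whose domain differs from the real target, a protected brand name used as a subdomain of an unrelated domain, and a host label one character away from a protected brand. The brand watch list and the sample HTML are constructed for the example, and the `.example` hosts are placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands worth protecting; constructed watch list for the example.
KNOWN_BRANDS = {"paypal", "ebay", "microsoft"}

# Constructed message body with one honest link and two deceptive ones.
SAMPLE_HTML = """
<p>Your account needs attention.</p>
<a href="http://paypa1-secure.example/login">https://www.paypal.com/login</a>
<a href="http://paypal.account-verify.example/">Verify now</a>
<a href="https://www.example.com/news">https://www.example.com/news</a>
"""


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from anchor tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(url: str):
    """Return (last two host labels, full host). Good enough for .com/.example;
    real code would consult a public-suffix list for domains like co.uk."""
    if not re.match(r"^[a-z][a-z0-9+.-]*://", url, re.I):
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:]), host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character brand lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_links(html_body: str) -> list:
    """Return one finding per anchor with a (possibly empty) list of issues."""
    parser = _LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        issues = []
        href_domain, host = registrable_domain(href)
        # 1. Visible text is itself a URL but points somewhere else.
        if re.match(r"^(https?://|www\.)", text, re.I):
            text_domain, _ = registrable_domain(text)
            if text_domain != href_domain:
                issues.append(f"display_url_mismatch:{text_domain}->{href_domain}")
        labels = host.split(".")
        for brand in sorted(KNOWN_BRANDS):
            # 2. Brand appears as a subdomain of some other registrable domain.
            if brand in labels and not href_domain.startswith(brand + "."):
                issues.append(f"brand_in_subdomain:{brand}")
            # 3. A host token differs from the brand by exactly one character.
            for token in re.split(r"[.-]", host):
                if token != brand and edit_distance(token, brand) == 1:
                    issues.append(f"lookalike:{token}~{brand}")
        findings.append({"href": href, "text": text, "issues": issues})
    return findings


if __name__ == "__main__":
    for f in analyze_links(SAMPLE_HTML):
        print(f["href"], "->", f["issues"] or "ok")
```

A mail gateway would run this over each inbound HTML part and either tag or quarantine messages with any non-empty issue list; the same three checks are also a useful mental routine for a user hovering over a link before clicking.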

Threats associated with using instant messaging services

Instant messaging is a relatively new method of data transfer, but it has already gained wide popularity among corporate users. Because of its speed and ease of use, this method of communication opens up wide opportunities for various attacks: users treat it like a telephone call and do not associate it with potential software threats. The two main types of attack based on instant messaging services are including a link to a malicious program in the body of the message and delivering the program itself. Of course, instant messaging is also one way of requesting information. One of the features of instant messaging services is the informal nature of communication. Combined with the ability to choose any name, this makes it much easier for an attacker to impersonate someone else and greatly increases his chances of successfully carrying out an attack. If a company intends to take advantage of the cost savings and other benefits of instant messaging, it must include protection mechanisms against the relevant threats in its corporate security policy. To gain reliable control over instant messaging in an enterprise environment, several requirements must be met.

  • Choose one instant messaging platform.
  • Determine the security settings that are specified when deploying the instant messaging service.
  • Determine principles for establishing new contacts.
  • Set password standards.
  • Make recommendations for using the instant messaging service.

Multi-level security model

To protect large companies and their employees from scammers using social engineering techniques, complex multi-level security systems are often used. Some of the features and responsibilities of such systems are listed below.

  • Physical security. Barriers that restrict access to company buildings and corporate resources. Do not forget that company resources, for example, garbage containers located outside the company’s territory, are not physically protected.
  • Data. Business information: accounts, mail, etc. When analyzing threats and planning measures to protect data, you need to determine the principles of handling paper and electronic data media.
  • Applications. User-run programs. To protect your environment, you need to consider how attackers can exploit email programs, instant messaging, and other applications.
  • Computers. Servers and client systems used in the organization. Protect users from direct attacks on their computers by defining strict guidelines governing which programs may be used on corporate computers.
  • Internal network. The network through which corporate systems interact. It can be local, wide-area or wireless. In recent years, due to the growing popularity of remote working, the boundaries of internal networks have become largely arbitrary. Company employees need to be told what they must do to work safely in any network environment.
  • Network perimeter. The boundary between a company's internal networks and external ones, such as the Internet or networks of partner organizations.

Responsibility

Pretexting and recording of telephone conversations

Hewlett-Packard

Patricia Dunn, president of Hewlett Packard Corporation, said she hired a private company to identify those company employees who were responsible for leaking confidential information. Later, the head of the corporation admitted that the practice of pretexting and other social engineering techniques was used during the research process.


Methods of social engineering are exactly what will be discussed in this article, along with everything related to the manipulation of people, phishing, theft of client databases and more. Andrey Serikov, the author of this material, kindly provided it to us, for which we thank him very much.

A. SERIKOV

A.B.BOROVSKY

INFORMATION TECHNOLOGIES OF SOCIAL HACKING

Introduction

Mankind's desire to achieve perfect fulfillment of assigned tasks drove the development of modern computer hardware, and attempts to satisfy people's conflicting demands led to the development of software products. These software products not only support the operation of the hardware but also control it.

The development of knowledge about man and computer has led to the emergence of a fundamentally new type of system - “human-machine”, where a person can be positioned as hardware, running a stable, functional, multitasking operating system called "psyche".

The subject of this work is social hacking considered as a branch of social programming, in which a person is manipulated by means of the human weaknesses, prejudices and stereotypes studied in social engineering.

Social engineering and its methods

Methods of human manipulation have been known for a long time; they mainly came to social engineering from the arsenal of various intelligence services.

The first known case of competitive intelligence dates back to the 6th century BC and occurred in China, when the Chinese lost the secret of making silk, which was fraudulently stolen by Roman spies.

Social engineering is a science that is defined as a set of methods for manipulating human behavior, based on the use of the weaknesses of the human factor, without the use of technical means.

According to many experts, the greatest threat to information security comes precisely from the methods of social engineering, if only because the use of social hacking requires neither significant financial investment nor thorough knowledge of computer technology, and also because people have certain behavioural tendencies that can be exploited for careful manipulation.

And no matter how much we improve technical protection systems, people will remain people, with the weaknesses, prejudices and stereotypes through which they can be controlled. Configuring a human “security program” is the most difficult task and does not always give guaranteed results, since this filter must be constantly adjusted. Here the main motto of all security experts sounds more relevant than ever: “Security is a process, not a result.”

Areas of application of social engineering:

  1. general destabilization of the organization’s work in order to reduce its influence and the possibility of subsequent complete destruction of the organization;
  2. financial fraud in organizations;
  3. phishing and other methods of stealing passwords in order to access personal banking data of individuals;
  4. theft of client databases;
  5. competitive intelligence;
  6. general information about the organization, its strengths and weaknesses, with the aim of subsequently destroying this organization in one way or another (often used for raider attacks);
  7. information about the most promising employees with the aim of later “poaching” them for one's own organization.

Social programming and social hacking

Social programming can be called an applied discipline that deals with targeted influence on a person or group of people in order to change or maintain their behavior in the desired direction. Thus, the social programmer sets himself a goal: mastering the art of managing people. The basic concept of social programming is that many people’s actions and their reactions to one or another external influence are in many cases predictable.

Social programming methods are attractive because either no one will ever learn of them, or, even if someone suspects something, it is very difficult to bring such a figure to justice; and in some cases it is possible to “program” the behaviour of both a single person and a large group. These possibilities fall into the category of social hacking precisely because in all of them people carry out someone else's will, as if obeying a “program” written by a social hacker.

Social hacking as the ability to hack a person and program him to perform the desired actions comes from social programming - an applied discipline of social engineering, where specialists in this field - social hackers - use techniques of psychological influence and acting, borrowed from the arsenal of the intelligence services.

Social hacking is used in most cases when the target is a person who is part of a computer system. A computer system that is being hacked does not exist in isolation: it contains an important component, a person. To get information, a social hacker needs to hack the person who works with the computer. In most cases this is easier than breaking into the victim's computer in an attempt to find out the password.

Typical influence algorithm in social hacking:

All attacks by social hackers fit into one fairly simple scheme:

  1. the purpose of influencing a particular object is formulated;
  2. information about the object is collected in order to detect the most convenient targets of influence;
  3. based on the information collected, a stage is carried out that psychologists call attraction. Attraction (from the Latin attrahere, to attract) is the creation of the conditions necessary to influence the object;
  4. the object is induced to take the action the social hacker needs.

Coercion is achieved by performing the previous stages, i.e., after the attraction is achieved, the victim himself takes the actions necessary for the social engineer.

Based on the information collected, social hackers quite accurately predict the psycho- and sociotype of the victim, identifying not only needs for food, sex, etc., but also the need for love, the need for money, the need for comfort, etc., etc.

And indeed, why try to penetrate this or that company, hack computers and ATMs, and organize complex combinations, when you can do it more simply: make a person fall in love with you, and of their own free will they will transfer money to the specified account or share the necessary information every time?

Based on the fact that people's actions are predictable and subject to certain laws, social hackers and social programmers use both elaborate multi-step combinations and simple positive and negative techniques based on the psychology of human consciousness, behavioural programs, the vibrations of internal organs, logical thinking, imagination, memory and attention. These techniques include:

Wood generator - generates oscillations at the same frequency as the oscillations of internal organs, after which a resonance effect is observed, as a result of which people begin to feel severe discomfort and a state of panic;

impact on the geography of the crowd - for the peaceful disbandment of extremely dangerous aggressive, large groups of people;

high-frequency and low-frequency sounds - to provoke panic and its reverse effect, as well as other manipulations;

social imitation program - a person determines the correctness of actions by finding out what actions other people consider correct;

claquering program - (based on social imitation) organization of the necessary reaction from the audience;

formation of queues - (based on social imitation) a simple but effective advertising move;

mutual assistance program - a person seeks to repay kindness to those people who have done some kindness to him. The desire to fulfill this program often exceeds all reason;

Social hacking on the Internet

With the advent and development of the Internet, a virtual environment consisting of people and their interactions, the environment for manipulating a person into revealing the necessary information and performing the necessary actions has expanded. Today the Internet is a means of worldwide broadcasting, a medium for collaboration and communication, and covers the entire Earth. This is exactly what social engineers use to achieve their goals.

Ways to manipulate a person via the Internet:

In the modern world the owners of almost every company have already realized that the Internet is a very effective and convenient tool for expanding a business, whose main task is to increase the profits of the whole company. It is known that advertising is used to supply information aimed at attracting attention to the desired object, generating or maintaining interest in it, and promoting it on the market. But because the advertising market was divided up long ago, most types of advertising are wasted money for most entrepreneurs. Internet advertising is not just another kind of media advertising; it is something more, since with its help people interested in cooperation come to the organization's website.

Internet advertising, unlike media advertising, offers many more possibilities and options for controlling an advertising campaign. The most important property of Internet advertising is that fees are charged only when an interested user clicks through an advertising link, which of course makes advertising on the Internet more effective and less costly than advertising in the media. When advertising on television or in print, the advertiser pays in full and simply waits for potential clients, who may or may not respond; it all depends on the quality of the production and presentation of the advertisement on television or in the newspapers, but the advertising budget has already been spent, and if the advertising did not work, it is wasted. Unlike such media advertising, Internet advertising makes it possible to track audience response and manage the advertising before its budget is spent; moreover, Internet advertising can be suspended when demand for products has risen and resumed when demand begins to fall.

Another method of influence is the so-called “killing of forums”, where social programming is used to create anti-advertising for a particular project. In this case the social programmer, by means of openly provocative actions, single-handedly destroys the forum, using several pseudonyms (nicknames) to gather an anti-leadership group around himself and to attract regular visitors to the project who are dissatisfied with the behaviour of the administration. By the end of such a campaign it becomes impossible to promote products or ideas on the forum, which is what the forum was originally built for.

Methods of influencing a person via the Internet for the purpose of social engineering:

Phishing is a type of Internet fraud aimed at gaining access to confidential user data, namely logins and passwords. It is carried out through mass mailings of emails on behalf of popular brands, as well as personal messages within various services (Rambler), banks or social networks (Facebook). The letter often contains a link to a website outwardly indistinguishable from the real one. Once the user lands on the fake page, social engineers use various techniques to encourage the user to enter the login and password used to access the real site, which gives the attacker access to the user's accounts, including bank accounts.

A more dangerous type of fraud than phishing is the so-called pharming.

Pharming is a mechanism for covertly redirecting users to phishing sites. A social engineer distributes special malware to users' computers which, once launched, redirects requests for legitimate sites to fake ones. The attack is therefore highly covert, and user participation is reduced to a minimum: it is enough to wait until the user decides to visit a site of interest to the social engineer.
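The local redirection that pharming relies on can be audited on an endpoint. The following added example, not code from the article, parses a hosts file and flags watched domains pinned to non-loopback addresses; the domain list, addresses and file contents are constructed.

```python
"""Detect pharming-style overrides of sensitive domains in a hosts file.

Pharming malware often rewrites the local hosts file so that a bank's name
resolves to an attacker-controlled address. This added example (not code
from the article) parses hosts-file syntax and reports any entry mapping a
watched domain, or a subdomain of it, off loopback. Names are constructed.
"""
import ipaddress

# Constructed watch list; replace with the organisation's own domains.
WATCHED_DOMAINS = ("examplebank.test", "mail.example.test")

# Constructed hosts-file snapshot: a loopback mapping merely blackholes a
# name, while the public addresses below would silently redirect users.
SAMPLE_HOSTS = """\
# Host database
127.0.0.1   localhost
::1         localhost ip6-localhost
127.0.0.1   examplebank.test      # harmless: blackholed to loopback
203.0.113.9 www.examplebank.test online.examplebank.test  # suspicious
198.51.100.7 mail.example.test
192.0.2.5   intranet.corp.test
"""

def parse_hosts(text):
    """Yield (address, hostname) pairs; skips comments, blank and malformed
    lines, and handles several hostnames on one line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # one bad line must not hide the rest
        for host in fields[1:]:
            yield addr, host.lower().rstrip(".")

def is_watched(hostname):
    """True if hostname is a watched domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d)
               for d in WATCHED_DOMAINS)

def find_pharming_overrides(text):
    """Return [(hostname, address)] for watched names pinned off-loopback."""
    return [(host, str(addr)) for addr, host in parse_hosts(text)
            if is_watched(host) and not addr.is_loopback]

if __name__ == "__main__":
    for host, addr in find_pharming_overrides(SAMPLE_HOSTS):
        print(f"ALERT: {host} is locally pinned to {addr}")
```

Running the same check against the resolver's answers (rather than the hosts file) would extend it to DNS-level pharming, since the redirect need not live on the endpoint.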

Conclusion

Social engineering is a science that emerged from sociology and claims to be the body of knowledge that guides, puts in order and optimizes the process of creating, modernizing and reproducing new (“artificial”) social realities. In a certain way, it “completes” sociological science, completes it at the phase of transforming scientific knowledge into models, projects and designs of social institutions, values, norms, algorithms of activity, relationships, behavior, etc.

Although social engineering is a relatively young science, it causes great damage to the processes that take place in society.

The simplest methods of protection from the effects of this destructive science are:

Drawing people's attention to security issues.

Users understanding the seriousness of the problem and accepting the system security policy.


Lies and deceit are the refuge of fools and cowards

Social engineering: ugh, what a disgusting phrase, do you feel it? Definitely not ours, not our own. But what does the all-knowing Wikipedia tell us? Here is how it explains the concept:

Social engineering is a method of controlling human actions without the use of technical means. The method is based on exploiting the weaknesses of the human factor and is considered very destructive. Social engineering is often viewed as an illegal method of obtaining information; however, this is not entirely true. Social engineering can also be used for legitimate purposes, not only to obtain information but also to make a specific person take action. Today, social engineering is often used on the Internet to obtain classified information, or information that is of great value.

Ugh! So this is an ordinary lie! That is how they should have written it: a lie used to deceive the gullible and good-natured part of the planet's population in order to seize their property and funds, while remaining unpunished. And look how they have disguised themselves, hiding behind such clever words! Just read the history of “social engineering” and its technology. See the impudence to which darkness has descended, even justifying this crime: “...Social engineering can also be used for legal purposes.” If lying is a violation of God's law, then how can it be “used for lawful purposes”? What nonsense.

Actually, this is intended for people with a low level of development. No, I do not mean intelligence or several university degrees. I mean the level of spirituality and morality in a person. This “science,” if one may call it that, is simply the legitimization of satanic laws.

I will not be surprised if in the near future, when asked “what do you do for work?”, the answer will be “social engineer”. It sounds pleasant to the ear, and who would honestly tell you: I am a thief and a part-time fraudster? I think today we can find more than one confirmation of this, when bad is covered up by good. By the way, humanity was warned about this long ago.

Enough is known about the existence of the Brotherhood of Good and the Brotherhood of Evil. It is also known that the Brotherhood of Evil is trying to imitate the Brotherhood of Good in its methods and methods of action. The ignorant will ask: is it possible for a person to distinguish the approach of one or another Brother? If their appearance and words are the same, then it is not difficult to fall into error and accept advice that leads to evil. This is how a person will reason who does not know that the method of recognition lies in the heart. The manifestation of psychic energy will help to accurately recognize the inner essence of phenomena. There is no need for any complex devices when a person carries a spark of knowledge within himself. Psychic energy researchers can testify that energy readings are unmistakable. They may be relative in earthly terms, but in quality they will not be erroneous. Meanwhile, it is quality that is needed to recognize the essence. The primary energy cannot show the negative as positive.

Such a purely scientific indication will protect people from the evil approach. It is not without reason that such recognition is called a weapon of Light.

And while there are few people in the world who know how to use such weapons of Light, the Dark Hierarchy will not be left without work. Each newly incarnated young soul immediately falls into their “penates” and drags out its existence in pain and suffering until the higher nature awakens. And the physical person himself will not voluntarily give up the reins of government to his higher nature. To your higher self, your soul and spirit.

As for the methods of social engineering, they do not disdain anything. Starting with flattery and ending with blatant lies. All abominations are good there as an instrument of darkness. All that remains is to wish everyone who has taken the Path to quickly master the weapon of Light and protect themselves from such engineering, and protect others.

Social engineering (fleecing suckers)