In this article we will pay attention to the concept"Social engineering". Here will be considered a general definition of the term. We will also find out who was the founder of this concept. Separately talk about the main methods of social engineering, which are used by attackers.
Methods to correct behaviorman and manage his activities without the use of technical tools, form the general concept of social engineering. All methods are based on the statement that the human factor is the most destructive weakness of any system. Often this concept is considered at the level of illegal activity, by means of which an offender is committed an action aimed at obtaining information from a victim entity through dishonest means. For example, it may be a certain type of manipulation. However, social engineering is applied by man in legal activities. Today, it is most often used to access resources with secret or valuable information.
The founder of social engineering isKevin Mitnick. However, the concept itself came to us from sociology. It denotes a common set of approaches used by applied soc. science, focused on changing the organizational structure that can determine human behavior and control it. Kevin Mitnick can be considered the ancestor of this science, since it was he who popularized the soc. engineering in the first decade of the XXI century. Kevin himself had previously been a hacker who had infiltrated a wide variety of databases. He argued that the human factor is the most vulnerable point of the system at any level of complexity and organization.
If we talk about the methods of social engineering asabout the method of obtaining rights (often illegal) to use confidential data, then we can say that they were already known for a very long time. However, it was K. Mitnick who was able to convey the full importance of their meaning and particular application.
Любая техника социальной инженерии базируется на presence of cognitive distortion. Behavioral errors become a “tool” in the hands of a skilled engineer who in the future can create an attack aimed at obtaining important data. Among the methods of social engineering are phishing and non-existent links.
Phishing is an online fraud designed to obtain personal information, such as login and password.
Non-existent link - use link,which will lure the recipient to certain benefits that can be obtained by clicking on it and visiting a specific site. Most often they use the names of large firms, making subtle adjustments to their names. The victim, following the link, "voluntarily" will transfer his personal data to the attacker.
Social engineering also uses methods of fraud with the use of well-known brands, defective antiviruses and fake lottery.
“Fraud and brands” is a way of cheating, whichalso refers to the phishing section. This includes emails and websites that contain the name of a large and / or "promoted" company. From their pages are sent messages with notification of victory in a particular competition. Next, you need to enter important account information and steal it. Also this form of fraud can be carried out by phone.
Counterfeit lottery - the way in which the victim is sent a message with the text that he (a) won (a) the lottery. Most often, the alert is masked using the names of large corporations.
False antivirus software is a scam.software. It uses programs that look like antiviruses. However, in fact, they lead to the generation of false notifications about a particular threat. They also try to lure users into the realm of transactions.
Speaking of social engineering for beginners, it is also worth mentioning vishing, phreaking and pretexting.
Vishing is a form of deception that usestelephone networks. Here, pre-recorded voice messages are used, the purpose of which is to recreate the “official call” of the banking structure or any other IVR system. Most often asked to enter a username and / or password in order to confirm any information. In other words, the system requires user authentication through PIN codes or passwords.
Phreaking is another form of telephone fraud. It is a hacking system with sound manipulation and tone dialing.
Pretexting is an attack using a premeditated plan, the essence of which is to be presented by another subject. Extremely complex way of cheating, as it requires careful preparation.
The theory of social engineering - a multifaceted basedata, which includes both methods of deception and manipulation, and ways to deal with them. The main task of the attackers, as a rule, is to catch valuable information.
Other types of frauds include: Quid-Pro-Quo, the "apple of the road", shoulder surfing, the use of open sources and reverse soc. engineering
Quid-pro-quo (from Lat.- “then for this”) - an attempt to extract information of a company or company. This happens by contacting her by phone or by sending e-mail messages. Most often, attackers are represented by those of those. support that report the presence of a specific problem in the workplace of the employee. Further, they propose ways to eliminate it, for example, by installing software. Software is defective and contributes to the promotion of crime.
“Road Apple” is an attack method thatbased on the idea of a Trojan horse. Its essence lies in the use of physical media and the substitution of information. For example, they can provide a memory card with a certain “blessing” that will attract the attention of the victim, make you want to open and use the file or follow the links indicated in the flash drive documents. The object of the “road apple” is dumped in social places and waited until an intruder’s plan is implemented by any subject.
Сбор и поиск информации из источников отрытого Type is a scam in which data acquisition is based on the methods of psychology, the ability to notice trivia and the analysis of available data, for example, pages from a social network. This is a fairly new way of social engineering.
Понятие «плечевой серфинг» определяет себя как observing the subject live in a literal sense. With this type of data capturing, the attacker goes to public places, for example, a cafe, an airport, a railway station, and follows people.
Не стоит недооценивать данный метод, так как Many surveys and studies show that an attentive person can receive a lot of confidential information simply by being observant.
Social engineering (as levelsociological knowledge) is a means to “capture” data. There are ways to obtain data, in which the victim herself offers the necessary information to the attacker. However, it can serve the good of society.
Reverse socialengineering is another method of this science. The use of this term becomes relevant in the case that we mentioned above: the victim will offer the attacker the necessary information. Do not take this statement as absurd. The fact is that the subjects endowed with authority in certain areas of activity, often get access to the identification data by their own decision of the subject. The basis here is trust.
Important to remember! Support staff will never ask the user, for example, a password.
Social engineering training can be carried out by an individual, either on the basis of a personal initiative, or on the basis of benefits, which are used in special educational programs.
Criminals can apply the mostvarious types of deception, ranging from manipulation to laziness, trustfulness, courtesy of the user, etc. It is extremely difficult to protect oneself from this type of attack, which is caused by the victim’s lack of awareness that he / she was deceived. Various firms and companies to protect their data at this level of danger are often involved in the assessment of general information. Next, the necessary protection measures are integrated into the security policy.
An example of social engineering (its act) inThe way global phishing ezines is an event that occurred in 2003. During this scam, eBay users were sent emails. They claimed that the accounts belonging to them were blocked. To cancel the lock, it was necessary to re-enter the account information. However, the letters were fake. They translated into a page identical to the official, but fake. According to expert estimates, the loss was not too significant (less than a million dollars).
For the application of social engineering canpunishable in some cases. In a number of countries, for example, the United States, pretexting (deception by posing as another person) is equated with invasion of privacy. However, this can be punished by law if the information obtained during the pretext is confidential from the point of view of the entity or organization. Recording a telephone conversation (as a method of social engineering) is also provided for by law and requires payment of a fine of $ 250,000 or imprisonment for up to ten years for individuals. individuals. Legal entities are required to pay $ 500,000; the term remains the same.
