Talk about social engineering can go on indefinitely, but it will not protect you from intruders of every stripe. Among them are talented people who use non-standard and sophisticated methods. There are no standard countermeasures against social engineers; each situation requires an individual approach. Laxity, employee negligence and idle chatter on social networks from the work machine are the main holes in a company's security.
Many companies believe that the security problem is solved simply by hardware and software; they are mistaken. The security technologies we are used to trusting - firewalls, authentication and encryption tools, intrusion detection systems and so on - are ineffective against attackers who use SE and RSE (social engineering and reverse social engineering). Modern technical protections have reached a level where breaking them takes a very long time, or the protected information is worth less than the cost of extracting it.
Let's take a real example. A couple of guys I know who have retired from hacking earn money by conducting various attacks on company servers, including using SE on behalf of directors, and then give recommendations on protection. I was invited to take part in one fascinating job - to see how it happens.
Given: a small company that sells underwear wholesale.
Two very smart admins, who had not been informed by their superiors, successfully coped and repelled all the attacks.
Luda was caught on VKontakte.
Although he doesn't know the first thing about high art, Google will help!
Cowardly and cautious Julia. There was something to dig up on her too - blackmail. This lamb was bleating in private messages to her trusted virtual girlfriend about cheating on her husband. Fearing that her family would fall apart, she agreed to commit a minor official offense, one that could result in tangible losses for the company.
Telling a jealous husband or wife everything about infidelities is one of the most common methods. It doesn't matter whether it really happened. You don't need hidden cameras or photo editing for this; you just need to be a good storyteller and be able to convince the other person. The spouse's jealousy will do the rest: in jealous people the brain often switches off completely as soon as infidelity is mentioned.
Impudent and boorish Nadia... who sends everyone to the door. Trolling doesn't get through to her husband, she's on ... I've seen it. She also had a weak point - a 14-year-old daughter, with whom she has serious conflicts. They blackmailed her by threatening to tell the girl that she was not her own child but adopted. The probability that a child will believe an outsider is far from zero, and that would cause deep emotional trauma. Scared by this, the woman agreed to hand over useful information.
No matter how good the boss is, there is always someone who is dissatisfied with him. Let's call her Sveta. She failed to become a senior manager; the director promoted another employee. If you didn't manage to move up a step, your salary stayed the same. Greedy Sveta, after hesitating and haggling, agreed to help the "competitors".
And someone like the thievish and dim-witted accountant Misha is simply a godsend for hackers! This employee is useful when you need to steal the company's money, not just information. He is asked for a small service and promised a decent sum; the money is stolen, in whole or in part, some of it is put into his account, and then the company's director is told where to look for the missing funds. It will be extremely difficult for him to prove that he didn't take it, and he won't be able to explain where the large sum transferred for the "service" came from.
So the whole circle is left to blame. Tracing the path of transferred money is difficult, but possible. But such cases are handled through front men. Even if caught, the hacker will claim that he is not the organizer but only the performer, and if he keeps the smaller part of the loot, this story will sound very convincing. And Misha will take the full blast! That's how it's now fashionable to test employees' reliability.
Now let's move on to the most interesting part...
REVERSE SE. This is a type of attack in which the attacker creates a situation where the victim faces a problem and runs to the attacker for help. A diversion is staged. For example, the victim is sitting on his favorite social network during business hours and suddenly can't get into it, or into his mail. The attacker has already gotten acquainted with the victim in advance, chats with him and positions himself as a computer guru; at the very least he introduces himself as an admin. The person will not run to his own admin with these troubles, since he could easily get a scolding there, but will ask his virtual friend for help.
Let's look at a few more methods...
This attack method is an adaptation of the Trojan horse and consists of using physical media. An attacker can plant an infected CD or flash drive in a place where the media will easily be found (toilet, elevator, parking lot). The media is made to look official and is accompanied by a label designed to arouse curiosity.
Example: an attacker can plant a CD with a corporate logo and a link to the official website of the target company, labeled "Salaries of the management team, Q1 2013". The disc can be left on the elevator floor or in the lobby. An employee may pick up the disc and insert it into a computer to satisfy their curiosity, or a good Samaritan may simply bring the disc to the company - here, this was lying around, it's yours.
If the company is large, where not everyone knows each other, or different offices share the same building, a hacker can easily walk into the right office with a disc or flash drive and say: Marvanna or Pyotr Ivanovich sent you documents, software, or whatever. There is a high probability that nobody will ask why it wasn't sent over the internal network, and they will insert the infected media. Even if they do ask, it can be talked around: Marvanna has network problems, and the boss asked that the file be delivered to you.
This works in large and small companies. An attacker can call a random number at the company and introduce himself as a technical support employee asking whether there are any technical problems. If there are, the target enters commands that, in the course of "solving" the problem, allow the hacker to run malicious software.
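The defensive counterpart to the "found media" trick above, as an added example that is not part of the original post: a PowerShell audit that checks whether a Windows workstation refuses to auto-run or execute anything from removable disks and CDs, and lists who recently plugged in an external device. It assumes the standard Group Policy registry backing keys for "Turn off Autoplay", "Set the default behavior for AutoRun" and "Removable Storage Access", and that "Audit PNP Activity" is enabled so that Security event 6416 is logged; run it in an elevated session.

```powershell
# Added example (not from the original post). Assumptions: the registry paths below are
# the Group Policy backing keys for Autoplay/AutoRun and Removable Storage Access, and
# Security event 6416 is present only when "Audit PNP Activity" is turned on.

function Test-RemovableMediaHardening {
    $checks = @(
        @{ Name  = 'Autoplay off for all drive types (NoDriveTypeAutoRun = 0xFF)'
           Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
           Value = 'NoDriveTypeAutoRun'; Want = 0xFF },
        @{ Name  = 'autorun.inf commands never executed (NoAutorun = 1)'
           Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
           Value = 'NoAutorun'; Want = 1 },
        @{ Name  = 'Execute denied from removable disks (Deny_Execute = 1)'
           Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
           Value = 'Deny_Execute'; Want = 1 },
        @{ Name  = 'Execute denied from CD/DVD (Deny_Execute = 1)'
           Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'
           Value = 'Deny_Execute'; Want = 1 }
    )

    foreach ($c in $checks) {
        # Get-ItemProperty throws when the key or value is absent; absence means "not set",
        # which is the insecure default and therefore reported as non-compliant.
        $actual = $null
        try {
            $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction Stop).($c.Value)
        } catch { }
        [pscustomobject]@{
            Check     = $c.Name
            Expected  = $c.Want
            Actual    = $actual
            Compliant = ($actual -eq $c.Want)
        }
    }
}

function Get-RecentExternalDevices {
    param([int]$Count = 20)
    # Security event 6416 ("A new external device was recognized by the system") records
    # the account and device description, so a planted flash drive leaves a trail.
    try {
        Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6416 } -MaxEvents $Count -ErrorAction Stop |
            Select-Object TimeCreated, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }
    } catch {
        Write-Warning "No 6416 events found; enable 'Audit PNP Activity' (auditpol or GPO) first."
    }
}

# Usage: print the policy checklist, then the most recent device insertions.
Test-RemovableMediaHardening | Format-Table -AutoSize
Get-RecentExternalDevices   | Format-Table -AutoSize
```

A non-compliant row on the first table means a disc or flash drive labeled "Salaries Q1 2013" can still launch code by itself or by a double-click; the second table is what the admins would review after the "good Samaritan" walked in with found media.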
I also got a job as a lunch delivery guy. We served just the company that was of interest, and I casually chatted with the women, as it were. In conversation I let slip that my wife had lost weight with a super method - the exercises are recorded in a video tutorial. The fat women were very interested, asked me to copy the disc and wanted to buy it. The virus was introduced, and bought for money.) The fat-assed young ladies couldn't wait to see the magic video tutorial and hurried to load the discs into their work machines.) I was never seen again...
Did I tell you about the dastardly schemes that people suffered from? Well, read it. As a result: the "weak links" were dismissed. Well, something like that, lousy and shitty.
People lost their jobs, and all because they were victims of SE. I can imagine how many people cursed not their own stupidity, but our team. I feel sorry for them and I don't. An ambivalent feeling. Yes, I want to knock the stupid chickens on the head. Coolies don't need it if it's like that in real life.
