Man
Professional
- Messages
- 3,088
- Reaction score
- 631
- Points
- 113
Social engineering is a method (of attacks) of unauthorized access to information or information storage systems without the use of technical means. The method is based on the use of human weaknesses and is considered very destructive. The attacker obtains information, for example, by collecting information about the employees of the target of the attack, using a regular phone call or by penetrating the organization under the guise of its employee. The attacker can call a company employee (under the guise of technical support) and find out the password, citing the need to solve a small problem in the computer system. Very often this trick works. The most powerful weapon in this case is a pleasant voice and acting skills. The attacker, posing as a company employee, calls the technical support service. Introducing himself on behalf of the employee, he asks to remind you of his password, or changes it to a new one, citing forgetfulness. The names of the employees can be found out after a series of calls and studying the names of managers on the company's website and other sources of open information (reports, advertising, etc.). Then it's a matter of technology. Using real names in a conversation with the technical support service, the attacker tells a fictitious story that he cannot get to an important meeting on the site with his remote access account. Other aids in this method are the study of the trash of organizations, virtual trash bins, theft of a laptop or storage media. This method is used when the attacker has targeted a specific company.
Social Engineering Techniques and Terms
All social engineering techniques are based on the peculiarities of human decision-making, called the cognitive basis. They can also be called "glitches in human support."
Pretexting
Pretexting is an action worked out according to a pre-written scenario (pretext). As a result, the target must give out certain information, or perform a certain action. This type of attack is usually used over the phone. More often than not, this technique includes more than just lies and requires some preliminary research (for example, personalization: date of birth, amount of the last bill, etc.) in order to ensure the trust of the target. This type also includes attacks on online messengers, such as ICQ.
Phishing
Phishing is a technique aimed at fraudulently obtaining confidential information. Typically, the attacker sends the target an e-mail faked as an official letter - from a bank or payment system - requiring "verification" of certain information or the performance of certain actions. This letter usually contains a link to a fake web page imitating the official one, with a corporate logo and content, and containing a form requiring the entry of confidential information - from a home address to a bank card PIN code.
Trojan Horse
This technique exploits the curiosity or greed of the target. The attacker sends an e-mail containing an attachment that is either a "cool" or "sexy" screen saver, an important antivirus upgrade, or even fresh dirt on an employee. This technique remains effective as long as users blindly click on any attachments.
Traveler's Apple
This attack method is an adaptation of the Trojan Horse and involves the use of physical media. The attacker can plant an infected CD or flash drive in a place where the media can be easily found (restroom, elevator, parking lot). The media is faked as official and accompanied by a signature designed to arouse curiosity.
Example: The attacker can plant a CD with a corporate logo and a link to the official website of the target company and provide it with the inscription "Managerial Salaries Q1 2007". The disk may be left on the floor of an elevator or in the lobby. An employee may unknowingly pick up the disk and insert it into a computer to satisfy their curiosity, or a good Samaritan may simply take the disk to the company.
Qui pro quo
The attacker may call a random number at the company and pose as a tech support employee asking if there are any technical problems. If there are, in the process of "solving" them, the target enters commands that allow the hacker to run malicious software.
Reverse social engineering
The goal of reverse social engineering is to make the target contact the attacker for "help". To this end, the hacker may use the method of creating a reversible problem on the victim's computer so that the victim contacts him himself. Or the advertising method. The attacker slips the victim an ad like "If you have problems with your computer, call such and such a number."
Social Engineering Techniques and Terms
All social engineering techniques are based on the peculiarities of human decision-making, called the cognitive basis. They can also be called "glitches in human support."
Pretexting
Pretexting is an action worked out according to a pre-written scenario (pretext). As a result, the target must give out certain information, or perform a certain action. This type of attack is usually used over the phone. More often than not, this technique includes more than just lies and requires some preliminary research (for example, personalization: date of birth, amount of the last bill, etc.) in order to ensure the trust of the target. This type also includes attacks on online messengers, such as ICQ.
Phishing
Phishing is a technique aimed at fraudulently obtaining confidential information. Typically, the attacker sends the target an e-mail faked as an official letter - from a bank or payment system - requiring "verification" of certain information or the performance of certain actions. This letter usually contains a link to a fake web page imitating the official one, with a corporate logo and content, and containing a form requiring the entry of confidential information - from a home address to a bank card PIN code.
Trojan Horse
This technique exploits the curiosity or greed of the target. The attacker sends an e-mail containing an attachment that is either a "cool" or "sexy" screen saver, an important antivirus upgrade, or even fresh dirt on an employee. This technique remains effective as long as users blindly click on any attachments.
Traveler's Apple
This attack method is an adaptation of the Trojan Horse and involves the use of physical media. The attacker can plant an infected CD or flash drive in a place where the media can be easily found (restroom, elevator, parking lot). The media is faked as official and accompanied by a signature designed to arouse curiosity.
Example: The attacker can plant a CD with a corporate logo and a link to the official website of the target company and provide it with the inscription "Managerial Salaries Q1 2007". The disk may be left on the floor of an elevator or in the lobby. An employee may unknowingly pick up the disk and insert it into a computer to satisfy their curiosity, or a good Samaritan may simply take the disk to the company.
Qui pro quo
The attacker may call a random number at the company and pose as a tech support employee asking if there are any technical problems. If there are, in the process of "solving" them, the target enters commands that allow the hacker to run malicious software.
Reverse social engineering
The goal of reverse social engineering is to make the target contact the attacker for "help". To this end, the hacker may use the method of creating a reversible problem on the victim's computer so that the victim contacts him himself. Or the advertising method. The attacker slips the victim an ad like "If you have problems with your computer, call such and such a number."
