Fundamentals of Social Engineering

[Jollier]

Almost all articles on social engineering describe some specific case from questionable practice. In this article I will try to focus the reader's attention on the math part: to tell how the brain works when making a decision, how to influence this decision and what technologies can automate the process, describing everything in accessible words, referring to scientific research.
There will be no specific examples of the use of materials in the article. We will consider a spherical problem (question, action, not important), which has two possible solutions. This can be, for example, launching a file, disclosing information, believing in something, etc.

How do we make decisions?
To date, there is no definite answer, but the studies that have been carried out tell us that in fact a certain part of the brain is responsible for decisions - the striatum. If you do not dive into boring and uninteresting terminology, then, relatively speaking, it launches a certain model of our behavior, allowing us to analyze the current situation based on two factors: life experience (rational half) and emotions (desires, instincts).

Experience or desire?
The process of analysis should not be regarded as a confrontation between the rational and the emotions. And although in some cases outwardly it seems that this is exactly what is happening.
Rather, this process can be seen as generating a certain amount of pros and cons on both sides. And here it is necessary to dwell in detail on why these "pros" and "cons" may arise. Surely many of you know about Maslow's pyramid of needs.

Starting from this pyramid, you can see that in some cases, the decision is determined by the needs of the person. For example, trying to convince a person to pay a huge amount for a cheap product does not make sense if the person has a penny for his soul.
But a person is an emotional creature and is not always driven by needs (almost never). It is for this reason that millions of people take out a loan for expensive cars, spend all their money on branded gear and unjustifiably expensive gadgets that they do not need. Yes, brother, the instinct of domination somehow takes over the mind!

The same emotion of mercy can cause a person to give a large sum of money without any rational reason. Just. Out of pity.
I think you realized that if you press, then press on emotions, or instincts, because the rational part will hold the line to the last and will not break through it without frank and high-quality lies.

There is one interesting study, the essence of which is that an individual experiences pleasure not only at the moment of receiving a reward, but also on the way to achieving it. And here it is appropriate to recall the various stories of brainwashing on the topic of financial pyramids, abandonment of acquired property in favor of one's spirituality, etc. Let's take a closer look at this situation (brainwashing by some sectarian).

The person was convinced that he needed it, affecting, as a rule, emotions. They told how bad everything is now, in his current situation, "opened his eyes." Such flushing gains special weight if it is backed up by some pseudo-facts, or by the statements of authoritative people (scientists, thinkers, etc.).
The fact is that a person is a social being, and for society, the presence of a leader, whose words are heeded, is a normal phenomenon. These connections formed in our minds a long time ago and helped to survive: the leader took responsibility, distributed resources between society for more productive work.

Accordingly, the opinion of the leader was listened to. The mechanism is roughly the same as how digital certificates work - everything is based on trust. And now a person listens to all this, the “trust” of the noodles begins to exceed his own experience, the pressure on emotions is exerted (his self-esteem has dropped, because everything he did turns out to be “wrong”), and his opinion changes. Despite the seemingly logical thing: by giving material values, he actually exposes himself to additional danger. Why is this happening?

Against the background of emotional pressure, new goals are instilled in a person (everything is bad for him now, but everything can be changed). And at this point, the brain begins to stimulate the body to achieve these goals. A special hormone is produced: dopamine, which is precisely responsible for the so-called "motivation". A certain indicator of what efforts a person can make to achieve goals (in this case, imposed ones). As a result, it turns out, contrary to logic, a person finds himself on the street for some higher purpose, and at the same time he is only glad of his “freedom from the material”, despite the direct harm to his body (physiological needs according to Maslow's pyramid).

Influence the decision from the outside
Now let's talk about what conclusions can be drawn from the history above. First of all, influencing the rational part of the brain almost always makes no sense. For example, if you are trying to convince a person to invest in your cryptocurrency, you will hardly be able to convince him with numbers alone. First, the human brain will always prefer the “here and now” reward to some dubious prospects. In this case, “here and now” is his capital. And doubtful because the level of trust in you is not high enough for a person.

But, one has only to give an example of successful investments, talk about what these promising technologies are, and that in general the future belongs to cryptocurrencies, a person immediately begins to draw in his head a colorful picture of potential profit (after all, there have already been successful examples), supplementing it with various emotions. In this case, the feeling of expectation will only further stimulate the person.

Further, there are several interesting tricks, based, again, on the social component of consciousness:

• When rendering any service to a person, he is more willing to make contact, a feeling of duty arises (it will not be pronounced, of course, but the attitude towards you will shift upwards from zero).
• Asking for help (albeit a little one) contributes to this. A person unconsciously puts himself above the one to whom he provided assistance (after all, he was asked). In addition, the need for recognition is satisfied, self-esteem grows. This phenomenon is called the Benjamin Franklin effect.
• Go beyond the expected behavior. When interacting with any object with which there was an experience of interaction earlier, the expected behavior pattern is formed in the brain. Going beyond this template puts the rational part into a stupor, it becomes easier to influence emotions.
• Collect as much information as possible about the person before taking any action. Here you should pay special attention to the fact that it is necessary to act (whether directly or not) only when there is confidence that it will not be possible to collect more information, and it is all analyzed and structured.

Use technology
Of course, these are search engines and social networks. This has already been mentioned many times in various articles. People share information about themselves for various purposes (self-identification in society, commercial interests). All this can be used at least to collect information, at the most - to manipulate.

Also:

• Don't forget to look at the file metadata. They can contain a lot of interesting information.
• Some pages may not be accessible, but the web archive usually remembers everything;
• Finally, use parsers. Almost any amount of information can be obtained and analyzed thanks to any programming language and a wrapper for curl for this language. Also, do not forget that any social service provides its own API for convenience;
• Compromising a person's mobile device is almost a 100% option for gaining access to all private information;
• Follow research and discoveries. Psychology is good, but it only reveals a pattern, and does not explain a phenomenon.

Develop!
Anyone who, in one way or another, wants to improve their SI skill, I strongly recommend reading the book Think Slow - Decide Fast by D. Kahneman. This man has been engaged in the analysis of the way of thinking and the behavioral psychology of people for 40 years - a tremendous job.

The author describes at what moments our brain "gives up slack'' and makes wrong or irrational decisions. All these examples can be remembered as fact and used for any purpose (do not let yourself be fooled or carefully thought out conclusions, well, or use it against others).

 

[Jollier]

SI pumping

Amigos, I think you've often seen diagrams where such items as "SI", "SI skills are needed 4 of 10", etc. are mentioned. But few people think and tried to understand what it is all about and what it is eaten with. How can you even tell what SI level you have? This is a purely subjective thing that depends on a person's abilities. And they, as a rule, are different for everyone.

There is a concept - social engineering. What is it all about, in plain language?
This is the skill with which you can achieve your goals using dialogue and some manipulation. The goals can be different: the extraction of docks from a person, the conclusion of a mammoth for profit, a divorce of a drocher to buy something, etc.

But how do you develop these skills?
Young people often write: "What level of SI do I need for this topic?" Uncle, well, for starters, I don't know what you are capable of. Take, for example, the immortal drocher theme. Someone manages to make several thousand rubles a day on them, while someone, having all the tools and instructions, earns nothing.
By my own example, I can say that I have not read any books on psychology and social engineering. I started from what I do and what I do. Take the good old school kids' scam on Steam, Origin, etc.

There is a task: to sell air. You don't actually have an account, do you? But you need to show, prove and tell that he really is. Make him believe it. If your page name is Petya Petrov, then find a Steam account with the login petya2008. Better yet, if the name "Peter" or "Peter" is indicated in the account profile. Do you understand the trick? Mammoths look at such small details.

Or another example. Jerkers. I already wrote more than one manual on this topic. And I repeat everywhere, stick to the legend. The legend of the character, in your case, this is some kind of madam, one of the most important components. If you are a 35-year-old woman with a child, then show it not only in the photo, but also in dialogue with the mammoth. Write that you need to leave to feed the child, that you need to help do your homework. Accompany all this with appropriate photos, for example, a photo of hands with a notebook or diary. The Internet is full of such live photos.

How to develop skills? Practice, practice and more practice. Get yourself several characters: Petya is a schoolboy, a nerd, Masha is a divorced woman who loves her son, Dmitry is a professional capper, Elizaveta is a flirty student with no money. And just talk to people. Observe their reactions to your actions. Sooner or later, you will hone your skills.

Difficult online? Try it in life. Make your way to the doctor through the line of 20 people. Anyway, make your way through any queue, try it. Find an approach, find loopholes.
Also, communicate more often with various technical staff. support. Whether it's AliExpress employees when you refund. Or Delivery Club employees when you want to get a refund for a low-quality food.

A lot of text and water, but I tried to convey some truths to you. In short: enough theory - closer to practice. There are no levels, only skill and difficulty.

 

[Jollier]

Developing: training thinking

The most spontaneous answer to the question of how to become a Sherlock might sound like this: "First, buy yourself a black coat." To use the terminology of the American psychologist, Nobel laureate Daniel Kahneman, who published the book Think Slow . Decide Fast in 2011, this is the reaction of the so-called "fast thinking" - a system that is responsible for momentary knowledge of the world and cataloging instinctive sensations. reacts to circumstances instantly and very directly, as a result of which often makes mistakes, forcing us to make irrational decisions.

But in order to think like Sherlock Holmes, you need to use a different system - "slow". It is she, according to Kahneman, who is responsible for the deliberate and conscious formation of thoughts, decisions, conclusions and assessments.
Like any function of the human brain, the slow thinking system can be strengthened and developed.

As in sports, training should start with light exercises in small amounts, gradually moving on to more complex and lengthy ones. To begin with, you can borrow several school textbooks from friends on various subjects: mathematics, physics, chemistry and other disciplines that involve solving problems. This will help not only to train the system of slow thinking (after all, it is it that is used in the process of intellectual activity), but also to broaden the horizons, restoring the knowledge lost since the time of studying at school and outlining interesting scientific areas for study.

Corrosiveness.
The quality that the future master of deduction requires. To nurture it in yourself, you need to find areas that really arouse curiosity.
What exactly they will be, by and large, does not matter: the emotional response always pushes a person to a deep study of the subject, makes him constantly increase the amount of knowledge, and with it the length of the border of contact with the unknown, the existence of which invariably prompts the mind to new searches.

Deduction and induction.
When the mind is prepared and saturated with various useful information, you can proceed to exercises for the development of logical thinking: deductive and inductive. After all, Conan Doyle's character used both methods - which, alas, is shown in the BBC series "Sherlock" somewhat weaker than in the books of Arthur Conan-Doyle.
Deduction is a method in which the particular is logically derived from the general: “All metals conduct current. Gold is a metal. This means that gold conducts current. "

Induction, on the contrary, deduces the general from the particular: “I am a Muscovite and I remember that it snowed every winter. This means that it always snows in Moscow in winter ”. Sherlock Holmes, examining the crime scene or assessing those around him, often went from private to general and back, freely moving in both logical directions: “John has a military bearing, a tan on his arms only up to his sleeves, a psychosomatic limp, which means he has been in a war. Where have the military operations been lately? In Afghanistan. So, in the war in Afghanistan. "

However, his main conclusions were deductive and appeared in the mind of the great detective when he tormented his violin or pondered while smoking a pipe. At these moments, Sherlock Holmes turned to his phenomenal knowledge of history and forensics and classified the case, based on the "family tree of crimes." He assigned him a place in the group: "Murder by inheritance", "Murder out of jealousy", "Theft of the will", etc. This gave the motive, and the motive gave the suspects. This was the essence of Sherlock Holmes's deductive method. Induction gave him food for thought, while deduction provided the answer.

There are many exercises for training logical thinking.
For example, "Concepts in order", within which it is necessary to arrange several words from particular meanings to general ones, or vice versa. Chess or poker may also be helpful. In addition, it is important to learn to avoid logical errors in judgments, having studied them, for example, according to the book by Abner Uyemov “Logical errors. How they interfere with right thinking".

How to bring up a detective in yourself.
Learning to notice details, interpret them correctly and not be distracted during observation and analysis will require exercises for the development of voluntary and involuntary attention, as well as training in flexibility of thinking.
Involuntary attention is a system of reaction to stimuli, a kind of "peripheral vision" in terms of the perception of reality. To develop it, you can make it a rule to observe familiar objects and places with a lack of lighting and a different sound background (in natural conditions, with pleasant music and harsh unpleasant sounds), and also learn to mark the details that attract attention when moving from one species activities to others.
This allows you to cultivate sensitivity to fluctuations in reality and learn not to miss out on interesting details that may be the key to a situation or a person's character.

 

[Jollier]

Example:
The grandmaster received a letter in the mail, in which a man unknown to him, introducing himself as a young novice chess player, offered to play a remote game of chess. Remote, because the moves were sent by mail. The grandmaster was promised a very large sum of money for winning, and if there is a draw, or, God forbid, the grandmaster loses, he pays the money. True, half the amount that he himself will receive if a young chess player loses. The grandmaster, without hesitation, agreed. We made a bet and started playing. From the very first moves, the famous grandmaster realized that he would not be able to earn money "for free", because already the first moves gave out a promising master in a young chess player. In the middle of the mast, the grandmaster lost his peace and sleep, constantly calculating the next moves of the opponent, who turned out to be not just a promising master, but a pro. In the end, after a long time, the grandmaster barely managed to draw the game, after which he poured a bunch of compliments on the young man and offered him not money, but his support, saying that with such talents he would make him the world champion. But the young chess player said that he did not need world fame, and that he only asked to fulfill the conditions of the bet, i.e. send the money he won. What the grandmaster did, reluctantly. Where is the manipulation, you ask? And the manipulation here is that it was not a young man who played against the grandmaster, but another great grandmaster, who received exactly the same letter from the young man and in the same way agreed to "earn extra money quickly." On exactly the same conditions: a young man pays him a large sum for the win, and for a loss or a draw, the grandmaster pays the young man. As a result, two great chess players fought with each other, and the young "talented chess player", in modern terms, worked as a postal relay, i.e. only forwarded their letters to each other. And then, as a result of a draw, both grandmasters sent money to this young man.

Technique for regulating emotional stress in communication

REDUCES VOLTAGE:
- emphasizing community with a partner (similarity of goals, interests, opinions, personality traits, etc.)
- emphasizing the importance of a partner, his opinion in your eyes
- verbalization of the emotional state: your own and your partner
- showing interest in the partner's problems
- presenting the partner with the opportunity to speak out
- immediate admission of their own wrong
- a proposal for a specific way out of the current situation
- appeal to facts
- calm confident speech rate
- maintaining optimal distance, angle of rotation and inclination of the body

INCREASES VOLTAGE:
- emphasizing the differences between yourself and your partner
- belittling a partner, a negative assessment of his personality, belittling the partner's contribution to the common cause and exaggerating one's own
- ignoring the emotional state, your own and your partner
- demonstration of disinterest in the partner's problem
- interrupting a partner
- delaying the moment of admitting one’s wrong or denying it
- search for the guilty and blame the partner
- the transition to "personalities"
- a sharp acceleration of the rate of speech
- avoidance of spatial proximity and eye contact

COMMUNICATION UNDERSTANDING TECHNIQUE
At the training of Japanese managers, 20 minutes after meeting the group, they are asked to write what unites them with each member of the group.
There should be as many lists as there are participants in the group, and each list should include at least ten qualities.

UNDERSTANDING GENERAL TWO CONDITIONS must be met:
- the revealed common features should be more pleasant to the partner than unpleasant. That is, characteristics should be perceived as virtues (for example, observation, ingenuity, artistry) or as peculiar traits (for example, dominance, cunning, eccentricity, individualism, etc.). There are some traits that are not flaws, but are perceived as such by those who have them, for example, shyness, straightforwardness, perseverance, etc. By emphasizing the commonality of these characteristics, you run the risk of touching the "weak string" of the soul.
- these common features should be relevant to the business or personal area of expertise of the person.

For example:
We both want to get this situation resolved.
We both love creative people.
You and I often have "lying" ideas.
What unites us is the speed of consideration.
We are both "tricky" and so on.

TECHNIQUE OF UNDERLINING THE SIGNIFICANCE OF THE PARTNER.
UNDERLINING SIGNIFICANCE is an expression of admiration for another person, recognition of his merits and achievements.
Requirements for technique:
- concreteness, conditionality by facts
- sincerity.

The FORMULA of the technique is not “I like you”, but “it seems to me that what you do is valuable”.
Emphasizing significance is not a compliment in the conventional sense of the word. Emphasizing significance is a variant of a positive statement, but with some emotional addition: “I admire…”, “… pride arises,” “… respect for you grows,” etc.

For example:
- You know, your idea seemed very valuable to me.
- Several times today I recalled how great you answered a question from the audience yesterday.
- Saw your calculations and was just filled with awe!
- Yes, this is work! Super!
- Your lightning speed amazes me!

TECHNIQUE OF VERBALIZATION OF YOUR SENSES AND SENSES OF THE PARTNER
The following FORMULAS are effective for verbalizing one's own
Feelings:
- I am surprised…
- I am upset ...
- I'm uncomfortable ...
- It hurts me ..
- I have some protest ...
- I'm worried ...
- I'm depressed ...

For example:
- How could you not send me workers? Do I have to drag the tables myself?
- Ninochka, I AM SURPRISED ... How could this have happened? After all, I ... and so on.
- Why do you never tell in advance that you have to go to work on the weekend?
- Zinochka, I'm upset ... I am upset that I have to call you, and I am even more upset that you were not informed in advance ...
- Why did you come here? What should you study here? Or are you supposed to watch us here ?!
- Kolya, I am very uncomfortable when I hear such assumptions ... very uncomfortable ...

VERBALIZATION OF OWN SENSES is, in fact, I-messages. Verbalization of our own state plays a double role - on the one hand, it informs our partner about our feelings and reduces his stress, and on the other hand, it helps to regulate our own emotional state.
Verbalizing our own NEGATIVE feelings can also be used as a polite form of remarking or asking our partner to stop doing things that are causing us stress.
It is much more difficult to VERBALIZE THE FEELINGS OF A PARTNER. Phrases like “you are outraged” or “you are agitated” can provoke an increase in negative reactions.

The INDIRECT verbalization of the partner's feelings is more effective, for example:
- I agree that this may cause a protest
- I agree that it causes discomfort
- I agree that such a turn of affairs causes unpleasant feelings
- Yes, it is, of course, upsetting.

In DIRECT CONSTATIONS of feelings, it is preferable to use terms that indicate a respectful attitude towards a partner and oneself.
For example:
Instead of “I don’t understand,” it’s better to say “I’m surprised”
Instead of "You are depressed" it is better to say "You are upset."
Instead of "I am unpleasant" it is better to say "I am uncomfortable"
Instead of "I am disgusted" - "I am outraged"
Instead of “Are you nervous” it’s better to say “Are you worried”
Instead of "I'm offended" - "It hurts me"
Instead of "Pisses me off" - "I have a protest"
Instead of "you are angry" - "you are angry"
Instead of "Are you afraid" - "Are you afraid"

Expressing NEGATIVE feelings can be mitigated by using METAPHORS.

Carl Rogers was helped, for example, by such metaphors: “I got a fantasy that you are a princess and you would like it if everyone obeyed you” or “I feel that you are acting both as a judge and an accused in relation to yourself, and speak sternly to himself: "You are to blame for everything."

Verbalization of feelings can be accomplished using the FORMULA:
"I feel like ..." + metaphor, for example:
- In my opinion, you have already forgotten about our yesterday's conversation!
- I feel like a schoolboy answering at the blackboard.
- Are you going to check the documents for the third time ?! Are you looking for all the dirty tricks?
- I feel like a defendant in a courtroom.
- How could you call your company that? It gives rise to such strange associations ...
- I feel like Thumbelina in a tulip: she fell and flounders in the flower.

METAPHOR should be bright and at the same time soft, truthful and at the same time humorous, accurate and at the same time respectful.

TYPICAL VERBALIZATION ERRORS and WAYS TO OVERCOME THEM:

1. Emphasizing the commonality that the partner in no way wants to admit to himself ("You and I, both of us do not like when our tail is pressed ..", "The boss does not consider you and me as people ...").
This can be perceived by the interlocutor as a hidden belittling of his personality. A person wants to belong only to that community that is referential for him. Emphasizing a commonality of weaknesses or weaknesses is possible only when it is not perceived as a threat to self-esteem.
It is better to choose formulations in which the shortcomings act as a continuation of the merits ("We are both intolerant of inaccuracies", "Well, we can be harsh with you!").

2. Acting exactly the opposite while emphasizing the importance ("You did it great! I did not expect from you!", "You performed well today, not like usual!").
This is a hidden belittling of the partner's personality. In fact, a message is conveyed to him that he is usually at a much lower level. Comparisons of the person with himself and with the expectations of him should be avoided.
Better to just say, "You did it great!" or "You performed so well today!"

3. Verbal statements instead of verbalization ("I understand you very well", "I understand you perfectly!"). But as long as the emotion is not named, the person may continue to think that they have actually been misunderstood. In addition, a person wants to be understood just as much as he wants to be understood. The phrase “I understand you perfectly well” in this context can arouse fear of exposure.
Therefore, if the state of the interlocutor is not entirely clear or you feel that a struggle of various feelings is taking place in him, then it is better to use neutral-respectful formulations with interrogative intonation ("Are you surprised? ...", "Do you feel uncomfortable? ...", “Are you upset? ..”, “You are not yet sure that…?”, Etc.).

4. Verbalization of negative feelings and states, which as a result only intensify (“You look tired”, “You look so exhausted”, “You look so scared!”).
Freshness, cheerfulness, a toned appearance - all these are signs of well-being, testifying to the ability to achieve social success.
Looking tired is a sign of a certain defeat or concession to the difficulties of life. Discussion of such states plunges us into the abyss of negativity.
It is better to use more neutral formulations: "You are concentrated ..", "You are tense ...", "You are afraid", "I see that you are alarmed by something ..", etc.
And finally, in the technique of VERBALIZATION of feelings, it is by no means always a question of negative feelings. In a situation where someone attacks you, it can generate a surge of energy, excitement, and even admiration.

An example from the movie "Tootsie":
Director: I like it so much that you always understand the director's task exactly!
Tootsi: Where do you see the director here?
Director: How I like that you don't let anyone down!

(E. Sidorenko. Training of communicative competence in business interaction, 2004). REDUCES THE STRESS.

 

[Hacker]

SE. Methods and protection

The human brain is a large hard drive, a repository of a huge amount of information. And both the owner and any other person can use this information. As they say, a chatterbox is a godsend for a spy. In order for you to further understand the meaning of the following, you should at least be familiar with the basics of psychology.

Social engineering is a kind of young science. There are many methods and techniques for manipulating human consciousness. Kevin Mitnick was right when he said that sometimes it is easier to deceive and obtain information than to hack access to it. Read the book The Art of Deception at your leisure, you will like it.

There are no gestures, intonation, facial expressions on the Internet. All communication is based on text messages. And your success in a given situation depends on how your messages will affect the interlocutor. What techniques can be used in order to covertly manipulate a person's consciousness?

Provoking
Strictly speaking, this is trolling. In most cases, a person who has lost his temper is not critical of information. In this state, you can impose or receive the necessary information.

Love
Perhaps this is the most effective technique. In most cases, this is what I used. In a state of love, a person perceives little, and this is exactly what the manipulator needs.

Indifference
The effect of the manipulator's indifference to a certain topic is created, and the interlocutor, in turn, tries to persuade him, and thereby falls into a trap and reveals the necessary information.

Rush
Situations often arise when the manipulator allegedly is in a hurry to somewhere and constantly hints at this, but at the same time he purposefully promotes the information he needs.

Suspicion
The reception of suspicion is somewhat similar to the reception of indifference. In the first case, the victim proves the opposite, in the second, the victim tries to justify “his suspicion,” thereby not realizing that he is giving away all the information.

Irony
Similar to the provocation technique. The manipulator makes a person angry with irony. He, in turn, in anger is not able to critically evaluate information. As a result, a hole is formed in the psychological barrier, which is used by the manipulator.

Frankness
When the manipulator tells the interlocutor frank information, the interlocutor develops some kind of trusting relationship, which implies a weakening of the protective barrier. This creates a gap in the psychological defense.

Also, Social Engineer distinguishes three main clusters of social engineering:

• Phishing is the practice of sending fake emails to e-mail with the aim of influencing a user or obtaining personal information.
• Wishing is the practice of obtaining personal information or attempting to influence a person through the telephone, including tools such as "caller spoofing".
• Reincarnation is the practice of impersonating another person in order to gain information or access a person, company, or computer system.

There are many methods in social engineering, and every day this base is replenished with new ones. Some attacks cannot be carried out without the use of modern technology, while others are based purely on human psychology. We decided to tell you about the basic social engineering techniques that can be used against you.

Phishing
Phishing emails trick users into giving away their personal information (usernames, passwords, and credit card details) or installing a file with malicious content. One of the reasons phishing is effective is that people tend to trust messages from senders that are important or known to them. To this end, an attacker easily manipulates the URL, for example, the URL cоmpany.com looks almost identical to cоrnpany.com... Phishing is based on human error, not technology, so raising awareness on a global scale is the main way to combat this particularly effective form of social engineering.

What to do?
The best defense against phishing messages is not to follow the criminals' lead, that is, don't follow the links indicated in the messages, don't enter your data in the form fields embedded in the message. Instead, manually enter the URL of a verified site in the address bar of your browser, and never use auto-complete fields.

Fake messenger
An equally common attack is that the attacker pretends to be a representative of the company delivering the goods to the buyer. Remember how many times "messengers" were allowed into a company office to which they had no access? But a simple penetration into the office can lead a criminal to full access to the system. Typically, the perpetrator may disguise himself as an employee of a well-known postal service, a deliveryman of pizza, flowers, or other goods. The most fragile part of the crime is the preparation of all the papers certifying the powers, documents and "parcels".

Social programming and social hacking
Social programming can be called an applied discipline that deals with the targeted impact on a person or a group of people in order to change or keep their behavior in the right direction. Thus, the social programmer sets a goal for himself: mastering the art of managing people. The basic concept of social programming is that many actions of people and their reactions to one or another external influence are in many cases predictable.

Social programming methods are attractive because either no one will ever know about them, or even if someone guesses about something, it is very difficult to prosecute such a person, and also in some cases it is possible to “program” the behavior of people, and one person, and a large group. These opportunities fall into the category of social hacking precisely for the reason that in all of them people perform someone else's will, as if submitting to a "program" written by a social hacker.

Social hacking as an opportunity to hack a person and program him to perform the necessary actions comes from social programming - an applied discipline of social engineering, where specialists in this field - social hackers - use methods of psychological influence and acting, borrowed from the arsenal of special services.

Social hacking is used in most cases when it comes to attacking a person who is part of a computer system. A computer system that is hacked does not exist on its own. It contains an important component - a person. And in order to get information, a social hacker needs to hack a person who works with a computer. In most cases, it is easier to do this than to hack into the victim's computer, thus trying to find out the password.

 

[Jollier]

Social engineering in practice
Today we will examine the use of social engineering in practice. For example, let's take a wallet hijacking scheme through the implementation of a RATnik.

What's the point?
The trick of this scheme is that we will sell an infected file to the victim and thus hijack e-wallets (such as qiwi, webmoney and others).
It would seem simple enough. Make an email newsletter or SMS newsletter and row money. But not entirely true. There is nothing better than a targeted and competent attack.
So, comrades, the trick is what. First of all, we need what, right, find such a victim ... now we need to take and think about where they can hang out ...
That's right, comrades, they hang out on forums like zismo, mmgp or on sites like Free-lance.ru. There are a lot of similar resources out there, you can google and not bother with these three sites After all, sooner or later, threads like "Don't get caught, there is an unscrupulous customer" will appear on them.

What do we need for a successful attack?
1) RATnik. What is a warrior? Ratnik is a Trojan that allows you to take control of the device it is running on. Don't skimp on money, it's better to buy a good one.
2) Cryptor. A cryptor is a gizmo that allows you to disguise your warrior, that is, to make him invisible to antivirus systems. You can find more details in Google. It is not necessary to buy a cryptor, you can simply order crypt services. It's even cheaper.
3) Joyner. Joyner from the word "join", that is, "attach". A utility for gluing our virus to any other file.
4) A file for gluing with a virus (we will have this game).

So, initially I already told you about white forums and freelance sites. And I said this to you, of course, not in vain. After all, it is there that we will be looking for our victims with the aim of further processing them.

If you work on forums, then it will be very desirable for you to either buy a good pumped profile, or register yourself and fill in posts (and let it rest).
Why? Because this is psychology. Any social engineering practitioner will tell you that the more advanced the profile on the forum (date of registration, number of posts, etc), the more trust arises in such an account. And a fresh account without activity is defined by the subconscious as knowingly alarming. No matter what conditions he offers and no matter how he pours on his ears, he is still alarming. And the shirt-guy who has been sitting for a long time and actively communicates inspires much more confidence.

If you will be working on freelance sites, you will at least need a good employer account. And here again there are two options: either you buy a similar account, or you upgrade yours. Namely, you register an employer account, create several performer accounts and give yourself work. Then you write praise for each other, thereby pumping your profile. Indeed, on similar sites, they treat no-names with anxiety in the same way - remember this.

And yes, there is no need to forget about preparation. Preparation is 90% of your success. Upgrade your accounts until you say to yourself, "Well, where else is that more?"
Then, we take any small, unpopular flash game, and glue it with our warrior. We check with antivirus software (do not try to upload it to virusotal), and we check that the warrior does not fight against the databases.

So, let's say you have everything ready with your accounts. And with the warrior too. There are credible profiles.
Now we need to find our victim.
Our victim will be a freelancer who will take the order from us and fulfill it.
Take the category of programmers, for example.

A few words of digression
You all think that all programmers are very smart people, but in reality this is far from the case, and I will explain why.
Take motorcycle mechanics, for example. Just because he knows about motors doesn't mean that his motorcycle can't whistle, right? That's how it is. Maybe programmers are savvy in some technical solutions, but they, just like ordinary people, rely on primitive antiviruses, and hang their ears in the same way. A programmer is not a pentester or even a sysadmin. A programmer is just a person who knows how to make programs. And whether he fumbles in safety or not fumbles is a very controversial question.
Therefore, I want to give you advice. The first commandment of a social engineer is DON'T BE AFRAID OF YOUR VICTIMS!
But on the other hand, you do not need to think that they are stupider than you. He underestimated the enemy - he warmed up. So also Sun Tzu said. Just don't be afraid to hang on to your ears in fear of being bitten. Trust me, you can fuck anyone.
So, comrades. We entered the category of programmers. Again, programmers tend to be people who always have hard cash in their wallets.
We write out a list for ourselves and begin to write to everyone about the following by contacts:
"Hi. I would like to order a mini-game from you. Shall we talk?"

A couple of moments

Moment number of times.
Write correctly. If you write without mistakes, you are automatically perceived as a respectable person who has both money and everything.
No need to write "will you make a game?" Write this and you will be a schoolboy in the eyes of the programmer.

Moment number two.
Coming from moment number one. You know you can never change? The first impression of yourself. And therefore, do not screw up the first impression. As you seem - so in the subconscious you will remain.
So, programmers started to answer us with remarks "Yes, hello, what's there?"
And here's the fun part. We need to force the malicious file to open on the computer. How to do it? We look further. Of course, we will not push anything, we need to make the victim ask for the file.

We open our game, play a little, and begin to describe in detail the functionality of the game to the programmer:
"So they say and so, on the left there should be such buttons, on the right such, the interface is such and such," and so on.
We must provoke the following question:
"Do you have a sample of the game?"
That is, in order to provoke this question, we need to make it clear that we have it.
IN NO EVENT DO NOT SAY TO THE PROGRAMMER: "If you want I give you a sample, you can make a game from it."
IN NO EVENT!

If you say so, this will ALREADY be a wake-up call for a programmer, and you will be an unreliable passenger who wants to sell a file. The programmer himself must decide what he wants to open the game and watch.
If the programmer is tough, we make screenshots of our game and send it to him, say "I want it like this, but the buttons are of a different color."
This usually provokes the request "Don't fuck my head, give me the game itself and that's it."
So, the victim downloaded the file, launched it. And voila, we have a tap in our warrior admin panel. The computer is infected.

So what can you do?
Firstly, you can stupidly take over control of the computer and drain all the money that it has. As a rule, transfers from the same kiwi or poison, which are carried out from a native computer, do not require SMS confirmation. WebMoney Keeper installed on your computer - too.
Secondly, you can steal all passwords in quiet mode (pull them out of cookies), and just simply drain all the money.
Thirdly, if we come across a fat personal passport, we can hijack it and collect credits on the stock exchanges (this is quite cunning, but smart people, I am sure, can handle it).

So, citizens and comrades. This was just an example of the use of social engineering in the size of our population.

What lessons can be learned from this?
1) Always prepare carefully. Without preparation, any attack will go down the drain. Spare no effort, no money, no time to prepare. This is the key to success.
2) Don't be afraid of your victims. If you need to fuck up, for example, an FBI officer, then believe me, this is real. After all, if you don't try, you definitely won't fuck. And if you try, you have two options: success or failure. Do not be afraid of your victims, you do not need to consider them the smartest people who will immediately figure out the deception. And if they bite, then to hell with them.
3) Don't underestimate your sacrifice. Yes, you shouldn't be afraid, but underestimate too. Always act as if you are confident that your victim is a hundred times smarter than you.

 

[Hacker]

Social engineering is a method of controlling human actions without using technical means (with the exception of communication tools), or, as is customary for hackers, it is an attack on a person. This method is usually used to gain access to various types of confidential information: whether it is a page on a social network or secret documents of an organization. Social engineering is considered one of the most destructive and dangerous methods, as it can cause irreparable damage to the entire company.

History
The term "social engineering" itself has recently appeared, and was especially popularized by Kevin Mitnick. However, it is known that in Ancient Rome and Greece, people who were able to put noodles on the ears of any person and convince them of their rightness were always held in high esteem. They were always negotiating, and they could easily get an entire city out of a situation that might require the use of weapons.

The main point
The basis of social engineering is to mislead people. This may include impersonating another person, escalating the situation, or distracting attention. Let's consider the simplest case. A stranger comes to the office, introduces himself as John Smith from the technical department, and says that a vulnerability has been found in the company's computers, and it needs to be fixed urgently. Thus, the synger (i.e. social engineer) not only learns the password from the computer, but at the same time launches a virus.

Social engineering is a very universal method, it can be applied to any systems where there is a person. And it is everywhere. No wonder they say that a person is the weakest link in any defense. Also, social engineering makes it possible to learn data directly from a person, and not to search for vulnerabilities in the system, or try to find out the password by brute force. The only difficulty is to find the right approach to each person. Although, professional syngers almost always act impromptu, relying only on their feelings.

Social engineering techniques
Social engineering involves several techniques. Each of them differs in principle, but the goal remains the same.

Pretexting – an action based on a pre-created plan, or pretext. Synger thinks through everything to the smallest detail, including not only what he will say, but all the information about the "new" self, as well as the reaction of the attacked. It is the most common method, and does not require much effort.

Phishing is a method based on obtaining information due to human inattention. For example, the victim is sent an email on behalf of a well-known brand or website asking them to log in due to technical problems. Design, writing style – everything is as it should be, nothing will cause doubts. And the person will do everything as it is written. And of course, it won't pay attention to either the sender's address or the site address for authorization. Is everything similar? What could be the problem?

Trojan horse, or Trojan, is a technique that exploits the victim's curiosity and greed. The name itself speaks for itself. A person receives a parcel with the same name, but a completely different content. The most common option adapted to social networks: a person searches for a program to hack a social network page, downloads it, but this magic program is a regular virus.

The road apple is a technique that exploits the victim's curiosity, and is a slightly modified Trojan horse. The only difference is that the person does not receive the "parcel", but finds it himself. For example, the object "accidentally" finds a disk in the elevator with the name "Employee Information 2011, for official use only". Before this honest citizen takes the disk to his superiors (or maybe not), he will definitely look at the contents, and also pick up the virus. And even more so, if this disk is taken, there is a chance to infect both the authorities and the entire company. You can see a vivid example here.

Qui pro quo is a method that uses the victim's lack of skills and inexperience. For example, a person calls the office "from the technical support department", and also reports that there is either a vulnerability in the computer, or just asks about the presence of errors. And then he simply commands what needs to be done, and the presence of sinjer himself is not necessary, the employee himself will harm himself.

Reverse Social Engineering
By the way, in addition to the usual social engineering, reverse social engineering is also used, and possibly together with any of the above techniques. Its meaning is that the victim finds Sinjer himself. For example, sabotage – the victim can simply create a reversible problem with the computer. And if you also advertise yourself as someone who repairs computers, you can get the entire system at once.

Protection
The only reliable means of protection is anthropogenic protection, that is, protection of the person himself. This may include, for example, professional development of personnel in the field of security or at least small guides on how to act in such situations, even just "TSU". But, in the end, everything depends on the individual, regardless of whether he works in a company, or he is a regular user of a social network. With any "parcel", whether on the phone, under the door, or by e-mail, a person always needs to be aware of "what, from whom, to whom, why and why".

Examples of social engineering
In order to know what exactly to protect yourself from, I will give you some examples of social engineering. Although, in fact, anyone can come up with them and use them. Therefore, there are an incredible number of examples, as well as their authors.

Call:
"Good afternoon! Are you John Smith? You are concerned about the prosecutor's office of the Maskalyan region. Say you are registered in the social network Facebook under the name John Smith? Yes? The fact is that it was discovered that mass distribution of extremist materials is being conducted on your behalf. Do you know anything about it?" Don't you? In this case, we need to get access to your account. We'll just install an IP scanner to track down the culprit. Can you provide a password?»

An honest citizen will do as I say. But soon he will be disappointed. So pay attention to the phone number, ask the employee to introduce themselves, and find out if they actually have one.

Post on a social network:
"Hello there! Due to a recent problem on the server, the database of usernames and passwords was lost. If you are going to continue using our social network, please send your registration data to this address within two days, as the cache will be completely cleared and you will not be able to log in. Sincerely, Super-duper social network Administration»

It should be clear to a fool that the administration will never ask you for your passwords.

It is very easy, for example, to" make " a computer program that does not exist, but is very necessary.

Forum:
"Hello there! Looking for a programmer, salary 1000$ + full social package. Work in a prestigious company, possibly at home. As a test task, write such and such a program".

And the program is in your pocket. How to distinguish such a cheater? Quite difficult. You need to pay attention to its reputation, reviews about it, and so on. Especially since the contest is being held. But still real, but you need experience.

Sometimes you can find such a type of social engineering as test penetration, when the employee of the company (and so far hidden) steals his information on the instructions of the management to check the company for vulnerability. And then provides all the collected information to management. Especially in this case, Ire Winkler distinguished himself, who managed to steal absolutely all the company's data. After that, the director said "We should thank God that you don't work for our competitors”. You can read about this in Winkler's book "Industrial Espionage".

 

[CarderPlanet]

Social engineering, sometimes referred to as the science and art of hacking human consciousness, is becoming more and more popular due to the rise in the role of social media, email, or other forms of online communication in our lives. In the field of information security, the term is widely used to refer to a number of techniques used by cybercriminals. The latter aim to entice confidential information from victims or induce victims to take actions aimed at penetrating the system bypassing the security system.

Even today, with a huge number of information security products available on the market, a person still holds the keys to all doors. Whether it's a combination of credentials (login and password), credit card number, or online banking access, the weakest link in a security system is not technology, but human beings. Thus, if attackers apply manipulative psychological techniques to users, it is very important to know which techniques are most typical in a given situation, as well as to understand how they work in order to avoid trouble.

Social engineering is not a new concept at all, it appeared a long time ago. Famous practitioners in this science are, for example, Kevin Mitnick and Frank Abagnale, who today are leading security consultants. They are a living illustration of how criminals can turn into respected experts. For example, the same Frank Abagnale was one of the most famous and masterly fraudsters: he knew how to create many personalities, forge checks and deceive people, extracting from them confidential information necessary for the work of fraudulent schemes. If you've watched Catch Me If You Can, you have an idea of what a social engineering professional can do if he has a clear goal in mind. You just have to remember that the social engineer may use various fraudulent schemes, not limited to tricks related to technology or computers, to obtain the necessary information from you, so it is better for users to be wary of suspicious actions, even if they seem common. A classic technique, for example, is to entice a password in a phone call. It seems that no one in their right mind will tell their password to an outsider, but a call "from work" at 9 am on Sunday, requiring you to come for some small technical operation on your computer, changes things somewhat. When “your administrator” asks you to simply tell him the password so that he will do everything for you, you will not only provide the password, but also thank him for his concern! Well, maybe not you personally, but about half of your colleagues are guaranteed to do this. is to entice a password in a phone call. It seems that no one in their right mind will tell their password to an outsider, but a call " but also thank him for his concern! Well, maybe not you personally, but about half of your colleagues are guaranteed to do this. When “your administrator” asks you to simply tell him the password so that he will do everything for you, you will not only provide the password, but also thank him for his concern! Well, maybe not you personally, but about half of your colleagues are guaranteed to do this.

"A company can spend hundreds of thousands of dollars on firewalls, encryption and other security technologies, but if a fraudster can call a trusted employee and access sensitive information through him, all the money spent in the name of security has been wasted." says Kevin Mitnick.

Most cybercriminals will not waste their time on technologically sophisticated hacking techniques if the necessary information can be obtained using social engineering skills. Moreover, there are many websites that describe how these techniques work and the reasons for their success. One of these sites is called SocialEngineer.org, and it offers a very useful framework for theoretical study of the principles of social engineering, complemented by many real-life examples.
We use speech every day, influencing each other's actions, although we often do not notice it. But language from the point of view of social engineering has several disadvantages, since it is associated with our subjective perception of facts, in which we can omit some parts of the story, distort the meaning or make some generalizations. NLP, or neurolinguistic programming which was originally created for medicinal purposes is today considered a "mutated" form of hypnosis used by social engineers as a tool to manipulate and influence victims to induce them to perform actions leading to a successful attack. As a result of this tactic, the victim can provide his password, disclose confidential information, refuse any security measure, that is.

Although the link between psychology and hacking seems a little too far-fetched, in fact, online attacks are based on the same principles that underlie "offline" fraud. The principle of return ("if I do you a service, you will do me a favor"), the principle of social verification (you evaluate your behavior as correct if you observe the same behavior in the majority), admiration for authorities (showing a greater degree of trust in the police officer, doctor, a technical support employee, someone of a higher rank) are universal ways of building communication in society and satisfying our basic social instincts. The social engineer knows which buttons to press to get the desired response, bypass the rational thinking of a person, and it will only take them a split second to gain an advantage and get the necessary data from the victim.
However, in this article, we will focus more on the various techniques used by online scammers to illegally obtain information and profit from victims who "wanted the best." As we mentioned, the principles used for online fraudulent schemes are similar to those used in real life, but since the Internet is a huge information dissemination machine, a single phishing message can be sent to millions of recipients in a very short time. That is, in such conditions, this type of attack can turn into a win-win lottery: even if only a small part of the total number of potential victims falls for the bait, it still means huge profits for the organization or the person behind the attack.

“Doing what I did when I was young is much easier today. Technology is fueling the evolution of crime, ”says Frank William Abagnale.
Today, one of the most widespread methods of obtaining confidential information is phishing (the term is derived from a play on words password harvesting fishing). Phishing can be described as a type of computer fraud that uses the principles of social engineering in order to obtain confidential information from the victim. Cybercriminals usually carry out their actions using e-mail, instant messaging services or SMS, sending a phishing message in which they directly ask the user for information (by entering credentials in the fields of a fake site, downloading malware when a link is clicked, etc.), thanks to which the attackers get what they want with complete ignorance on the part of the victim.

We have seen the development of malware that largely uses the principles of social engineering. Previously, the fact that a computer was infected with a virus was very obvious: the user saw strange messages, icons, pictures - in a word, everything that revealed the involvement of an intruder. Today we are no longer surprised by examples of malware that gains access to victim systems through social engineering tricks and remains invisible to the user until it completes its task. The endless cat-and-mouse game between hackers and security companies confirms that education and awareness is a key defense mechanism for users. They should be aware of the news and new trends in the world of information security, as well as be aware of the key tactics of fraudsters.

Many interesting examples of hacking are based on social engineering techniques, which in turn help attackers deliver malware to victims. Among the most popular are fake updates to Flash Player and other popular programs, executable files embedded in a Word document, and much more.

Flash-update
Most of the attack methods described above are aimed at residents of Latin America, since technological threats of this type are not fully understood or common in the region, and if we also take into account that most computers run outdated software, this gives cybercriminals an excellent opportunity to make money. Only recently have some banks tightened up cybersecurity measures for online banking users, but many security vulnerabilities still contribute to the success of social engineering tactics. It is interesting that many of the features of this region have something in common with the Russian ones, so cybercriminals from the CIS and Latin America are very actively exchanging experiences and adopting successful findings from each other.

Other types of attacks are popular and don't even always fall into the category of computer fraud. A scheme known as' virtual kidnapping“, Uses the practice of social engineering, and the telephone acts as a means of communication. Attackers usually call the victim and say that the family member has been kidnapped and an immediate ransom payment is required to release him. The perpetrator creates a sense of urgency and fear, the victim fulfills the demands of the fraudster without even knowing if a relative has actually been kidnapped. A similar scheme is popular in attacks on the elderly and can be called a "virtual disease" - when the victim is called allegedly from the clinic, they say that in recent analyzes there are signs of a dangerous illness and you need to immediately go for an operation to save life, of course, paid. After payment, of course, no one is operated on, because there was no illness.

In light of this, it is very important to remember that any publicly available information that appears on social networks (VKontakte, Instagram, Facebook, Twitter, Foursquare, etc.) can also help criminals put two and two together and understand where you are, or find out some personal information. Targeted spear phishing attacks are not common, but if you are willing to provide valuable information without even thinking about the intended consequences, you only make it easier for scammers. Even Amazon wishlists can be a good tool for hacking with carefully selected tricks from the social engineer's arsenal.

As we said, installing a comprehensive security solution is a necessity today, especially if you use the Internet (and it is very likely that it is). Moreover, being aware of the news and trends in the world of online threats and social engineering will help you avoid these types of attacks (both online and in real life). Remember that all gadgets and security technologies are worthless unless you know how to use them correctly and are not aware of what attackers are capable of. The technology used by criminals is evolving and you need to keep up, so a little paranoia doesn't hurt these days.