What follows is in the author's own words:
A small introduction.
Information is one of the most important assets of the company. Information may constitute a commercial secret of the company, i.e., under existing or possible circumstances, increase revenues, avoid unnecessary expenses, maintain its position in the market of goods, works, services, or bring other commercial benefits to the company. Accordingly, such information must be protected.
Since every company employs people, the human factor inevitably affects all of the organization's processes, including the process of protecting confidential information.
"The human factor" is an established expression denoting a person's mental abilities as a potential or actual source (cause) of information problems when that person uses modern technology.
Any actions of a person associated with a violation of the security regime can be divided into two broad categories: intentional and unintentional actions.
Deliberate actions include theft of information by employees, modification of information, or its destruction (sabotage). This is an extreme case and you have to deal with it after the fact, involving internal affairs officers.
Unintentional actions include: loss of information carriers, destruction or distortion of information due to negligence. The person does not realize that his actions lead to a violation of the trade secret regime.
Unintentional actions also include "helping" the wrong people, that is, falling for so-called social engineering: the employee does not realize that his actions violate the trade secret regime, while the person asking him to act knows perfectly well that the regime is being violated.
Social engineering is a method (attack) of gaining unauthorized access to information or information storage systems without the use of technical means. The method relies on weaknesses of the human factor and is very effective. An attacker obtains information, for example, by collecting information about the employees of the target organization, by making an ordinary phone call, or by entering the organization under the guise of one of its employees.
Basic model of social engineering
It is assumed that each employee has their own level of competence in security matters and their own level of access. Line employees (for example, receptionists) do not have access to critical information, so even capturing their accounts and obtaining everything they know will not cause serious damage to the company. But their data can be used to move to the next stage, already inside the protected zone. For example, an attacker can learn the names of employees and then call someone at a higher level while introducing himself as one of them.
Don't believe me? Imagine a situation where an attacker calls the same call-center operator several times a week for a month. He introduces himself as an employee, brings a lot of positive emotions, talks vividly, clarifies some harmless trifles, and occasionally asks for minor help. Proper authorization is replaced by the simple fact that the person calls frequently. Ten, twenty, thirty times if necessary, until the calls become part of the routine. He is "one of us", because he knows various details of the company's work and calls all the time.
If you think that only incompetent users are susceptible to such attacks, open the book "The Art of Deception", where Mitnick describes in the introduction how he introduced himself as the lead developer of a project and persuaded the system administrator to grant him privileged access to the system. Note that this was a man who knew exactly what he was doing.
Let's analyze the main methods of social engineering:
Nonexistent links
An attack that consists of sending an email with a tempting reason to visit a site and a direct link to it, where the link merely resembles the expected site, for example, www.PayPai.com. It looks like a link to PayPal, but few people will notice that the letter "l" has been replaced with "i". When the victim clicks the link, they see a site that is as close a copy of the expected one as possible, and when they enter their credit card details, that information is immediately sent to the attacker.
One of the most well-known examples of a large-scale phishing campaign is the 2003 scam in which thousands of eBay users received emails claiming that their account had been blocked and that they needed to update their credit card information to unlock it. All of these emails contained a link leading to a fake web page that looked exactly like the official one. According to experts, the losses from this scam amounted to less than a million dollars.
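As an added, defender-side illustration of the lookalike-domain trick above (example code written for this page, not part of the original post): a small Python checker that folds visually confusable characters (PayPai becomes paypal) before comparing a URL's host against an allow-list of brand domains. It goes slightly beyond the post's single example by also catching one-letter typos and a brand name embedded as a subdomain. The allow-list, the confusable table and the sample URLs are constructed for the example.

```python
from urllib.parse import urlparse

# Brand domains to protect. Constructed allow-list for this example; a real
# deployment would load the organisation's own list.
KNOWN_DOMAINS = ("paypal.com", "ebay.com")

# Character sequences that look alike in common fonts, each folded to one
# canonical spelling before comparison ("PayPai" -> "paypal").
CONFUSABLES = {
    "rn": "m",   # r + n resembles m
    "vv": "w",   # v + v resembles w
    "cl": "d",   # c + l resembles d
    "i": "l",    # the PayPai trick from the post
    "1": "l",
    "|": "l",
    "0": "o",
    "5": "s",
}


def skeleton(text: str) -> str:
    """Fold visually confusable sequences into one canonical form."""
    s = text.lower()
    # Longest sequences first so that 'rn' is folded before its 'n' is touched.
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(src, dst)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: catches one-character typos such as 'paypel'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hostname_of(url: str) -> str:
    """Extract the lower-cased host; tolerate bare domains without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification: ignores suffixes like co.uk."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def lookalike_of(url: str):
    """Return the brand domain this URL imitates, or None if it looks legitimate."""
    host = hostname_of(url)
    domain = registrable_domain(host)
    if domain in KNOWN_DOMAINS:
        return None  # the genuine domain
    for known in KNOWN_DOMAINS:
        brand = skeleton(known.split(".")[0])
        # 1. confusable-character substitution (PayPai.com, paypa1.com)
        if skeleton(domain) == skeleton(known):
            return known
        # 2. single-character typo (paypel.com)
        if edit_distance(domain, known) <= 1:
            return known
        # 3. brand name used as a subdomain or embedded label
        #    (paypal.com.account-verify.example, ebay-secure.com)
        if brand in skeleton(host):
            return known
    return None


if __name__ == "__main__":
    for sample in ("http://www.PayPai.com/login", "https://www.paypal.com/signin",
                   "paypa1.com", "http://paypal.com.account-verify.example"):
        print(f"{sample:45} -> imitates {lookalike_of(sample)}")
```
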
Fraud involving the use of brands of well-known corporations
These phishing schemes use fake email messages or websites carrying the names of large or well-known companies. The messages may congratulate you on winning a contest held by the company, or insist that you urgently need to change your credentials or password. Similar fraudulent schemes can also be carried out by phone on behalf of a technical support service.
False emails with offers of freebies or something interesting.
The victim may receive an offer that plays on the two strings that move most people, greed and curiosity, for example:
Fake antivirus programs, also known as "scareware", are programs that look like antivirus programs, but in fact, the opposite is true. Such programs generate false notifications about various threats, and also try to lure the user into fraudulent transactions. The user may encounter them in email, online ads, social networks, search engine results, and even in pop-up windows on the computer that mimic system messages.
The user can receive messages stating that they have won a lottery held by a well-known company. Externally, these messages may look as if they were sent on behalf of one of the high-ranking employees of the corporation.
In the movie "Who Am I", this method is used when the hackers send the victim an infected email, apparently from someone the victim knows, containing a postcard with the caption "look what kittens".
IVR or phone phishing
Phone phishing, or vishing (from "voice phishing"), is named by analogy with phishing. It is one of the methods of fraud using social engineering: attackers, using the telephone and playing a certain role (bank employee, buyer, etc.), lure confidential information from the payment card holder under various pretexts, or encourage them to perform certain actions with their card account or payment card.
As for IVR systems, this technique relies on a system of pre-recorded voice messages that recreates the "official calls" of banking and other IVR systems. Usually the victim receives a request (most often via a phishing email) to contact the bank and confirm or update some information. The system requires user authentication by entering a PIN or password. Therefore, having recorded such prompts in advance, an attacker can collect all the necessary information; for example, anyone can record a typical prompt such as "Press one to change your password."
Phone phreaking
Phreaking is a term for experimenting with and hacking telephone systems by manipulating the audio tones used for signalling. The technique appeared in the late 1950s in America. The Bell Telephone Corporation, which then covered almost the entire territory of the United States, used tone signalling to transmit various service signals. Enthusiasts who managed to reproduce some of these signals gained the ability to make free calls, set up telephone conferences, and administer the telephone network.
Pretexting
Pretexting is an attack in which the attacker introduces himself as another person and follows a pre-prepared scenario to extract confidential information. This attack requires proper preparation, such as knowing the date of birth, INN (taxpayer number), passport number, or the last digits of the account, so as not to arouse the victim's suspicion. It is usually carried out by phone or email.
In the TV series "Mr. Robot", this method is used in one of the episodes, when a hacker calls a victim posing as a bank employee and extracts personal information from him, such as the pet's name, date of birth, etc., which he later uses to brute-force the password to the victim's account.
Quid pro Quo
Quid pro quo (Latin for "something for something") is an expression usually understood as "a favour for a favour". In this type of attack, the attacker contacts the company via a corporate phone number (using acting skills) or by email. Often the attacker introduces himself as a technical support employee who reports technical problems at the employee's workplace and offers help in fixing them.
Road apple
This attack method is an adaptation of the Trojan horse and relies on physical media. The attacker plants "infected" storage media in public places where they can be easily found, such as toilets, parking lots, canteens, or the workplace of the targeted employee. The media are made to look like official property of the company under attack, or carry a label designed to arouse curiosity.
In the TV series "Mr. Robot", this method is used in one of the episodes, when the hackers scatter flash drives containing malware at a police station, and one of the policemen picks one up and inserts it into a computer to see what is on it.
Collecting information from open sources
Applying social engineering techniques requires not only a knowledge of psychology, but also the ability to collect the necessary information about a person. A relatively new way to obtain such information is to collect it from open sources, mainly social networks. For example, sites such as LiveJournal, Odnoklassniki, and VKontakte contain a huge amount of data that people do not even try to hide. As a rule, users do not pay due attention to security, leaving freely available data and information that an attacker can use.
An illustrative example is the story of the abduction of Eugene Kaspersky's son. During the investigation, it was established that the criminals found out the schedule of the day and the routes of the teenager from his records on the page in the social network.
Even if you restrict access to the information on your social network page, you cannot be sure that it will never fall into the hands of scammers. For example, a Brazilian computer security researcher showed that it is possible to become a friend of any Facebook user within 24 hours using social engineering techniques. During the experiment, researcher Nelson Novaes Neto chose a victim and created a fake account of a person from her circle: her boss.
In the future, I will post an article in which I will describe the most effective ways to collect information about the victim from open sources.
Shoulder surfing
Shoulder surfing involves watching the victim's personal information over their shoulder. This type of attack is common in public places, such as cafes, shopping centers, airports, train stations, and public transport.
A survey of IT professionals about security showed that:
85% of respondents admitted that they had seen confidential information they were not supposed to know;
82% admitted that the information displayed on their screen could be seen by unauthorized persons;
82% are not sure that anyone in their organization will protect their screen from unauthorized persons.
Reverse Social Engineering
Reverse social engineering is the case where the victim themselves offers the attacker the information they need. This may seem absurd, but in fact, individuals with authority in the technical or social sphere often receive user IDs, passwords, and other important personal information simply because no one doubts their integrity. Note that genuine support staff never ask users for their ID or password; they do not need this information to solve problems.
I'll give you an example:
An attacker working alongside the victim renames a file on the victim's computer or moves it to another directory. When the victim notices that the file is missing, the attacker claims to be able to fix it. If the victim wants to finish the work faster or avoid punishment for losing the information, they agree to the offer. The attacker claims that the problem can only be solved by logging in with the victim's credentials, so the victim now asks the attacker to log in under their name in order to try to recover the file.
Conclusion
We have analyzed the main methods of social engineering, and in the future we will talk about each of these methods in more detail, as well as try them out in practice and see what happens!
Some of the information for this article was taken from Wikipedia, some from Habr. For your convenience and mine, I formatted it at my discretion and supplemented it with my own comments.