How to hack a person?

Mutt

Social engineering is an interesting phenomenon in our world. It allows you to hack any security system using the most vulnerable part of it - the human. Over the past two years, social engineering has stolen $2 billion from 100 banks.

In truth, not all social engineers are crooks. Some can restore a company's reputation after an attack by competitors, for example by learning the data of an anonymous commenter or informant and asking them to remove a negative review or libelous statement. On forums, social engineers engage in conversations with negative audiences and use neurolinguistic programming techniques to influence their opinion.

Below I will describe real cases from life; these are really very cool scams. I'll start with the scams in which no security systems were hacked, and "hacking of human consciousness" was used instead.

Victor Lustig (1890-1947)
In the 1920s and 1930s, there was a man named Victor Lustig. In general, he was a very cool swindler, spoke 5 languages and used many different documents and names to carry out his scams. Some of them will be discussed below.


One of the legends associated with the name of Lustig is the story of his "collaboration" with Al Capone. In 1926, a well-dressed, tall young man visited the famous gangster. The man introduced himself as Count Victor Lustig. The essence of the meeting was as follows: he offered to double the 50 thousand dollars that Capone would give him. For a bandit the amount was not that big, and he didn't mind doubling it. I don't know how long it took him to decide, but he still decided to check whether the stranger could really do what he promised. As a last resort, he would always have time to kill him. The term of the deal was 2 months. The stranger put all the money in a bank in Chicago and then went to New York. Naturally, he was not going to double anything. But two months later he returned to Al Capone, gave back his money and said that he could not do anything. The gangster replied, "I was expecting $100,000 or nothing. But ... get my money back ... Yes, you are an honest man! If you're in trouble, take this at least." And he gave the count 5 thousand dollars. Needless to say, these 5 thousand were the target of the whole scam.

Eiffel Tower Sale
This scam is more ingenious, and the sum is much more serious than some 5,000 dollars. One day Victor had a chance to earn a really large sum. In May 1925, Victor Lustig arrived in Paris with his friend and companion Dan Collins. On the very first day of their arrival, their attention was attracted by an article in a local newspaper. It said that the famous Eiffel Tower was in a terrible state and the city authorities were considering dismantling it.

The idea of a brilliant scam was born instantly. To implement it, a luxurious room was rented in an expensive hotel and documents were made claiming that Victor Lustig was the deputy head of the Ministry of Post and Telegraph. Then invitations were sent to the five largest metal dealers. The letters contained an invitation to an important and absolutely secret meeting with the deputy general director of the department at the Crillon Hotel, at that time the most prestigious hotel in Paris.

After meeting the guests in a luxurious apartment, Lustig made a lengthy speech about how the maintenance of the Eiffel Tower costs the state a pretty penny. He said that it was built as a temporary structure for the World Exhibition in Paris, and that now, 30 years later, it was so dilapidated that it simply posed a threat to Paris, and the city authorities were considering the possibility of demolishing the tower. Therefore, a kind of tender for the purchase of the tower was announced among those present.

This proposal aroused great interest among the invitees, but Andre Poisson was especially interested in it. He was inspired not only by the obvious financial benefits of the deal, but also by the opportunity to go down in history. Maybe it was this vain interest that Lustig noticed, and it became the reason that after some time it was Monsieur Poisson who was invited to a confidential meeting.

During this meeting, Victor Lustig behaved somewhat uneasily. He told Poisson that he had every chance of winning the tender and that, for a complete victory, he just needed to "promote" his candidacy a little with a small reward to Victor personally. Prior to this meeting, Monsieur Poisson had had suspicions: why did all the meetings related to the tender take place in such a secret atmosphere, and not even in the offices of the ministry, but in a hotel room? But such extortion by an official, oddly enough, dispelled Poisson's last doubts about the suspicious transaction. He counted out several large bills and persuaded Lustig to take them, then wrote out a check for a quarter of a million francs, received the documents for the Eiffel Tower and left happy.

When Monsieur Poisson began to suspect something was wrong, Victor Lustig had already fled to Vienna with a suitcase of cash obtained from the check Poisson had written.

How the tweet affected the country's economy
In April 2013, a fake tweet appeared on the Twitter profile of The Associated Press that hit the global economy hard.

Translation: "Urgent: Two explosions in the White House, Barack Obama is injured"


On this news, stock indices collapsed. The situation recovered when the White House denied the report. The Syrian Electronic Army claimed responsibility for the hack. It was also reported that, before that, the hackers had sent an email in the name of one of the AP employees to "colleagues", asking them to follow a very important link. There the user was asked to log in by entering a username and password. This is how the attackers tried to obtain the credentials of the editorial staff's personal accounts.

This situation shows how vulnerable organizations are to such cyber attacks. Today it is The Associated Press, and tomorrow it may be any other company in whose name attackers can send out viral messages that damage its reputation.

Social engineering in Russia
There are many precedents for thefts by social engineering methods in Russia. In 2016, such schemes stole 650 million rubles from the cards of Russians. This, according to the Izvestia news agency, is 15% less than in 2015. But by the end of 2017, according to forecasts, this figure will jump to 750 million rubles.

Criminals are developing new schemes - they pose as tax inspectors and extort money to "pay off debt", or they pose as bank employees and demand PIN codes.

None of the usual means of protection (antiviruses, firewalls) will save you from such attacks. It is important to create security policies, educate users, and define the rules for using devices within the company. It is also important to create a system that warns about a possible threat, assign those responsible for technical support, and organize a double check.

Scam on behalf of top managers
In 2015, $40 million was stolen from Ubiquiti Networks. Nobody hacked operating systems. Nobody stole data. The security rules were violated by the employees themselves. The scammers sent an email in the name of a top manager of the company. They simply asked the finance staff to transfer a large amount of money to the specified bank account. This method of social engineering plays on a person's weaknesses, for example the desire to serve those in authority.

Psychologists conducted an experiment (for more details see the book "The Psychology of Influence" by Robert Cialdini, 2009). Posing as the head physician, they called nurses and ordered them to administer a lethal dose of a substance to a patient. Of course, the nurses knew what they were doing, but in 95% of cases they followed the command (the authors of the study stopped them at the entrance to the ward). Moreover, they did not try to confirm the identity of the doctor. Why did the nurses do this? Obedience to authority. The same thing happened in the Ubiquiti case.

Hacking a bank
In 2007, one of the most expensive security systems in the world was hacked. No violence, no weapons, no electronic devices. The man took $28 million worth of diamonds from the Belgian bank ABN AMRO using only his charm.


Fraudster Carlos Hector Flomenbaum, a man with an Argentine passport stolen in Israel, had won the trust of bank employees a year before the incident. He pretended to be a businessman and handed out chocolates. On one occasion, employees gave him access to a secret vault holding 120,000 carats of gems. Later, this case was recognized as one of the most high-profile robberies.

Moral of the story: it doesn't matter what kind of technology is used and how expensive it is - as long as there is a human factor, the system is vulnerable.

Often, as in the example above, the social engineer does not even need to gain the trust of the "victims" and manage them. It is enough to competently use information that is in plain sight: mail on the desktop, notifications on the phone screen, or garbage. A social engineer can get data without putting pressure on people.

As you can see, social engineering is actively used for various kinds of scams, and the scale of some of them really boggles the mind.
 