Magicians, sorcerers and their methods of social engineering

[Lord777]

This is not an instruction. This is an article, one of many that any businessman who is trying to hone his practice will not be amiss to read.
Once upon a time there was a girl named Marina in the town of Krasnoarmeysk near Moscow. She loved and believed, so much so that she was ready for anything. And he, the scoundrel, began to walk. Good people advised the unfortunate grandmother who makes a love spell. She paid 1200 rubles - it worked, for three whole weeks. Then the guy took it, and again went on a spree. The girl laid out even more money, asked for a stronger spell-so that for life. The fortune-teller took the money willingly, and she made a strong spell, but she didn't guarantee it for life.

Magic has been around since the earliest days of human civilization. The ancients conjured the forces of nature, trying to avoid damage from bad weather. Mystical activities preceded any business, whether it was a military campaign, hunting, or even cooking. No decisions were made without the shaman's advice - there are many examples in history when these people actually ruled a tribe or state. Without sufficient knowledge to explain what was happening around them, man had no choice but to trust the gods and their intermediaries on Earth.

Human vices also originated at the dawn of human civilization. They also fought crime with the help of mysticism. So, the ancient Egyptians, concerned with the problem of protecting property from the encroachments of thieves, left a terrible inscription on the house with a magical curse to anyone who covets private property, or, for example, a promise of divine punishment. According to sources, no one came close to such a house.

Superstitions and prejudices became relevant again in the third millennium.
Many of our contemporaries use magic services today. The resulting conjuncture allowed the formation of a whole class of people who exist at the expense of "magic" incomes. Methods of divination and divination are multiplying every day. In Japan, for example, a popular fortune teller practices, which predicts the future of women by the shape of their breasts. There is an incredible demand for the services of a fortune teller who guesses on the client's mobile phone.
Note that the following concepts are firmly established in our vocabulary: "psychic", "karma", "aura", "love spell", "damage", etc. Almost no one thinks to doubt the existence of poltergeists and brownies, and "living" aliens were met by a friend of a friend of every second of us.

And the horoscope? What only there is no-eastern, zodiac… Almost any publication considers it a duty to post a star forecast on its pages. Everyone clearly knows under which zodiac sign and in which year according to the eastern (Druidic, floral, etc.) calendar, was born. Without checking your horoscope (s), you may be afraid to leave the house: what if the stars don't advise you?

You may not believe in magic, parapsychology, and other healing techniques, but the scale of the business based on such services is impressive. In Moscow alone, there are about 30 large centers and schools operating on this market. The monthly turnover of such institutions ranges from $60 thousand to $120 thousand. But almost 80% of the entire market belongs to singles.

It is not difficult to find witches and hereditary sorcerers, just open any newspaper with ads. Despite the abundance of suggestions, the principle of operation of all these gifted magicians, oddly enough, is the same. They usually work in their own apartment, less often in a rented room. One of the rooms is usually equipped for a ritual hall: on the walls there are Hindu and Buddhist symbols, Tantric swastikas.

Magic menu.
All occultists have the same set of services. The scheme of "service" is simple: as a result of all sorts of magical actions, it certainly turns out that the client has the heaviest damage, evil eye or curse, which must be removed in the shortest possible time, otherwise the whole life of a person will be haunted by trouble. Of course, only a magician can do this. The procedure is incredibly complex, so the unfortunate person will have to pay a tidy sum.

But that's not all. Do you want to return or love a loved one with a 500% guarantee, correct karma, eliminate breakdowns in the biofield, get rid of the evil eye, damage, the crown of celibacy, block the energy replacement of organs? Gild the handle: the procedure will cost $20-1000. They will be happy to tell you about the past or the future for $3-50, and they will easily program you for wealth for $50-1000. Some will easily restore potency.

By the way, magicians and sorcerers are sensitive to the economic situation: often there are ads of "magic" offices advertising their "spells for debt repayment". The magician will return the money for only 10-20% of the debt amount, the stolen car is not a problem to return to the owner for $500-3000, sexual reorientation costs $1-5 thousand. A missing person will be found for $50-300, and a dog - for $20-100.

It may happen that the" gift " is discovered in your possession. This is another wonderful "diagnosis" that witches and witchers "establish". It goes something like this: "Actually, you're a witch yourself. Do you know about this? You can do everything yourself. If you want, come to my black magic course. In three months, I will teach you how to use your gift. Then-initiation into the magi. You can cast a spell on anyone you want and, if you want, make a lot of money in a year. Tuition is "only" $500 per month." By the way, there are more and more parapsychological schools every day.

A few words about other magical services. At your request, a witch or magician will cast a spell on an enemy (as a rule, this action involves manipulating cemetery land) or eliminate a business competitor for $200-2000. This service, according to the magicians themselves, is in high demand. Of course, there won't be any loud spells and bubbling cauldrons. They will talk to the client, read fortunes, make a horoscope, and "work with energy".

However, there are exceptions. We are talking about the so-called ritual magic. For example, a love spell with the help of envolting (this is the name of working with a wax doll). For 24 hours, the voodoo priest continuously sculpts the victim's doll out of wax, gradually mixing in so-called "bindings", the best of which are the victim's hair, nails or blood. The wizard's blood is also added to the wax. Then the customer must defend the morning and evening services in the church with the doll for three days - this is how the victim's guardian angel is "driven" into the doll.

To repay a debt, for example, the victim's photo is tied with a red thread to a large stone and the customer throws the stone into the river so that the photo can be seen from under the water. When the image from the photo disappears, the debt will allegedly be returned. Voodoo zombification is extremely rare. In St. Petersburg, these rites cost $30-500, in Moscow at least $1 thousand.

Necromancers are also in demand in the capital - these are sorcerers who use the ashes of the dead for divination. The material for the ceremony is literally dug up in the cemetery. Summoning the spirit, conjuring on the bones or ashes of the deceased, it turns out that you can find out the credit card number of the deceased or the bank account of any of the living millionaires. You can ask the spirit to cause harm to any person or, conversely, order a good deed, paying an amount of $500 or more.

The magic business is quite affordable. It is not difficult to open your own "witchcraft agency": to do this, it is enough to register a company whose charter will state: "Providing consulting services to the population in the field of sociology". After that, you can rent an apartment in any part of the city. Just a few ads are enough and the work front is secured. Just one complication: the competition is high right now.

The presence of magical abilities in witches and witchers can be doubted. Although almost all of them really have one wonderful talent: they can suddenly disappear. And this applies even to more or less well-known personalities in the market. Elena K.: "This summer I used the services of the Academician of Higher Magic Ilya German. I couldn't return the $100 I spent for nothing, or even the photos. At first, the phone was hung up on the other end of the line, and then I was told that the office had moved to no one knows where".

 

[Mutt]

Social engineering 2021

In this article, we will raise the topic of social engineering (SE). After all, only with the help of SE knowledge and skills can you realize your technical skills and knowledge.

If we attack the base, then we have a certain percentage of people who will click on the link and enter the data. This can be 5-10-50% of the total. It all depends on our training and knowledge of the target audience.

It is completely different when you need to get access to a specific person or company. In most cases, left letters to social networks and mail are indispensable. It is very important to use SI to gain confidence or to use one of the techniques. To do this, I wanted to talk about possible techniques that Kevin Mitnick describes in detail in the book "The Art of Deception".

And before analyzing specific schemes, I want to add a quote: "The human factor is the weakest link in security ."

Scheme 1: Do no harm
At the beginning of the book it is very well described that you need to work carefully with the participants in the process. A social engineer needs to make a lot of calls and send enough emails, and at certain points our target may suspect something suspicious. The attacker is considered to burn the source if he makes it clear to the victim that an attack has occurred. This information can be transferred to management, security, etc. After that, it is very difficult to use this source for future attacks.

Recommendations from Mitnick:

You should always monitor the mood of the person on the other end of the line. From the state of "I completely trust you" to "I will go to the police." It is also worth paying attention to how the person answers the questions. If you understand that there are doubts and suspicions, then you need to reduce the number of questions to the victim and use the "Personal question" technique.
A personal question is an opportunity to understand by the tone of voice whether a person is suspicious of such a call. If the tone of voice does not change and the victim answers the question, then in general it is possible to continue the conversation in it there is no suspicion.
Legend. Confident justification removes suspicion. We can say that information is needed to write a scientific paper from a university or conduct social research. Your legend should be credible and as close to the truth as possible.
2-3 additional questions at the end. Be sure to ask a few additional questions after receiving the necessary information. If even after some time suspicions arise, the victim will remember these last 2-3 questions.

Scheme 2: Receiving information
To communicate with employees of companies or a goal, it is necessary to know as much information as possible so that our goal has confidence in key characteristics. Sometimes, to get all this data, you need to make several calls and collect all the information bit by bit. To do this, you need to prepare well and take into account the recommendations.

Recommendations from Mitnick:

To get contacts, you can call the company where the victim works and present a legend about how you worked with some department or a specific person, but then lost contact. There is nothing suspicious about this, and for the company, customers = money. And in most cases, they will share the necessary contacts with you.
In all conversations, it is necessary to have a friendly tone and use professional slang . This allows you to get maximum trust among the company's employees.
Possession of corporate information. Thus, it is possible to increase the level of trust by knowing the names, structures and positions of employees, as well as certain working conditions, server names, certain procedures, etc.

Scheme 3: "Working with specific employees of the company"
Very often, the victims of social engineers are new workers and maintenance personnel who do not have access to computer systems and networks. New employees always want to help and prove themselves, so they make good contacts and may not know all the rules of work in the company.

Personnel on duty or other staff may bring out printed material that is very important without suspecting any danger. In the book, this is described in the story with the reference book of test numbers, which was obtained by simple deception. The social engineer called and introduced himself from the telephone magazine publisher and indicated that he could not produce new issues until he received the old one. Thus, the magazine was left outside the door and was successfully obtained by the social engineer.

Recommendations from Mitnick:

Do not provide access to computer servers and systems to new employees without training in information, systems, and networks.
All employees must undergo information security training, regardless of whether they have access to automated systems or not.
All information must be classified. If the information is not indicated in the company's information security policy, then it should be classified as confidential.
Safety training should emphasize: When in doubt, check, check, and check again!

Scheme 4: "Let me help you"
This is a very effective scheme. People are subconsciously grateful to those who are ready to solve their problem. And social engineers are using this moment to their advantage. They know how to create a problem and then provide an option for a solution. After expressing gratitude, you can convey the necessary virus or get the necessary information, because no one suspects of any threat.

Chapter 5 perfectly describes the story when a social engineer called one of the employees and introduced himself from the help desk. He indicated that it would be possible to turn off the Internet and if this happens, then it is worth contacting a specific phone. After that, a social engineer called technical support and asked to disable access to his computer, posing as an employee of the company. The scheme worked and the target called back the number they had left. After that, the social engineer asked to connect the Internet to the support service, and against the background of this problem, he suggested installing a program that would avoid this in the future. It was a virus that allowed full access to the target's computer.

Recommendations from Mitnick:

Do not involve outside employees who can solve your problem. It is worth paying close attention to the problems that were discussed earlier. Or someone warned and indicated the number for calls.
If it so happened that you had to involve employees to solve the problem from outside, then you do not need to take any action after solving the problem. Especially if a person asks you to enter commands on the command line or run a file.

Scheme 5: "Asking for help"
The scheme with a simple request for help works quite effectively. By nature, people tend to help others. Usually the social engineer puts himself in the position of "I'm in trouble - I need help." The better thought out your "trouble", the more chances of success.

The book describes a good example of an attack at a time when it snowed and the road conditions were bad. Then the social engineer took advantage of the situation and used the bad conditions on the road as a misfortune and asked for access to work from home. In this way, it was possible to bypass two-factor authentication.

Recommendations from Mitnick:

Companies need to use a directory of employee numbers. It should be stored as confidential information. Then you can check the information and clarify whether the caller is really an employee of the company.
It is necessary to develop a procedure that accurately describes the situation of granting access to a particular system. To do this, it is necessary to take into account access levels, information security policies, etc.
You should always be attentive to such requests. Indeed, in this story, the leader himself confirmed such a request and "helped" the social engineer to gain access.

Conclusion
Despite the fact that the book was published in 2004, many techniques are still relevant today. The main thing is to have an idea of how it works in practice. Thus, it is necessary to be attentive to all kinds of requests, since among them there may be attacks from social engineers.