Блог шоплифтера
In this article, we will raise the topic of social engineering (SE). After all, only with the help of SE knowledge and skills can you realize your technical skills and knowledge.
If we attack the base, then we have a certain percentage of people who will click on the link and enter the data. This can be 5-10-50% of the total. It all depends on our training and knowledge of the target audience.
It is completely different when you need to get access to a specific person or company. In most cases, left-hand letters to social networks and mail are indispensable. It is very important to use SE to gain confidence or to use one of the techniques. To do this, I wanted to talk about possible techniques that Kevin Mitnick describes in detail in the book "The Art of Deception".
And before analyzing specific schemes, I want to add a quote: "The human factor is really the weakest link in security."
Scheme 1: Do no harm
The beginning of the book describes very well that you need to work carefully with the participants in the process. A social engineer needs to make a lot of calls and send enough emails, and at certain points our target may become suspicious. The attacker is said to have burned the source if he makes it clear to the victim that an attack has occurred. This information can be passed on to management, security, etc. After that, it is very difficult to use this source for future attacks.
You should always monitor the mood of the person on the other end of the line, which can range from "I completely trust you" to "I will go to the police." It is also worth paying attention to how the person answers the questions. If you understand that there are doubts and suspicions, then you need to reduce the number of questions to the victim and use the "question topic" technique. The topic of the question is an opportunity to understand by the tone of voice whether a person is suspicious of such a call. If the tone of voice does not change and the victim answers the question, then in general it is possible to continue the conversation, since there is no suspicion.
Legend. Confident justification removes suspicion. We can say that information is needed to write a scientific paper from a university or conduct social research. Your legend should be credible and as close to the truth as possible.
2-3 additional questions at the end. Be sure to ask a few additional questions after receiving the necessary information. If even after some time suspicions arise, the victim will remember these last 2-3 questions.
Scheme 2: Receiving information
To communicate with employees of companies or a target, it is necessary to know as much information as possible so that our target has confidence in key characteristics. Sometimes, to get all this data, you need to make several calls and collect all the information bit by bit. To do this, you need to prepare well and take into account the recommendations.
To get contacts, you can call the company where the victim works and present a legend about how you worked with some department or a specific person, but then lost contact. There is nothing suspicious about this, and for the company, customers = money. And in most cases, they will share the necessary contacts with you.
In all conversations, it is necessary to have a friendly tone and use professional slang. This allows you to get a minimum of trust among the employees of the company.
Possession of corporate information. Thus, it is possible to increase the level of trust by knowing the names, structures and positions of employees, as well as certain working conditions, server names, certain procedures, etc.
Scheme 3: "Working with specific employees of the company"
Very often, the victims of social engineers are new workers and maintenance personnel who do not have access to computer systems and networks. New employees always want to help and prove themselves, so they make good contacts and may not know all the rules of work in the company.
Personnel on duty or other staff can bring out printed material that is very important without suspecting any danger. In the book, this is described in the story with the reference book of test numbers, which was obtained by simple deception. The social engineer called and introduced himself from the telephone magazine publisher and indicated that he could not produce new issues until he received the old one. Thus, the magazine was left outside the door and successfully obtained by the social engineer.
Do not provide access to computer servers and systems to new employees without training in information, systems, and networks.
All employees must undergo information security training, regardless of whether they have access to automated systems or not.
All information must be classified. If the information does not have a designation in the company's information security policy, then it should be classified as confidential.
Security training should emphasize: when in doubt, check, check, and check again!
Scheme 4: "Let me help you"
This is a very effective scheme. People are subconsciously grateful to those who are ready to solve their problem. And social engineers are using this moment to their advantage. They know how to create a problem and then provide an option for a solution. Once gratitude has been expressed, you can convey the necessary virus or get the necessary information, because no one suspects any threat.
Chapter 5 describes the story of a social engineer who called one of the employees and introduced himself as being from the help desk. He warned that the Internet connection might be cut off and that, if this happened, the employee should call a specific number. After that, the social engineer called technical support and, posing as an employee of the company, asked to disable access to his computer. The scheme worked and the target called back the number that had been left. After that, the social engineer asked the support service to reconnect the Internet, and against the background of this problem, he suggested installing a program that would avoid this in the future. It was a virus that allowed full access to the target's computer.
Do not involve outside employees who can solve your problem. Pay close attention to problems that someone discussed with you earlier, or that someone warned you about while leaving a number to call.
If it so happened that you had to involve outside employees to solve the problem, then do not take any further action after the problem is solved, especially if the person asks you to enter commands on the command line or run a file.
The scheme with a simple request for help works quite effectively. By nature, people tend to help others. Usually the social engineer puts himself in the position of "I'm in trouble - I need help." The better thought out your "problem", the more chances of success.
The book describes a good example of an attack at a time when it snowed and the road conditions were bad. Then the social engineer took advantage of the situation and used the bad conditions on the road as a misfortune and asked for access to work from home. In this way, it was possible to bypass two-factor authentication.
Companies need to use the employee number directory. It should be stored as confidential information. Then you can check the information and clarify whether the caller is really an employee of the company.
It is necessary to develop a procedure that accurately describes the situation of granting access to a particular system. To do this, it is necessary to take into account access levels, information security policies, etc.
You should always be attentive to such requests. Indeed, in this story, the leader himself confirmed such a request and "helped" the social engineer to gain access.
Conclusion
Despite the fact that the book was published in 2004, many techniques are still relevant today. The main thing is to have an idea of how it works in practice. Thus, it is necessary to be attentive to all kinds of requests and education, as among them there may be attacks from social engineers.