Social engineering and trust

[CarderPlanet]

Salute, carders, now we will talk about social engineering and trust as a human factor.

The reasons why email addresses or social media accounts are taken away are completely different. But when close people found out my reason, I received condemnation. To some extent, I always understood that the goal of gaining access to the victim's social networks in order to receive certain correspondence is very immoral. On the other hand, I consoled myself with the thought that if the comrades had fallen into such a hook, then it meant they needed it.

These were two victims who had the information I needed. Both are men. I could find out this information only from them, but with one I hardly know, and the second was my sworn enemy. Their frequent activity on social networks gave hope that with someone in correspondence they discussed what I needed.

It was so important to me that for a couple of days I was just thinking how to get information. The thought of "hacking" came. But how? Moreover, in recent years, everyone has become more or less literate (set good passwords). In addition, today's applications have achieved a high level of protection. Therefore, technical hacking disappeared almost immediately in my thoughts. I made the decision to use social engineering. That being said, the method shouldn't be too complicated.

Different ideas and thoughts came to mind. I went over in my head the different weaknesses of each of them. And suddenly it dawned on women. He immediately wrote to a friend, asking if she wanted to take part in one extravagant case. We thought about different scenarios, but in the end I abandoned this idea, since everything turned out too complicated.

As a result, another idea came up.

I have registered a fake account. In the same social networks, I found a very pretty girl in some small Ukrainian town. The main thing is that it does not interfere with the fake. Then he began to fill out a questionnaire on facebook, uploaded a few photos. To be truthful, I needed "friends." I scanned various people who are very active (they, as a rule, add friends indiscriminately), filled a base of 10 people, and then many began to ask for friends themselves. Since my fake girl turned out to be very cute, I already had more than 50 friends in the evening.

The next day I was in for a fiasco. Facebook got suspicious and offered several photos of my friends, where it asked me to sign these photos with the question “Who is in the photo”. Of course, I did not know a single person and could not restore my account. And everything started anew, but gradually.

Friends have already been added selectively. Often these were those whom I knew at least from memory and could bypass this test. Joined the same groups in which the same victims participated. I found some articles that were thematically suitable for these groups, and began to publish. All this took about five days. I had a lie that, if I discovered it once, could not be repeated, so I acted very carefully and slowly.

One day he waited and began to receive comments on publications in the group from the victim. I deliberately published the most interesting topics for a particular person. It was not difficult to find out his interests; it was enough to look at which publications he was actively reflecting on. At first, there were just some replies, but I was waiting for the interactive and it happened, some kind of conversation ensued. From ordinary comments to publications, we gradually switched to personal correspondence. Then I watched his "likes" on "my" photos. After some time, they were offered a long-awaited friendship, which spilled over into acquaintance.

- Girl Nastya. Very nice. I work in an IT company as the most ordinary employee and try to become a programmer. If I can cope with one task, then they will definitely raise me up the career ladder and make a good salary.

The information is the simplest and most common, non-binding, not suspicious. While in correspondence I answer questions, invent a story of a lifetime, promise dates in some future. And in parallel, I register an account with a free hosting provider. I quickly make out a couple of static pages "Lorem ipsum", create comments there, supposedly left by someone else, and an authorization button leading to a form that looks like a facebook login form.

Yes, primitively, but this friend had nothing to do with IT, so I took this into account and just asked to leave a comment for the test on my "test project".

- My task is to leave a comment through the social network, - I write to him.

In the heat of feelings, he runs to the site, tries to log in and writes back that he cannot leave a comment, since after authorization the previous page appears again and there is no comment entry form.

- Oh, I found a mistake, I need to fix it, - Nastena answers him.

Of course, further Nastya became less active, and then stopped going online altogether. The fact that he tried to somehow contact her, ask for a phone number, etc., I already read from his account. Also lucky. He used the same password everywhere, which easily allowed me to get into VK and Mail.ru mail.

For the second victim, he had to work hard to create login forms for other social networks and mail, since he used different passwords everywhere. But with joy, for the sake of a beautiful lady, he tried all the methods, in fact, kindly giving me entrance.

Epilogue

Everything is simple to madness and does not even look like a kind of manual. But still, this is not a manual, but a moral: you cannot trust anyone, especially strangers on the Internet, especially beautiful strangers. Well, double authorization, which is already available almost everywhere, would have saved both.

 

[Tomcat]

What attacks are used in SE?
Emulating an employee with an urgent problem of access to the system. "Social engineering is used very often, especially for a burglar to do the" fine work "of stealing documents, etc. It has its roots in psychology and is now developing as a separate part. He is trained by spies, secret agents - in general, everyone whose business comes down to secret infiltration and covering their tracks. Human nature is such that we draw conclusions, analyze, but are these conclusions so often our own? Or do they need someone else like that? The most interesting thing is that a person does not notice anything. Until the very last moment, he believes that he decided so himself. Subtle manipulation of consciousness has been used at all times: even in antiquity. The "night demons", or ninja, suggestive of medieval Japan very actively practiced these abilities of the human mind along with hypnosis and so on. This method is also present in the skills of crackers (by the way, hackers too). Here, of course, everything is complicated by the fact that the attacker rarely comes into direct physical contact with the victim, which in some way complicates the task. In addition to hackers, social engineering is actively used by spammers in order to force the user to purchase this or that product.

Many people say that no one can be trusted. This is not so: you can and even need to trust, but only check, and the check is meant to be quite complicated. However, we will talk about this below. For now, let's define the targets of the attackers.

Social engineering goals
As already mentioned, the goals can be very different, but the same meaning is implied. This is the meaning of stealing information. Those who use social engineering pretend to steal information without too much attention, usually by making a copy. Then they can do whatever they want, sell, resell, blackmail the original owner, etc. However, statistics show that in most cases they work so subtly at the request of a competing organization, etc.

Methods and attacks
So we're getting to the attack methods. Social engineering is not only a psychological method of influencing a person directly, it also includes the use of the features of human psychology. Let's take a look at the most popular methods / types of attacks.

Human denial of service (HDoS)
You have noticed that the name is very similar to DoS. "Human denial of service" if translated. This has nothing to do with denial of service for servers. The essence of the attack is to force a person (imperceptibly for him, of course) not to react to certain situations. For example, to make sure that your every word is perceived as truth unconditionally and without comprehension. Distraction is also a type of attack. Let's say you make a false impression that you are performing one operation, but in fact you are doing something completely different. Thus, a victim who is too busy with one simply does not notice the other. Attacks of this kind are quite difficult to carry out, because. it is necessary to calculate well the psychology of the victim, her knowledge and reactions to such incidents. Let ' s say a distraction is the emulation of an attack on a port. While the administrator is busy with the "attack" logs, you can easily penetrate the server and take whatever you need. But at the same time, the administrator can know perfectly well that there are no vulnerabilities on this port, and then your penetration will be instantly detected. That is why it is necessary to understand: what level of knowledge does the administrator have?

Technical social engineering
This type of attack includes all those in which there is no “victim” and “impact on it” as such. In attacks of this type, the principles and stereotypes of society are used, which refers them to social engineering. As an example, the following reasoning can be cited: "Well, since the cameras are standing, then, most likely, no one will climb" or "The larger the organization, the stronger the opinion of people about its security"... These stereotypes are found everywhere - most believe that if this is, say, the site of a security organization, then no one can hack it. This is not so: everything can be hacked without exception. This method is more commonly known as situation analysis. A person sees that it will not be possible to go through the usual way (standard), and begins to look at other options, ie is engaged in analyzing the situation in which he found himself.

Call ...
Direct voice contact is implied. The attacker calls the victim and misleads the user with well-formed speech. This goes most smoothly when the attacker needs to introduce himself to those whom the victim does not know. It is enough just to overestimate your position and speak in a cold, angry tone. Naturally, the "boss" mechanism will work for the user, and he will become courteous, polite and will be ready to lay out whatever you ask him to do. It is most convenient to use this kind of attack in a company with a large staff, where people do not know each other and will willingly believe. Things get complicated when it comes to a medium to small company. There the staff is small, and it is very, very difficult to "wedge" into it. Then the attacker needs to act on behalf of the boss. What does it mean? I explain: the attacker calls and says that, at the request of the administrator, he is checking the functionality of the security system. Asks for a password / username and confirms the normal operation of the system. This is how an unsuspecting user gives himself the necessary information. Another way is to use a voice changer. Thus, the attacker simply imitates the voice of the one on whose behalf the operation is to be performed.

Personal eye contact
This is the most difficult operation. Only professional psychologists or specially trained people can perform it.
This is done in the following way: it is necessary to find an approach to the victim - so to speak, a "gate". This is calculated by analyzing his questions. For example, he very often asks the same question, but aimed at different areas - here they are, the "gate". The main thing for the attacker in this case is to talk to the victim “within these gates”, which will subsequently lead to the fact that the victim will like him very much as a person, and she will lay out everything that is necessary right away, “behind the eyes”, considering that that does not tell anything particularly important. This is the whole trick. It is very difficult, and if the voice can be faked, then facial expressions, skin color (meaning color change with excitement, etc.), the reaction of the pupils is not easy to fake.

Email
The most common "channel for work" is email. For social engineering, mail is used very actively. And, again, there are some difficulties here when trying to fog the mind with its use. The point is that if the attacker is going to send a “false letter” on behalf of a person with whom the victim is familiar, it is necessary to very accurately copy the writing style of the “false sender”. It's easier when the victim does not know the "sender". In addition, you need to take care of the header of the letter (header). This can be done using a standard mailer client. You can also do it manually. You can also use a telnet client when writing and sending a letter. Connecting to the standard port 25 of the mail server will allow you to do this. The last line, starting with Received, is usually the sender's address.

Instant messaging systems
So we got to icq. The program was developed not so long ago, but everyone actively uses it, despite its many shortcomings. Currently, there are many programs on the Web that can affect the operation of icq in one way or another. The list of their capabilities also includes sending a message on behalf of another user. Also, an attacker can carry out an attack in the form of specially formed text.

Preparing an attacker
As discussed earlier, an attacker must have a good understanding of psychology. There are three stages of preparation for this kind of attack:
... Determining the exact target. Determining the location of the final destination.
... Collecting information about the object of processing (victim).
... Development of an action plan. Moral preparation / training.
Let's take a closer look at each of the points.

Determining the exact target. Determining the location of the final destination
So, perhaps, the key to the success of any operation is precisely the exact knowledge of what you came for. This includes location. Let's remember for a second any of the robbery films - all serious options are thought out, and it is clearly defined why they are being carried out. Let's say the guys came to rob a bank, but they don't know where the money is, so they wander around the building in search of "an apartment where the money is." It's the same here. The attacker first tries to clearly define what kind of information he is hunting. If this is clear, then the operation is carried out quickly: by misleading the victim, root is obtained and the necessary information is copied. Moreover, knowing the exact location of information on the disk allows you to do it very, very quickly,

Collecting information about the object of processing
This is very important - perhaps more important than anything else. After all, before writing a letter, calling and meeting with the victim, you need to study her. This will allow you to understand the character of a person, his vulnerabilities, habits, etc. After all, if at a meeting an intruder offers to go to the object's favorite restaurant, this will already dispose him to him. In some cases (when it is necessary to forge the style of writing or communication), the attacker also studies who he is going to impersonate. This, naturally, delays the process of preparing the operation (attack), but significantly increases the chances. Almost everything can serve as a source of information about an object: analysis of traffic, mail, even cashier's checks (this will allow you to find out what goods he buys, how often, how much he usually spends, etc.). An attacker can watch an object for hours - this also gives a huge amount of information. By the way, specially trained people can reduce the time required to obtain information to a minimum. For example, special agents who are trained in making instant calculations and conclusions. Just one detail can lead to a whole chain of conclusions, but these are trained - most have to sit and watch)

Development of an action plan. Moral preparation / training
This is where you can see all the brilliance of the SE. But not always - this is because the majority of "home-grown craftsmen" simply take a textbook, copy an example, modify it to suit their situation, and that's it. In fact, it is necessary to calculate all the words (looks, facial expressions) depending on the object, because people are different, and everyone's reaction to the same word is different. One person will sincerely laugh if you play a little joke on him, and the other will immediately be offended, here. At this stage, simply colossal work is carried out in the field of psychology: literally every word is compared with the psychological model of the victim studied.

Access level
Naturally, when carrying out an attack using SE, just as in conventional attacks, there is a classification of the degree of access for a successfully carried out attack. This degree depends on the level of preparedness of the attacker and who the victim is. For example, if you decide to get hold of a regular user password, then when you use it, you will have user rights regardless of how you are prepared. Conversely, if you are poorly prepared, you will not even get user rights). There are four levels in total, below they are listed in descending order of authority:
... Administrator.
... Boss.
... User.
... Familiar.

This is how attacks using psychology are carried out. That's all. In general, my article contains a very small part of everything that can be told about social engineering and this is understandable, because the ability to manipulate people, so that they do not suspect about it, is very difficult (from a professional point of view ) and requires an explanation of all the little things. We don't need little things - let psychologists and those who need it do it.

 

[Jollier]

Learn more about trust​

Most people with trust have a huge confusion. They generally do not understand what trust is, they do not know how to handle it, and in general everything is turned upside down.
For example, the overwhelming majority of trust is a PASSIVE thing. I mean, they passively trust. Their trust is just a big hole into which you can do anything. And if you're lucky, they won't put their hand into this hole, and they won't turn it around, and they won't steal something from there, and they won't spit, and they won't throw all the abomination, and so on. They live like cuckoos with open beaks, leaving this entrance for anyone and anything, in the hope that no one will use it to their detriment, that their kind of trust will be VALUED, and even for this very "trust" they will be REWARDED ...
And when something is wrong, and trust is NOT JUSTIFIED, such people are indignant, shocked, embittered, deciding "but now NEVER trust ANYONE." Yeah. And what are they doing?
They do the SAME thing, though with a different sign.
They go into DISTRUST mode. Moreover, they have this mode ACTIVE. They don't just “don't trust” in the sense that there is no a priori trust. They actively distrust. They TO DO disbelief. They generate distrust. They are actively managing a process called "distrust". How do they do it? They IGNORE everything that comes to hand.
Both processes - passive trust and active mistrust - are inherently irresponsible.
In a healthy person, the opposite is true.
She has trust - an active process.
And distrust is passive. It's almost a lack of trust, with just a few important quirks.
The neurotic, with the help of his active, combative, aggressive distrust, fights, and proves something in this world. Someone. Testing for strength. Something or someone. Someone's intentions. And when his aggressive mistrust destroys the chances, miraculous opportunities, his own desires (under the yoke of fear or in the fire of rage or shame), the good intentions of other people, such a person experiences SATISFACTION: of course, his suspicions have come true! It was not in vain that he cherished and kindled a fire in the furnaces of his terrible active distrust for so many years!
Trust in its passive form, like a hole, is not the only way for neurotics to remain innocent about such important processes.
The most active neurotics use their trust (evolutionarily) in a more practical way, but (as a result) it is just as traumatic for themselves and those around them, who are drawn into their field by them.
Some neurotics try to invest their trust as a bank deposit. A kind of trading approach. They don't just wait. They are actively looking for someone to hook on their trust, then to parasitize on this. And if something happens, you can blame the one who was so nobly endowed with his trust, and who did not fulfill his duty, without justifying the great honor.
In fact, trust as a way to avoid responsibility for oneself. This form differs from the first, completely passive form of trust in the activity and purposefulness of a talented "investor". With a hole - he just sits and waits. This one is actively seeking and catching. But in essence, both types are the same. The position of the victim with a clear vector of unhappiness.
And with active mistrust, they also seal the exit from this cave of horrors.
P.S. I understand that I have not disclosed about active trust, I will definitely disclose it. Take a look at this text a little later. Or look for my other texts on this topic.
And further. Why does all this happen to people. Not from their free natural essence. And simply because most of them have NOTHING to USE when checking. Because the process of trust is also an important competence to CHECK reality against reality.
First of all, trust for me is a way to give a chance to reality - a chance to bring something new to me, which I can use. Trust (if we are not talking about basic trust in the world) should be a strictly metered thing. Trust in a person. To a specific person. Trust in a specific process. Sit on this stool - trust it or not. It is useful to know when you trust that the security / reliability of the environment is not infinite. Reliability and safety have limits. Therefore, I usually say: your trust is often close to hope. You don't "trust", you HOPE. Or - you fantasize about someone else's intentions, idealizing them, or someone else's capabilities and desires. Instead of fantasizing, you need to KNOW RIGHT. Trusting or not trusting your subordinate should not be based on hopes or guesses. You must ACTIVELY CHECK to KNOW. And then there will be no place for trust in business relations. As well as a place for distrust. You will simply be AWARE about different scenarios. In advance. This is forecasting.
When you say, "I trust my comrade," you are saying that you have studied him enough, and you can most likely predict his reactions, attitudes and choices in certain situations. But parachutists, paratroopers prefer to refuel their parachutes themselves. When the question of life and death is so acute, with such a short "shoulder" action-check-result, then no one is talking about any "trust". It's just that everyone controls the area that concerns him personally.
A short illustration can be the following principle: "Give in debt such an amount that you are ready to lose without regret." This is also not about "trust". And about responsibility.
And further. Trust is basically (don't believe it!) The ability to tolerate uncertainty. Ability in a given area to tolerate uncertainty. Think about it.

Author: Alexander Vakurov