Social engineering

Carding

Social engineering is a method of manipulating the thoughts and actions of people. It is based on the psychological characteristics of the individual and the laws of human thinking.

Sometimes you can find social engineering interpreted as a method of gaining unauthorized access to classified data, which is not entirely true: a number of techniques of psychological influence can be used legally. However, these days, obtaining sensitive information that has value is still one of the main areas of application of social engineering.


In social engineering, there are several techniques used to accomplish a given task. All of them are based on mistakes made by a person in behavior. For example, phishing is used to collect usernames and passwords by sending emails and messages encouraging the victim to provide information of interest to the attacker. Pretext is about impersonating another person in order to obtain the desired data. Such an attack is carried out by telephone or mail. It is preliminarily prepared to inspire the user's confidence.

You can get information about a person through open sources, mainly from social networks. One social engineering technique is "shoulder surfing", which is used in transportation, cafes and other public places to observe computer devices and telephones over the victim's shoulder. There are situations in which the user himself offers the fraudster the necessary information, being confident in the decency of the person. In this case, they talk about reverse social engineering.

Social engineering threat classification

All threats directed at the user through social engineering can be divided into several groups.

  • Threats from using the phone. The telephone is the most popular means of communication, therefore it serves as an excellent tool for influencing a person. It is easy to impersonate someone else on the phone, therefore, using acting, the attacker easily convinces the victim to transfer a certain amount to a bank account or provide personal information. There are widespread methods of fetching money through messages ("smishing") and phone calls about winning competitions or lotteries, requests for money transfers for urgent needs. For safety, it is recommended to be skeptical about dubious SMS-messages, ignore the links coming in them. It is necessary to verify the identity of the subscriber, use the number identification service.
  • Threats from emails (phishing). By e-mail, letters may come containing false information on behalf of banks and other institutions, forcing you to follow the link and enter your personal data. By mail, as well as by phone, you may receive false requests for help to loved ones, messages about gifts, winnings and other free bonuses, for which you need to transfer money. You can protect yourself from intruders by ignoring letters from unknown addressees.
  • Threats when using the instant messaging service. Users quickly appreciated the convenience of instant messengers. The availability and speed of this method of communication makes it open to all kinds of attacks. For safety, you should ignore messages from unknown users, do not provide them with personal information, do not follow the links sent.

Object of influence

Social engineering is directed not at computer hardware, but at its user. Of interest are all solvent persons, as well as users with valuable information, employees of enterprises and government agencies.

The method is used to carry out financial transactions, hacking, stealing information (for example, customer databases, personal data) and other unauthorized access to information. Social engineering helps competitors conduct intelligence, identify organizational weaknesses, and entice employees.

Source of threat

Attackers use social engineering to gain material gain or to extract data for resale. Social engineering can be used as one of the tools for complex targeted cyberattacks.

The source of the threat can be emails, text messages in any instant messenger, SMS messages and phone calls. Fraudsters can impersonate employees of banks and other financial organizations, government officials, employees of law enforcement agencies, Internet providers, representatives of postal services and large web resources, etc.

Risk analysis

To protect the company from fraud, it is necessary to train staff to recognize and respond to social engineering, prohibit employees from sharing passwords or have one common password, ensure the protection of customer bases and other confidential information, and apply a special confirmation procedure for persons requesting access to any data.

An anti-phishing option has appeared in browsers, warning site visitors about the unreliability or danger of the resource. Spam filters can help protect against threats sent in emails. There is a monitoring service demanded by companies that are most frequently attacked by intruders. More complex authorization methods will also reduce risks.
 

Why should you study social engineering? What is SI? Examples of SI.

You can become a hacker and break computers, but hacking a person is several times easier. ("People are the most vulnerable" - Mitnick's quote).

I read the "SI database" myself - it was Mitnick's books, "Social hackers" and about 50 articles on this topic. But what's the point? Yes, almost none in my case! It is not enough to read, you should apply the acquired knowledge after reading the information! And only then will you be able to fix it in your memory and apply it in the future. So I decided to take this whole basic "course" all over again. Learn from other guys' mistakes.

Many of you believe that SI is only needed to divorce people. This is partly true, but it also has its own subtleties with different nuances.

So what can you achieve with SI?

* Social engineers are very good at "pushing" unnecessary junk to people, for example, teas for weight loss, fish bite activators, etc. But also personal old items that will "become" a rarity for your client. And with such skills, you will definitely not find yourself at the bottom of society, because you can sell your grandmother's "medicinal" seeds, a plot of land on which the treasures of Genghis Khan are buried.

* Thanks to SI, you can find good connections, and this is a very important point of success these days. You will get a good white job or join a team of experienced guys who work according to black/gray schemes. And you don't have to have technical knowledge, your weapon is the correct application of your skills.

* With the help of SI, you can get what you want from a person, of course, if Your skill in this matter is much higher than average. You can breed both a "non-giving" for sex, and a major for money, who will not even guess that you have divorced him.

• You can become a sorcerer, a prophet, or even lead a new sect. At the expense of large revenues from this niche, you know very well.

• There are actually many examples of using social engineering. With SI, you can get anything, there are no limits. And the goal is not even to get a benefit, and for me personally, social engineering is constantly improving my skill with each refund that I received with the help of SI.

"At the very heart of SI lies the potential for selfless self-will, which is rather characteristic of art. Virtuosity, skill, originality, and self-expression are important - and not for any short-term goals like filling your pockets. The main goal is to improve your skills" - the quote is not mine, but it remained in my head.

You only need to practice daily, start small guys! Use SI techniques to start with your family and friends. It will be easier for you to analyze their behavior, you already know from habit, and accordingly it will be easier to bring them to your desired result than with a stranger.

I think everyone understood that SI is a human hack.

Initially, I will write how to behave, the basics:

1. Self-confidence.
If you are not confident in yourself, you can not even climb here, it is immediately noticeable, just remember your own or someone else's speeches, when people look insecure, do not even want to listen to them. It's like the foundation of everything

2. Autosuggestion.
Autosuggestion is my specialty, I start to believe myself in any nonsense in a matter of seconds, but it also kills me, my reaction is almost always fake, more on that later. If you believe in yourself, this is already strong, but this is not all, look from the other side, through the eyes of another person, if not everything is so smooth, then you should go through the options for how to approach it better. If you don't believe yourself, think about why, change something in the story.

3. Remember everything.
I always remember what and where I even exaggerated in my story, I remember everything about what I lied, to the smallest detail, guides how to recognize a liar, in the style of telling everything backwards just disappear. If you remember all your lies, the chance that you will be caught is minimal, all my friends think that I have never lied to them seriously, and this is also an experience, you will remember everything that you have ever lied about, you will build your own templates, it will be easier for you to come up with kilometer stories so that another schoolboy would give you Also, the person is very flattered that you will remember all sorts of little things about him, I also have no problems with this, I always listen to people, remember their preferences, etc., this opens up new ways of approach, also notice something in their appearance, helps to lick once again.

4. Try on masks
Find the main styles of behavior for yourself, substitute them where you need them, confident, just a pussy who can't do anything himself, a person who doesn't climb anywhere, on the contrary, one who fucks everything and everything, experiment, get experience, your personal behavior patterns will never hurt.

5. Notice the little things
It reminds me of point three, but it's not a bit like that, here you have to analyze the behavior, habits of people, even the environment, the house, his friends, etc., find weak points, find something that you can cling to, for example, Hobbies, find a common topic for conversation

6. Buy a person's trust
At the first meeting, it is necessary to somehow arouse his trust, shoot a whitefish, buy coffee, or something else, immediately find a common topic of conversation on a Grand scale and cling to the little things, analyze

7. Know how to keep the conversation going
Always be able to support the conversation, as an example, ask insignificant questions if this is the first meeting, find out little things about the person who works/studies, his hobby, start from this, ask a question with a continuation, so that the answer can push the conversation further, if only you are conducting the conversation, let the interlocutor talk too, create no comments, start being silent and look directly at the interlocutor, as described above, analyze, look for threads that would

8. Learn how to sell yourself
Sell yourself, make yourself the best choice in a person's life, make yourself just an ideal.

Something in the style of “5 steps”, how sellers work in stores, sell absolutely unnecessary goods.

Present it, advertise it well as an ideal, make a “promotion”, compare it with others, and prove exactly why you need it. Well, or copy-paste from Google:
  1. Establishing a contact.
  2. Identification of needs.
  3. Product presentation.
  4. Overcoming objections.
  5. Completion of the transaction.
I can write this forever, there are many subtleties, I painted the main ones that I pulled out of myself right away, think for yourself, it never hurts

I told you the main thing about your behavior and setting yourself up for a lie, let's just say the initial setup. All this will help you build your own personal templates, with the help of well-developed templates, everything will immediately become easier.

Social engineering is the scammer's best weapon. More precisely, it is a method of unauthorized access to information or information storage systems without the use of technical means. The main goal of social engineers, as well as other hackers and crackers, is to gain access to secure systems in order to steal information, passwords, credit card data, etc. The main difference from simple hacking is that in this case the object of attack is not the machine, but its operator. Therefore, all methods and techniques of social engineers are based on exploiting the weaknesses of the human factor, and this is considered extremely destructive, because an attacker receives information, for example, through a normal telephone conversation or by entering an organization under the guise of its employee. To protect yourself from this type of attack, you should know about the most common types of fraud, understand what hackers want, and organize a suitable security policy in a timely manner.

Social engineering has acquired a strong connection with cybercrime, but in fact this concept appeared a long time ago and initially did not have a pronounced negative connotation. If you think that social engineering is such an invention from dystopian books or questionable psychological practice, then this article will change your mind.

Let's look at some examples of social engineering:

To achieve their goals, attackers exploit human curiosity, benevolence, politeness, laziness, naivety and other very different qualities. An attack on a person (as hackers call social engineering) can be carried out in many scenarios, depending on the situation, but there are several of the most common techniques of attackers.

1. Phishing - This method is largely effective due to the user's inattention.

Example: your email address receives an email from an unknown resource. The email contains a link that you can click on. By clicking on the link, you will be asked to log in. You enter your password and login without even looking at the site address, and fraudsters thus get the necessary data for hacking, and then perform any actions on your page.

2. Trojan - a virus that got its name from the principle of operation similar to the Trojan horse from ancient Greek myth. You download a program or even a picture and that's it, the virus is already on your computer. It is used to steal data. Often, the virus is downloaded automatically when you click on a banal link.

But why is this type of theft called social engineering? Because the developers of the virus are well aware of how to make the file as attractive as possible, so that you 100% click on it or download it.

3. Qui pro quo (from Latin quid pro quo) - translates as "something for what". More affordable - it works on a "quid pro quo" basis. The fraudster introduces himself as a technical support employee. Some people will not even pay attention, and will be happy to tell you the necessary information. They will also perform all the necessary actions for the fraudster.

There is also reverse engineering. This is a type of attack in which you yourself contact the attacker and provide him with the necessary information.

Reverse engineering is achieved in several ways:

The situation is set up in such a way that your system starts to work incorrectly, and you try to find a specialist to help. Everything is done in such a way that the specialist you turned to is a fraudster. By correcting your "alleged" problem, the hacker performs the necessary actions for hacking. Sometimes, in order to get the necessary information, it is not enough for him to have access to a computer, but to communicate directly with the victim. This method is also good because when a hack is detected, the specialist remains above suspicion.

Security methods:

The most important thing is vigilance and skepticism. Carefully look at the address of the resource where you are going to enter your personal data.

If you get a call and the caller introduces himself as an employee of an organization or website, it is important to understand that they should already have all the necessary information and they don't need to know your confidential data. To identify a person, it is often necessary to name the last digits of any data, and if you are asked to name them in full, then you should already be wary.

When working with important information, it is important to feel what is happening around you. Quite a large amount of data was peeked over the victim's shoulder.

This article is presented for informational purposes only and does not carry a call to action. All information is aimed at protecting readers from illegal actions.

Do not click on the link to the resource if you do not clearly understand where you are trying to get to and why. Remember, the villain's biggest advantage is your curiosity. It is better to ignore the situation, then little will change in your life. Never disclose your personal information without a good reason.
 

How to persuade and influence people: structure and methods of persuasive influence

Any attempt to sharply impose the right opinion will only lead to a negative result, because a person always opposes the restriction of freedom of choice. Every influence can contain elements of suggestion and persuasion, but in different amounts. Here is the structure of persuasive influence and methods of influencing by persuasion.

Conviction - this is a way of influencing people's minds, addressed to their own critical perception.

Using the method of persuasion, psychologists proceed from the fact that it is aimed at the intellectual and cognitive sphere of the human psyche. Its essence is to use logical arguments to first get a person to agree internally with certain conclusions, and then on this basis form and consolidate new attitudes (or transform old ones) that correspond to the goal set.

When convincing, you must follow certain rules:
  • the logic of persuasion should be accessible to the target's intelligence;
  • it is necessary to convince evidently, based on the facts known to a person;
  • in addition to concrete facts and examples (without them it is impossible to convince those who lack broad horizons, developed abstract thinking), information should contain generalized statements (ideas, principles);
  • convincing information should look as plausible as possible;
  • the reported facts and general statements should be such as to cause an emotional reaction.
The criterion for the effectiveness of persuasive influence is conviction. This is a deep confidence in the truth of the acquired ideas, concepts, images. It allows you to make unambiguous decisions and implement them without hesitation, to take a firm position in evaluating certain facts and phenomena.

Through conviction, people form attitudes that determine their behavior in specific situations.

An important characteristic of conviction is its depth. It is directly related to the previous upbringing of people, their awareness, life experience, ability to analyze the phenomena of the surrounding reality, and many other factors.

Deep confidence is characterized by great resilience. As practice shows, in order to shake it, logical conclusions alone are not enough. Persuasive influence should be carried out in the following cases:
  • When the object of influence is able to perceive the received information.
  • If a person is psychologically able to agree with the opinion imposed on him. Therefore, the correct choice of the goal of psychological influence and the content of communication are equally important.
  • A person is able to compare different points of view, analyze the argumentation system. In other words, persuasive influence is effective only if the subject is able to understand and appreciate what is being presented to them.
  • If you have time to convince. It usually takes time to convince people of something, especially something that benefits the other side. Changes in the field of rational thinking of people occur only after comparing and thinking about the facts, which involves significant time costs. In addition, the diverse content of persuasive influence requires repeated confirmation by various arguments and facts, which also "stretches" the process.

Structure of persuasive influence
Persuasive influence usually includes:
  • impact of the information source;
  • impact of information content;
  • impact of the information situation.
Impact of the information source. The effectiveness of persuasion depends to a certain extent on how the people who perceive it relate to the source of information.

Impact of the information content. First, the impact of information content largely depends on how well it is proven and convincing.

Evidence is based on the logic, plausibility, and consistency of the material presented. In other words, what matters is not only what is reported, but also how it is done. Evidence does not automatically include persuasiveness.

Experts assume that:
  • the content of informational materials should be well thought out and comply with the laws of formal logic;
  • the concrete in the content of an informational message seems more convincing than the abstract;
  • the more dynamic the text, the more vivid and diverse the facts it contains, the more it attracts attention;
  • it is better to perceive what is close to the interests and needs of the object of your action;
  • it is better to understand what is presented in small semantic parts (blocks);
  • it is better to assimilate what causes an emotional response in the object of influence;
  • the material that is presented in accordance with the national traditions of object perception is better perceived, comprehended and assimilated.
Persuasion cannot be reduced to a simple presentation of the information that is being sought to convince the opponent of its correctness, and to the subsequent presentation of arguments in support of it, as required by the rules of formal logic. There are many more ways to convince people.

Select three main categories of arguments for persuasion:
  1. True facts. The irrefutable information contained in the message text sets people up to evaluate the entire text (including its recommendations) as the correct one.
  2. Arguments that provide psychological satisfaction because they appeal to positive expectations.
  3. Arguments that appeal to negative expectations.
According to the way arguments are presented, so-called "one-way" and "two-way" messages are distinguished.

A "one-way message" is a text that contains arguments only for the source of information. Such messages are more effective when the subject of psychological influence does not have hostile feelings towards the source of information and, in addition, has a low level of education. A person in this case is able to relatively easily accept the point of view of the source of information. A "one-way message" can also be used to persuade people of different educational backgrounds.

A "two-way message" contains both the arguments of the source of information and the counterarguments of the opponent, which are to be exposed. This construction of the text serves as an incentive to active mental activity of the subject, as a result of which there is a revision of the previously formed judgments of the subject.

"Two-way communication" is mainly aimed at people with a high level of education who need to compare different views, points of view, opinions, and assessments. At the same time, "two-way communication" seems to pre-empt the opponent's argument and creates a prerequisite for developing a certain immunity against it.

The order of arguments also matters. In particular, it will be reasonable to place information that is directly focused on changing the setting ("strong arguments") before any other information that is not related to solving this problem. In most cases, the location of "strong arguments" in the middle of the message text is considered the most effective (the so-called "pyramid model" of influence).

The effectiveness of texts with "strong arguments" located at the beginning and end of the message depends on the attitudes of the object of psychological influence. If they show a significant interest in the topic of the message (i.e., they have positive attitudes on this issue), then the text that contains "strong arguments" at the end of the message is more effective (the so-called "culmination model" of influence).

If the person is indifferent to the subject of the message, then it is better to place "strong arguments" at the beginning of the text ("anti-climax model") in order to immediately attract the necessary attention.

The impact of a persuasive message on the opponent largely depends on what appeals (slogans) are selected in it and how they are presented. Distinguish between:
  1. Direct calls. They presuppose a belief based on the presentation of strong direct arguments.
  2. Indirect calls. They represent persuasion through hints and promises.
  3. Undefined calls. They encourage the subject to independently come to conclusions that logically follow from the arguments presented to him, although there are no specific sentences in the message text.

Making a persuasive impact
To get the maximum effect, persuasive influence must meet certain requirements:
  1. Be properly oriented and planned.
  2. Be directed to a specific object.
  3. Be focused primarily on the intellectual and cognitive sphere of the object's psyche.
  4. Be directed to initiate a specific behavior.

The main principles for the implementation of persuasive influence should be:
1. The principle of repetition. Repeated repetition of the message gives an effect that cannot be obtained with a single exposure.
2. The principle of achieving primary impact. If the subject has received some important message, then in his mind there is a readiness to perceive subsequent, more detailed information confirming the first impression.
3. The principle of ensuring trust in the source of information.

Techniques for achieving trust in an information source currently also include:
  • creating an image of "special awareness" about those events that, for some reason, are hushed up by official sources (this is achieved by transmitting facts whose accuracy is known or can be easily verified);
  • creating an image of "objectivity, independence and alternative", which is achieved by quoting documents, expert assessments, opinions of eyewitnesses of events, etc.
4. The principle of activating the mental processes of perception of information content by an object.

Methods of persuasive action
Persuasion implies a "soft" influence on a person, with the goal of radically correcting their views in order to influence subsequent behavior. This option is the most ethical way to influence, because there is no gross violence or introduction into the subconscious of the object.

The persuasion method is used for:
  • long-term change of ideas and attitudes of a person in the required direction;
  • engaging in cooperation;
  • motivations of the object to the desired action.
Technically speaking, persuasion is an explicit and sometimes hidden discussion, supplemented by some stimulating influence.

Each person has his own attitude towards something or someone. There are three gradations of this attitude:
  • clear liking (tendency to accept something);
  • indifference (with a slight bias in one direction or another);
  • negation (rejection).
Any attempt to crudely impose the desired opinion will only lead to a negative result, because a person always resists limiting the freedom of choice.

To change the attitude of an individual to something, you need to reorient his attitude. Please note that:
  • in the duel of reason and installation, the installation often wins;
  • in the course of changing attitudes, a person must be shown the direction and content of the necessary changes; all this must be perceived and understood by them;
  • changes will occur the more successfully, the more they are in tune with the needs and motivations of the object;
  • the easiest way is to rebuild installations that are not of fundamental (vital) importance for a person;
  • in the case of a completely negative attitude, its reorientation usually requires special sophisticated methods of reprogramming the psyche ("brainwashing") of the person.

Depending on the conditions of the situation and the specific features of the object, you can try to convince it directly (during the conversation) or indirectly (through inspired actions), acting at the same time:
  • accentuated and logical;
  • imperative (categorical);
  • excitative (by stirring up emotions);
  • alternatively (by reducing the problem to an "either-or" choice).

Every influence contains elements of suggestion and persuasion, but in different proportions. It is easier to convince those who have:
  • a vivid imagination;
  • a focus more on others than on themselves;
  • somewhat low self-esteem (timid subjects who weakly trust their own opinion).

It is difficult to convince people with:
  • obvious hostility towards others (the resistance shown, by the way, can often arise as a result of the desire to dominate others);
  • a strong spirit of criticism;
  • the constant willingness to change their views (in other words, the desire to always have one more position in reserve).

Conclusion
Today we discussed the topic of persuasion, from a fairly scientific point of view. Here's what we found out based on the material above:

Before starting to communicate with the "target", you should thoroughly prepare the person with a number of summing-up preliminary conversations so that the subsequent impact does not come as an unpleasant surprise for him. Otherwise, the outcome of the conversation and further communication will be negative.
 
Types of social engineering
Almost everyone knows about the existence of social engineering as a tool for manipulating people. But not many are aware that this direction has some branches.

Pretext is a set of actions worked out according to a certain, pre-compiled scenario, as a result of which the victim can give out any information or perform a certain action. Most often, this type of attack involves the use of voice tools such as Skype, telephone, etc.
To use this technique, the attacker must initially have some data about the victim (employee name; position; name of projects with which he works; date of birth). The attacker initially uses real queries with the names of company employees and, after gaining trust, receives the information he needs.

Phishing is an Internet fraud technique aimed at obtaining confidential user information - authorization data of various systems. The main type of phishing attacks is a fake email sent to a victim that looks like an official letter. The letter contains a form for entering personal data (pin codes, login and password, etc.) or a link to the web page where such a form is located. The reasons for trusting a victim to such pages can be different: account blocking, system breakdown, data loss, etc.

Trojan Horse - This technique is based on curiosity, fear or other emotions of users. The attacker sends a letter to the victim via e-mail, the attachment of which contains an "update" of the antivirus, a key to a monetary gain, or compromising information on an employee. In fact, the attachment contains a malicious program that, after the user runs it on his computer, will be used to collect or modify information by an attacker.

Quid pro quo - this technique involves the attacker contacting the user by e-mail or corporate phone. An attacker can introduce himself, for example, as a technical support employee and inform about technical problems at the workplace. Then he informs about the need to eliminate them. In the process of “solving” such a problem, the attacker pushes the victim to take actions that allow the attacker to execute certain commands or install the necessary software on the victim's computer.

Road Apple - This method is an adaptation of a Trojan horse and consists in the use of physical media (CD, flash drives). An attacker usually tosses such media in public places on the company's premises (parking lots, canteens, employee workplaces, toilets). In order for an employee to become interested in this media, an attacker can put a company logo and some kind of signature on the media. For example, "sales data", "employee salary", "tax report" and others.

Reverse social engineering - this type of attack is aimed at creating a situation in which the victim will be forced to turn to the attacker for "help". For example, an attacker can send an email with the phone numbers and contacts of the "support service" and after a while create reversible problems in the victim's computer. In this case, the user will call or e-mail the attacker himself, and in the process of "fixing" the problem, the attacker will be able to obtain the data he needs.
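
As an added example (not part of the original post), the traits the post attributes to a phishing letter can be checked mechanically on an HTML mail body: an embedded form asking for login, password or PIN, a link whose visible address differs from where it really leads, and the pretexts of account blocking, system breakdown or data loss. The sample messages, domain names, field-name patterns and pretext wording below are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Pretexts named in the post; the regex wording is an assumption.
PRETEXTS = {
    "account-blocking": r"account (?:has been |is |was |will be )?(?:block|suspend|lock)",
    "system-breakdown": r"system (?:breakdown|failure)",
    "data-loss": r"data loss|loss of (?:your )?data",
}
# Something in the visible link text that looks like a host name.
_DOMAIN = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
# Field names that suggest credentials are requested (assumed patterns).
_CRED_NAME = re.compile(r"pin|pass|login|card")


class _MailScan(HTMLParser):
    """Collects form fields, links and visible text from an HTML mail body."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_form = False
        self.credential_fields = []
        self.links = []          # (href, visible text)
        self.body_text = []
        self._href = None
        self._link_text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.in_form = True
        elif tag == "input" and self.in_form:
            kind = (a.get("type") or "text").lower()
            name = (a.get("name") or "").lower()
            if kind == "password" or _CRED_NAME.search(name):
                self.credential_fields.append(name or kind)
        elif tag == "a" and a.get("href"):
            self._href, self._link_text = a["href"], []

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False
        elif tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._link_text).strip()))
            self._href = None

    def handle_data(self, data):
        self.body_text.append(data)
        if self._href is not None:
            self._link_text.append(data)


def _site(host):
    """Lower-case a host name and drop a leading 'www.'."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def _href_host(href):
    """Host part of a link target, or '' for mailto:, relative or malformed."""
    try:
        return _site(urlsplit(href.strip()).hostname or "")
    except ValueError:
        return ""


def phishing_indicators(html_body):
    """Return a list of findings; an empty list means none of the traits matched."""
    scan = _MailScan()
    scan.feed(html_body)
    scan.close()
    findings = []
    if scan.credential_fields:
        findings.append("credential-form:" + ",".join(scan.credential_fields))
    for href, text in scan.links:
        shown, actual = _DOMAIN.search(text), _href_host(href)
        if shown and actual:
            shown_site = _site(shown.group(1))
            # A subdomain of the displayed site is accepted; anything else is flagged.
            if actual != shown_site and not actual.endswith("." + shown_site):
                findings.append(f"link-mismatch:{shown_site}->{actual}")
    text = " ".join(" ".join(scan.body_text).split()).lower()
    findings += ["pretext:" + k for k, pat in PRETEXTS.items() if re.search(pat, text)]
    return findings


# Constructed sample messages (not real mail).
SAMPLE_PHISH = """<html><body>
<p>Dear customer, your account has been blocked after a system breakdown.</p>
<p>Confirm at <a href="http://bank.example.verify-login.test/a">https://www.bank.example/login</a></p>
<form action="http://verify-login.test/collect" method="post">
  <input type="text" name="login"><input type="password" name="pw">
  <input type="text" name="pin_code"><input type="submit" value="Restore">
</form></body></html>"""

SAMPLE_BENIGN = """<html><body><p>Your monthly statement is ready.</p>
<p>Sign in at <a href="https://online.bank.example/statements">bank.example</a>
or <a href="https://bank.example/help">contact support</a>.</p></body></html>"""

if __name__ == "__main__":
    for name, body in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(name, phishing_indicators(body))
```

A hit is a reason to look at the message more closely, not a verdict: legitimate mail can also contain forms or tracking links on other hosts.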
 