Salute to all, dear friends!
Social engineering is a game played on human feelings and emotions. It brings together two completely different fields: hacking, which exploits the straightforwardness of the computer and the fact that it will execute any code the system allows, following clearly established rules, and social engineering, in which there are no clear rules, which is what allows SE to exist as such.
The information is written for educational purposes so that you understand how the criminal's brain works and know how not to fall for provocation.
The main feelings exploited for personal gain in this area are interest and fear.
For the sake of interest, people go to abandoned factories, climb to summits, climb trees, and also... download new software with an enticing description. Yes, often interest alone pushes people to do all this...
1. INTEREST
Example from the book:
If you leave a flash drive with a virus set to autorun in an elevator, you can be sure that it will be opened and viewed. You can put any inconspicuous files on the flash drive itself.
Of course, you could explain this away by saying that the person who opens the flash drive does so in order to find the owner through the files, but this is not entirely true.
Firstly, personal data may be stored there, and looking through it is like counting the money in a found wallet that you intend to return.
Secondly, it was lost in the elevator, which means that most likely it was lost by a person who lives in this building, and it would be enough to simply stick a notice near the elevator about the find.
But let's be honest: it's that same notorious curiosity that makes you open a flash drive and look through its contents.
Nowadays autorun, in its usual sense, can no longer be relied on, since, starting with Windows 7, autorun is disabled by default on removable media.
Let's look at another case - attracting attention through the interests of the target.
The technique here is a little more complicated than the first case and you need to start showing creativity.
But there is no need to worry: everything works perfectly, it just needs some analysis.
Suppose you have collected information about your victim and found out that he is interested in games on Steam, is 40 years old, and spends time on the forum www.игрыстим.ру; you know his nickname and his activity, what game he plays, and what questions he asks.
- The goal is to create a forum post such that:
1) The victim definitely notices it;
2) Based on the content, he becomes interested in writing to us.
Well, for example, let's say that a person is interested in customization of some game and mods for it. Accordingly, we can conclude that a thread on the forum about modifying models of his favorite game will not go unnoticed by him. It is enough to write that the release is not public yet, but for testing you can give the mod personally to each writer.
Rest assured, if you have chosen the right topic, the chance that he will fall for our bait is approximately 90%.
- Why 90%?
- Remember: in social engineering there are simply no 100% working methods, there is only practice.
Even in the example above, there is a tiny chance that it won't work. You need to be mentally prepared for such a development. It is possible that the topic was poorly prepared or you didn't hit the target with the chosen interest. There may be many reasons, but all of them are just a reason to rethink everything and try again.
2. FEAR
If curiosity is not expressed so vividly in some people, the feeling of fear is inherent in each of us. It is so strong that it is capable of destabilizing absolutely any person; you just need to find an approach.
Creating situations in which you can control a victim through fear is a difficult task. Or rather, it is more difficult than acting through interest, especially considering that the work is carried out over the Internet. You will agree that it is quite difficult to make the victim afraid if the only tools you have are a keyboard and a monitor.
As the most primitive example of the use of fears, we can consider messages on websites with aggressive advertising that the computer is infected with a virus and needs to be checked.
For non-tech-savvy people, it is the fear of infecting the device that keeps them from simply ignoring this trick.
Another example, for technically unsavvy people, may be the appearance of a page claiming that they have violated the law on sites with adult content. In this case, the site itself contains enticing prohibited content, and once inside, the victim is redirected on a timer to a page with a message about the violation of the law. The fear of being caught with prohibited content makes you "immediately pay a fine" or download software to "check your computer for prohibited files."
Above we have given the most primitive examples, which, to our surprise, still work.
However, any scheme, even the most complex, no matter what it is based on, is built approximately according to the following scenario:
- Resource Monitoring
- Gathering current news and determining N-number of victims
- Processing each victim. Gathering information.
- Finding an approach
- Creating a friendly contact
- Attack
- Working off