The art of reasoning is the art of deceiving oneself.
Introduction:
Even the most advanced security system is useless if it is managed by a psychologically unstable, naive and/or gullible person.
Remember the joke about the dissertation on how the speed of brute-forcing passwords depends on the temperature of the soldering iron? For some reason, many people forget that not only the machine but also its operator can be the target of an attack. Moreover, the operator is often the weakest link in the security system.
One can only be surprised that over the past millennia humanity has not learned to resist fraudsters and to tell truth from lies. Even more surprising is that the arsenal of intruders has not undergone any fundamental changes. On the contrary, the development of communication technologies has made their task much easier. When communicating over the Internet you neither see nor hear your interlocutor, and there is no guarantee that the message was actually sent by the person whose name is in the header.
Chris Kaspersky
The attacker can be in the next room, in the next city, or even on the next continent! All this significantly complicates identifying and finding the attacker and proving their involvement in the attack. Should we be surprised at the huge popularity of social engineering among young people? Fortunately, the vast majority of scammers follow identical or similar patterns.
Therefore, studying the techniques of their work allows you to recognize deception and not take the bait. The author of this article has compiled an extensive collection of the hacker arsenal, the most popular exhibits of which are presented below. Of course, this publication does not claim to be an exhaustive guide to ensuring your own security, but it does give a general idea of how money and/or information gets stolen.
Misleading (deception)
Deception is the main component of social engineering and includes a whole range of techniques: impersonating another person, distracting attention, creating psychological pressure, etc. The ultimate goals of deception are also very diverse. Below we will look at the most popular ones: taking money, obtaining unauthorized access to confidential information, and avoiding responsibility by shifting suspicion onto an outsider.
Withdrawal of money.
It is only in American action movies that masked robbers break into a bank and demand money at gunpoint. In Russia everything is much simpler. The ubiquitous mess and negligent attitude to one's own duties make it possible to appropriate someone else's salary with a simple signature in the payroll sheet. The author of this article was shocked to the core when he discovered that many publishers pay royalties without requiring a passport or any other identity document!
The situation is seriously complicated by the fact that the publisher does not know all of its correspondents by sight, since many of them live in another city or even country. To prevent fraud, all monetary issues should be settled not by e-mail but by phone, and better still, a fee should be paid only after a contract has been concluded. (The contract can be sent by regular mail or, at the very least, by fax.) By the way, there are also unscrupulous authors who, having received money, demand it again, arguing that the fee was allegedly received by someone else who pretended to be them.
Free purchase of software products
Embezzling money is a rather risky method of fraud and, if unsuccessful, it can lead to long-term imprisonment. Therefore, many people prefer to steal not money but its material embodiment. Let's assume that an attacker needs some software package and/or technical advice. Crack the demo version or attack the developer's local network? Risky! It is better to introduce yourself as a journalist and ask for one copy of the program in exchange for a promise to advertise it in some popular magazine. What firm wouldn't fall for such a tempting prospect?
If you want to avoid fraud, send the product through the publisher rather than directly. The publisher probably knows its journalists! However, it is quite possible for a genuine journalist to take the product but not write the article. Or to write it but, for reasons beyond their control, be unable to publish it…
It will be more difficult for an attacker if the product they need is so specific that it is not available on the market at all. Turnkey development is usually expensive, very expensive, but if you show a little ingenuity… Here, on the website ala (dwad/daw), there is an ad for a highly paid job on the Internet. Recruitment, of course, takes place on a competitive basis, and each candidate is given a test task by which their professionalism is judged. Did you fail the test? Don't be discouraged!
It is very difficult to protect yourself from such deceptions, since a similar recruitment scheme is widely used by legitimate firms. On the other hand, very few employers are willing to pay for a pig in a poke. Finding a good job is generally a game of roulette, and disappointment is unavoidable here.
Unauthorized access.
Techniques for password theft.
Probably the most well-known method of password theft is to call the victim on behalf of the system administrator or, conversely, to call the administrator on behalf of a certain user.
The request in both cases is the same: under whatever pretext, disclose the password for a certain resource. Fortunately, the relevance of attacks of this type has decreased significantly over the past year; after all, life teaches you something! However, do not be under any illusions about your security. It is mostly imaginary.
The best way to find out a password is not to ask for it. On the contrary, strictly forbid saying it! It may look, for example, like this: "Hello? Hello! Security specialist Vasya Pupkin is conducting an awareness talk with you. Do you remember that you must never, under any circumstances, tell anyone your password? Do you remember that the password must consist of a combination of letters and numbers? By the way, what is yours?" It is amazing, but many people, having listened to the talk with half an ear, state their actual password!
What if users are smart enough not to tell their password to the first person they meet? Then, given that so many of us tend to assign the same password to all resources, the attacker will simply slip the victim a resource that requires authentication (for example, offer to subscribe to a mailing list). In the worst case, the attacker will learn, if not the password itself, then at least the victim's habits: whether she chooses dictionary words as passwords and, if so, by what principle.
Of course, such an analysis requires tracking several password assignments, but it will not arouse any suspicion in the victim (even the most qualified one!). Therefore, never assign the same or similar passwords to different resources! For low-skilled users there are other tactics in store. Most likely they have already been warned not to disclose their password under any circumstances. But have they been told where this password is stored and how it can be circumvented?
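The advice above ("never assign the same or similar passwords to different resources") can be enforced mechanically. The following is an added example, not code from the original article: a check that a password manager or a defender's onboarding tool could run when a user picks a password for a new resource. It reduces each password to its "root" (case folded, trailing digits and punctuation stripped, common digit-for-letter substitutions undone) and flags an exact reuse, a thin variant of an existing password, or a near miss by edit distance. The function names, the thresholds and the sample passwords are all constructed for the demonstration.

```python
import re

# Common digit/symbol-for-letter substitutions; undoing them exposes the
# dictionary word hiding inside "p4ssw0rd" or "Tr0ub4dor".
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(pw: str) -> str:
    """Reduce a password to its root: lowercase, drop the trailing
    digits/punctuation people bolt on ("2024!", "#3"), undo leetspeak."""
    core = re.sub(r"[^a-z]+$", "", pw.lower())
    return core.translate(_LEET)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def reuse_verdict(new_pw: str, existing: dict, max_ratio: float = 0.25):
    """Compare a candidate password against the passwords already in use
    for other resources. Returns (verdict, resource):
      'reused'  - identical to an existing password
      'variant' - same root, only suffix/case/leet differ ("Summer2025" vs "Summer2024!")
      'similar' - roots within max_ratio edit distance (typo-level change)
      'ok'      - nothing comparable found (resource is None)
    Checks run in dict insertion order; the first hit is returned."""
    new_root = normalize(new_pw)
    for resource, pw in existing.items():
        if pw == new_pw:
            return "reused", resource
        root = normalize(pw)
        if root and root == new_root:
            return "variant", resource
        longest = max(len(new_root), len(root))
        if longest and edit_distance(new_root, root) / longest <= max_ratio:
            return "similar", resource
    return "ok", None


# Constructed sample vault: resource -> password already in use.
EXISTING = {
    "mail": "Summer2024!",
    "forum": "Tr0ub4dor&3",
    "bank": "x9#Lq!v2Wz",
}

if __name__ == "__main__":
    for candidate in ["Summer2024!", "summer2025", "Troubador3", "Sumer2024", "Winter2024!"]:
        print(candidate, "->", reuse_verdict(candidate, EXISTING))
```

The "variant" verdict is the one that matters for the attack described above: a victim who registers "summer2025" on the attacker's mailing list has handed over the habit behind "Summer2024!" even though the two strings differ. In practice the comparison would run over salted hashes or inside a password manager rather than over plaintext, but the normalization step has to happen before hashing, which is why it belongs at the point of password choice.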
Remember, a low-skilled operator is like a monkey with a grenade! By the way, constantly changing passwords is the worst way out of the situation, creating more problems than it solves. No one will try to remember long, constantly changing, and moreover meaningless passwords! Everyone will... write them down! No amount of threats from the administrator will correct the situation; on the contrary, it will make it worse. Put yourself in the shoes of a user who keeps such a piece of paper with a password in a cherished place.
Now imagine that a certain well-wisher from a neighboring department calls you and informs you that a total search for password notes is coming, followed by the dismissal of everyone found with one. I don't know whether you will burn your note or wash it down with milk, but there is a non-zero chance that someone will get rid of the incriminating evidence through a window or a trash can. The attacker only has to rummage thoroughly in the trash or under the company's windows.
System administrator attack.
In the event that the password cannot be obtained, the attacker will have no choice but to resort to an attack on technical means (i.e. directly on computers). However, it is almost useless to attack a properly configured and well-protected system head-on. Now, if there were a hole in it... One of the non-technical ways of punching holes looks something like this: an attacker calls the administrator and reports that he has learned from reliable sources about an impending (or already committed) attack.
Avoiding responsibility.
Successfully completing an attack solves only half of the problem. The attacker has yet to cover his tracks, evade responsibility and avoid getting caught. And this, by the way, is much more difficult! Therefore, experienced scammers, having stolen a certain amount of money, transfer most of it without a shadow of pity to the account of one of the company's employees who in principle fits the role of the thief.
And, secondly, even if caught, he will be able to claim that he is not the leader but a pawn and did not even know that the money was stolen. Provided that the attacker keeps the smaller part of the loot, such a legend will sound very convincing. Therefore, when conducting a post-mortem, never grab the first accused person who comes to hand: in most cases they are genuinely innocent. Another way to shift the blame is to psychologically manipulate people who are obsessed with imitating hackers but are not hackers.
Mask, I know you, or how intruders impersonate another person.
E-mail, of course, is a good thing, but it is too insecure. It is not surprising that many of us prefer to settle all more or less important matters over the phone (that way, at least, you can hear the interlocutor's voice). An attacker posing as another person may be seriously puzzled by a request to leave their phone number. Of course, you can simply tap into the "noodle" (the phone cabling in the stairwell) or use a payphone (many payphones can also receive incoming calls). However, there are more sophisticated techniques. Let's look at two of the most popular ones:
Capture your phone number.
Let's say an attacker impersonates an employee of such-and-such company. In the phone book he finds the number of that company's secretary and asks to be connected with the security guard and, at the same time, to be told the guard's phone number (the fraudster will have no difficulty inventing a reason why). If the guard really does have a phone (and what guard doesn't?), the following combination is played. The victim is given the phone number of the firm's secretary together with the extension number;
Alternatively, the attacker can ask the security guard to tell the caller: "Call Vasya back at this address!", that is, by phone. If the guard does not go into details, the victim will again think that if Vasya is known there, then he is undoubtedly a genuine employee of this company. Of course, the security guard can remember the appearance of the attacker (and certainly will, if he is a professional), but appearance is not passport data, and the fraudster still has to be found. Besides, a personal meeting with the security guard is not at all necessary.
The meeting place cannot be changed.
In some cases, the capabilities of telephone and computer networks are insufficient and the attacker has to resort to live meetings.
How can you convincingly impersonate another person, so that the victim does not have a shadow of doubt?
The technique of entering a protected object without using lock picks.
Infiltrating a firm, even with a dozen guards at the door, is often easier than anything.
At first glance, knowledge of passport data makes it easy to find the attacker.
SPAM and everything related to it.
Mass mailing is an ideal tool for finding simpletons.
If you can still get something by selling your shares in time, then "online earnings" are a plain swindle that brings no income at all. Since this sad circumstance has finally begun to dawn on freebie lovers, interest in the "super business" has begun to gradually wane. You do not need to be a clairvoyant to predict the imminent appearance of messages offering small earnings. Against the background of the rest, this will look very convincing, but it will nevertheless remain the same lie.
Blackmail.
If attempts to obtain what is required by deception lead nowhere, the attacker may dare to blackmail the company's employees directly. Statistics show that the threat of physical violence is quite rare, and when it occurs, in the vast majority of cases it remains only a threat. In first place are promises to tell a jealous husband (or wife) about adultery, regardless of whether it actually took place.
Fearing the breakup of the family, many of us commit minor (from our point of view) official misdeeds, which, however, turn into significant losses for the company. Second place is taken by threats to convince your son (or daughter) that you are not their real parents. Since serious conflicts often occur between children and parents during adolescence, the probability that a child will believe a stranger, causing himself serious emotional trauma, is by no means zero! There is only one way to deal with such blackmailers: full mutual trust between family members.
Playing on feelings.
Since blackmail is a punishable offense, attackers use more legal means whenever possible. For example, having won the heart of a certain employee, a fraudster may one day claim that he lost money at cards and now has to work off his debt as a farmhand in Kazakhstan for many years. However, there is one way out... if his sweetheart copies such-and-such confidential documents, he will be able to sell them; then there will be no need to go anywhere and the love affair will continue... However, it is not necessary to play on love.
Therefore, administrators are strongly advised to prohibit the use of ICQ for all staff or, at worst, at least to monitor the content of conversations. (Immoral, of course, but what can you do.) Of course, do not forget about e-mail either. And it is even better not to hire romantic or psychologically unstable people for responsible positions, even if they are good specialists.