The secret weapon of social engineering

Hacker




The art of reasoning is the art of deceiving oneself.

Introduction:
Even the most advanced security system is useless if it is managed by a psychologically unstable, naive and/or gullible person.
Remember the joke about the dissertation on the dependence of password brute-forcing speed on the temperature of the soldering iron? For some reason, many people forget that not only the machine but also its operator can be the target of an attack. Moreover, the operator is often the weakest link in the security system.
One can only be surprised that over the past millennia humanity has not learned to resist fraudsters and to distinguish truth from lies. Even more surprising is that the arsenal of intruders has not undergone any fundamental changes. On the contrary, with the development of communication technologies their task has become much easier. When communicating over the Internet, you neither see nor hear your interlocutor; moreover, there is no guarantee that the message was actually sent by the person whose name is in the header.
The attacker can be in the next room, in the next city, or even on the next continent! All this significantly complicates identifying and locating the attacker and proving their involvement in the attack. Should we be surprised at the huge popularity of social engineering among young people? Fortunately, the vast majority of scammers follow identical or similar patterns.
Therefore, studying their techniques allows you to recognize deception and not take the bait. The author of this article has compiled an extensive collection of the hacker arsenal, the most popular exhibits of which are presented below. Of course, this publication does not claim to be an exhaustive guide to ensuring your own security, but it does give a general idea of how money and/or information gets stolen.

Deception
Deception is the main component of social engineering and includes a whole range of techniques: impersonating another person, distracting attention, creating psychological pressure, etc. The ultimate goals of deception are also very diverse. Below we will look at the more popular ones: taking money, obtaining unauthorized access to confidential information, and avoiding responsibility by shifting suspicion onto an outsider.

Taking money.
It is only in American action movies that masked robbers break into a bank and demand money at gunpoint. In Russia everything is much simpler. The ubiquitous disorder and negligent attitude to one's own duties make it possible to appropriate someone else's salary with a simple signature on the payroll sheet. The author of this article was shocked to the core when he discovered that many publishers pay royalties without requiring a passport or any other identification document!
The situation is seriously complicated by the fact that the publisher does not know all of its correspondents by sight, since many of them live in another city or even another country. To prevent fraud, all monetary issues should be resolved not by e-mail but by phone, and better still, a fee should be paid only after a contract has been concluded. (The contract can be sent by regular mail or, at the very least, by fax.) By the way, there are also unscrupulous authors who, having received money, demand it again, claiming that the fee was allegedly received by someone else who pretended to be them.

Obtaining software products for free
Embezzlement of money is a rather risky method of fraud and, if unsuccessful, can lead to a long prison term. Therefore, many people prefer to steal not money but its material embodiment. Let's assume that an attacker needs some software package and/or technical advice. Crack the demo version or attack the developer's local network? Risky! It is better to introduce yourself as a journalist and ask for a copy of the program in exchange for a promise to advertise it in some popular magazine. What firm wouldn't fall for such a tempting prospect?
If you want to avoid fraud, send the product through the publisher instead of directly. The publisher surely knows its journalists! However, it is quite possible for a genuine journalist to take the product and not write an article. Or write it, but for reasons beyond their control be unable to publish it...
It will be harder for an attacker if the product they need is so specific that it is not available on the market at all. Custom development is usually expensive, very expensive, but if you show a little ingenuity... Here on a certain website there is an ad for a highly paid job on the Internet. Recruitment, of course, takes place on a competitive basis, and each candidate is given a test task, by the results of which their professionalism is judged. Did you fail the test? Don't be discouraged!
It is very difficult to protect yourself from such deceptions, since a similar recruitment scheme is widely used by legitimate firms. On the other hand, very few employers are willing to pay for a pig in a poke. Finding a good job is generally a game of roulette, and you can't avoid frustration here.
Unauthorized access.

Techniques of password theft.
Probably the most well-known method of password theft is to call the victim on behalf of the system administrator or, conversely, to call the administrator on behalf of a certain user.
The request in both cases is the same: under whatever pretext, give the password for a certain resource. Fortunately, the relevance of attacks of this type has decreased significantly over the past year; after all, life does teach you something! However, do not be under any illusions about your security. It is mostly imaginary.
The best way to find out a password is not to ask for it. On the contrary, strictly forbid the person to tell it! It may look, for example, like this: "Hello! Security expert Vasya Pupkin here, holding an awareness talk with you. Do you remember that you should never, under any circumstances, tell your password to anyone? Do you remember that the password must consist of a combination of letters and numbers? By the way, what is yours?" It is amazing, but many people, letting the lecture go in one ear and out the other, give their real password!
What if users are smart enough not to tell their password to the first person who asks? Then, given that so many of us tend to use the same password for all resources, the attacker will simply slip the victim a resource that requires authentication (for example, offer a subscription to a mailing list). At worst, he will learn, if not the password itself, then at least the victim's habits: whether she chooses dictionary words as passwords, and if so, by what principle.
Of course, such an analysis requires tracking several password assignments, but it will not arouse any suspicion in the victim (even the most qualified one!). Therefore, never assign the same or similar passwords to different resources! For low-skilled users there are other tactics in store. Most likely, they have already been warned not to disclose their password under any circumstances. But have they been told where this password is stored and how that can be circumvented?
Remember, a low-skilled operator is like a monkey with a grenade! By the way, constantly changing passwords is the worst way out of the situation, creating more problems than it solves. No one will try to remember long, constantly changing, and moreover meaningless passwords! Everyone will... write them down! No threats from the administrator will fix the situation; on the contrary, they will make it worse. Put yourself in the shoes of a user who keeps such a slip of paper with a password in a cherished place.
Now imagine that a certain well-wisher from a neighboring department calls and informs you that a total search for password slips is coming, followed by the dismissal of everyone who has one. I don't know whether you will burn your slip or wash it down with milk, but there is a non-zero chance that someone will get rid of the incriminating evidence through a window or a trash can. All the attacker has to do is rummage thoroughly in the trash or under the company's windows.

Attack on the system administrator.
If the password cannot be obtained, the attacker has no choice but to resort to an attack on the technical means (i.e. directly on the computers). However, it is almost useless to break a properly configured and well-protected system head-on. Now, if there were a hole in it... One of the non-technical ways of punching holes looks something like this: the attacker calls the administrator and reports that he has learned from reliable sources about an impending (or already committed) attack.

Avoiding responsibility.
Successfully completing an attack solves only half of the problem. The attacker has yet to cover his tracks, evade responsibility and avoid getting caught. And this, by the way, is much harder! Therefore, experienced scammers, having stolen a certain sum of money, without a shadow of pity transfer most of it to the account of one of the company's employees who, in principle, fits the role of the thief.
And, secondly, even if caught, he will be able to claim that he is not the ringleader but a pawn and did not even know that the money was stolen. Provided that the attacker keeps the smaller part of the loot, such a legend will sound very convincing. Therefore, when conducting a post-mortem, never grab the first suspect that comes to hand: in most cases they are really innocent. Another way to shift the blame is to psychologically manipulate people who are obsessed with imitating hackers but are not hackers.
Mask, I know you, or how intruders impersonate another person.
E-mail, of course, is a good thing, but it is too insecure. It is not surprising that many of us prefer to settle all more or less important matters over the phone (at least that way you can hear the interlocutor's voice). An attacker posing as another person may be seriously puzzled by a request to leave their phone number. Of course, you can simply tap into the telephone wiring in the stairwell or use a payphone (many payphones can also receive incoming calls). However, there are more sophisticated techniques. Let's look at two of the most popular ones:

Capturing someone else's phone number.
Let's say the attacker impersonates an employee of such-and-such company. In the phone book he finds the number of this company's secretary and asks to be connected to the security guard, and at the same time to be told the guard's phone number (the fraudster will have no difficulty inventing a reason why). If the guard really has a phone (and what guard doesn't?), the following combination is played. The victim is given the phone number of the firm's secretary along with the extension number;
Alternatively, the attacker can ask the security guard to tell the caller: "Call Vasya back at this number!" If the guard does not go into details, the victim will again think that if Vasya is known there, then he is undoubtedly a genuine employee of this company. Of course, the security guard may remember the attacker's appearance (and will certainly remember it, if he is a professional), but appearance is not passport data and the fraudster still has to be found. Besides, a personal meeting with the security guard is by no means necessary.

You can't change the meeting place.
In some cases the capabilities of telephone and computer networks are insufficient and the attacker has to resort to meetings in person.
How can you convincingly impersonate another person, so that the victim does not have a shadow of doubt?
The technique of entering a protected site without using lock picks.
Infiltrating a firm, even if there are a dozen guards at the door, is often easier than anything.
At first glance, knowledge of passport data makes it easy to find the attacker.

SPAM and everything related to it.
Mass mailing is an ideal tool for finding simpletons.
If you can still get something by selling your shares in time, then network earnings are sheer nonsense that brings no income at all. Since this sad circumstance has finally begun to dawn on freebie lovers, interest in the super business has gradually begun to weaken. You do not need to be a clairvoyant to predict the imminent appearance of messages offering small earnings. Against the background of the rest, this will look very convincing, but nevertheless it will remain the same lie.

Blackmail.
If attempts to obtain what is required by deception lead nowhere, the attacker may dare to blackmail the company's employees directly. Statistics show that the threat of physical violence is quite rare, and when it does occur, in the vast majority of cases it remains only a threat. In first place are promises to tell a jealous husband (wife) about adultery, regardless of whether it actually took place or not.
Fearing the breakup of the family, many of us commit minor (from our point of view) breaches of duty, which, however, turn out to be significant losses for the company. Second place is taken by threats to convince your son (daughter) that you are not their real parents. Since serious conflicts often occur between children and parents during adolescence, the probability that a child will believe a stranger, causing serious emotional trauma to himself, is by no means zero! There is only one way to deal with such blackmailers: full mutual trust between family members.

Playing on feelings.
Since blackmail is a punishable offense, attackers use more legal means whenever possible. For example, having won the heart of a certain female employee, a fraudster may one day claim that he lost money at cards and now has to work off his debt as a farmhand in Kazakhstan for many years. However, there is one option... if his beloved copies such-and-such confidential documents, he will be able to sell them, there will be no need to go anywhere and the love affair will continue... However, it is not necessary to play on love.
Therefore, administrators are strongly advised to prohibit the use of ICQ for all staff or, at worst, at least control the content of conversations. (Immoral, of course, but what can you do.) Of course, do not forget about e-mail. And it is even better not to hire romantic or psychologically unstable people for responsible positions, even if they are good specialists.
 

Father

Today we will talk about social engineering, or rather about methods of manipulation in a discussion. Manipulations in discussions very often have a logical error in their structure. This is extremely important to understand, because in such cases a person, consciously or not, makes a logical mistake while defending his idea, which means that this argument cannot be correct. In other manipulations, the opponent uses emotional techniques designed, for example, to evoke feelings of guilt in the interlocutor.

Does it matter whether the opponent deliberately uses unfair techniques or does not even know about his logical mistakes? Perhaps it does. At a minimum, after recognizing the manipulation, you can respond harshly (if the person understands that they are manipulating) or gently (if they don't).

So, what techniques does the manipulator use in the course of a discussion or argument?
  1. Excessive information. The manipulator tries to make a lot of arguments in order to confuse the opponent. Not only is it simply impossible to match these arguments in response, but the interlocutor's information channels cannot withstand such a load. When you have only one, but real, argument and the manipulator has dozens, the psyche cannot stand it, and the people around you also count this as a victory for the manipulator. The opponent can easily lose the main idea when the witnesses of the discussion switch to the manipulator's side.
  2. Psychological tricks. This includes absolutely any manipulation of the interlocutor's emotional state: using feelings of guilt, flattery, playing on self-esteem, irritating the opponent, humiliating personal qualities and other individual psychological characteristics of a person.
  3. Irritating your opponent. It can be put in a separate item, because there is a whole scattering of techniques here: indirect hints, ridicule, irony, sarcasm, unfair accusations. All this is intended to throw the other person off balance in order to knock the logical ground out from under their feet and make them get personal in response.
  4. Using words and terms that are not clear to the opponent. This technique works effectively, because the opponent will hesitate to ask the meaning of the terms, as this would show the manipulator's superiority. Because the opponent is afraid to ask, there is nothing to argue about and the manipulator wins.
  5. Sugar-coating arguments. "You, as an educated and erudite person, will surely agree that..." Such a phrase puts the manipulated person in a dilemma: accept the argument and the flattery in one package, or reject the argument along with their own education.
  6. Avoiding the discussion. A demonstrative show of resentment: "It is impossible to discuss serious issues with you", "Your behavior makes it impossible to continue the discussion". It is often used when the manipulator's arguments have run out. Such provocation of conflict seems to put the search for truth outside the brackets. Really, what does the truth matter now that you've been wronged?
  7. Reading hearts. The manipulator doesn't comment on your arguments; he appeals to why you give them, as if trying to understand the reasons for your arguments rather than the essence of what was said. For example: "You're only saying this because you're ashamed." It doesn't matter whether the opponent is right or wrong; what matters is to bring the motives for his words up for discussion.
  8. Shifting the emphasis in statements. If the opponent cites a particular example, the refutation is that this cannot be the general picture. Conversely, the general picture does not always apply to the particular case. However, the logical error in the manipulator's argument is that his examples may be exceptions or atypical cases.
  9. Incomplete refutation. Why break all of the opponent's strong arguments if you can find the most vulnerable one and thereby "prove" that all the others are just the same?
  10. Demanding an unambiguous answer. The object of manipulation is asked to give an accurate and clear answer using phrases such as "don't evade", "say it directly", "say it clearly in front of everyone". Although this technique seems honest, principled and a sign of determination, in fact the manipulator wants to get a clear "yes" or "no" to a question that requires a detailed answer. Not every question in the world can be answered with an unequivocal "yes", even if you are mostly inclined to accept the argument.
  11. Attaching labels. Offensive metaphors, epithets and comparisons. Labels are chosen so as to cause an emotionally negative attitude in others, which allows the manipulator to win a psychological victory. To avoid a fight, the manipulator may label beliefs, attitudes and ideas rather than the opponent. "An absolutely stupid idea" is not the same as "You are a fool", which means there is no reason for a physical threat.
  12. Relying on a past statement. A brilliant piece of manipulative art. The manipulator gives a slightly modified interpretation of the opponent's past statement and demands an explanation. This has an impact not only on the surrounding audience but also on the opponent himself: his words seem to be quoted, but so twisted that one needs to understand where the substitution took place, and meanwhile the manipulator is demanding an explanation. If there is enough time to argue, you can easily detect the substitution and expose the manipulation, but if time is limited, the opponent is defeated and looks like a liar.
  13. Apparent inattention. Ignoring things that might hurt you. The argument is long, there are many arguments, and it is time to pretend that you "forgot" your opponent's most important one.
  14. Growing demands. The manipulator demands recognition of such a perfect trifle that the opponent concedes in view of the argument's unimportance. But then the stakes rise and the manipulator demands recognition of other claims. And we know that if we give in on something small, an avalanche of demands will follow.
  15. Accusation of theorizing. No one likes theorists. Therefore, when the people around the debaters hear "Well, it's all just theory, it's all on paper", they tend to accept the manipulator's point of view, forgetting that some things simply cannot be implemented without careful preparation on paper and in theory.
  16. Pulling others over to your side. This technique sums up everything discussed above. If the manipulator manages to attract the sympathy of others, it becomes incredibly difficult for the opponent to argue; he feels incredible pressure and condemnation. This technique is manipulative because it doesn't matter how many people supported your point of view: it doesn't mean anything. It can, of course, mean something, but not always.
These are not all the techniques that have been invented, and more will be invented in the future. Remember these 16 methods and you will be forewarned about your opponent's mood as well as their methods of argument.

Always and everywhere pay attention during an argument not to the words but to the structure on which they are based. Look for logical errors in a person's argument, especially if you intuitively feel you are being manipulated.

And of course, practice spotting manipulative techniques in politicians' speech.
 

Rdend

Genius.
 