Spain
Portugal
What is social engineering and how did it come about?
Social engineering or "attack on a person" is a set of psychological and sociological techniques, methods and technologies that allow you to obtain confidential information.
Cybercriminals who use these techniques in practice are called social engineers. When trying to find access to a system or valuable data, they use the most vulnerable link — a person. The simplest example is a phone call where an attacker pretends to be someone else, trying to find out confidential information from the subscriber, playing on the feelings of a person, deceiving or blackmailing him. Unfortunately, many people continue to peck at such fishing rods and trustfully tell social hackers everything they need. And there are a lot of techniques and techniques in the arsenal of scammers. We will talk about them later.
Now social engineering has acquired a strong connection with cybercrime, but in fact this concept appeared a long time ago and initially did not have a pronounced negative connotation.
People have been using social engineering since ancient times. For example, in Ancient Rome and Ancient Greece, specially trained speakers were highly respected, who were able to convince the interlocutor of his "wrongness". These people participated in diplomatic negotiations and worked for the benefit of their state.
Many years later, by the early 1970s, telephone hooligans began to appear, disturbing the peace of citizens just for the sake of a joke. But someone realized that it was easy enough to get important information this way. And by the end of the 70s, former telephone hooligans had turned into professional social engineers (they began to be called signers), capable of masterfully manipulating people, identifying their complexes and fears by intonation alone.
When computers appeared, most engineers changed their profile, becoming social hackers, and the concepts of "social engineering" and "social hackers" became synonymous.
how to protect yourself online
Vivid examples of social engineering
An illustration of what a skilled social engineer is capable of can be found in cinema. You may have watched the movie "Catch Me if You Can", based on real events — the story of the legendary fraudster Frank William Abagnale Jr. During five years of criminal activity, his forged checks totaling $ 2.5 million were in circulation in 26 countries around the world. Hiding from criminal prosecution, Abignail showed amazing abilities in reincarnation, posing as an airline pilot, a professor of sociology, a doctor and a lawyer.
Sometimes it's enough just to ask. An example is the theft of $40 million from The Ubiquiti Networks company in 2015. No one hacked into operating systems or stole data — the security rules were violated by the employees themselves. The scammers sent an email on behalf of the company's top manager and asked the financiers to transfer a large amount of money to the specified bank account.
In 2007, one of the most expensive security systems in the world was hacked — without violence, without weapons, without electronic devices. The attacker simply took $28 million worth of diamonds from the Belgian bank ABN AMRO due to his charm. Fraudster Carlos Hector Flomenbaum, a man with an Argentine passport stolen in Israel, gained the trust of the bank's employees a year before the incident. He posed as a businessman, made gifts, in short, established communication. One day, the staff gave him access to a secret vault of precious stones valued at 120,000 carats.
Have you heard how Victor Lustig not only filled the United States with fake bills and made a fool of Al Capone, but also sold the heritage of Paris — the Eiffel Tower? Twice, by the way ;). All this has become possible with the help of social engineering.
All these real-life examples of social engineering show that it adapts easily to any conditions and to any environment. Playing on a person's personal qualities or lack of professional ones (lack of knowledge, ignoring instructions, and so on), cybercriminals literally "hack" a person.
The most popular methods of social engineering
An attack on a person can be carried out in many scenarios, but there are several of the most common techniques of attackers.
Phishing
The feeling that is being played on: inattention
The method of collecting user data for authorization is usually mass e—mail spam. In the classic scenario, a fake email from some well-known organization arrives at the victim's email asking them to click on the link and log in. To create more trust, scammers come up with serious reasons for clicking on the link: for example, they ask the victim to update the password or enter some information (full name, phone number, bank card and even CVV code!).
And it seems that the person does everything as it says in the letter, but... he got caught! The criminals have thought through his every move, which is why they manage to get people to do what they want.
You can read more about how to recognize a fake website and protect yourself from phishing in this post.
Trojan
The feeling that is being played on: greed
The virus got its name for a reason based on the principle of the Trojan horse from the ancient Greek myth. The only bait here is an email message that promises quick profits, winnings or other "mountains of gold" - but as a result, a person receives a virus with which intruders steal his data. Why is this type of data theft called social engineering? Because the creators of the virus know well how to disguise the malware so that you can surely click on the right link, download and run the file.
how cybercriminals work
Qui pro quo
The feeling that is being played on: credulity
Or "quid pro quo", from the Latin "quid pro quo". Using this method, the attacker introduces himself as a technical support employee and offers to fix the problems in the system, although in fact there were no problems with the software. The victim believes in the presence of malfunctions and, following the hacker's instructions, personally gives him access to important information.
Pretexting
The feeling that is being played on: credulity
Another technique used by cybercriminals is called pretexting (an action worked out according to a pre-prepared scenario). In order to get hold of information, the criminal pretends to be a person known to you, who allegedly needs your information to perform an important task.
Social engineers represent employees of banks, credit services, technical support, or your friend, family member — a person you trust by default. For greater reliability, they tell the potential victim any information about her: name, bank account number, the real problem with which she contacted this service earlier. A well—known example is black "call centers", when prisoners, disguised as employees of large banks, call citizens and trick them into transferring money. The most striking case occurred in Matrosskaya Tishina, where fraudsters fraudulently received 7 million rubles.
Reverse Social Engineering
The feeling on which they play: credulity, inattention
The technique is aimed at ensuring that the victim himself turned to a social engineer and gave him the necessary information. This can be achieved in several ways:
Implementation of special software
At first, the program or system works properly, but then a failure occurs that requires the intervention of a specialist. The situation is set up in such a way that the specialist who will be asked for help is a social hacker. By setting up the software, the fraudster performs the necessary manipulations for hacking. And when a hack is discovered, the social engineer remains out of suspicion (on the contrary, he helped you).
Advertisement
Attackers can advertise their services as computer masters or other specialists. The victim turns to the hacker herself, and the criminal not only works technically, but also extracts information through communication with his client.
How to protect yourself?
If you do not want to become another victim of social engineers, we recommend that you follow the following protection rules:
Remain skeptical and vigilant. Always pay attention to the sender of the emails and the address of the site where you are going to enter some personal data. If this is mail on the domain of a large organization, make sure that the domain is exactly like this and there are no typos in it. If in doubt, contact technical support or a representative of the organization through official channels.
Do not work with important information in front of strangers. Scammers can use so—called shoulder surfing, a type of social engineering where information is stolen over the victim's shoulder — by peeping.
Do not go to suspicious sites and do not download questionable files, because one of the best assistants of social engineering is curiosity.
Do not use the same password to access external and corporate (work) resources.
Install an antivirus — all major antiviruses have a built-in check for malicious resources.
Please review your company's privacy policy. All employees should be instructed on how to deal with visitors and what to do when illegal entry is detected.
