Beware, this is a trap: what is social engineering?
What is social engineering and how did it come about? Cybercriminals who use these techniques in practice are called social engineers. When looking for a way into a system or to valuable data, they go after the weakest link: a person. The simplest example is a phone call in which an attacker pretends to be someone else and tries to extract confidential information from the subscriber by playing on the person's feelings, deceiving or blackmailing them. Unfortunately, many people still take the bait and trustingly tell social hackers everything they want to know. And scammers have a large arsenal of methods and techniques; we will discuss them later.

Today social engineering is strongly associated with cybercrime, but the concept is actually very old and initially had no pronounced negative connotation. People have used social engineering since ancient times. In Ancient Rome and Ancient Greece, for example, specially trained orators who could convince an interlocutor that he was wrong were held in high esteem; they took part in diplomatic negotiations and worked for the benefit of their state. Many years later, by the early 1970s, telephone pranksters appeared who disturbed the peace of citizens just for a joke. But someone realized that it was fairly easy to obtain important information this way, and by the end of the 70s former telephone pranksters had turned into professional social engineers (they came to be called "signers"), able to manipulate people masterfully and to identify their complexes and fears by intonation alone. When computers appeared, most of these engineers changed their profile and became social hackers, and the terms "social engineering" and "social hacker" became synonymous.

Sometimes it's enough just to ask

An example is the theft of $40 million from the company Ubiquiti Networks in 2015.
No one hacked into operating systems or stole data: the security rules were broken by the employees themselves. The scammers sent an email in the name of a top manager of the company and asked the finance staff to transfer a large sum of money to the specified bank account.

In 2007 one of the most expensive security systems in the world was breached without violence, without weapons and without electronic devices. The attacker simply walked off with $28 million worth of diamonds from the Belgian bank ABN AMRO thanks to his charm. The fraudster Carlos Hector Flomenbaum, a man with an Argentine passport stolen in Israel, had won the trust of the bank's employees over the year before the incident. He posed as a businessman, gave gifts, in short, built a relationship. One day the staff gave him access to a secret vault of precious stones valued at 120,000 carats.

Have you heard how Victor Lustig not only flooded the United States with counterfeit bills and made a fool of Al Capone, but also sold the heritage of Paris, the Eiffel Tower? Twice, by the way ;). All of this was possible thanks to social engineering.

All these real-life examples show that social engineering adapts easily to any conditions and any environment. Playing on a person's personal qualities or on a lack of professional ones (lack of knowledge, ignoring instructions, and so on), cybercriminals literally "hack" the person.

The most popular methods of social engineering

Phishing

A method of harvesting users' login credentials, usually by mass email spam. In the classic scenario, a fake email from some well-known organization arrives in the victim's inbox asking them to click a link and log in. To build trust, scammers invent serious reasons for clicking the link: for example, they ask the victim to update a password or enter some information (full name, phone number, bank card number and even the CVV code!). The person does everything the email says, and... is caught!
The criminals have thought through every one of his moves, which is why they manage to get people to do what they want. You can read more about how to recognize a fake website and protect yourself from phishing in this post.

Trojan

The virus got its name, for good reason, from the principle of the Trojan horse in the ancient Greek myth. Here the bait is an email message that promises quick profits, winnings or other "mountains of gold", but as a result the person receives a virus with which intruders steal his data. Why is this type of data theft called social engineering? Because the virus writers know very well how to disguise the malware so that you will surely click on the right link, download and run the file.

Quid pro quo

From the Latin "quid pro quo" ("something for something"). Using this method, the attacker introduces himself as a technical support employee and offers to fix problems in the system, although in fact there was nothing wrong with the software. The victim believes the malfunctions are real and, following the hacker's instructions, personally gives him access to important information.

Pretexting

Another technique used by cybercriminals is called pretexting (an action carried out according to a pre-prepared scenario). To get hold of information, the criminal pretends to be someone you know who supposedly needs your information to perform an important task. Social engineers pose as employees of banks, credit services or technical support, or as your friend or family member: a person you trust by default. To seem more credible, they tell the potential victim details about herself: her name, her bank account number, the real problem she contacted this service about earlier. A well-known example is the "black" call centers in which prisoners, posing as employees of large banks, call citizens and trick them into transferring money.
The most striking case occurred in Matrosskaya Tishina, where fraudsters obtained 7 million rubles by deception.

Reverse Social Engineering

The technique aims to have the victim contact the social engineer himself and hand over the necessary information. This can be achieved in several ways:
Implementation of special software
Advertisement

How to protect yourself?

Remain skeptical and vigilant. Always pay attention to the sender of an email and to the address of the site where you are about to enter any personal data. If the email comes from the domain of a large organization, make sure the domain is exactly right and there are no typos in it. If in doubt, contact technical support or a representative of the organization through official channels.
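The domain check described above can be automated on the receiving side. The Python below is an added example, not code from the original article; the trusted-domain set, the confusable-character table and the sample From: headers are constructed assumptions, and it flags three cases: an exact or subdomain match, a trusted name buried inside someone else's domain, and a one- or two-character typo once look-alike characters are normalised.

```python
import re

# Constructed sample set: domains this reader legitimately receives mail from.
TRUSTED_DOMAINS = {"example-bank.com", "mail.example.org"}

# Single-character look-alikes common in typo-squatted domains (assumed table).
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def sender_domain(header_from: str) -> str:
    """Extract the domain from a From: header such as 'Name <user@host>'."""
    match = re.search(r"[^\s<>@]+@([^\s<>]+)", header_from)
    if not match:
        raise ValueError(f"no address found in {header_from!r}")
    return match.group(1).lower().rstrip(".")

def skeleton(domain: str) -> str:
    """Collapse look-alike sequences: 'examp1e-bank.c0m' and 'rnail' -> 'example-bank.com', 'mail'."""
    return domain.replace("rn", "m").replace("vv", "w").translate(_CONFUSABLES)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; domain names are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(header_from: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted' (exact domain or its subdomain), 'lookalike', or 'unknown'."""
    domain = sender_domain(header_from)
    for good in trusted:
        if domain == good or domain.endswith("." + good):
            return "trusted"
    for good in trusted:
        # Trusted name buried inside another domain, e.g. example-bank.com.verify-login.net
        if good in domain:
            return "lookalike"
        # A typo of one or two characters after look-alike normalisation
        if edit_distance(skeleton(domain), skeleton(good)) <= 2:
            return "lookalike"
    return "unknown"

# Constructed sample headers, not taken from any real message.
SAMPLE_FROM_HEADERS = ["Alerts <alerts@example-bank.com>",
    "Security <security@examp1e-bank.com>",
    "Support <support@example-bank.com.verify-login.net>"]
REPORT = {h: classify_sender(h) for h in SAMPLE_FROM_HEADERS}
```

A "lookalike" verdict is a reason to verify through official channels, as the advice above says, not proof of fraud on its own.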
13-02-2024, 11:33