In the field of information security, the term “social engineering” is used to describe the science and art of psychological manipulation. According to statistics, 55% of losses related to information security breaches are caused by employees affected by social engineers.

After a short period of neglect, social engineering is becoming widespread in the field of educational activity. The author of this article defines the status of a social engineer as combining the positions of a sociologist and an engineer. As a sociologist, the social engineer focuses his professional activity on solving practical social problems; as an engineer, he applies engineering methods and designs in his practice. Within socio-engineering activity, the following areas are distinguished: socio-engineering studies (analysis, diagnostics and expert assessment), social engineering proper (design, programming and planning), organizational and technological activity, and management consulting.

Social engineering is used for:

  • collecting information about the target;
  • obtaining confidential information;
  • gaining direct access to the system;
  • retrieving data that is otherwise impossible to obtain.

FEATURES OF ATTACKS ON THE HUMAN FACTOR

  • Do not require significant costs;
  • Do not require special knowledge;
  • Can last for a long time;
  • Are difficult to track.

A person is often much more vulnerable than a system. That is why social engineering is aimed at obtaining information through a person, especially in cases where it is impossible to access the system (for example, a computer with important data is disconnected from the network).

General approach to attack

  • Collecting information about the victim (often through social networks);
  • Establishing a trusting relationship;
  • Exploitation;
  • Covering tracks.

The general principle of all such attacks is deceiving the victim. Various tactics can be used for this, aimed at emotions, weaknesses or other personality traits:

  • Love
  • Sympathy and pity
  • Greed and desire for quick results
  • Fear of bosses
  • Inexperience
  • Laziness

POPULAR SOCIAL ENGINEERING TECHNIQUES

Phishing

Phishing attacks are the most popular form of social engineering fraud. The goal of phishing is to illegally obtain confidential user data (username and password). To attack users, attackers use e-mail, having first collected from open sources a list of company employees and their e-mail addresses. After collecting the addresses, the attackers prepare an e-mail carrying a payload.

The payload is usually of one of two types:

  1. A fake page imitating a corporate resource, used to steal the passwords of corporate users.
  2. A malicious office document.

To create a fake page, attackers copy the HTML and JavaScript code of the original corporate resource and add changes that let them capture the login and password users enter.

Office files, as a rule, carry malicious code that runs when the document is opened. The code is added using a standard Microsoft Office feature, macros. Once launched, the document downloads an executable file that infects the user's work machine and gives the attackers remote access to steal information.
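As an added defender-side illustration (not code from the original article): the macro-enabled Office formats described above are ZIP containers in which the VBA project is stored as a part named vbaProject.bin, and the main part carries a distinct macro-enabled content type in [Content_Types].xml. A mail gateway or attachment scanner can therefore flag such documents before a user opens them. The sample documents below are constructed in memory and are not real Word files; the helper names are my own.

```python
import io
import zipfile
from typing import List

# Content types Microsoft Office assigns to the main part of macro-enabled OOXML documents.
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
)
# Content type of an ordinary (macro-free) Word document, used for the benign sample.
PLAIN_WORD_CONTENT_TYPE = (
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
)


def find_macro_indicators(data: bytes) -> List[str]:
    """Return the reasons an OOXML attachment looks macro-enabled; an empty list means none found.

    Only ZIP-based OOXML (.docx/.docm/.xlsm/.pptm ...) is covered. Legacy OLE2 files
    (.doc/.xls) are not ZIP containers and need a different parser.
    """
    reasons: List[str] = []
    if not data.startswith(b"PK"):
        return reasons
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            for name in names:
                # The VBA project lives at word/, xl/ or ppt/ followed by vbaProject.bin.
                if name.rsplit("/", 1)[-1].lower() == "vbaproject.bin":
                    reasons.append(f"VBA project stored at {name}")
            if "[Content_Types].xml" in names:
                ctypes = zf.read("[Content_Types].xml").decode("utf-8", errors="replace")
                for ct in MACRO_CONTENT_TYPES:
                    if ct in ctypes:
                        reasons.append(f"macro-enabled content type {ct}")
    except zipfile.BadZipFile:
        reasons.append("ZIP signature present but the container is corrupt")
    return reasons


def build_sample_document(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-like container for demonstration (not a real Word file)."""
    main_ct = MACRO_CONTENT_TYPES[0] if with_macro else PLAIN_WORD_CONTENT_TYPE
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "[Content_Types].xml",
            f'<Types><Override PartName="/word/document.xml" ContentType="{main_ct}"/></Types>',
        )
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Constructed placeholder bytes; a real vbaProject.bin is an OLE2 stream.
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder, not real VBA")
    return buf.getvalue()


def attachment_verdict(filename: str, data: bytes) -> str:
    """Combine the filename extension with the container inspection into a gateway verdict."""
    macro_exts = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm")
    reasons = find_macro_indicators(data)
    if filename.lower().endswith(macro_exts):
        reasons.append(f"macro-enabled extension on {filename}")
    return "QUARANTINE: " + "; ".join(reasons) if reasons else "ALLOW"


if __name__ == "__main__":
    for name, doc in (("invoice.docx", build_sample_document(False)),
                      ("invoice.docm", build_sample_document(True))):
        print(name, "->", attachment_verdict(name, doc))
```

The inspection looks inside the container rather than trusting the extension, so a macro-enabled file renamed to .docx is still reported; conversely, the extension check catches the case where the container is present but its parts are obfuscated beyond what this simple scan recognizes.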

Trojan horse

This technique exploits qualities of the potential victim such as curiosity and greed. The social engineer sends an e-mail with a free video or an antivirus update as an attachment. The victim saves the attached files, which are in fact Trojans. This technique will remain effective as long as users continue to mindlessly save or open any attachment.

In addition to attachments, attackers can use USB devices (drives and other peripherals).

In such an attack, as with attachments, the attackers exploit the curiosity of a user who found the flash drive in a parking lot or received it as a gift at an event.

When such a device is connected, the computer identifies it as a keyboard. The flash drive then sends the computer commands that install malicious software or steal confidential data. To an onlooker it appears as if someone is typing commands on the computer's keyboard.

Examples of commands that can be used to attack users with USB devices can be found here – https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payloads .

Pretexting

Pretexting is an attack conducted according to a previously prepared scenario. Such attacks aim to develop the victim's trust in the attacker. They are usually carried out by telephone. This method often does not require prior preparation or collection of data about the victim.

Tailgating

Tailgating, or piggybacking, means an attacker passing through a checkpoint without authorization together with a legitimate user. This method cannot be applied in companies where employees must use passes to enter the premises.

Obviously, social engineering can cause tremendous damage to any organization. That is why it is necessary to take all possible measures to prevent attacks on the human factor.

How to recognize a phishing attack?

New fraud schemes appear almost every day. Most people can learn on their own to recognize fraudulent messages by becoming familiar with some of their distinctive features. Most commonly, phishing e-mails contain:

1. alarms or threats, such as the closure of the user's bank account;
2. promises of a large cash prize for minimal or no effort;
3. requests for donations on behalf of charitable organizations;
4. grammatical, punctuation and spelling errors.

SOCIAL ENGINEERING: PROTECTION GUIDELINES

If you do not want to become another victim of social engineers, we recommend that you follow these protection rules:

  • do not use the same password for external and corporate resources;
  • do not open letters received from unreliable sources;
  • lock your computer when you are away from your workplace;
  • install antivirus software;
  • read your company's privacy policy; all employees should be instructed on how to behave with visitors and what to do when an intrusion is detected;
  • discuss only the necessary information by telephone and in private conversation;
  • delete all confidential documents from portable devices.

EXAMPLE: The attacker wants to obtain a person's password for an online banking account. He calls the victim by telephone, introduces himself as a bank employee and asks for the password, citing serious technical problems in the organization's system. For greater persuasiveness, he gives a fictitious (or previously learned real) employee name, position and authority (if required). To make the victim believe him, the social hacker can fill his story with plausible details and play on the victim's feelings. Having received the information, he also says goodbye to his "client" with great skill, and then uses the password to log in to the account and steal funds.

Reverse social engineering

Reverse social engineering, and the social hackers who specialize in it, build their activity in three areas:

  • Situations are created that force people to seek help.
  • Problem-solving services are advertised (this also includes help offered in advance by real experts).
  • "Help" is provided and influence is exerted.

In this type of social engineering, the attackers first study the person or group of people whom they intend to influence. Their preferences, interests, desires and needs are investigated, and influence is exerted precisely through them with the help of programs and any other means of electronic influence. Moreover, the programs must at first work without failures, so as not to arouse suspicion, and only then switch to malicious mode.

Examples of reverse social engineering are not uncommon, and here is one of them:

Social hackers develop a program for a particular company based on its interests. The program contains a delayed-action virus: after three weeks it activates, and the system begins to falter. Management calls the developers to help fix the problem. Being ready for this turn of events, the attackers send their "specialist", who, while "solving the problem", gains access to confidential information. The goal is achieved.

Unlike conventional social engineering, the reverse kind is more laborious, requires special knowledge and skills, and is used to influence a wider audience. But its effect is remarkable: the victim, without resistance, i.e. of his own free will, shows all his cards to the hackers.

Thus, social engineering of any kind is almost always used with malicious intent. Of course, some people speak of its benefits, pointing out that it can solve social problems, maintain social activity and even adapt social institutions to changing conditions. Despite this, it is most successfully used for:

  • Deceiving people and obtaining confidential information
  • Manipulating and blackmailing people
  • Destabilizing the work of companies for their subsequent destruction
  • Database theft
  • Financial fraud
  • Competitive intelligence

Naturally, this could not go unnoticed, and methods appeared to counteract social engineering.

Protection against social engineering

Today, large companies systematically conduct all kinds of tests of resistance to social engineering. The actions of people who fall victim to social hackers are almost never deliberate, but that is exactly what makes them dangerous: it is relatively easy to defend against an external threat and much harder to protect against an internal one.

To raise security, company management conducts specialized training, checks the level of employees' knowledge, and also stages internal sabotage, which makes it possible to establish how prepared people are for attacks by social hackers, how they react, and how honest and conscientious they are. For example, they may send "infected" e-mails or make contact over Skype or social networks.

Protection against social engineering itself can be both human-oriented and technical. In the first case, people's attention is drawn to security issues, the seriousness of the problem is explained, measures are taken to instill security policy, and methods and actions that strengthen information security are studied and implemented. But all of this has one drawback: these methods are passive, and many people simply ignore the warnings.

Technical protection covers means that impede access to information and its use. Since the most "popular" attacks by social hackers on the Internet come through e-mails and messages, programmers create special software that filters all incoming data, for both private mailboxes and internal mail. The filters analyze the text of incoming and outgoing messages. There is a difficulty, though: such software puts load on servers, which can slow down or crash the system. In addition, it is impossible to foresee every way of writing a potentially dangerous message. The technology is improving, however.

As for the means that specifically impede the use of data, they are divided into:

  • Blocking the use of information anywhere except the user's workplace (authentication data is tied to electronic signatures and to the serial numbers of PC components, physical and IP addresses);
  • Blocking the automated use of information (the familiar Captcha, where a picture or a distorted part of it serves as a password).

Both methods block the possibility of automation and shift the balance between the value of the information and the work of obtaining it towards the work. Therefore, even with all the data handed over by unsuspecting users, social hackers face serious difficulties in putting it to practical use.

As for everyday protection against social engineering, we advise any ordinary person simply to remain vigilant. When you receive an e-mail, read the text and the links carefully and try to understand what the letter contains, whom it came from and why. Do not forget to use antivirus software. If unknown people call from an unfamiliar number, never give out your personal data, especially anything concerning your finances.

Remember that anyone can master the art of controlling the actions of others, but these skills should be used for people's benefit. Sometimes it is useful and convenient to guide a person and nudge him towards decisions that benefit us. But it is far more important to be able to identify social hackers and deceivers so as not to become their victim, and just as important not to become one of them. We wish you wisdom and useful life experience!