Social Engineering and Social Hackers

Maxim Kuznetsov

The first part discusses the main concepts of social engineering and social hacking. The first chapter, as usual, introduces the subject under discussion, and the second chapter gives various examples of the use of social engineering methods.

Chapter 1. Social engineering is one of the main tools of hackers of the 21st century

Chapter 2. Examples of hacks using social engineering methods

Chapter 3. Examples of social programming

Chapter 4. Building social files

Chapter 5. Psychological aspects of the training of social hackers

Social engineering is one of the main tools of hackers of the 21st century

… In early February 2005, many information security specialists in our country were awaiting a talk by K. Mitnick, the famous hacker, who was to speak about the danger posed by social engineering and the methods used by social engineers (whom we will call social hackers). Alas, the expectations were not really met: Mitnick covered only the basic tenets of social engineering. And he spoke at length about the fact that social engineering methods are used by criminals around the world to obtain all kinds of classified information. According to many of those present, he was interesting to listen to, because he is a truly charming person, but no special secrets were revealed.

Note

Kevin Mitnick is a famous hacker who was pursued by the best information security experts of the FBI and convicted by the US justice system in the 90s for penetrating many government and corporate secret databases. According to many experts, Mitnick had neither a significant technical background nor great programming knowledge. What he did possess was the art of talking on the phone in order to obtain the information he needed, which is what is now called social engineering.

The same can be said of his books: there are no special revelations there. We do not at all rule out that Mitnick knows all this perfectly well; indeed, we are almost sure of it. Unfortunately, though, he tells nothing of what he really knows. Neither in his talks nor in his books.

Note

Which is probably, on the whole, not surprising, since the FBI went after him very hard back then, showing who was boss, and frayed his nerves considerably. There were many explanations to give, a ban on working with computers for several years, and a prison sentence. It should come as no surprise that after such ordeals he became a very law-abiding man, and will not only refrain from stealing any secret databases but will speak with great caution even about things that are not secret.

As a result of such reticence, social engineering comes across as a kind of shamanism for the elect, which it is not. Moreover, there is another important point. In many descriptions of attacks, whole paragraphs are missing, if not pages. Here is what we mean. If you take the schemes of some of the most interesting attacks and try to reproduce them as written, most likely nothing will come of it. Because many of K. Mitnick's schemes resemble roughly the following dialogue.

– Vasya, give me the password, please!

– Here you go! I wouldn't begrudge it to a good person.

The analysis of this “attack” goes approximately as follows: “Vasya gave the password to the social hacker because from birth he had never been able to say ‘no’ to strangers. Therefore, the main method of countering social engineers is to learn to say ‘no’.” … Maybe this recommendation is suitable for America, but I'm afraid not for Russia, where most people are more likely unable to say “yes”, while “no” comes very easily to everyone. Indeed, there is a type of person who is constitutionally unable to refuse another, but, first, there are few such people, and everyone else has to be brought to such a state. And not a word is said about how to bring them to it.

Note

We will talk about psychological typology and how to use this knowledge in social engineering in Appendix 2.

This is roughly what we mean when we say that Mitnick often omits entire paragraphs. One can assume that the first phrase could occur at the beginning of the conversation and the second at the end. But between them there was a great deal more, and the most interesting part. Because for everything to be so simple, you would need either to put the person into deep hypnosis or to inject him with truth serum. But even if that were the case, it too would need to be written about.

In life, as a rule, it happens differently. Passwords are disclosed and databases are carried out not because people simply cannot answer “no”, but because answering “no” is something they … really don't want to do. And for a person who holds some serious information to be unable to answer “no”, he has to be brought to such a state. By tailing him, say, for a week. What if something interesting turns up? Maybe he is himself a plant, or works for competitors in the evenings, or maybe the matter is more serious still: in the evenings he does not work for competitors, but visits a brothel … for people of non-traditional sexual orientation and, being an exemplary family man to everyone else, very much does not want anyone to know about it. Having roughly this kind of information, one can safely approach him and say:

– Vasya, tell me all the passwords you know. And open up network access for me, so that I don't waste time.

And in this case, very many Vasyas will answer:

– Yes, of course. I'll give you the passwords and open the access. I wouldn't begrudge it to a good person …

In the language of intelligence officers, this is called recruitment. And if everything suddenly starts disappearing somewhere in your organization and all the passwords are known to someone, consider whether someone has been tailing one of your employees. Working out who was targeted, and who did the targeting, is usually not difficult. Smart security service staff, by the way, before trusting people usually vet them thoroughly for, let's say, the candidate's weaknesses. They tail him and arrange all sorts of clever tests in order to know what kind of person has come to work.

… This introduction is written not to criticize K. Mitnick (each of us has something to be criticized for) but to show that social engineering is not as simple as it is sometimes presented, and that this subject needs to be approached seriously and thoughtfully. Now, after this introduction, let's begin, as they say.

The computer system that a hacker breaks into does not exist in isolation. It always contains one more component: a human. Figuratively speaking, a computer system can be represented by the following simple scheme (Fig. 1.1).


According to many experts, the greatest threat to the information security of both large companies and ordinary users in the coming decades will come from ever more refined methods of social engineering used to defeat existing protective measures. If only because social engineering requires neither significant financial investment nor a thorough knowledge of computer technology. For example, Rich Mogull, head of the information security department at Gartner, says that “social engineering is a more serious threat than ordinary network hacking. Studies show that people have certain behavioral inclinations that can be used for careful manipulation. Many of the most damaging breaches of security systems occur, and will occur, thanks to social engineering, not electronic hacking. In the next decade social engineering will itself pose the highest threat to information security.”

Rob Forsyth, managing director of one of the regional divisions of the antivirus company Sophos, agrees with him and gave an example of a new, cynical form of fraud aimed at unemployed residents of Australia. A potential victim receives a letter, allegedly sent by Credit Suisse, about a job vacancy. The recipient is asked to go to a site that is an almost exact copy of the real Credit Suisse corporate site, except that the fake version contains a job application form. And to consider the application, the “bank” asked for money, albeit a token sum, to be transferred to a specified account. Once a lot of people had transferred the money, the total was no longer so token. The fake site was made so expertly that it took experts some time to be sure it was a fake. It is worth recognizing that the attackers used a rather cunning combination of technologies. Their target is the neediest members of society, that is, those who are looking for work. “These are exactly the people who can succumb to such a provocation,” says Forsyth.

Enrique Salem, vice president of Symantec, goes so far as to say that traditional threats such as viruses and spam are “yesterday's problems”, although companies must still defend against them. Today's problem, according to Salem, is phishing using social engineering methods.

Why do many researchers believe that social engineering will become one of the main tools of hackers in the 21st century? The answer is simple. Technical protection systems will keep improving, while people will remain people, with their weaknesses, prejudices and stereotypes, and will be the weakest link in the security chain. You can install the most advanced protection systems and still not be able to relax your vigilance for a minute, because your security scheme contains one very unreliable link: the human. Configuring the human firewall is the most difficult and thankless task. A well-tuned piece of equipment you may not need to touch for months. The human firewall has to be tuned constantly. Here, more than ever, the main motto of all security experts is relevant: security is a process, not a result. A very simple and common example. Suppose you are a director and you have a very good employee who, in your opinion, will never sell anything to anyone or sell anyone out. The next month you cut his salary, say, for one reason or another. Even if those reasons are entirely objective. And the situation has changed dramatically: now he has to be watched constantly, because he is beside himself with resentment and ready to kill you, to say nothing of some internal corporate secrets.

I will also note that to work in security, especially in tuning human firewalls, you need a stable nervous system and psyche. Why, you will understand from the following fine phrase of A. Einstein, which we, following Kevin Mitnick, cannot help repeating: you can be sure of only two things, the existence of the universe and human stupidity, and I am not entirely sure about the first.

The main scheme of influence in social engineering

All attacks of social hackers fit into one fairly simple scheme (Fig. 1.2).

Note

This scheme is called the Sheinov scheme. In its general form it is given in a book by the Belarusian psychologist and sociologist V. P. Sheinov, who has long studied the psychology of fraud. In a slightly modified form, this scheme also suits social engineering.

So, first, the goal of influencing a particular object is always formulated.

Note

By “object” here we mean the victim at whom the social engineering attack is directed.

Then information about the object is collected in order to find the most convenient targets of influence. After that comes the stage that psychologists call attraction. Attraction (from Lat. attrahere, to attract, to draw) is the creation of the conditions needed for the social engineer to influence the object. Compelling the object to take the action the social hacker needs is usually achieved by carrying out the previous stages, i.e., once attraction is achieved, the victim himself performs the actions the social engineer needs. However, in some cases this stage acquires independent significance, for example, when compulsion to act is achieved by inducing a trance, by psychological pressure, etc.

Following V. P. Sheinov, let us illustrate this scheme using the example of fishing. The target of influence in this case is the fish's need for food. The bait is a worm, a piece of bread, a spinner, etc. And attraction is the creation of the conditions necessary for successful fishing: choosing the right spot, keeping quiet, choosing the right bait, feeding the fish. Compulsion to act is, for example, a jerk of the rod, which makes the worm or other bait twitch, so that the fish understands that the food may get away and it must act more decisively. Well, with the result everything is clear.

Another example: bribing an employee. Here the target is the employee's need for money. That he needs it, and that he is likely to “accept the offer”, is learned at the information-gathering stage. Attraction can be, for example, the creation of conditions under which the employee will badly need money.

Note

These conditions are often created deliberately. A banal example: the employee was driving and had a minor collision, after which his car needs repairing and the owner of the jeep he ran into has to be paid. The number of such staged road accidents is now incredible, and performers are not hard to find.

Now let us dwell briefly on such a popular type of crime as the theft of databases.

Note

The theft of databases is one of the main areas where social engineering is used. We will continue the conversation about database theft in Chapter 2.

What databases can't you find nowadays: MGTS databases, Central Bank databases, the Pension Fund database, the BTI database, the Ministry of Internal Affairs and traffic police databases, residence registration databases … Experts are currently arguing about what type of crime the theft of customer databases should be classed as. On the one hand, according to many experts, this type of crime belongs to crimes in the field of IT. Those who think so proceed from the simple position that databases are stored on server hard drives and, therefore, if they are stolen, it is an IT crime. On the other hand, this is not entirely true, because most thefts are committed using social engineering methods.

Who steals databases, and how? If in answer you hear that hackers steal them by breaking into the corporate servers of state bodies and large companies, do not believe it. It is not so. Everything is much simpler and more prosaic. Ordinary people steal them, in most cases without using any complex devices, unless an ordinary flash drive plugged into a USB port counts as one.

As we have already said, in approximately 80 cases out of 100, information is stolen not through a technical channel but through a social one. So it is not hackers who sit up all night breaking into servers but, say, an offended system administrator who quit. And not alone, but together with all the databases and all the information about the enterprise. Or, for a moderate fee, an employee himself leaks information about the company to outsiders. Or someone simply came in from outside, introduced himself as the system administrator's best friend, and sat down to fix a “buggy” database because the best friend was off sick. After he left, that database really did start working better, but somewhere else. If you think this is very trivial and works only in small and very careless companies, you are mistaken. Quite recently, this is exactly how valuable information was stolen from one of the very large St. Petersburg companies working in the energy sector. And there are a great many such examples.

The fact that the main channel of information leakage is social makes the task of protecting information extremely complicated. Because the probability of leakage through a technical channel can, in principle, be reduced to zero. You can make the network so well protected that no attack from outside will get through. You can even arrange things so that the institution's internal network does not intersect with the external one at all, as is done in Russian law enforcement agencies, for example, where internal networks have no Internet access. The management offices and all rooms where important meetings are held can be equipped with information protection equipment. No one will record anything on a voice recorder: voice-recorder suppressors have been installed. No one will eavesdrop over the radio channel or the channel of stray electromagnetic emissions: a radio noise generator has been installed. The vibro-acoustic channel has been blocked too, it is impossible to pick up information from the vibrations of the window glass, and no one will hear anything through the ventilation shafts. The telephone lines are protected. … So, everything has been done. And the information still walked away. How? Why? People carried it out. Without any complex technical manipulations. Once again that notorious, tiresome human factor came into play, which everyone seems to know about and which everyone tries to forget, living by the principle “until the thunder strikes …”. Note: it is almost impossible to steal information from the networks of state bodies through a technical channel. Yet it is stolen nonetheless. And this is further evidence that information is mostly stolen using people, not technical means.

And sometimes it is stolen in a laughably simple way. We conducted an audit of the organization of information protection at a large enterprise in the petrochemical industry. And we found an interesting thing: any night cleaner could have access to the desk of the general director's secretary. And apparently did. Such was the democracy that reigned at this enterprise. And there were so many papers scattered on that desk that from them one could form a picture of almost all the enterprise's current activities and of its development plans for the next 5 years. We stress once again that this is a really large enterprise, with a solid reputation and a turnover in the millions. In dollar terms, of course. And information protection was set up … well, it was not set up at all.

Another interesting social engineering channel of information leakage is various exhibitions, presentations, etc. A company representative standing at the stand, with the best of intentions and wanting to please everyone, often gives away the most closely guarded company secrets that he knows, and answers any question. I have told this to many of my acquaintances more than once, and one of them jokingly suggested that I approach his company's representative at the next exhibition and try to find out something of the kind. When I brought him the dictaphone recording, he was, one might say, dismayed, because one of the phrases went something like this: “But recently our director also went to Iran …”. This method of obtaining information, by the way, is used by a considerable number of firms.

Note

More details on how information is fished out at presentations are in Chapter 2.

… Unfortunately, many people are extremely careless and do not want to look after the security of information. Moreover, even in very large organizations this unwillingness often extends from the most ordinary employees up to the general director. In that situation a lone system administrator or head of the security service, even if they are complete paranoiacs obsessed with protecting information, will not save the day. Because at present, alas, even those managers who understand that information must be protected do not always realize something else: that information protection must be systematic, that is, carried out across all possible leakage channels. You can protect the computer network as much as you like, but if people are paid low salaries and hate the enterprise they work for more than the Soviet people hated the Nazi invaders, you may as well not spend money on that protection at all.

Another example of a non-systematic approach can often be observed while waiting for an appointment outside a director's door. Very often those who design the security system fail to take one thing into account: directors tend to speak loudly, sometimes breaking into a shout. The doors to the general director's office are often so permeable to sound that those meeting inside can be heard without straining, even if they are speaking in a whisper. Once I [1] came to Moscow to see a director close to those in power, to consult him about what lay ahead for our industry. He happened to be holding an important unplanned meeting, and I was asked to wait. After sitting outside his office for 15 minutes, I realized that I had learned much more than I had wanted to know and could, in principle, leave. I stayed only out of politeness. The piquancy of the situation is that when my turn came, the director gave almost no answers to my questions, saying that, you understand, it was all very confidential, and he himself was not really in the know … and so on. Nevertheless, I thanked him very warmly and kindly.

… Returning to databases containing confidential information, after the above it is entirely clear who steals them and how. Ordinary people steal them. Very often, the enterprises' own employees. Recently a customs officer with the rank of lieutenant colonel was convicted for supplying the market with customs databases. In a neighboring region, the head of a tax inspectorate department was caught red-handed leaking data to local criminal gangs for a moderate fee. And so on.

Why are they stolen, and who needs them? Many do. Young and old alike. Both ordinary citizens and financial sharks need them. Starting with citizens, and without going into deep discussions of the peculiarities of the Russian mentality, we will say only that as long as the directory enquiry services of our “telecoms” are staffed by noble and disgruntled young ladies, even the most law-abiding and honest person will find it far easier on the nerves to go and buy a database of organizations' phone numbers on the pirate market than to call the enquiry service.

For obvious reasons, all those engaged in competitive intelligence need them.

Criminals need them. For example, every self-respecting car thief has the traffic police database. It is also important for criminals to know whether those they “protect” are shortchanging them. Burglars find victims with the help of databases.

Financial giants that practice raider takeovers need them.

Note

Raider takeovers are a practice in recent Russian history in which, roughly speaking, a large company takes over smaller companies with the help of so-called raiders. Suppose a large company wants to buy some smaller company. To do so, it places an order with raiders, people who will draw up a plan for capturing the company and carry it out. Raiders are described in detail in Chapter 2.

… One could go on for a long time. In general, the market is vast and the product is in demand. And demand always gives rise to supply. This is one of the basic laws of economics. If there is demand, then inevitably, sooner or later, expensive or cheap, there will be supply. Whatever that demand may be. Even if the demand is utterly blasphemous, for example, the demand for children's bodies. It is hard to think of a worse demand. Yet there is supply all the same. What, then, can be said of mere databases.

Note

Currently, the price of stealing one database of a large enterprise is about $2000.

Is it possible to stop the theft of databases at all? At the state level, this can probably be done only by toughening the punishment for this crime. I would like to see anyone who would have dared to steal a database in Soviet times. True, “toughening” is not quite the right term: the fact is that a database can now be stolen with almost complete impunity. Well, what does it cost any employee of almost any organization to carry this database out? That's right, nothing. In the worst case, they will be fired. But one still has to manage to get caught. It has got to the point that, according to a publication in Komsomolskaya Pravda dated 03.03.06, even the Moscow Center for Economic Security, which, judging by its name, ought to protect these very databases, deals in databases. Therefore, as always, one should of course hope for the state, but not count on it. And some companies, without waiting for the state, have gone other ways. For example, the way of discrediting this market and those who work in it. Simply put, they leak ordinary disinformation, acting on the principle that if the state cannot protect us, we have to learn to play spy games ourselves. And many learn well. I know of a case where a company, having learned that it had been “ordered”, itself prepared all the necessary information, which the attacker then stole. When the customer realized what was going on, he was said to be beside himself. And the stakes were high. History is silent on what became of those who obtained this information, but, according to rumors, after this incident the number of people, including employees, wishing to obtain confidential information about this company's activities fell sharply.

By the way, although it is said that there are no by-laws aimed at stopping database theft, often the problem is not in them at all. Yes, there really is a problem with by-laws. But in most thefts, as we said earlier, the organizations themselves are to blame. Incidentally, the courts see practically no claims from organizations whose information has been stolen. This is explained by one simple thing: no one wants to wash their dirty linen in public. Which is understandable in general but, on the other hand, greatly simplifies matters for attackers. The fact is that even if a company knows for certain that its employee stole the information and wants to sue that employee, the likelihood that the company will win the case is very small. Owing to the same carelessness: a very small number of firms draw up contracts with employees properly, that is, so that they state that the employee has been informed that he is dealing with confidential information and what will happen to him if he discloses it.

The main differences between social engineering and social programming

In addition to social engineering, we will also use the term social programming, which, although at first glance similar to social engineering, is actually very different from it. This section is devoted to clearing up that confusion in terms.

Social engineering can be defined as manipulating a person or a group of people in order to break security systems and steal important information. Social programming can be applied irrespective of any hacking and for any purpose, for example, to calm an aggressive crowd or secure a candidate's victory in the next election or, conversely, to smear a candidate or turn a peaceful crowd aggressive. What matters is that there is no longer any computer in the picture. Thus, we will use the term social engineering when the attack is on a person who is part of a computer system, as shown in Fig. 1.1.

Note

Sometimes, alongside the term social engineering, the term reverse social engineering is also used. The idea is that in reverse social engineering you do not directly make a person do anything, but create conditions in which he turns to you himself. For example, if you need to get into an organization in the guise of a telephone technician, you can simply turn up and start checking the phones. In this terminology, that is social engineering. Or you can do it differently. You create a situation in which you are known in that organization as a telephone technician. After that you wait for something to happen to the phones, or do something to them yourself, and calmly wait to be called and asked to come. That is reverse social engineering. Thus, you do not turn up out of the blue; you are asked to come. Of course, the second case is far preferable, because it removes all suspicion from you. Competent social engineering approaches are built exactly this way, so we consider this term superfluous and will not use it.

Social programming can be called the science that studies methods of purposeful influence on a person or group of people in order to change their behaviour or keep it in the desired direction. In essence, then, the social programmer sets himself the goal of mastering the art of managing people. The basic concept of social programming is that many of people's actions, and their reactions to one external influence or another, are in many cases predictable. This is, generally speaking, a very interesting thing. But for the most part it is true. The general scheme of how social programmers work is shown in Fig. 1.3.

What makes the methods of social programming attractive to criminals is that either no one will ever learn of them at all, as in the example above, or, even if someone guesses something, it is very difficult to bring such a figure to justice. Well, we have no article in the Criminal Code for “driving a person to a stroke”. And if there were, go and prove that this is how it was, because the person so driven did everything purely voluntarily, being of sound mind; no one hypnotized him or irradiated him with electromagnetic rays …

What we have just examined is a fairly classic and very simple scheme of the negative application of social programming. In various forms this scheme has been in operation since ancient times, if you recall history. In this case, the desired result is the physical elimination of the opponent. So, the goal is formulated. Next, the psychophysical characteristics were worked out, which revealed a tendency to drink and the presence of chronic cardiovascular disease. Then the measure of influence is developed (excessive alcohol consumption), which, properly applied, produces the planned result. It is very important that the person's behaviour be natural for him. That is the interesting part. It is for this that the psychophysical characteristics are calculated. Otherwise it would not be social programming. After all, when a homicidal maniac, for example, has already chosen a victim and is about to kill her, he too knows something about the victim's future behaviour that she does not yet know herself (that she will soon no longer be in this world). But, you will agree, the victim's behaviour in this case can hardly be called natural: it is hard to imagine that meetings with maniacs are her natural pastime. Thus, social programming is when you artificially model, for a particular person, a situation in which you know how that person will act, based on knowledge of his psychotype. The same applies to a group of people.

Note

In Chapter 3 we will consider several more examples of social programming; for example, we will analyze ways of pacifying an aggressive crowd, and also consider how the notorious recent “salt crisis” could have been brought about using social programming methods.

Social programming is based on the following psychological concepts:

• transactional analysis (see Chapter 6);

• sociology (science of people in groups) (see chapter 8);

• neurolinguistic programming (see chapter 7);

• scenario programming (see chapter 6);

• psychological typology (see Appendix 2).

Social programming, unlike social engineering, has a wider field of application, because it works with all categories of people, regardless of which system they are part of. Social engineering always works only with a person who is part of a computer system, although the methods used in both cases are similar.

Another important difference is that social engineering is almost always applied negatively, whereas social programming, like any field of knowledge, has both positive and negative applications. One example of a negative application of social programming is precisely social engineering.

Therefore, when we talk about manipulating a person who is part of a computer system, or is simply the bearer of secret information that needs to be stolen, we will speak of social engineering, and when we talk about managing people in general, we will speak of social programming. Our book is about social engineering, but sometimes, to make the essence of many methods easier to understand, we will make forays into social programming.

To conclude the conversation about social programming, here is a well-known example of how skillfully people can be manipulated.

Once a grandmaster received a letter in the mail in which a stranger, introducing himself as a young beginner chess player, proposed playing a game of chess remotely. Remotely, because the moves were to be sent by mail. The grandmaster was promised a very large sum of money if he won; if the game ended in a draw or, God forbid, the grandmaster lost, then he would pay. True, he would pay half the amount that he himself would receive if the young chess player lost. The grandmaster agreed without hesitation. They made the bet and began to play. From the very first moves the famous grandmaster realized that there would be no easy money here, because those moves already showed the young chess player to be a promising master. By the middle of the match the grandmaster had lost peace and sleep, constantly calculating the next moves of his opponent, who turned out to be not just a promising master but a very great one. In the end, after considerable time, the grandmaster barely managed to bring the game to a draw, after which he showered the young man with compliments and offered him not money but his support, saying that with such talent he would make him world champion. But the young chess player said that he did not need worldwide fame and asked only that the terms of the bet be fulfilled, that is, that the money he had won be sent. Which the grandmaster did, reluctantly. And where is the manipulation here, you ask? The manipulation is that the grandmaster was playing not against the young man but … against another great grandmaster, who had received exactly the same letter from the young man and had likewise agreed to earn some quick money. On exactly the same terms: the young man pays a large sum for a win, and the grandmaster pays the young man for a loss or a draw. As a result, two great chess players fought each other for about six months, while the young “talented chess player” worked, in modern language, as a mail relay, that is, he merely forwarded their letters to each other. And then, since the game ended in a draw, both grandmasters sent money … to this young man.

Examples of hacks using social engineering methods

In this chapter we will talk a little about the history of social engineering, and then go on to give examples of how social engineers act.

On the history of social engineering

The famous hacker K. Mitnik is very often called the “father of social engineering”, which is not entirely true. Mitnik was one of the first to apply the art of manipulating a person to a computer system, hacking not the “software” but the person who works at the computer. And thanks to him, everything related to stealing information by manipulating a person came to be called social engineering. In this book we follow Mitnik and keep to this terminology.

In fact, all the methods of manipulating a person have been known for a long time, and they came to social engineering for the most part from the arsenal of various special services.

Historical note

The first known case of competitive intelligence dates to the 6th century BC and occurred in China, when the Chinese lost the secret of silk manufacture, which Roman spies stole by deception.

The main areas of application of social engineering

The authors of many articles on social engineering usually reduce its application to phone calls made to obtain confidential information (usually passwords) by impersonating another person. However, the areas of application of social engineering are much wider.

The main areas of application of social engineering are shown in Fig. 2.1.

Let us look at each of these areas in more detail, using examples.


… It was spring, there was love. Natasha, an accountant at a mid-sized company, was selflessly in love with a young man, Ilya. So handsome, so sweet, so charming. They met by chance in a nightclub, and there she found out that Ilya had recently come to their city to study at the evening department of the financial faculty. A former locksmith, with golden hands. So what if he is a locksmith, Natasha reasoned, he will soon finish his studies and be a financier. A colleague, one might say. In short, a big wedding was being planned, and ahead there was only love and all the pleasant things that come with it. And what does financial fraud have to do with it, you ask? The point is that real life, in which besides love there is also cruel deceit, interfered harshly with Natasha's plans. One day she found out that a considerable amount of money had been transferred from her computer to the account of a certain company. She remembered exactly that she had done nothing of the kind, and indeed she was a diligent girl without bad habits. In short, shock. Which was made worse by the fact that her beloved Ilya suddenly disappeared somewhere. By the way, it was not immediately guessed that it was Ilya who had pulled off this scam, because it could not occur to anyone that someone so charming, so sweet, so sympathetic could do such a thing.

What happened? A classic story. Charming Ilya made Natasha fall in love with him in order to take advantage of her official position. Such stories happen very often, only the goals differ. In this case, the goal was to steal money.

Note

The target of influence in this case is Natasha's need for love. The attraction is, of course, Ilya's amorous courtship of Natasha. In addition, the show of serious intentions also serves as an attraction here (as we remember, a wedding was being prepared).

And so, having waited for a convenient moment when he was alone in Natasha's office on a working day, he transferred the money where he wanted. She herself had told him how this is done, because he asked, explaining his questions by saying that it interested him for his studies (he, as we remember, studied at the Faculty of Finance, and indeed everything to do with the legend was in this case very well done). During these conversations, Ilya found out where the diskettes with the EDS (Electronic Digital Signature) of the chief accountant and the director were kept. Was Natasha a fool? No, she was not. If only because in the few months that he was with Natasha, almost all the employees of the company, including the director, grew fond of Ilya; the director personally blessed their imminent wedding and was ready to take Ilya onto the company's staff in the near future. And because, by and large, she is not to blame for the fact that in many of our firms money is transferred by a simplified procedure. How should money be transferred? Say some amount needs to be transferred. The chief accountant comes and inserts the diskette with his EDS, then the director inserts his diskette. And only after that is the money transferred, since the EDS of both the director and the chief accountant is a necessary condition for transferring money. And if everything is done according to the rules, then such an attack is, of course, unthinkable. But … even the smallest company can make up to ten transfers a day. Now imagine the director running over every time to insert his floppy disk. And what if the company is small? He would sooner close the company than put himself through such torture. Therefore it is not uncommon for both floppy disks with the EDS to simply lie on the desk of the accountant who transfers the money. As was the case here.
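The two-signature rule described above, and the way keeping both diskettes on one desk defeats it, as an added example that is not from the book. HMAC keys stand in for the two EDS diskettes, and the key values, the order fields, the `workstation` field and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed demo keys: each one stands in for one EDS diskette.
KEYS = {
    "chief_accountant": b"constructed-demo-key-accountant",
    "director": b"constructed-demo-key-director",
}
REQUIRED_ROLES = sorted(KEYS)


@dataclass(frozen=True)
class Approval:
    role: str         # whose key produced the signature
    signature: str    # hex HMAC over the canonical order
    workstation: str  # hypothetical field, recorded by the verifier, not by the signer


def canonical(order: dict) -> bytes:
    """Serialize the order deterministically so both holders sign identical bytes."""
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode()


def sign(role: str, order: dict) -> str:
    """What inserting a diskette amounts to: whoever holds the key can sign."""
    return hmac.new(KEYS[role], canonical(order), hashlib.sha256).hexdigest()


def signature_valid(approval: Approval, order: dict) -> bool:
    key = KEYS.get(approval.role)
    if key is None:
        return False
    expected = hmac.new(key, canonical(order), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, approval.signature)


def authorize(order: dict, approvals: list, enforce_separation: bool = True):
    """Return (allowed, reason) for a transfer order and its approvals."""
    valid = [a for a in approvals if signature_valid(a, order)]
    if sorted(a.role for a in valid) != REQUIRED_ROLES:
        return False, "need exactly one valid signature from each required role"
    # The signatures alone cannot show who held the keys; where they were used can.
    if enforce_separation and len({a.workstation for a in valid}) < len(valid):
        return False, "both signatures were made on the same workstation"
    return True, "authorized"


def demo() -> dict:
    # Constructed sample order.
    order = {"amount": "250000.00", "currency": "RUB", "payee": "constructed-payee-001"}
    # Both diskettes lie on the accountant's desk: one person, one machine.
    desk = [Approval(r, sign(r, order), "acct-pc-01") for r in REQUIRED_ROLES]
    # The procedure as intended: each holder signs at their own machine.
    split = [
        Approval("chief_accountant", sign("chief_accountant", order), "acct-pc-01"),
        Approval("director", sign("director", order), "dir-pc-01"),
    ]
    return {
        "same_desk_crypto_only": authorize(order, desk, enforce_separation=False),
        "same_desk_with_separation": authorize(order, desk),
        "separate_desks": authorize(order, split),
        "tampered_amount": authorize({**order, "amount": "999999.00"}, split),
        "director_missing": authorize(order, split[:1]),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The separation check only detects both keys being used from one desk; it does not help if a key holder hands the diskette over to be used elsewhere.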

What happened to Ilya? Nothing. Because after he had done everything, he immediately left for somewhere. Whether another city or another country. The passport, of course, was fake; he had more of these passports than the passport office.

Let us leave aside the further development, or possible development, of this situation, since it is, in principle, not important for us. The money could have been transferred and then cashed out, or there might not have been time to cash it out because the company's employees promptly rolled the situation back. The history of financial fraud knows examples of both scenarios. What is important for us is the very fact of access to the computer from which bank transfers were made, and the fact that the transfer was made, that is, the stage of the work associated with social hacking was carried out, and carried out successfully. Talking about how the money can be cashed out before the company (and/or the competent authorities, if they were informed of the incident) starts to take measures, how to manage to do so in time, and so on, goes beyond the scope of this book.

To be honest, there are no universal recommendations that would protect you from this type of attack. This story, with small variations, has happened more than once and will probably happen again. Many authors say in such cases that you need to be more careful and follow the instructions exactly, and then such things will simply be impossible. Of course, we fully agree with these words, but, alas, they are just words. Words that have nothing to do with real life. And if the matter is taken up in earnest, by serious people who know how such things are done, it can be guaranteed that 90 percent of the population will fall for this bait. And many will fall for it more than once. Therefore we will not stoop to platitudes and will say honestly: there are no guaranteed methods of protection. Now imagine for a second that the one made to fall in love was not the girl Natasha but the director. And imagine the consequences. Moreover, none of this is very difficult to do: the person's psychotype is determined, from which it becomes clear which girls (or boys) he (she) likes, and after a while the victim finds that one and only love dreamed of for a lifetime. It is the favorite method of swindlers of all times and peoples. And a very effective one, because it is an attack based on a person's physiological needs. We use “physiological needs” here more broadly than is customary: we mean not only, say, the need for food, sex, etc., but also the need for love, the need for money, the need for comfort, and so on. And when the target is one of these needs, things are bad, in the sense that it is very difficult. Smart social engineers choose exactly such needs as targets. The attack we examined is from this category: the need for love was chosen as the target.

It has long been known that in the large cities of Russia there are entire agencies that keep seducers of various kinds, for the most varied, including sophisticated, tastes. The purpose of their existence is to make a profit by fleecing rich men. Indeed, why build a rather complex combination, as in the example just given, when it can be done more simply: make a rich person fall head over heels in love, and he will transfer money to your account of his own free will. There is no need to hire a horde of hackers or run financial scams, balancing on the edge of the law: everything can be arranged so that the person hands over the money himself, and hands it over voluntarily. The scheme works like this. At the first stage, the agency's employees find out everything they can about the “client”: what food he prefers, what books, what girls, what cars, what music, in short, everything. Here they act on the principle that no information is superfluous. This is done in order to select, in line with the victim's tastes, the one and only woman whom he will simply be physiologically unable to refuse. Indeed, what man will turn down a woman who is not only to his taste and an indescribable beauty, but also a passionate football fan (like himself, naturally), and even supports the same team. And, oh horror, when he once gave her a lift in his car, she said with regret and a touch of coquetry:

“Volodya, if it were not for one ‘but’, I could say that you are the man of my dreams.”

“Volodya, if not for one thing, but I could say that you are a man of my dreams.”

– What ‘but’? – asks the banker Volodya, slightly wary, but keeping his tone playful.

– You don't like classical music …

– Why? What makes you think so? – he asked, now without any playfulness in his voice.

– You always play some pop music in the car and have never once put on classical music, and I can't stand pop.

– Why didn't you say so before? I love classical music too, I was just afraid to admit it; I thought you would not consider me modern.

“To hell with modernity, all this ‘Musi-Pushi, tra-la-la, kiss me until we are torn apart’,” she sang with malice. “These current ‘classics’ make me not want to live. Beethoven is another matter … What are all these tra-la-las compared to him …”

My favorite composer, he thought, and asked aloud:

– What do you like most of all by Beethoven?

“The Sonata in C minor, probably,” she answered, thinking for a moment.

“My favorite sonata,” he thinks. “Oh, horror … No, there can be no such coincidences. For the first time I have met a beautiful, modern girl whom I am already almost crazy about, who on top of that likes classical music, and whose tastes even in classical music coincide with mine. And yet, why do I think that way? Have I not deserved that the Lord should send me that one and only? Have I not helped children enough, transferring money to orphanage No. 5? Maybe this is the reward for good deeds that smart authors write about in smart books, at which my friends only chuckle cynically. Maybe to hell with it all? Maybe take the risk? But what about my wife … I never had anything in common with her before, and now, having gone crazy from my money, she has lost interest in everything, she just sits at home, all flabby … Ugh, unpleasant to look at. Besides, the security service reports that she seems to have someone on the side, some young programmer who likes women in their prime. Like hell he likes women. Looks like he has nothing to live on, so he is wheedling my money out of my fool. Or maybe this one, sitting next to me, is also after the money? Let's ask her now…”

– Marin, I apologize for the indiscreet question, but what do you do?

– Volodya, I am the director of a modeling agency. Volodya, if you suspect that I got into your car on purpose in order to seduce you, that is easily solved. Stop the car, please. Right here, if it's not too much trouble.

– Oh, come on, Marina! I'm just curious…

My God, she seems to be reading my mind, he thought. Idiot. You, Volodya, should no longer be running a bank; you should go to Kashchenko and turn yourself in voluntarily so that they can cure you of your suspiciousness there. I can't just drop her off. I'll never see her again. No, you can't miss such happiness, he continued to think, changing lanes to the far right. But what about the children? asked a stern inner voice. What will you say to the children when you destroy the family? The children have already grown up and are quite independent, he replied to the inner voice, the money that I give them is not enough for the children to run after all the skirts, and they should not be offended by me, I also have the right to love, and after all, I have done quite a lot for them. The children study at prestigious universities, vacation abroad three times a year, and I sponsor their love affairs, finally. And the children, by the way, have never asked how dad is doing.

“Marin,” he finally decided, “do you mind if we sit in some cozy restaurant today?”

– Volodya, to be honest, I do mind.

– No, I'm not averse to spending an evening with you; for the first time I have met a man who combines wealth with a love for the sonata in C minor. And I have talked a lot with people who are much richer than me, and all of them left some kind of worthless impression. But you are somehow different … And to be honest, I want to be with you at least a little longer, I won't lie. But I just don't like restaurants …

“Marin, to be honest, I hate them too! Then come to my second apartment, where I sometimes like to be alone with myself. Eh? I'll call now, they'll bring food, wine, we'll sit for the evening …”

– No, let me whip something up myself. I really like to cook, but, alas, these days I do not often get to do it myself, and here is such a chance.

“I agree, if that is what you want yourself, of course. And what will you cook, if it's not a secret?”

– It's a secret. You will see. I will make my favorite dish. We'll check our tastes, as they say.

I hate such surprises; now she will cook something inedible and I will have to force myself to eat it. It would be better to invite my cook so that she cooks what I … …

“Marinochka, what kind of dish is this?” he shouted, without finishing his thought, when Marina entered the living room with the freshly prepared “signature dish”.

– Volodya, there is no need to shout like that. This is just salmon in caviar sauce.

– Where … How did you know?

– What is my favorite dish?

– Yes?! To be honest, I didn't even suspect. Volodya, as it turns out, we have a lot in common … And this, mind you, is my favorite dish too. My dad taught me to cook it; he served as an officer in the Pacific Fleet and sometimes treated us to this delicacy on holidays.

… That, with some variations, is how it all goes. I will not go on to describe how Volodya and Marina's relationship developed. We will only say that Volodya then voluntarily transferred huge amounts to Marina's account so that she would not deny herself anything, abandoned his family, and even persuaded Marina to leave her modeling agency so that she could be with him as often as possible. His happiness would have been badly overshadowed had he learned that Marina passed forty percent of the sums he transferred to the agency's owner, the “Shakhina”, as they called her among themselves. And the car that Volodya gave her she would also have to sell after breaking up with him, or else find forty percent of its value in cash to give to the Shakhina. Volodya did not know that his meeting with Marina had been set up according to all the rules of intelligence work. That the breakdown of her car was staged, and that his being near her at that moment was also arranged. He did not know that there are a great many options for such random meetings. He did not know that he would soon cease to be a bank manager, since the data that Marina had collected on him had already been passed to the Shakhina, who sold it for a decent sum to people who dreamed of Vladimir Anatolyevich ceasing to be a rich bank manager and becoming a poor janitor. And, of course, he did not suspect that after the collapse of his affairs he would become a very irritable person, which Marina would use as a reason to leave him, by then a very wealthy woman, since the money she “pumped” out of the now unfortunate Volodya would be enough for her for a very long and comfortable existence, even minus the percentage handed over to the Shakhina.

A brief comment on the topic of random meetings

Social hackers are experts at organizing random meetings. A number of their techniques are borrowed mainly from the arsenal of the special services, but many of them cannot be denied ingenuity of their own. Of course, behind the seducers we are now talking about stand many fighters of the invisible front, who stage all these performances. Because Operation “Random Meeting” is an important stage in this whole game, and it is planned taking into account the recommendations of psychologists who, from the data of the first stage, accurately determine the psychotype and sociotype of the victim and predict the client's behavior in a particular situation. After all, one “client” may “melt” right after the first meeting, while another, more suspicious one, needs a more persistent approach: you have to meet with him several times, and during the first conversation you should not talk about him at all. So the girl to whom the victim “happens” to give a lift must “accidentally” forget her cell phone in his car, for example. Preferably the same model that he prefers. Well, so that there is a reason to meet. A third, say, never lets anyone into his cars at all. So she has to twist her ankle at the gate of his house, or faint. And they fall, and fall well, because all this has been rehearsed more than once. A fourth is little moved by strangers fainting, even when performed by very beautiful girls, because he is a very hard man and prefers a “bitch” to milksops who faint with or without reason. For him a car setup is arranged, in which the girl's car crashes into his flashy car. Of course, he sits in the car, waiting for his guards to deal with the “violator of the rules of the road”, and suddenly hears a guttural female voice: “Hey, you bodyguards, shoo. Say how much I owe, take the money and fuck off, and do not keep me from enjoying my hard female lot. And tell your idol in the car to get his fancy car out of the way as soon as he sees a woman at the wheel.” The hard man, Pyotr Semenovich, owner of several large gas stations in the center of the capital and one small oil business, listens to this low guttural voice and subconsciously understands that it belongs to the bitch of his dreams. And he decides to look at her with his own eyes. And after that he is lost. Because once he has looked, he consciously realizes that this is exactly the girl he dreamed of at night. And for a fifth, who besides money is obsessed with hand-to-hand combat and a sense of his own importance, a performance is staged involving the girl of his dreams and some tough-looking, scruffy thugs. These thugs pester the beautiful girl and, oh God, even tear her dress. Naturally, within the client's field of view. And he decides to rush into the fight and help the girl, and he rushes in, and teeth fly from under his trained fists, and the hooligans fly off in different directions from his blows (because they have been instructed that the farther and more beautifully they fly, the higher the fee for the performance). The girl, of course, thanks him through tears, and he, of course, gives her a lift (well, where will she go by herself in a torn dress), and, of course, all the way she sings his praises on the theme of “how courageous he is, and how deftly he dealt with those reptiles who almost …”.

1 Hereinafter, a first-person narrative means that what is presented is either a documented example from the collection of one of the authors or the personal experience of one of the authors. – Authors' note.