
Social Engineering: Art of Human Hacking

By Prempal Singh, April 21, 2017

Social engineering, sometimes called the science and art of hacking the human mind, is becoming increasingly popular because of the growing role of social networks, email, and other types of online communication in our lives. In information security, the term is commonly used to describe a number of techniques used by cyber criminals. These techniques aim to lure sensitive information out of victims, or to encourage victims to take actions that let the attacker penetrate a system and bypass its security controls.

Even today, when a huge number of information security products are on the market, a person still holds the keys to all the doors. Whether it is a combination of credentials (username and password), a credit card number, or the data needed to access an online bank, the weakest link in the security system is not technology but living people. So when an attacker applies manipulative psychological techniques to users, it is very important to know which methods are most common and to understand how they work, in order to avoid trouble.

Social engineering is not a new concept; it appeared a long time ago. Social engineers are a living illustration of the fact that criminals can become respected experts. For example, Frank Abagnale was one of the most famous and virtuosic scammers: he knew how to create multiple identities, forge checks, and deceive people, extracting from them the confidential information his fraudulent schemes needed. If you have watched the movie “Catch Me If You Can”, you have an idea of what a skilled social engineer is capable of when he has a clear goal.

Keep in mind that, to get the information he wants from you, a social engineer can use a variety of fraudulent schemes that are not limited to methods involving technology or computers, so users should be wary of suspicious activity even when it appears normal. A classic technique, for example, is luring a password out of someone over the phone. It seems that no one in their right mind would tell a stranger their password, but a call “from work” at 9 am on Sunday, demanding that you come in for some technical procedure on your computer, changes things. When “your administrator” offers to have you simply tell him the password so that he can do it all for you, you will not only give up the password but also thank him for taking care of it! Well, maybe not you personally, but about half of your colleagues are guaranteed to.

Most cyber criminals will not spend time on technologically sophisticated hacking techniques if the necessary information can be obtained with social engineering skills. Moreover, there are many sites that describe how such techniques work and why they succeed. One of these sites is called SocialEngineer.org, and it offers a very useful basis for the theoretical study of social engineering principles, complemented by a large number of real-world examples.

We use language every day to influence each other’s actions, though we often do not notice it. But language, from the standpoint of social engineering, has several drawbacks, since it is tied to our subjective perception of the facts: we can omit parts of the story, distort the meaning, or make generalizations. NLP, or neuro-linguistic programming, which was originally created for therapeutic purposes, is now considered a “mutant” form of hypnosis that social engineers use as a tool to manipulate victims and influence them into performing actions that lead to the success of the attack. As a result of these tactics, the victim may give up a password, disclose confidential information, or abandon security measures; that is, the victim may do anything to remove the obstacles in the intruders’ way.

While the relationship between psychology and hacking may seem strained, online attacks are in fact based on the same principles that underlie “offline” fraud. The principle of reciprocity (“If I do you a favor, you will do a favor for me”), the principle of social proof (you judge your behavior to be correct if the majority behaves the same way), and deference to authority (showing a greater degree of trust in a police officer, a doctor, a technical support person, someone of “higher rank”) are universal to all the ways communication is built in society and correspond to our basic social instincts. A social engineer knows which buttons to push to get the desired response, creating a context (the canvas) for a believable cover story that can create a sense of urgency. For experienced social engineers it is not difficult to bypass a person’s rational thinking, and they need only a split second to gain an advantage and get the necessary data from the victim.

In this article, however, we turn our attention mostly to the various techniques that online scammers use to illegally obtain information and profit from victims who “meant well.” As we have already mentioned, the principles behind fraudulent schemes on the Internet are similar to those used in real life, but the Internet is a huge machine for disseminating information: one phishing message can be sent to millions of recipients within a very short time. Under such circumstances this type of attack can become a win-win lottery: even if only a small portion of the potential victims take the bait, it still means huge profits for the organization or person behind the attack.

Today, one of the most common methods of obtaining confidential information is phishing (the term is a play on the words “password harvesting fishing”). Phishing can be characterized as a type of computer fraud that uses social engineering principles to obtain confidential information from the victim. Cyber criminals usually operate through e-mail, instant messaging, or SMS, sending phishing messages that directly ask users to provide information (by entering credentials into a field on a fake site, downloading malware by clicking a link, and so on), so attackers get what they want while the victim remains completely unaware.

We have watched the development of malware that relies heavily on social engineering principles. In the past, infection by a computer virus was very obvious: the user saw strange messages, icons, and images, in short, everything that gave away the intruder’s presence. Today we are no longer surprised by malware that gains access to the victim’s system through tricks typical of social engineering and remains invisible to the user until it has completed its task. The endless game of cat and mouse between hackers and information security companies confirms that education and information are a key defense mechanism for users. They have to follow the news and new trends in the information security world and know the key tactics of fraudsters.

There are many interesting examples of hacking techniques based on social engineering that, in turn, help attackers deliver malware to victims. Among the most popular are fake updates for Flash Player and other popular programs, executable files embedded in Word documents, and more.

Most of the attack methods described above are aimed at people in Latin America, since technological threats of this type are not well understood or publicized in the region; if we also take into account that the majority of computers there run outdated software, this gives cybercriminals a great opportunity to earn money. Only recently have some banks strengthened information security measures for online banking users, but many security issues still contribute to the success of social engineering tactics. Interestingly, the region has many features in common with Russia, so cyber criminals in the CIS and Latin America very actively share experience and learn from each other’s successful discoveries.

There are other popular types of attack that do not always fall into the category of computer fraud. The scheme known as “virtual kidnapping” uses social engineering practices, with the telephone serving as the means of communication. Attackers usually call the victim and say that a family member has been kidnapped and that a ransom must be paid immediately for their release.

Because the criminals create a sense of urgency and fear, the victim complies with the fraudster’s demands without even checking whether any relative has really been kidnapped. A similar scheme is popular in attacks on the elderly and might be called “virtual disease”: the victim gets a call, supposedly from a clinic, saying that recent test results show signs of a dangerous disease and that life-saving surgery is needed immediately, for a fee, of course. After the payment, of course, no one operates, because there is no disease.

In light of this, it is important to remember that any publicly available information that appears on social networks (VKontakte, Instagram, Facebook, Twitter, Foursquare, and so on) can also help criminals put two and two together and figure out where you are or learn some personal information. Targeted phishing attacks are not that frequent, but if you readily give away valuable information without thinking about the possible consequences, you only make the fraudsters’ job easier. Even a wish list on Amazon can be a good tool for hacking when combined with a carefully selected arsenal of social engineering tricks.

As we have said, installing an integrated security solution is a necessity today, especially if you use the Internet (and you most likely do). Furthermore, keeping up with news and trends in the world of online threats and social engineering techniques can help you avoid this type of attack (both online and in real life). Remember that all the gadgets and protection technology are worth nothing if you do not know how to use them correctly and are not aware of what attackers are capable of. The technology used by criminals keeps developing, and you should not fall behind, so a little paranoia will not hurt these days.

“The police cannot protect users. People need to be more aware and to know more about such things as identity theft. You have to be a little smarter, a little smarter … There is nothing wrong with being a skeptic. We live in a time when, if you are easily stolen from, someone will take the opportunity,” says Frank William Abagnale.
