Social Engineering

https://t.me/russian_hackerz


It is often also called "hacking" the person. To achieve the desired goal, the fraudster works mostly not with computers but directly with the victim.


How does it work?

Using behavior patterns long known to psychologists, the attacker can, for example, quietly coax crucial information out of the victim or induce them to make a rash decision.

Because social engineering methods are very effective and the cost of an attempt is minimal, fraudsters use them everywhere.

To start, I will give a simple example. Many mail services offer password recovery via a secret question. Often the answer to the question is personal information about the user. Naturally, such an answer cannot be guessed at first glance. But, using communication skills, the fraudster can, for example, strike up a conversation on a social network and in the course of it somehow extract the information he needs.

Attacks of this kind are in most cases carefully planned in advance. It does not look like this: "Hi, my name is Sasha. Let's be friends. Oh yes, I nearly forgot, tell me your card number and CVV" - nobody will fall for that.


I already mentioned that every person's behavior is full of patterns. If the victim is sure, for example, that they are speaking with a bank employee, then a request to give card details no longer seems so outlandish.


I will describe a real attack scheme that used social engineering techniques. A bank's website has a form of the "leave your number and we will contact you" kind. In the code implementing it, hackers found a bug, but it allowed nothing more serious than intercepting the entered phone number. But nothing more is needed! The hacker, having called the victim, can easily pass himself off as a bank employee. Here one more behavioral regularity is at work: a person will willingly believe something if it matches his expectations. You requested a call from the bank - here it is! The original reason for which the person requested the call is not really important. With very high probability the victim will give up the card details if the fraudster skillfully leads them to it. Moreover, in some cases the attacker can even persuade the person called to turn off, for example, protection in the Internet bank.

Social engineering includes a heap of techniques and tricks. Here is one of them: if you add a reason to a request to do something, the probability that you will be refused falls sharply. And the reason itself does not play a large role: the fact of its existence is what matters.


An experiment was carried out. The goal was to use the copy machine without waiting in line. If the request was phrased as "I have only 5 pages. May I use the copy machine?", it succeeded in 60% of cases. But if the request came with a justification such as "I have only 5 pages. May I use the copy machine, because I am in a hurry?", the probability of success rose to 94%. That seems logical: the person explained that he is in a hurry. But the most interesting part is that the request "I have only 5 pages. May I use the copy machine, because I need to print out 5 pages?" succeeded in the same 94% of cases, although the reason given for going ahead can hardly be called a weighty one. This experiment shows that every person's behavior contains regularities that are often not obvious. Social engineering studies ways of putting knowledge of such regularities to practical use.

The fact that a person will easily and without checking believe what seems logical to him is used in phishing. Mass spam mailing is no longer effective, but if the hacker takes an individual approach, the situation changes sharply. I will give an example of one attack: on the victim's social network wall, the fraudster found information that the victim often uses Amazon for shopping. The hacker wrote a letter in the name of an Amazon representative saying that one of the parcels had been returned because of a change in customs legislation and that the victim had to follow a link to confirm reshipment. After the link was opened, a virus was loaded onto the victim's computer by means of an exploit. The victim has no way of guessing that they have just run into phishing: nobody asked them to enter a password or other personal data. Everything looked very plausible.

Dating sites are a favourite place for applying social engineering methods. Fraudsters create well-designed profiles with attractive photos that will appeal to the potential victim. Entering into conversation with a user who has taken the bait, the attacker, who is familiar with how people communicate on such sites, will skillfully keep up the dialogue in the name of a fictional person. From here things can develop in completely different ways. One of the simplest: an offer to talk on Skype, with the caveat that there is no webcam. A request to transfer money to buy a camera quite often succeeds. Naturally, once the money is received, the correspondence breaks off. This method is extremely simple to carry out and very effective, but hackers often aim for more. In that case the fraudster, having established a good relationship with the victim online, can suggest meeting in person; such an offer may also come first from the victim. The only trouble is that the love of their life lives in another city and has no money for a plane ticket. In that case it often proves possible to ask the victim to transfer money to buy the ticket. Besides these, there are a great many other methods.

Let's sum up briefly. Social engineering is a very powerful tool. It is often used for fraud and is very effective in combination with other methods. Its main features: low cost of execution, low barrier to entry, high effectiveness.

