Social engineering techniques. A textbook on social engineering. Typical influence algorithm in social hacking


Social engineering techniques

The human brain is a large hard drive, a repository of a huge amount of information, and both its owner and anyone else can make use of it. As the saying goes, a talker is a godsend for a spy. To follow what comes next, you should at least be familiar with the basics of psychology.
Social engineering lets us "use the brain" of another person: apply various methods and obtain the information we need from him.
Wikipedia puts it this way: "Social engineering is a method of controlling human actions without the use of technical means."


Social engineering is a young science of sorts. There are many methods and techniques for manipulating human consciousness. Kevin Mitnick was right when he said that it is sometimes easier to deceive a person into handing over information than to hack the system that protects it. Read his book "The Art of Deception" at your leisure; you will like it.
There is also reverse social engineering, in which the victim is led to approach the attacker (for example, for "help") and volunteers passwords and other data himself.

On the Internet there are no gestures, intonation or facial expressions. All communication is text, so your success in a given situation depends on how your messages affect the other party. Which techniques can be used to covertly manipulate a person's mind?

Provoking
Strictly speaking, this is trolling. An enraged person in most cases treats information uncritically, and in that state you can plant the information you want or extract the information you need.

Love
This is perhaps the most effective technique, and in most cases the one I used)). A person in love perceives little, which is exactly what the manipulator needs.

Indifference
The manipulator creates the impression of being indifferent to a certain topic; the other party then tries to convince him and, in doing so, falls into the trap and reveals the information you need.

Rush
The manipulator pretends to be in a hurry to get somewhere and constantly hints at it, while at the same time purposefully pushing the information he needs.

Suspicion
Similar to indifference. With indifference the victim tries to prove the opposite; with suspicion the victim tries to justify himself against "your suspicion" and, without realizing it, gives everything away.

Irony
Similar to provocation. The manipulator angers the person with irony; in anger the person cannot evaluate information critically, which opens a hole in the psychological barrier that the manipulator then uses.

Frankness
When the manipulator shares frank information, the other party develops a kind of trusting relationship, which weakens the protective barrier and opens a gap in psychological defense.

The techniques above do not exhaust the potential of social engineering; one could talk about them endlessly. Having read them, you should realize that you do not need to follow everyone's lead. Learn to control yourself and your anger, and your defenses will always be at the proper level.
To be continued; wait for new articles))

Social engineering is unauthorized access to confidential information through manipulation of a person's mind. Its methods are based on the peculiarities of psychology and aim to exploit human weaknesses (naivety, inattention, curiosity, greed). Social hackers use them actively both on the Internet and off it.

When it comes to digital technology, web resources, computers and smartphones, however, the "brain fog" of network users is induced somewhat differently. Fraudsters place their snares and traps wherever they can: in social networks, on gamer portals, in email inboxes and in online services. Here are just a few examples of social engineering methods:

A holiday gift... with a Trojan horse

Whatever their character, profession or financial situation, everyone looks forward to the holidays (New Year, May 1, March 8, Valentine's Day and so on) to celebrate, relax, recharge and, of course, exchange greetings with friends and colleagues.

This is when social hackers are especially active. Around the holidays they send e-cards to mailboxes: bright, colorful, with music and... a Trojan. The victim, knowing nothing of the deceit and carried along by holiday euphoria or simple curiosity, clicks on the card. At that moment the malware infects the system and then waits for the right moment to steal login details or a payment card number, or to replace an online store's page in the browser with a fake one and drain the account.

A great discount and a "bundled" virus

A classic example of social engineering. The desire to save hard-earned money is entirely understandable, but within reason and with some caution: all that glitters is not gold.

Scammers pose as major brands, online stores and services, copy their design, and offer goods at an incredible discount plus a gift with every purchase. They send fake newsletters and create groups in social networks and "threads" on forums.

Trusting users are "led" by the bright commercial poster: they quickly work out how much of their salary is left and click "buy" or "go to the site to buy". After which, in almost every case, instead of a bargain they get a virus on their PC or simply hand their money to the social hackers.

Gamer donation: +300% to theft skills

In online and multiplayer games, with rare exceptions, the strongest survive: those with stronger armor, more damage, stronger magic, more health, mana and so on.

Naturally, every gamer wants those treasured artifacts for his character, tank, plane or whatever else, whether earned in battle or bought for real money (the donation function) in the game's store: to be the best, the first, to reach the top level.

Fraudsters know these "gamer weaknesses" and tempt players in every way to acquire the treasured items and skills, sometimes for money, sometimes for free, but the purpose of the scheme is the same. The tempting offers on fake sites sound something like "download this application", "install the patch", "to get the item, log into the game here".

In exchange for the long-awaited bonus, the gamer's account is stolen. If it is well developed, the thieves sell it or extract payment details from it (if any are stored).

Malware + social engineering = an explosive mixture of deceit

Beware the icons!

Many users drive the mouse on "autopilot": click here, click there, open this, open that. Few of them look closely at a file's type, size and properties. That is a mistake. Attackers disguise malware executables as ordinary Windows folders, pictures or trusted applications by giving them the matching icon and a misleading name, so visually they cannot be told apart. The user double-clicks the "folder"; its contents naturally do not open, because it is not a folder at all but an installer with the .exe extension, and the malware quietly settles into the system.

The reliable antidote is to see the real extension. Windows Explorer hides known extensions by default, so "photo.jpg.exe" is shown as "photo.jpg"; turn on "File name extensions" in Explorer, or use a file manager such as Total Commander that shows the file's type, size and creation date in full. The greatest potential danger comes from unknown files with extensions such as .scr, .vbs, .bat and .exe.
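As an added example (not part of the original article), here is a small Python check that catches the disguises described above on a folder full of files: an executable extension, a harmless-looking "decoy" extension in front of the real one, the right-to-left override trick in file names, and a file whose bytes begin with the PE "MZ" signature even though its name claims to be a picture. The sample files and their names are constructed for the demonstration, and the extension lists beyond the four named in the text are assumptions.

```python
import os
import tempfile
from pathlib import Path

# Extensions Windows runs on double-click. The article names .scr, .vbs, .bat and .exe;
# the remaining entries are common additions assumed for this example.
EXECUTABLE_EXTS = {".exe", ".scr", ".vbs", ".bat", ".cmd", ".com", ".pif",
                   ".js", ".jse", ".wsf", ".hta", ".lnk"}
# Harmless-looking extensions that malware stacks in front of the real one.
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".txt", ".zip"}
# Unicode right-to-left override: "invoice\u202efdp.exe" is displayed as "invoiceexe.pdf".
RLO = "\u202e"


def suspicious_reasons(path):
    """Return the reasons (possibly none) why a file looks like a disguised executable."""
    p = Path(path)
    suffixes = [s.lower() for s in p.suffixes]
    last = suffixes[-1] if suffixes else ""
    reasons = []
    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {last}")
    if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS and last in EXECUTABLE_EXTS:
        reasons.append(f"double extension: decoy {suffixes[-2]} before real {last}")
    if RLO in p.name:
        reasons.append("right-to-left override character in file name")
    # Content check: a Windows executable starts with "MZ" whatever its name says.
    with open(p, "rb") as f:
        magic = f.read(2)
    if magic == b"MZ" and last not in EXECUTABLE_EXTS:
        reasons.append("PE header (MZ) behind a non-executable extension")
    return reasons


def scan_directory(dirpath):
    """Map each suspicious file name in dirpath to its list of reasons."""
    findings = {}
    for name in sorted(os.listdir(dirpath)):
        full = os.path.join(dirpath, name)
        if os.path.isfile(full):
            reasons = suspicious_reasons(full)
            if reasons:
                findings[name] = reasons
    return findings


def build_sample_dir():
    """Create constructed sample files (a few bytes each, not real malware) and return the directory."""
    d = tempfile.mkdtemp(prefix="se_demo_")
    samples = {
        "notes.txt": b"just text\n",               # benign
        "real.png": b"\x89PNG\r\n\x1a\n",           # genuine PNG signature, benign
        "photo.jpg.exe": b"MZ\x90\x00",             # double extension, PE bytes
        "vacation.jpg": b"MZ\x90\x00",              # PE bytes behind an image extension
        "Holiday Photos.scr": b"MZ\x90\x00",        # screensaver extension is executable
        "invoice\u202efdp.exe": b"MZ\x90\x00",      # RLO trick, displayed as "invoiceexe.pdf"
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d


if __name__ == "__main__":
    sample_dir = build_sample_dir()
    for name, reasons in scan_directory(sample_dir).items():
        print(f"{name!r}: {'; '.join(reasons)}")
```

The extension and name checks are what a user can see once Explorer shows extensions; the "MZ" check is the one that does not depend on the name at all, which is why it catches "vacation.jpg" even though nothing in the name looks wrong.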

Fear fuels trust

  1. The user opens a "scare site" and is immediately given the most unpleasant news: "your PC is infected with a dangerous Trojan", "10, 20... 30 viruses have been detected in your OS", "spam is being sent from your computer", and so on.
  2. The site immediately "shows concern" and offers to install an antivirus and thereby solve the problem it has just announced, and most importantly, completely free.
  3. A visitor gripped by fear for his PC follows the link and downloads... not an antivirus but a rogue one, a fake stuffed with malware. He installs and runs it, with the appropriate consequences.

  • First, a website cannot instantly scan a visitor's PC and identify malware.
  • Second, developers distribute their antivirus products, paid or free, through their own official websites.
  • Third, if you doubt whether the system is "clean", check the system partition with what you already have, that is, the installed antivirus.

Summing up

Psychology and hacking go hand in hand today: a tandem that exploits human weaknesses and software vulnerabilities. On the Internet, on holidays and weekdays, day or night, whatever your mood, you must stay vigilant, suppress naivety and resist the lure of a bargain or of something "free". As the saying goes, free cheese is found only in a mousetrap. Create only strong passwords, store them in safe places, and stay with us, because there is no such thing as too much security.

Methods of social engineering are exactly what this article discusses, together with everything related to manipulating people, phishing, theft of client databases and more. The material was kindly provided by its author, Andrey Serikov, for which we thank him very much.

A. SERIKOV

A.B.BOROVSKY

INFORMATION TECHNOLOGIES OF SOCIAL HACKING

Introduction

Mankind's desire to have its tasks carried out perfectly drove the development of modern computer technology, and attempts to satisfy people's conflicting demands led to the development of software. Software not only keeps the hardware functioning but also controls it.

The growth of knowledge about man and computer has led to a fundamentally new type of system, the "human-machine" system, in which a person can be viewed as hardware running under the control of a stable, functional, multitasking operating system called the "psyche".

The subject of this work is social hacking as a branch of social programming, in which a person is manipulated through human weaknesses, prejudices and stereotypes by means of social engineering.

Social engineering and its methods

Methods of manipulating people have been known for a long time; they came to social engineering mainly from the arsenal of the various intelligence services.

The first known case of competitive intelligence is usually dated to the 6th century AD, when China lost the secret of silk production: it was smuggled out by agents acting for the Eastern Roman (Byzantine) Empire.

Social engineering is defined as a set of methods for manipulating human behavior that rely on the weaknesses of the human factor rather than on technical means.

According to many experts, social engineering methods pose the greatest threat to information security, if only because social hacking requires neither significant financial investment nor deep knowledge of computer technology, and because people have behavioral inclinations that can be exploited for careful manipulation.

However much technical protection improves, people remain people, with the weaknesses, prejudices and stereotypes through which they are controlled. Configuring a person's "security program" is the hardest task of all and does not guarantee results, because this filter must be constantly readjusted. Here the main motto of all security experts sounds more relevant than ever: "Security is a process, not a result."

Areas of application of social engineering:

  1. general destabilization of an organization's work in order to reduce its influence, with the possibility of subsequently destroying the organization altogether;
  2. financial fraud in organizations;
  3. phishing and other methods of stealing passwords in order to access individuals' personal banking data;
  4. theft of client databases;
  5. competitive intelligence;
  6. general information about an organization, its strengths and weaknesses, with the aim of subsequently destroying it in one way or another (often used for raider attacks);
  7. information about the most promising employees with the aim of later "enticing" them into one's own organization.

Social programming and social hacking

Social programming can be called an applied discipline concerned with targeted influence on a person or group in order to change or maintain their behavior in the desired direction. The social programmer thus sets himself the goal of mastering the art of managing people. The basic premise of social programming is that many people's actions, and their reactions to one or another external influence, are in many cases predictable.

Social programming methods are attractive because either no one will ever know about them or, even if someone suspects something, it is very hard to bring such a figure to justice; and in some cases it is possible to "program" the behavior of one person or of a large group. These possibilities fall under social hacking precisely because in all of them people carry out someone else's will, as if obeying a "program" written by a social hacker.

Social hacking, the ability to "hack" a person and program him to perform the desired actions, grows out of social programming, an applied discipline of social engineering in which specialists, social hackers, use techniques of psychological influence and acting borrowed from the arsenal of the intelligence services.

Social hacking is used mostly when the target is a person who is part of a computer system. A computer system that gets hacked does not exist on its own: it includes an important component, the person. To get the information, the social hacker has to "hack" the person who works with the computer, and in most cases that is easier than breaking into the victim's computer in search of a password.

Typical influence algorithm in social hacking:

All social hackers' attacks fit one fairly simple scheme:

  1. the goal of influencing a particular target is formulated;
  2. information about the target is collected in order to find the most convenient points of influence;
  3. on the basis of the collected information, the stage that psychologists call attraction is carried out. Attraction (from Latin attrahere, to attract) is the creation of the conditions needed to influence the target;
  4. the target is brought to the desired action.

The last step follows from the previous ones: once attraction has been achieved, the victim performs the actions the social engineer needs of his own accord.

On the basis of the collected information, social hackers predict the victim's psycho- and sociotype quite accurately, identifying not only needs for food, sex and so on, but also the need for love, money, comfort and the like.

Indeed, why try to penetrate a company, hack computers or ATMs, or organize complex combinations, when everything can be done more simply: make a person fall in love with you, and he will of his own free will transfer money to the specified account or share the necessary information every time?

Because people's actions are predictable and subject to certain laws, social hackers and social programmers use both elaborate multi-step schemes and simple positive and negative techniques based on the psychology of consciousness, behavioral programs, the resonant frequencies of internal organs, logical thinking, imagination, memory and attention. These techniques include:

Wood generator: generates oscillations at the same frequency as the natural oscillations of the internal organs; the resulting resonance makes people feel severe discomfort and panic;

influencing the geography of a crowd: for the peaceful dispersal of extremely dangerous, aggressive, large groups of people;

high-frequency and low-frequency sound: to provoke panic, or the opposite effect, and for other manipulations;

the social imitation program: a person judges the correctness of actions by finding out what actions other people consider correct;

the claque program (based on social imitation): organizing the desired reaction from an audience;

forming queues (based on social imitation): a simple but effective advertising move;

the mutual assistance program: a person seeks to repay kindness to those who have done him a kindness, and the urge to fulfil this program often exceeds all reason.

Social hacking on the Internet

With the advent and development of the Internet, a virtual environment made up of people and their interactions, the space for manipulating a person into providing information and performing actions has expanded. Today the Internet is a worldwide broadcasting medium and a medium for collaboration and communication that covers the entire globe. This is exactly what social engineers use to achieve their goals.

Ways of manipulating a person via the Internet:

Nearly every company owner has by now realized that the Internet is a very effective and convenient means of expanding a business whose main task is to increase profit. Information aimed at attracting attention to an object, creating or maintaining interest in it and promoting it on the market is what advertising is for. But since the advertising market was divided up long ago, most forms of advertising are wasted money for most entrepreneurs. Internet advertising is more than just another media channel, because it brings people interested in cooperation to the organization's website.

Unlike media advertising, Internet advertising offers far more options and parameters for managing a campaign. Its key property is that the fee is charged only when an interested user follows the advertising link, which makes it more effective and less costly than media advertising. Having placed an advertisement on television or in print, an advertiser pays for it in full and simply waits for potential clients, who may or may not respond depending on the quality of the production and presentation; the budget is spent either way, and if the advertising did not work, it was wasted. Internet advertising, by contrast, lets you track the audience's response and adjust the campaign before its budget is spent; it can be paused when demand has risen and resumed when demand begins to fall.

Another method of influence is so-called "forum killing", in which social programming is used to create anti-advertising for a project. Here the social programmer, by deliberately provocative actions, destroys the forum single-handedly, using several pseudonyms (nicknames) to gather an "anti-leader" group around himself and to attract the project's regular visitors who are dissatisfied with the administration. By the end of such a campaign it becomes impossible to promote products or ideas on the forum, which is exactly what the forum was originally built for.

Methods of influencing a person via the Internet for the purposes of social engineering:

Phishing is a type of Internet fraud aimed at obtaining confidential user data: logins and passwords. It is carried out through mass mailings on behalf of popular brands, and through personal messages within various services (Rambler), banks or social networks (Facebook). The message usually contains a link to a website that is outwardly indistinguishable from the real one. Once the user lands on the fake page, social engineers use various techniques to get him to enter the login and password he uses on the genuine site, which gives the attacker access to his accounts, including bank accounts.

A more dangerous type of fraud than phishing is so-called pharming.

Pharming is a mechanism for covertly redirecting users to phishing sites. The social engineer distributes malware to users' computers which, once launched, redirects requests for the sites of interest to fake ones. The attack is therefore highly covert and requires almost no participation from the user: it is enough to wait until the user decides to visit a site the social engineer is interested in.

Conclusion

Social engineering, as a science, emerged from sociology and claims to be the body of knowledge that directs, orders and optimizes the creation, modernization and reproduction of new ("artificial") social realities. In a certain sense it "completes" sociology at the stage where scientific knowledge is turned into models, projects and designs of social institutions, values, norms, algorithms of activity, relationships, behavior and so on.

Although social engineering is a relatively young science, it causes great damage to the processes that take place in society.

The simplest methods of protection against this destructive science are:

drawing people's attention to security issues;

users understanding the seriousness of the problem and accepting the system's security policy.



Part 1 (the article is split into parts because of its size; as soon as it gets 50 views, I will post the second one).

Many true hackers who are constantly engaged in hacking always keep a couple of SE tricks in reserve, because where a vulnerability cannot be found in the code, it can often be found in the minds of the support staff or of the owner of an e-mail account, ICQ number or website...

From theory to practice
You have already read what social engineering is in one of the previous issues of your favorite magazine, so we can safely say that the theory has been mastered. Now I propose a practical ride.

Social engineers are very pleasant people to talk to: cultured, friendly, with a great sense of humor. They have incredibly flexible minds, innovative thinking and plenty of ideas on how to achieve their goals more effectively. It was to them that I turned for help in preparing this material. Our consultants are GoodGod, creator of one of the most popular Russian-language projects about social engineering, socialware.ru; Ayumi (spylabs.org); and Ivan, another master of hacking human brains, who wished to remain anonymous.

Go!

ICQ number hijacking (without a primary e-mail)
To hijack an ICQ number you will need:

  • a list of domains with e-mail addresses registered on them (how to get them is described in the December 2009 issue of ][, in GoodGod's video "Mass hijacking of domains");
  • an ICQ number from which the initial approach is made;
  • an ICQ number set up for the "SEO specialist" persona (with matching details in its profile).
So, the "weapons" are ready; on to the attack. Catch the victim's attention: a pretext such as having confused them with someone else will do. Then apologize and start a casual conversation, gradually building trust, and give the victim time to get used to you. Next, steer the conversation to making money: tell them what you earn on the Internet (without saying how exactly, so as not to scare them off). After a while, mention that a friend who promotes websites has offered you a job: nothing special to do, but about 200 rubles a day come in. If the victim does not take the initiative, take the first step and offer to introduce them to the friend.

If they do not want to get acquainted right away, drop the subject for a while, because pushing too hard can have the opposite effect; come back to it a little later under a different pretext.

If the victim is naturally shy, you will not get them to contact a stranger on their own, so you will have to do the "matchmaking" yourself so that the acquaintance takes place. And so the "client" turns to the SEO friend (that is, to you). Show healthy distrust at first, with questions like "Where did you hear about the project? From Sasha? Ah, Sasha... Yes, I remember. OK, now I'll explain the work." Then talk about the "ICQ Search" project and website promotion, and describe the payment options (200 rubles a day or 1,400 a week; let the client choose whichever is convenient). Keep the "client's" attention on realistic details to distract them from unwanted thoughts: the more intense the approach and the more new information, the less time they have to think about what is happening. Finally, describe the earning scheme: let them pick a site from the list prepared at the start, look up in whois the e-mail to which the domain is registered (let them do this themselves) and enter it in the "E-mail" field of their ICQ profile. Be sure to explain that if the same e-mail appears in both the ICQ and the domain data, then the more often the ICQ number is found in search, the higher the site's ranking in the search engine. As soon as the victim has completed the binding, you recover the password to that e-mail address, and the UIN is yours!

If the password does not arrive by e-mail, the number already has a primary mail, and the hijacking has to be organized differently.

Mail hacking
Finding out the answer to the secret question

Secret questions on mail services are usually much the same:

  • mother's maiden name;
  • favorite dish;
  • pet's name;
  • passport number;
  • personal question (name of first teacher, postal code, favorite movie, favorite performer).
For questions like "favorite dish" or "dog's name", you can guess the answer yourself if you have good intuition. If intuition is not your strong point, or the question requires more specific knowledge, you will have to work for it. First, collect as much information as possible about the owner of the mailbox; an ICQ number or VKontakte page is highly desirable. Then add the victim to your contact list, get acquainted under any pretext (this is where the collected information comes in handy) and begin the "attack" to find out the answer to the secret question. At this stage the main thing is not to rush: everything should be consistent and natural, so that the victim has no suspicions.

Which schemes work? Mother's maiden name: start a topic about the family tree or about what a funny surname your mother had before marriage. Favorite dish: self-explanatory. Pet's name: talk about pets, past, present and future, since the code word may be the name of the first hamster they were given. The passport number is harder. Here the victim can be tempted with an inexpensive, hard-to-find product delivered with payment on receipt, where placing the order "requires" passport details and an identification code. The name of the first teacher can be learned from the victim's classmates, or by talking directly about favorite teachers; the postal code is easiest to get by downloading the city's database and simply finding out from the victim which area they live in. The main things here are ingenuity, imagination and patience.

There is one small but important nuance. Sometimes the answer to "favorite dish" turns out to be, say, a phone number, that is, the answer has nothing to do with the question. In that case you will have to start a conversation about absurd combinations and the pointlessness of security questions, and then start all over again, preferably from a different account.

Contacting customer support
This method is more laborious and nerve-racking, but it is needed when the victim will not "take the bait", or when the mailbox is "dead", that is, the owner has not visited it for a long time. Go to the support page of the mail service and write a letter asking for the return of your "stolen" password. Most likely you will be asked for the first and last name (or whatever data was given at registration), the date of birth and the approximate date the mailbox was registered (at least the year). So try to find out as much as possible about the victim and the mailbox; search engines, social networks and blogs will help.

Phishing
One of the most effective ways to obtain a password without the owner even knowing. The victim is offered a link to follow and asked to enter a username and password, which are written to a report file, to a database (if the theft is mass-scale) or sent by e-mail. The main trick is getting the victim to click the link. The pretext can be anything:

  • A message "from the administration" (read: from the mail service, with a spoofed sender address) about spam coming from the mailbox. Example: "Dear user (username)! Complaints about spam have been received regarding your account, and the administration therefore has the right to temporarily suspend or block it. It is quite possible that attackers have gained access to it. To confirm ownership of the account, re-authorize via this link (hyperlink to the fake). If there is no confirmation within 5 days, the account will be blocked. Sincerely, support service (name of mail service)." This plays on the fear of losing the mailbox.
  • Knowing the victim's hobbies, you can play on interest: a message on a topic of interest that gives only part of the information, with the rest behind a link. The link leads to a fake login page, and the rest of the information can be "read" only after logging in.
Example: "Only on August 15-17, 2010, in (the victim's city): a practical training course on 100% effective building of relationships between the sexes! For the first time, the surefire secrets of sexuality and attractiveness will be revealed, some of which you can see here (hyperlink). The rest is in the training. And do not forget that theory is only theory; everything is learned through practice. The training is conducted by its author, Egor Asin (hyperlink). For those who register before August 10, the first lesson is free. To register, fill out this form (hyperlink)."
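The defensive counterpart to the two pretexts above (and to the phishing description in the Serikov and Borovsky section) is to look at where the links actually go before anyone clicks. The following Python script is an added example, not code from the magazine article or its consultants: it parses an HTML mail body, pairs each link's visible text with its real href, and flags the patterns a "page outwardly indistinguishable from the real one" relies on. The sample message, the trusted host names and the 198.51.100.7 address (a documentation range) are constructed for the demonstration; the two-label "registrable domain" rule is a simplification a production tool would replace with the Public Suffix List.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Sites the recipient really uses; the fake page imitates one of them (assumed for the example).
TRUSTED_HOSTS = {"mail.example.com", "bank.example.com"}

# Constructed sample modelled on the "spam complaint" pretext (not a real message).
SAMPLE_EMAIL = """
<p>Dear user! Complaints about spam have been received regarding your account.</p>
<p>To confirm ownership, re-authorize via
   <a href="http://mail.example.com.secure-login.net/auth">https://mail.example.com/login</a>
   within 5 days.</p>
<p>Help centre: <a href="https://mail.example.com/help">https://mail.example.com/help</a></p>
<p>Special offer: <a href="http://rnail.example.com/promo">click here</a></p>
<p>Training registration: <a href="http://198.51.100.7/form">fill out this form</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def levenshtein(a, b):
    """Edit distance, used to spot look-alike hosts such as rnail.example.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels of a host (simplification; real code uses the Public Suffix List)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def check_link(href, text):
    """Return the reasons (possibly none) why this link looks like a phishing link."""
    host = (urlparse(href).hostname or "").lower()
    reasons = []
    if not host:
        return reasons
    # 1. The visible text names a site, but the href goes somewhere else.
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if m and registrable(m.group(1)) != registrable(host):
        reasons.append(f"text shows {m.group(1)} but href goes to {host}")
    # 2. Bare IP address or punycode host: neither is normal for a bank or mail provider.
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("href points at a bare IP address")
    if "xn--" in host:
        reasons.append("punycode (IDN homograph) host")
    # 3. A trusted name abused: embedded in a foreign host, or a one- or two-character look-alike.
    for trusted in TRUSTED_HOSTS:
        if host == trusted or host.endswith("." + trusted):
            continue  # the genuine site or one of its real subdomains
        embedded = re.search(r"(^|[.-])" + re.escape(trusted) + r"([.-]|$)", host)
        if embedded or trusted.replace(".", "-") in host:
            reasons.append(f"trusted name {trusted} embedded in foreign host {host}")
        elif levenshtein(host, trusted) <= 2:
            reasons.append(f"host {host} is a look-alike of {trusted}")
    return reasons


def analyze_email(html_body):
    """Map every suspicious href in the mail to its list of reasons."""
    parser = LinkExtractor()
    parser.feed(html_body)
    findings = {}
    for href, text in parser.links:
        reasons = check_link(href, text)
        if reasons:
            findings[href] = reasons
    return findings


if __name__ == "__main__":
    for href, reasons in analyze_email(SAMPLE_EMAIL).items():
        print(f"{href}: {'; '.join(reasons)}")
```

Of the four links in the sample, only the genuine help-centre link comes back clean; the "re-authorize" link is caught twice (text/href mismatch and the trusted name used as a subdomain of someone else's domain), "rnail" is caught as a look-alike, and the registration form is caught for pointing at a raw IP address.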

Pharming
It also happens that the victim is smart enough (or indifferent enough) not to click on links. In that case you have to resort to Trojans, joiners or scripts that manipulate the HOSTS file, or to hacking the DNS or DHCP server of the victim's provider. Then, when the user goes to the site to check e-mail, they are redirected to an identical-looking phishing copy. Suspecting nothing, the user enters their credentials and is passed on, by an internal authorization script, into the "real" mailbox, while the login and password are sent to your e-mail. The beauty of it is that the victim never even learns what happened.
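The HOSTS-file variant described here (and in the pharming paragraph of the Serikov and Borovsky section) leaves a trace on the victim's own machine, so it is also the easiest variant to check for. The Python audit below is an added example, not code from the article: it parses a hosts file, flags any entry that overrides a watchlisted mail or bank name, any entry pointing at a non-loopback address, and any entry pushed below a long run of blank lines so that it scrolls out of view in an editor. The sample file, the watchlist and the 198.51.100.23 address (a documentation range standing in for the phishing server) are constructed for the demonstration; the DNS and DHCP variants in the text need to be checked at the resolver, not in this file.

```python
import ipaddress
import os
import sys

# Names whose redirection would hand over credentials (watchlist assumed for the example).
WATCHLIST = {"mail.example.com", "bank.example.com"}

# Constructed sample: the normal entries, then the attacker's lines pushed far below the
# visible part of the file by a long run of blank lines.
SAMPLE_HOSTS = (
    "# sample hosts file (constructed for this example)\n"
    "127.0.0.1       localhost\n"
    "::1             localhost\n"
    "0.0.0.0         ads.tracker.example   # the user's own ad block, harmless\n"
    + "\n" * 60
    + "198.51.100.23   mail.example.com www.mail.example.com\n"
    "198.51.100.23   bank.example.com online.bank.example.com\n"
)


def parse_hosts(text):
    """Return (line_no, ip, [hostnames], blank_or_comment_lines_before) for each entry."""
    entries = []
    gap = 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            gap += 1
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            gap = 0
            continue  # malformed line; a production tool would report it
        entries.append((no, ip, [h.lower() for h in parts[1:]], gap))
        gap = 0
    return entries


def audit_hosts(text, watchlist=WATCHLIST, hidden_gap=20):
    """Flag hosts-file entries that look like pharming; returns a list of finding dicts."""
    findings = []
    for no, ip, hosts, gap in parse_hosts(text):
        for host in hosts:
            if any(host == w or host.endswith("." + w) for w in watchlist):
                reason = "watchlisted name overridden"
            elif not (ip.is_loopback or ip.is_unspecified):
                reason = "mapped to a non-loopback address"
            else:
                reason = None
            if reason:
                findings.append({"line": no, "host": host, "ip": str(ip), "reason": reason})
            if gap >= hidden_gap:
                findings.append({"line": no, "host": host, "ip": str(ip),
                                 "reason": f"entry hidden after {gap} blank lines"})
    return findings


def system_hosts_path():
    """Location of the live hosts file on Windows and on Unix-like systems."""
    if sys.platform.startswith("win"):
        return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                            "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


if __name__ == "__main__":
    # Run with --system to audit the real file instead of the constructed sample.
    if "--system" in sys.argv:
        with open(system_hosts_path(), encoding="utf-8", errors="replace") as f:
            text = f.read()
    else:
        text = SAMPLE_HOSTS
    for item in audit_hosts(text):
        print(f"line {item['line']}: {item['ip']} {item['host']}: {item['reason']}")
```

The "non-loopback" rule is deliberately noisy: a corporate machine may legitimately map intranet names to private addresses, so treat that finding as something to review, whereas a watchlisted mail or bank name appearing in the file at all is the pharming signature the text describes.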

In recent years, cybercriminals using social engineering have adopted more advanced methods that make it more likely for them to gain access to the information they need, exploiting the psychology of enterprise employees and of people in general. The first step in countering such tricks is to understand the attackers' tactics themselves. Let's look at eight main approaches to social engineering.

Introduction

In the 90s, the concept of “social engineering” was coined by Kevin Mitnick, an iconic figure in information security and a former high-profile hacker. However, attackers had used such methods long before the term itself appeared. Experts are convinced that the tactics of modern cybercriminals are tied to two goals: stealing passwords and installing malware.

Attackers apply social engineering by telephone, by email and over the Internet. Let's get acquainted with the main methods that help criminals obtain the confidential information they need.

Tactic 1. The theory of ten handshakes

The main goal of an attacker using the phone for social engineering is to convince the victim of one of two things:

  1. that the call comes from a company employee;
  2. that the call comes from a representative of an authorized body (for example, a law enforcement officer or an auditor).

If a criminal has set himself the task of collecting data about a particular employee, he may first contact that employee's colleagues, trying in every possible way to extract the data he needs.

Remember the old theory of six handshakes? Well, security experts say that there may be only ten “handshakes” between a cybercriminal and his victim. Experts believe that in modern conditions you always need a little paranoia, since you don't know what this or that employee wants from you.

Attackers usually target a secretary (or someone in a similar position) to collect information about people higher up the hierarchy. Experts note that a friendly tone helps scammers greatly. Slowly but surely, criminals find the key to you, and soon you are sharing information that you would never have revealed before.

Tactic 2. Learning corporate language

As you know, each industry has its own specific terminology. The task of an attacker trying to obtain the necessary information is to study the features of that language in order to use social engineering techniques more skilfully.

Everything comes down to studying the corporate language, its terms and peculiarities. If a cybercriminal speaks in language that is familiar and understandable to the target, he will gain trust more easily and obtain the information he needs more quickly.

Tactic 3. Borrowing hold music

To carry out a successful attack, scammers need three things: time, persistence and patience. Cyberattacks using social engineering are often carried out slowly and methodically, collecting not only data on the right people but also so-called “social signals”. This is done in order to gain trust and fool the target. For example, attackers can convince the person they are talking to that they are colleagues.

One feature of this approach is recording the music that the company plays while a caller waits for an answer. The criminal first calls and waits for such music, records it, and then uses it to his advantage.

Then, during a direct dialogue with the victim, the attacker at some point says: “Wait a minute, there's a call on the other line.” The victim hears the familiar hold music and is left in no doubt that the caller represents that company. In essence, this is just a clever psychological trick.

Tactic 4. Telephone number spoofing (substitution)

Criminals often use phone number spoofing, which lets them forge the caller's number. For example, an attacker may be sitting in his apartment calling a person of interest, while the caller ID displays a company-owned number, creating the illusion that the scammer is calling from a corporate line.

Of course, unsuspecting employees will in most cases give sensitive information, including passwords, to the caller if the caller ID belongs to their company. This approach also helps criminals avoid being traced, because if you call the number back, you are connected to the company's internal line.

Tactic 5. Using the news against you

Whatever the current news headlines, attackers use them as bait for spam, phishing and other fraud. It is not for nothing that experts have recently noted an increase in the number of spam emails whose subjects relate to presidential campaigns and economic crises.

An example would be a phishing attack on a bank's customers. The email says something like this:

“Another bank [name of bank] is acquiring your bank [name of bank]. Click this link to make sure your bank information is updated before the deal closes.”

Naturally, this is an attempt to obtain information with which scammers can log into your account, steal your money, or sell your information to a third party.

Tactic 6. Leveraging trust in social platforms

It's no secret that Facebook, Myspace and LinkedIn are extremely popular social networks. According to expert research, people tend to trust such platforms. A recent spear-phishing incident targeting LinkedIn users supports this theory.

Thus, many users will trust an email if it claims to come from Facebook. A common tactic is to claim that the social network is undergoing maintenance and that you need to “click here” to update your information. This is why experts recommend that enterprise employees type web addresses manually rather than following links, to avoid phishing.

It is also worth keeping in mind that sites prompt users to change a password or update an account only in very rare cases.

Tactic 7. Typosquatting

This malicious technique is notable in that attackers exploit human error, namely mistakes made when typing a URL into the address bar. Thus, by misspelling just one letter, the user can end up on a website created by attackers specifically for this purpose.

Cybercriminals carefully prepare the ground for typosquatting, so their site looks exactly like the legitimate one you originally wanted to visit. Thus, if you misspell a web address, you end up on a copy of a legitimate site whose purpose is to sell you something, steal your data or distribute malware.
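The “one letter” mistake the text describes is a Damerau-Levenshtein distance of 1: one character substituted, dropped, inserted or swapped with its neighbour. The check below, an added example that is not part of the original article, decides whether a typed hostname is one such slip away from a domain on a protected list, which is how a proxy or browser extension can warn before the look-alike page loads; the PROTECTED list and the sample hostnames are constructed.

```python
# Added example (not from the original article): decide whether a typed hostname is one
# keystroke away from a protected domain, the 'one letter' mistake typosquatting relies on.
# PROTECTED and the sample hostnames are constructed.


def within_one_edit(a, b):
    """True if a and b differ by exactly one substitution, insertion, deletion
    or adjacent transposition (Damerau-Levenshtein distance 1)."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = 0                                     # length of the common prefix
    while i < min(len(a), len(b)) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        substituted = a[i + 1:] == b[i + 1:]
        transposed = a[i:i + 2] == b[i:i + 2][::-1] and a[i + 2:] == b[i + 2:]
        return substituted or transposed
    short, long = (a, b) if len(a) < len(b) else (b, a)
    return short[i:] == long[i + 1:]          # one character inserted or deleted


def typosquat_match(typed_host, protected):
    """Return the protected domain that typed_host looks like a typo of, or None.
    An exact match or a genuine subdomain of a protected domain is not a typosquat."""
    host = typed_host.lower().rstrip(".")
    for domain in protected:
        d = domain.lower()
        if host == d or host.endswith("." + d):
            return None
        # compare only as many trailing labels as the protected domain has,
        # so a leading 'www.' does not hide the look-alike
        registrable = ".".join(host.split(".")[-len(d.split(".")):])
        if within_one_edit(registrable, d):
            return d
    return None


PROTECTED = ["examplebank.example", "webmail.example"]

if __name__ == "__main__":
    for h in ["exampelbank.example", "www.webmai.example", "login.webmail.example"]:
        print(h, "->", typosquat_match(h, PROTECTED))
```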

Tactic 8. Using FUD to influence the stock market

FUD (fear, uncertainty and doubt) is a tactic of psychological manipulation used in marketing and in propaganda generally. It consists of presenting information about something (in particular, a product or an organization) in a way that sows uncertainty and doubt in the audience about its qualities and thus causes fear of it.

According to the latest research from Avert, the security and vulnerabilities of products, and even of entire companies, can affect the stock market. For example, researchers studied the impact of events such as Microsoft Patch Tuesday on the company's stock and found a noticeable fluctuation every month after vulnerability information is published.

You may also remember how in 2008 attackers spread false information about the health of Steve Jobs, which led to a sharp drop in Apple shares. This is the most typical example of FUD used for malicious purposes.

In addition, it is worth noting the use of email for the “pump-and-dump” technique (a scheme for manipulating the price of a stock or cryptocurrency, followed by a collapse). In this case, attackers send out emails describing the amazing potential of shares they bought up in advance.

As a result, many recipients try to buy up these shares as quickly as possible, and their price rises.

Conclusions

Cybercriminals are often extremely creative in their use of social engineering. Having become familiar with their methods, we can conclude that various psychological tricks greatly help attackers achieve their goals. Therefore, you should pay attention to any little thing that might inadvertently give a scammer away, and check and double-check information about the people contacting you, especially when confidential information is being discussed.