Let's be frank: social engineering is about methods of hacking, the very attacks against which the security departments of the largest companies are trying to build a powerful defense. It's not just about computer security: using social networks or a phone, a hacker can get any data.
The methods of "classic" hacking change as security systems change, but no matter how powerful a system you build, there will always remain a weak link - the human brain.
The attack of a "social engineer" can be illustrated by a classic fraud scheme.
The attacker calls the victim. Introducing himself as a bank employee, he says that the security level of the victim's Internet banking needs to be checked, and asks for the login and password, and then for the SMS code that arrives right after the victim has given the password and login. The attacker says thank you and hangs up. After a while, the victim logs in to the Internet bank or tries to withdraw money from the card and discovers that the money has disappeared. At the bank they throw up their hands; the police are told about the fraud.
All a fraudster needs in order to find out your details and get access to your accounts is to name the bank where you hold a card and play on trust. People fall into this trap whether or not they use Internet banking.
Catching on live bait
While potential victims of the scheme described above are protected by its wide publicity, the methods used to penetrate organizations' databases are much harder to fight. No matter how carefully you protect your data, employees can let you down. And not only employees - leaders become victims too.
The hacker does not have to take any action. It is enough to set traps and wait for the victim. A typical example is fake technical support.
Having dropped by the reception of a large firm's office and waited for the employee to step away, the hacker puts up a sticker with the number of a technical support service that allegedly works with the company. The sticker can even be placed on the employee's computer. No one will pay attention to a new sticker if there are already a lot of them, and nobody will suspect deception, especially if several people work at that computer.
When the computer has problems, the employee will call the fake technical support number from the sticker. The hacker will find out the information he needs. Of course, an ordinary employee is unlikely to give access to the company's accounts, but the attacker will receive his piece of data, which means he will be able to move on to the next stage.
All the hacker needs is a few seconds to put up a sticker.
Simple IP spoofing of the site or page address, and the hacker has the victim's login and password at his disposal. Creating phishing sites is not just easy, it is very simple: copy the design and "pull" it onto any suitable CMS. All that remains is to distribute the link. Users rarely look at the address of the page and do not notice the substitution of one or two letters. Once they are on a phishing site, they calmly enter their data.
Phishing techniques are used both for intrusion into corporate networks and for hacking accounts in social networks. "Why hack into an account if access to it is simply restored?" - ordinary users will ask. And they will be wrong. Having gained access, the scammer will start writing to the user's friends and asking for money "as a loan".
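A mail or proxy filter can catch the "one or two substituted letters" that users miss. The sketch below is an added example, not part of the original article: it compares a link's hostname with an allowlist and flags near misses. The domains in `TRUSTED`, the sample links and the two-edit threshold are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the example (assumption): domains the company really uses.
TRUSTED = {"mybank.example", "portal.example.org"}

def host_of(url):
    """Lowercase hostname of a URL, without scheme, credentials, port or path."""
    if "//" not in url:
        url = "//" + url  # let urlsplit treat a bare "host/path" as a network location
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def edit_distance(a, b):
    """Edits needed to turn a into b: insert, delete, replace or swap two adjacent letters."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent letters swapped
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(url, trusted=TRUSTED, max_edits=2):
    """Return (verdict, trusted_domain): 'trusted', 'lookalike' or 'unknown'."""
    host = host_of(url)
    for dom in trusted:
        if host == dom or host.endswith("." + dom):
            return ("trusted", dom)
    for dom in sorted(trusted):
        # Trusted name used as the leading labels of somebody else's domain.
        if dom + "." in host:
            return ("lookalike", dom)
        # Compare only as many trailing labels as the trusted domain has,
        # so a "www." prefix does not hide a typo.
        tail = ".".join(host.split(".")[-(dom.count(".") + 1):])
        if edit_distance(tail, dom) <= max_edits:
            return ("lookalike", dom)
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed sample links, not taken from any real campaign.
    for link in ["https://mybank.example/login", "http://mybamk.example/login",
                 "https://www.mybnak.example/", "https://mybank.example.verify-login.test/",
                 "https://news.example.net/"]:
        print(link, "->", classify(link))
```

A "lookalike" verdict is a reason to quarantine the message or warn the user; short trusted names will need a lower `max_edits` to avoid false positives.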
How to fight social engineering?
Social engineering methods should be known not only to computer security specialists. Site users and company employees need to be told about the most common methods that hackers can use, and trainings need to be conducted. This is the only way to protect data from theft.
In addition, you can use other methods. Within a company, the following can work:
- a clear separation of levels of access to information;
- communicating through messengers with video chat;
- transfer of important data only within the corporate network or portal;
- placing the computers of employees engaged in important work as far from visitors as possible.
Alas, neither technical means, nor rules, nor constant trainings will make it possible to protect data from social engineering attacks. Any system, even the most secure (and not only a computer one), can be hacked; the only question is time and price.
Attention! Our company does not recommend illegal activities and calls for compliance with established laws.