Modern security systems can protect data from almost anything except human error. You can erect an impregnable software wall in front of a potential hacker, but all that work is in vain if a naive user simply tells the intruder the passwords. “Hacking a person is much easier than hacking a computer, because computers follow instructions and people succumb to emotions,” says Kevin Mitnick, one of the world’s most famous hackers.
Social engineering, or hacking into human consciousness, is one of the most popular hacker tools of our time. It may surprise you, but the most insidious social engineering methods require practically no special technical knowledge from the attacker. Here are some techniques that will stay relevant as long as there is human stupidity. That is, forever.
This is one of the textbook examples of how a hacker can obtain a password for the corporate system. It is especially relevant in large companies, where many employees do not know each other. The hacker only needs to contact one of the employees by phone or email and pretend to be a clueless newcomer. Of course, much depends on luck. The attacker must not slip up from the very beginning and must choose as the living “vulnerability” a trusting, good-natured person who is ready to help an inexperienced “colleague”.
By carefully questioning the employee and complaining that “nothing works”, the hacker coaxes the password for the system out of him/her. After that it is merely a technical matter.
Big and evil boss.
A trick played out in countless spy films, and one that has not lost its relevance. You must have seen it in some movie: the hero calls, for example, a checkpoint, pretends to be an angry general and demands that the timid duty officers immediately report something or let someone through.
The example is exaggerated, but even in 2016 hackers manage to rob banks with this kind of trick. The most striking example: in January, attackers stole 70 million euros from a large Belgian bank. The hacker sent an angry letter to one of the managers in the finance department, introducing himself as one of the bank’s important clients. The “client” was furious and demanded to know why the hell the bank was delaying an extremely important transaction. The frightened employee transferred the money without verifying the documents that had been sent, which were forged in Photoshop.
By the way, this method combines perfectly with the “clueless newcomer”. The same “big and angry general” can call his subordinates and demand an explanation for why something is not working for him. The key here is charisma and persuasiveness. The anger, foolishness and self-righteousness must look natural enough, and be intense enough, that the victim cannot gather his thoughts and simply has no time to doubt what is happening.
Despite rising computer literacy, it is still easy to find people who dream of having a “fix everything” button on their keyboard. These are the same sorrowful souls who “didn’t press anything, and everything broke”. Such people are a real find. The hacker only needs to call them and say something like “This is N from tech support, I was told you have a problem with your computer”. The victim is guaranteed to find a “computer problem”, whether it is a line that vanished in Microsoft Word or “Classmates” being blocked by the administrator. While these “problems” are being solved, the user will believe almost every word the hacker says and will happily dictate anything he/she is asked for, including the login, the password and the passport details of his/her own grandmother.
Did you order a pizza?
If you work in a large office, look around. Look at your colleagues’ computers. You will surely find a sticky note on some monitor listing every password needed to log in. So a careful and observant hacker only needs to find a way into the office, and there are many ways to do that. For example, it is no secret that “wandering salesmen” sometimes walk around office buildings, offering the occupants all kinds of cosmetics, books or other goods. There is no guarantee that one of these sellers, entering the room, will not start studying the paper with passwords on someone’s monitor.
It should be noted that this method will not work with large corporations, because they usually do not let outsiders onto their premises. But if your company rents an office somewhere like the House of Troubles, there is no guarantee that the courier who knocked on the wrong door half an hour ago will not try to crack your database that same evening.