[Anti-Spoofing Art]: The Art of the Attacker (2)
Social engineering attackers have a wide range of approaches. In the previous article, we discussed how attackers use seemingly harmless information to gain the target's trust. This article introduces another way for attackers to gain trust: offering help to the target, or asking the target for help. It covers two chapters of the original book:
-"Let me help you"
-"Can you help me?"
1. Social engineers who offer help
Everyone has had this experience: when we are stuck on a problem, we are very grateful if someone with the relevant knowledge or skill is willing to help us. Social engineers understand this psychology and exploit it skillfully. The key is that the social engineer makes you feel that you have a problem, when in reality the problem may not exist. Stranger still, the problem may have been deliberately created by the social engineer. After solving the problem for you, the social engineer counts on your gratitude and uses it to extract some information or to ask a small favor of you; that small favor is enough to cause your organization serious trouble. Don't believe it? Let's look at a case:
Background: Bob was hired by a company to obtain another company's confidential product design files. Instead of attacking with technology directly, Bob carefully planned a social engineering attack.
-1. Bob spends $39.95 on a mobile phone at a convenience store;
-2. Bob calls Tom, the bookkeeper in the office of the right-side Shipyard (our target), pretends to be from the company's service center, and tells Tom to call Bob's mobile phone whenever he has a network problem. Bob also learns that the network port for Tom's office is 6-47;
-3. Bob waits two days to avoid drawing attention, then calls the company's network operations center and, posing as someone from the office, asks it to temporarily disconnect port 6-47;
-4. Tom soon calls and asks Bob to repair the network. Bob at first pretends to be in a difficult position, but then agrees to help Tom solve the problem first;
-5. Bob calls the company's network operations center again and asks for the connection on port 6-47 to be restored;
-6. Bob calls Tom to confirm that the network is back and persuades Tom to download a "diagnostic" program from the web to prevent future disconnections. The program is actually a Trojan horse;
-7. Bob can now remotely access the shipyard's internal network, and he finds the confidential file within the day;
-8. Bob removes the battery from his new cell phone and throws the phone away;
This is in fact "reverse social engineering", because the social engineer gets the target to contact him rather than initiating contact himself. The prerequisite, of course, is to lay the groundwork: create the "problem" first, then "step forward" to solve it. Reverse social engineering can also refer to a target who recognizes the attack and turns the same tactics back on the attacker, drawing the attacker out to learn as much as possible about the attack; the target in our case was obviously not that astute.
2. Social engineers who pretend to ask for help
Besides offering help, social engineers sometimes do the opposite and pretend that they need help from others in order to manipulate the situation. Most of us sympathize with people in distress, and experience has repeatedly shown that social engineers can take advantage of this.
In the following case, the social engineer S wants to obtain WAN access to the target company, that is, a usable user name and password, so he carries out the following attack:
-1. S is targeting a multinational company in Silicon Valley. He chooses to attack through a remote site, because the security measures at a branch are generally looser than those at headquarters;
-2. S calls the Chicago office and asks for Jack (S does not know anything about any Jack);
-3. The operator asks for more precise information about Jack. S asks how many people there are named Jack, has the operator read them out, and picks one of them;
-4. S asks which department that Jack works in and asks the operator to connect him;
-5. S falsely claims to be calling from a department of the company and says that Jack's salary is being transferred to his credit account, as Jack requested;
-6. Jack, of course, denies having submitted such a request and is worried about his salary;
-7. S asks Jack for his employee ID for verification. Jack gives his employee ID to S without a second thought;
-8. S now has Jack's employee ID and replies that it was an employee's error;
-9. Soon afterwards, S calls one of the company's system administrators and claims to be Jack. He says he is staying in a hotel on a business trip and asks for a temporary account so that he can work;
-10. The system administrator verifies Jack's employee ID and department;
-11. The system administrator activates a temporary account for S: jbjack | changeme;
-12. S now has access to the company's WAN;
The company's security here resembles "candy-style security": firewalls and other devices strictly protect the perimeter, but once intruders get past the firewall, the internal systems are exposed and insecure. Similarly, there is "underground bar-style security", which rests on keeping information hidden: people do not know where to find the information and do not know the entry password. Neither of these is an obstacle for a social engineer.
3. Fraud Prevention
How can a company or organization make sure its employees can defend against social engineering attacks like these?
First, educate and train employees continuously. Give all employees basic security training, then develop different training courses for specific job types. People who handle sensitive information or hold highly trusted positions need additional specialized training.
Second, protect sensitive information. Passwords, for example, must never be disclosed to others.
Finally, consider the source of the request, that is, authenticate the identity of the other party. Where confidentiality requirements are high, approve only requests that are made face to face or backed by strong identity authentication. In addition, designate one or more employees in each department to handle every request to send information outside the department, and give these employees further security training so that they know the special verification procedures they must follow.
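The verification rules above can be written as a request gate and run against the requests from the two cases. This is an added example, not taken from the book; the field names, the verification labels ("none", "knowledge" for a recited employee ID and department) and the choice of which requests count as high-confidentiality are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass

# Only these count as identity proof for high-confidentiality requests.
STRONG = {"in_person", "strong_auth"}

@dataclass
class Request:
    action: str
    high_confidentiality: bool
    verification: str            # "none", "knowledge", "in_person", "strong_auth"
    leaves_department: bool = False
    via_designated_employee: bool = False

def evaluate(req: Request) -> tuple[bool, list[str]]:
    """Return (approved, reasons for refusal)."""
    reasons = []
    if req.high_confidentiality and req.verification not in STRONG:
        reasons.append(f"'{req.verification}' is not strong identity authentication")
    if req.leaves_department and not req.via_designated_employee:
        reasons.append("outbound information must go through the designated employee")
    return (not reasons, reasons)

def issue_temp_account(username: str) -> tuple[str, str]:
    """Random one-time password, never a shared default such as 'changeme'."""
    return username, secrets.token_urlsafe(12)

# Constructed requests modelled on the two cases above.
CASES = {
    "noc_port_disable": Request("disable port 6-47", True, "none"),
    "temp_account_by_phone": Request("temporary remote account", True, "knowledge"),
    "temp_account_verified": Request("temporary remote account", True, "strong_auth"),
    "id_given_to_caller": Request("read out employee ID", False, "none",
                                  leaves_department=True),
}

if __name__ == "__main__":
    for name, req in CASES.items():
        ok, why = evaluate(req)
        print(f"{name}: {'APPROVE' if ok else 'REFUSE'} {why}")
    print(issue_temp_account("jbjack"))
```

The employee ID and department that the system administrator checked in step 10 are knowledge anyone can collect by phone, which is why the gate treats them as "knowledge" rather than authentication.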