Social engineering of Information Security [2]: counterfeit identity in attack techniques

Source: Internet
Author: User

In the previous post we introduced "information collection". Today we will talk about "fake identities".
To avoid misunderstanding, it should be made clear up front that "information collection", "fake identity" and "exerting influence" are not isolated steps; they are combined organically. When attackers do their work, they always use all three to reach the final goal. Only limits of time and space force me to split them into three parts and introduce them separately.

★Why fake an identity?
A fake identity is simply "packaging". Attackers are not stupid; of course they will not readily expose their real identity, so naturally they need a disguise to hide behind. In general, attackers pick a disguise that suits their target. Once the disguise is chosen, a few details are touched up to make it feel more real.
All in all, the packaging lays the foundation for the subsequent "exerting influence".

★What does the packaging achieve?
In principle, most people are emotional. The packaging makes full use of this weakness in human perception.
◇ Win trust
Do you still remember the "non-sensitive information" mentioned in the previous post? Attackers can use such information to prove that they belong to the organization and thereby gain trust (see the example at the end of this post). Gaining trust is the prerequisite. Only after gaining trust can attackers go on to win favor, gain sympathy and establish authority.
◇ Win favor
Obviously, winning the other party's favor does no harm. If the other party feels good about them, attackers can make further requests. Many insurance salespeople, for example, are skilled at using all kinds of means to win favor.
◇ Win sympathy
Most people are more or less compassionate, so some attackers deliberately show weakness to make the other party feel some sympathy, and then seize the opportunity to make a request. From this perspective, many beggars also use social engineering skills.
◇ Establish authority
Many people place easy trust in, and blindly obey, authority figures. Establishing authority therefore also helps the attacker "exert influence" later on.

★How to package?
◇ Select an identity
To achieve the effects above, you must first select a specific identity. The choice of identity is a delicate matter, and a wide range of factors must be considered. Since the purpose of this post is not to teach you how to carry out social engineering attacks, I will only touch on it briefly.
Attackers can build a sense of shared identity. For example, if the other party is a secretary, the attacker will claim to be the secretary of another department (so that his or her position is recognized). A later post will go into identity in more detail.
To establish authority, one can pretend to be a senior person in the company (or someone close to the leadership, such as a leader's secretary). This approach is quite effective against well-developed companies.
If you want to gain sympathy, refer to the example given later in this post.
◇ Appearance whitewashing
Besides choosing an identity, some details of appearance are also very important. Most attackers communicate over the phone, and those with a slightly magnetic voice (men) or a gentle, soft voice (women) have the advantage.
Most attackers will not show up in person (the real-world risk is high). In special circumstances, when the other party's premises must be visited, experienced attackers choose clothing that matches the fake identity. In that case the attacker's looks are also a key factor: someone who is good-looking and well-groomed will, at first glance, make a good impression on the other party and lower their guard.
A digression, by the way. Didn't I stress the importance of talent in the introductory post at the start of this series? So-called social engineering talent is not just cleverness; the voice and appearance cannot be too poor either (especially the voice). As the saying goes: having a bad voice is not your fault, but going out on a social engineering job with one is!

★An example
I have covered a lot of theory above. To make it more concrete, let's look at a simple example (inspired by Kevin Mitnick's The Art of Deception). In this example, the attacker's main purpose is further "information collection", and in the process the attacker uses the "fake identity" method.
◇ Main characters
A social engineering attacker, referred to as Xiao Hei.
A company's customer service employee, referred to as Xiao Bai.
◇ Background
Xiao Hei wants to find out the bank account of one of the company's customers (Zhang San). Xiao Hei first collected some preliminary information (via Google) and learned the following:
1. The company has a commercial customer data system that contains customers' bank accounts.
2. The system is known as BCIS for short.
3. The company's customer service staff have permission to query BCIS.
With this preparation done, Xiao Hei called the company's customer service department.

◇ Dialogue
Xiao Bai: Hello, who is this?
Xiao Hei: I'm from the customer data department. My computer caught a damn virus and won't start, but a secretary from the president's office asked me to look up a customer's information. I heard your customer service department can also log on to BCIS. Could you check it for me? Thanks!
Xiao Bai: Oh. What information do you want to query?
Xiao Hei: I need a customer's bank account.
Xiao Bai: What is the customer ID?
Xiao Hei: The customer ID is on my computer, but my computer won't start. Please do a fuzzy search by name. The customer is called "Zhang San".
Xiao Bai: Wait a moment. Let me check.
......
Xiao Bai: Found it. Take a note: his bank account is 1415926535.
Xiao Hei: Okay, I've noted it down. You've helped me a lot! Thank you very much!
Xiao Bai: You're welcome.

◇ Case analysis
First, through information collection the attacker found out that the "commercial customer data system" is called BCIS, and also learned that the customer service department has permission to query BCIS. When Xiao Hei mentions these two pieces of information, Xiao Bai believes he is a company employee.
Then, Xiao Hei lies that his computer is infected, showing weakness to gain Xiao Bai's sympathy.
With these two points in place, Xiao Hei's chances of success are already high. Add a suitable voice and tone, with some anxiety in the speech, and it is very likely to work.

That concludes the topic of "fake identities". In the next post of this series, let's talk about "exerting influence".
