The basic meaning of social engineering is: social engineering is about establishing theories and solving various social problems step by step through natural, social and institutional channels, with special emphasis on practical two-way planning and design experience. Is it hard to understand? I think so, too. Forget it, let's see how social engineering is explained in our field:
Social engineering is an attack. Attackers use the interactivity of interpersonal relationships to attack: Usually, if attackers can't directly obtain the required information through physical intrusion, they will defraud the required information through e-mail or telephone, and then use these materials to gain the authority of the host to achieve their own goals.
Skilled social engineering users are good at collecting information, and many seemingly useless information will be used by these people to infiltrate. Such as phone numbers, names. You can use the job ID number of the latter. For example, for example, a social engineering user wants to obtain some information from a credit card company, but there is no relevant certificate to legally obtain this information from this company. At this time, he can use social engineering to collect relevant information from the bank related to this credit card company to achieve his goal. For example, banks need to get information from credit card companies, what certificates or ID numbers they need, or the names of employees who often have business dealings with credit card companies, and so on. Nowadays, many companies use telephone service in some services for convenience and speed, which makes it easier for these attackers to take advantage of it. Credit card companies will give some sensitive information to attackers by providing relevant information obtained from banks.
Many social engineering attacks are very complicated, including careful planning and comprehensive application of considerable skills. But you can also find that some skilled social engineering attackers often only need simple methods to achieve their goals, and it is often effective to get the information they need directly by asking. For example, someone called the telephone company and said that because of the influence of a fire, the nearby telephone line terminals were destroyed, making the telephones of dozens of families nearby unusable. He is a telephone line repairman himself. Maybe he can help repair it first. However, maintenance must require some sensitive information that the telephone company will not let unrelated employees know. But who can refuse the selfless assistance of a kind telephone line maintainer and let the social engineering attacker get the telephone line information he needs?
Building trust is also a means of social engineering, and it is a very important means. Imagine that if you have established a fairly strong trust relationship with the living people in a company, it will be much easier to obtain some important and sensitive information. It is not easy to gain trust in a short time, but it is not impossible. If you can prove that you can be trusted, it will be easier to gain trust. For example, telephone companies engage in sales promotion, as long as the use contract is limited for a certain period of time, you can get the latest mobile phone for a penny. Note that the premise is that you must sign a mobile phone network use contract for a certain period of time. A person thinks, how can you buy this mobile phone for a penny without spending money to sign a telephone line use contract? So he called the branch of this telephone company, which we call a shop. His conversations with the staff were as follows:
Clerk: This is Branch A of the telephone company. How can I help you?
Dear friend: Hello, my name is dear friend. I have been to your store before, and I want to apply for a mobile phone service. You think the service introduced to me by the shop assistant named Li (I guessed, of course) is very good. I didn't make up my mind at that time, but now I have decided to apply for that service. Oh ~ ~ ~, the clerk's name is Li ~ ~ ~, I don't remember, you know?
Shop assistant: ~ ~ ~, there are two plums in our shop. Do you mean men or women?
Dear friend: Yes, it's a man. He said his name was Li. Sorry, I forgot his name. Can you tell me?
Shop assistant: Li XX.
Dear friend: Yes, let's call it Li XX. I'll go to your store right away to handle the opening formalities of related services. See you again.
Shop assistant: Goodbye.
Then this guy called another branch, branch B.
Dear friend: Hello, is this Division B?
Clerk: Yes, what can I do for you?
Dear friend: I'm Li XX from Branch A. I have a customer here who just signed a 10-cent mobile phone exchange contract with us, but later found that the model of that mobile phone in the store was out of stock. Do you have any more in your shop?
Clerk: Yes.
My dear friend: Good grades. I have signed a line use contract with him. I invite him to your place now, and you can sell him your mobile phone for a penny.
Clerk: OK, ask him to come.
Half an hour later, this guy showed up at branch B and bought a mobile phone with a penny.
Do you understand now? Deception is easy as long as you prove that you can be trusted.
To be continued ~ ~ ~
Up to now, you will ask, what does this have to do with computer intrusion? Hehe, it doesn't seem to matter, but I am talking about the principle of means. Now let's see how a skilled social engineering hacker installed a Trojan horse in the intranet:
Location 1: Office A, the phone is ringing.
Clerk: hello, I'm Xiao Wang, and this is office A.
Attacker: Hello, I'm Li xx from Network Technical Support. We are carrying out normal network maintenance. Is there something wrong with the network in your office?
Clerk: Well, not that I know of.
Attacker: Is there a problem with your own use?
Shop assistant: No.
Attacker: OK, what I want to say is that it is very important to inform us in time if there is a problem with the network. My task is to make sure that no office computer can stay online.
Clerk: Our network here is in good condition.
Attacker: What I said is possible. If anything happens, please call us at this number in time. The telephone number is 12345678.
Clerk: OK, I'll let you know in time if anything happens.
Attacker: One more thing. Can you tell me the port number of your computer connection?
Clerk: Port?
Attacker: At the back of your computer, the port number is marked where the network cable is plugged in.
Clerk: Yes, the number is 123.
Attacker: Please wait a moment, port 123 ~ ~ ~. Ok, thank you. Remember to let us know when something happens and when to call. Goodbye.
Location 2: The phone rang in the network management room of this company.
Network management: Hello, network management room.
Attacker: Hello, Xiao Wang in Office A of my room. We are solving a problem on the computer network. Can you temporarily stop the network connection of 123 port?
Gateway: ok, please wait a moment ~ ~ ~, ok, it has been temporarily stopped.
Attacker: Thank you.
An hour later, the attacker's phone rang.
Attacker: Hello, this is network support. I am Xiao Wang.
Clerk: hello, this is Xiao Li from office A. There is something wrong with our network, and our computer can't stay online.
Attacker: Well, I can help you solve it, but I have to solve the network problems in other offices first. Can you wait?
Clerk: How long will it take? I didn't learn to use the internet.
Attacker: I will do it as soon as possible. Just a moment, please.
In this way, the attacker called the network management room again and asked the network management to open the network connection of office A.
Half an hour later, the phone in office A rang.
Attacker: Li xx supported by our website.
Shop assistant a: hello, have you solved it?
Attacker: Yes, please try.
Shop assistant a: ~ ~ ~, yes, it's ready to use. Thank you very much.
Attacker: OK, but there is one problem. In order to prevent the network of office computers from being disconnected all the time, we designed a software. I will give you the address, please download and install this software. The website is. . . . . . .
Then, the attacker knew that the employee went to a webpage he had prepared and downloaded a small software.
Clerk A: I executed this software, but nothing happened.
Attacker: hmm ~ ~ ~, maybe we made a mistake when we wrote it. I'm telling you, stop pretending. You can install it after we rewrite it.
In this way, a Trojan horse program was installed on this computer.
In any case, intruders can easily install a Trojan horse on a computer in the network without any complicated computer access means, which is the power of social engineering.
In addition to the above methods, email is also a means. For example, you often receive some advertising spam and delete it without reading it. But people with ulterior motives are not that stupid. Suppose you receive an email like this:
Dear Xiao Wang:
Attached is a photo of the beautiful girl I promised to introduce to you. Have a look. I'll introduce you if you are interested.
Xiao Li
Under normal circumstances, this relatively private email will not make people have any doubts. At most, it is considered as an email sent to the wrong address. Coupled with people's curiosity, few people will not open it to see what kind of beautiful girl it is. Hehe, when you click on the photo, you have already confessed unconsciously.