2021/07/01 13:52:26

How cyber bullies apply social engineering: deception scenarios and methods of influence

Understanding the psychological methods of criminals is one of the main ways to counter them


Main article: Social engineering

Even those who are professionally far from the information security sphere already know about phishing attacks. They are carried out using social engineering, the manipulation of people in order to gain unauthorized access to information.

Such attacks are the main mechanism behind fraudulent financial transactions. They succeed so often because they exploit the way people make decisions: the secret lies in the properties of human psychology that attackers take advantage of.

Some numbers

The Bank of Russia, in its review of the main types of computer attacks in the credit and financial sector, noted an increase in the number of fraudulent sites during the coronavirus period. The review attributes it to the growing use of remote services, as well as to citizens losing their jobs and seeing their income fall. This increased the demand for social benefits and aroused interest in credit products and other ways of improving one's financial situation.

According to the Central Bank of the Russian Federation, attackers actively use the topic of coronavirus to create fake bank sites and other phishing resources for stealing citizens' funds. During the three spring months of 2020, when isolation measures were at their strictest, 2,200 fraudulent sites were identified whose creators exploited the coronavirus theme for deception. The number of visitors to such resources approached 100 thousand people per day in June 2021.

In 2020, the Bank of Russia initiated the blocking of 7,680 sites. Most of them, 6,256, were, as a year earlier, fraudulent sites imitating sales sites for air and rail tickets, p2p transfer services, and online exchanges. More than 1 thousand fake bank sites and almost fifty sites of fake insurance organizations were also blocked, and the number of fraudulent resources in these categories doubled. Over the same period, FinCERT, the Center for Monitoring and Response to Computer Attacks of the Central Bank of the Russian Federation, asked telecom operators to block more than 26 thousand telephone numbers, 86% more than in the previous year.

Deception scenarios

Unfortunately, a successful attack is not difficult to carry out: it is enough to have a little information about the client of a credit institution (for example, a name and phone number). Attackers purchase databases of personal customer data, and the victim then receives a call following one of several pre-prepared scenarios.

Attackers may pose, for example, as employees of financial organizations, insurance companies or government agencies, as interested buyers on Avito or Yula, or even as friends of relatives.

FinCERT analyzed the nature of phishing calls in 2020 to understand whom the attackers most often pretend to be.

"It turned out that in most cases fraudsters either pose as security officers of a certain financial company (about 57%) or report that they are calling from the credit institution servicing the citizen's account (41% of cases)," the Bank of Russia said in its review.

Since the end of 2020, a significant increase has also been noted in fraud cases in which the callers claim to be law enforcement officers.

Attackers also contacted potential victims via SMS and instant messengers when committing fraud on services such as Yula or Avito. According to FinCERT, in most cases (about 83%) fraudsters correspond with the victim under the pretext of buying or selling goods or services. Another 15% of all incidents are fraudulent SMS messages claiming that the victim's card has been blocked.

Here are some examples of the most common fraudulent scenarios, taken from the Bank of Russia report, Kaspersky Lab data and other open sources:

  1. The attacker, introducing himself as an employee of the economic security department of a financial institution, claims to have detected a transaction carried out without the client's consent. To stop the transaction, the attacker asks the victim to provide card details, codes from SMS messages and other information. This information is sufficient for fraudulent withdrawals from the card.
  2. In another variant, the victim is told about an erroneous transfer of money to their account and asked to withdraw it at an ATM and then transfer it to a "secure account of the credit institution."
  3. A fraudster posing as a bank employee calls customers awaiting approval of a loan, usually a consumer loan, and suggests checking the card details to confirm the loan. During the conversation he asks for the card number and CVV, because "a card with this number was not found in the database." If the victim reveals the data, the money disappears from the account.
  4. A pseudo-employee of a financial institution reports that the victim's mobile device or personal account in the remote banking system has been compromised. Under the pretext of securely changing the password, he asks the victim to dictate the login code from an SMS message.
  5. A similar variant, in which the attacker asks the victim to install an allegedly secure application on the phone, which subsequently allows the attacker to connect remotely to the victim's mobile phone and steal funds.
  6. An "employee" of a bank that previously refused the victim a loan unexpectedly calls to report that the decision has been reconsidered. The caller also offers to open a card, for which he insists on transferring a certain amount to a new account or even sending it by courier.


Separately, it is worth noting that you should not follow links sent in instant messengers, for example in messages about various kinds of giveaways, and especially should not forward such links to friends. Entering payment and personal data on such pages, for example to pay for delivery or a commission, can result in the theft of money.

In addition, as mentioned above, fraudsters actively use the topic of coronavirus infection and its economic consequences in calls and electronic messages. For example, they may talk about government support measures, offer ways to earn money easily, and the like.

A list of real fraud stories can be found, and added to, on the website organized by the Central Bank of Russia, fincult.info/rake/, in the section "Rakes."

Fraud scenarios targeting employees of legal entities are more complicated. A few examples follow. For instance, the attack on Russian financial institutions in 2020 began with an electronic message with the subject "All-Russian study of the banking sector during the pandemic," sent on behalf of a fake payment system and a news agency. The first letter contained no malicious attachments, but it served to arouse the victim's interest and plant an association in her memory. The second message, offering participation in a similar survey, allegedly came from a correspondent of a major news agency. Only the third and subsequent messages contained phishing links or malware.

Often, hackers catch employees of organizations with credential-entry phishing pages that appear when a document sent by the attacker is opened. The attackers' goal in this case is illegitimate access to the user's mailbox, and the bait is various financial documents, "security checks," and so on.

These impressive figures indicate the extent of fraud. They explain why, despite the active work of the Central Bank of the Russian Federation and the information security expert community, citizens still need to organize their own protection against attacks by cybercriminals.


An illustrative example of a real attack discovered by Kaspersky Lab experts involves the double extortion method. After stealing children's personal data from a company that worked as a service provider for schools, the attackers sent letters to the victims of the leak, the educational institutions, threatening to publish information about the students unless the schools put pressure (for example, by filing lawsuits) on the company already affected by the theft and forced it to pay the attackers' ransom.

However, cooperating with the attackers is unlikely to prevent the publication of the stolen data. In such a situation, the victims of the attack therefore need to address the further protection of the children while taking into account the leak that has already occurred.

Phishing attacks often target new employees of companies, since they are not yet familiar with most of their colleagues and are emotionally more open to communicating with unknown correspondents, both by mail and by phone. Fraudsters invent a variety of reasons for starting a dialogue, from gifts in honor of the hiring to communication "with the internal information security service" about questions that have arisen. As a rule, an introductory letter comes first, followed by an engaging correspondence, and only the third or fourth letter contains a phishing attachment. Phone fraud schemes are built in a similar way.

Thus, fraud tends to be targeted and multistage and relies on associative memory. It also exploits various human feelings: excessive trust in a professional, fear of security services, hope of receiving some benefit, and so on. Attackers take advantage of the fact that the victim does not understand certain processes and is frustrated, which, combined with an escalating situation and the demand for a quick reaction, leads to mistakes. This is why socially vulnerable segments of the population are the most exposed to fraud, and why fraud flourished at the height of the pandemic, when all citizens were in a certain information vacuum and under stress at the same time.

Methods of social and psychological influence

In marketing theory and social psychology, psychological tools for influencing decision-making have long been known. Marketing tools are described in many works, including Robert B. Cialdini's 1984 book "Influence: The Psychology of Persuasion." Similar approaches apply to fraudulent schemes.

In particular, people are inclined to return a favor, so at a subconscious level they are ready to help in gratitude for a gift or assistance. In marketing, the easiest way to increase loyalty is to offer a free product sample. Fraudsters use the same technique to create a sense of trust by offering gifts or reporting approved loans.

The principle of commitment and consistency makes a person adhere to an idea he considers his own, even if the initial incentive or motivation did not come from him. It is enough to lead a person to a certain thought as if it were his own, and he will voluntarily defend it, switching off his critical thinking.

Fraudsters can also exploit the feature of human behavior called social proof: the desire to belong to or conform to a certain social group, to follow what others do.

At the same time, a person tends to trust those he finds attractive or charismatic. For example, he may succumb to the persuasion of an attacker with a pleasant and confident voice.

Scarcity and fear of loss are perhaps the tools fraudsters use most to create a sense of time pressure, which blunts critical perception.

"The social and psychological mechanisms through which fraudsters influence us have long been studied and described," comments Anastasia Vlasova-Yagodina, director of the Intellectual Property Protection Research Institute, "in particular, in such fundamental works as Solomon E. Asch's 'Opinions and Social Pressure,' Stanley Milgram's 'Behavioral Study of Obedience,' 'Age of Propaganda: The Everyday Use and Abuse of Persuasion' by E. Aronson and E.R. Pratkanis, 'Telling Lies' by P. Ekman, Harold Garfinkel's studies on ethnomethodology, and a number of studies described in David Myers's book 'Social Psychology.'"

Among the main mechanisms, Anastasia continues, the following can be distinguished:

  • Using strong emotions. Rational decision-making is blocked by stress. For example, if a mother is told that her son has been in an accident and urgent help is needed, how can she not help?
  • Excessive self-confidence. Many people think they are smarter than others and will not fall for tricks. In reality, even intelligence officers may fail to recognize a lie.
  • Trust in authority. A call from an investigator or intelligence officer sets people up for blind obedience. The American psychologist Stanley Milgram studied this mechanism in 1963 in his well-known experiment, in which, on the orders of an unfamiliar experimenter in a white coat, people were ready to administer electric shocks to innocent people.
  • Reciprocity. Someone is supposedly doing something good for the person (for example, looking after his safety), and he feels the need to thank the benefactor. Arguing with him and questioning his authority feels awkward, since it contradicts the ancient instincts of cooperation, so critical evaluation of the relationship is switched off.
  • Social pressure. Fraudsters often act as a group to create a numerical advantage that convinces the victim they are right simply because the majority cannot be mistaken. Thus, in Solomon Asch's experiments of 1951, a person agreed that identical line segments were actually different solely under pressure from a staged majority.
  • Generalized statements that the victim completes himself. An ordinary user receives a letter from a hacker who writes that he has hacked the user's computer, watched him through the webcam and thus collected serious incriminating material that will become public if his demands are not met. The recipient of the letter is left to imagine for himself what incriminating material the hacker has and to fear his own assumptions.
  • Disorientation. An intense flow of information leads to loss of focus and vigilance.
  • Creating a time deficit. The person is told he must act quickly or the chance will be lost, so that he has no time to analyze the situation and make the right decision. This method is almost always combined with one of the others listed above.

Counteraction

"The methods of influence used in social engineering are understandable to anyone. Their effectiveness lies not in some deep mysterious techniques but in their unexpected use. When you encounter them, you often simply lack the time and attention to make the right decision and react correctly. And that is exactly what the attackers are counting on," says Anastasia Vlasova-Yagodina.

She believes that extensive recommendations on various techniques for resisting social engineering may be of little use, because when the need actually arises, there is no time to consult them, choose one and apply it.

According to her, there is one universal and most useful piece of advice: stop and think, preferably by literally breaking off the conversation and any contact with the suspicious person.

"In any dubious situation, when someone calls, someone writes, someone demands something, it is better to take a pause, ask them to call back, get distracted in any way and think. This will make it clear whether you are facing a real situation or a scenario being played out. Or, if it is still not clear, take steps to verify: find the necessary information on the Internet, call a more knowledgeable friend, contact relatives," advises Anastasia Vlasova-Yagodina.

For employees of organizations, raising awareness through training with simulated phishing attacks works effectively. It makes it possible to identify those most susceptible to social engineering attacks and to train them using controlled phishing attacks modelled on real fraudulent scenarios.

Author: Anna Mikhailova.