The War Without Smoke
Social engineering
Author: Xiao Jin
First, letting the wolf into the house
Miss Li is a secretary at a large company. A great deal of important business information is stored on her computer, so it is a focus of the company's protection, and the security department has put a layer of safeguards around it; breaking into her machine from the outside can fairly be called impossible. So that changes and virus removal can be done conveniently, the security department is able to administer her computer directly over the network through a service terminal. Perhaps out of a desire for convenience, the maintenance staff and Miss Li arranged this through QQ.
One day Miss Li had just opened QQ when she received a message from the maintainer: "Xiao Li, I have forgotten the login password, tell me what it is, I have an urgent security setting to do!" Since she was very familiar with the maintainer, Miss Li sent the password over. (Figure 1)
Almost overnight, the company's main competitor had a grip on the company's business, snatched away big customers in several important deals by undercutting the company, and left it with losses. An investigation established that the company's business information had been obtained by the other side. The company sued its opponent and also launched an internal inquiry, and Miss Li naturally came under suspicion. The focus finally settled on that QQ message. The maintainer repeatedly insisted he had never sent it, but the record on the computer showed it plainly... With the intervention of the police and the confession of the suspect, a typical case of "social engineering" fraud came to the surface.
Social engineering, a technique that exploits psychological traps such as trust, curiosity and greed in order to deceive and harm its targets, has grown rapidly in recent years and is even showing signs of being abused. So what is social engineering? It is not simply equivalent to ordinary fraud: social engineering is considerably more complex, and even the most wary and experienced person can be damaged by a skilful social engineering ploy.
Miss Li was deceived because she trusted the maintainer. The "maintainer" who appeared on QQ was not the company's maintenance man at all: the opponent had taken over the maintenance staff member's QQ account and then, using that small trust relationship, easily obtained the login password, and the company's business data naturally flowed to the other party. Can this count as an intrusion case? The other side used no technical means whatsoever: no scanning of the company's computers, no exploitation of vulnerabilities, and the password itself was handed over by the company's own employee. This produces an interesting contradiction: the other party logged in to the victim's machine without authorization and stole information of economic value, which is already an intrusion, so this person is an intruder; yet the password used to log in was not obtained by illegal means but told to him by the victim, so could this person also be called a legitimate user? In the end the police gave their conclusion: the defendant obtained the victim company's login password by deception and logged in to the victim's machine without authorization to steal business information. Although the case involved no technical means, the defendant's use of social engineering to commit the theft is clearly an unauthorized intrusion, and it also involves fraud...
The company eventually recovered its losses through legal means, but the terror of "social engineering" had already lodged itself in everyone's heart...
Second, an equally foolish password
Now turn the spotlight onto that maintainer. Since the security department is located some distance away and on-site management is inconvenient, the company allows its staff to manage machines directly over the network; unless a fault has to be fixed physically, they generally do not need to come in person.
The connection to Miss Li went through QQ, and QQ is where the problem lay.
As a security professional he naturally knew the importance of a password, so his was set very complicated; exhaustive guessing was all but impossible, and an intrusion even less likely. He also reasoned that if he could not protect his own important computer, what qualification did he have to protect anyone else's? But even a hundred precautions leave one gap: he never imagined that the opponent could easily obtain his password through the "retrieve password" function and then contact Miss Li... (Figure 2) When he filled in the answer to the hint question, he unthinkingly typed the name of the most important person in his heart. The opponent, however, also knew the name of that person, which is the so-called "know yourself and know your enemy" of the trade. And so the nightmare began...
Nowadays many network tools, forums and the like provide a "retrieve password" function, and most implementations decide whether to hand over the password by checking whether the user's answer to a confirmation question matches the preset answer. This leaves a psychological security hole. Most people enter their own name, the name of a relative or loved one, a favourite figure, a special date, an ID document number and so on, and once a thief or someone with a special interest has studied the user, such data is easily obtained. At that point, however complex the password is, it is as good as no password at all.
On the other hand, the hint answer should not be set too complicated either. The author once changed the QQ hint answer and broke into a sweat because he could not even remember it himself.
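As an added illustration (my own Python, not code from the article or from QQ/Tencent), here is the "retrieve password" pattern the preceding paragraphs criticise, placed beside a token-based reset flow. The account record, the hint answer "xiaohua", the strong password and the 15-minute token lifetime are constructed assumptions. The point is that recover_by_hint bypasses the strong password entirely, because the account is only as strong as the guessability of the answer, while request_reset and redeem_reset depend on a random, hashed, expiring, single-use token rather than on anything about the user that other people might know.

```python
import hashlib
import hmac
import secrets

# Constructed demo account, not from the article. A real system would hash
# passwords with a slow KDF (bcrypt/scrypt/argon2); plain SHA-256 is used here
# only to keep the example short and dependency-free.
def _h(s: str) -> str:
    return hashlib.sha256(s.encode("utf-8")).hexdigest()

USERS = {
    "maintainer": {
        "password_hash": _h("X7#kq!Lp2@zR9v"),  # long random password: exhaustion is hopeless
        "hint_question": "Name of the most important person in your life?",
        "hint_answer": "xiaohua",                 # assumed value; anyone who knows him can guess it
        "reset_token_hash": None,
        "reset_token_expiry": 0.0,
    }
}

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset token


def login(user: str, password: str) -> bool:
    return hmac.compare_digest(USERS[user]["password_hash"], _h(password))


def recover_by_hint(user: str, answer: str, new_password: str) -> bool:
    """The 'retrieve password' pattern the article describes: whoever can
    answer the preset question gets to set a new password. The strength of
    the real password is irrelevant here."""
    rec = USERS[user]
    if answer.strip().lower() != rec["hint_answer"]:
        return False
    rec["password_hash"] = _h(new_password)
    return True


def request_reset(user: str, now: float) -> str:
    """Hardened alternative: a high-entropy, single-use, short-lived token,
    assumed to be delivered out of band (e-mail or SMS). Only its hash is
    stored, so a leaked database does not leak usable tokens."""
    rec = USERS[user]
    token = secrets.token_urlsafe(32)
    rec["reset_token_hash"] = _h(token)
    rec["reset_token_expiry"] = now + TOKEN_TTL_SECONDS
    return token


def redeem_reset(user: str, token: str, new_password: str, now: float) -> bool:
    """Accept the token only if one is outstanding, it has not expired and it
    matches in constant time; then invalidate it so it cannot be replayed."""
    rec = USERS[user]
    stored = rec["reset_token_hash"]
    if stored is None or now > rec["reset_token_expiry"]:
        return False
    if not hmac.compare_digest(stored, _h(token)):
        return False
    rec["reset_token_hash"] = None  # single use
    rec["password_hash"] = _h(new_password)
    return True


if __name__ == "__main__":
    print("hint answer alone resets the strong password:",
          recover_by_hint("maintainer", "Xiaohua", "attacker-chosen"))
    tok = request_reset("maintainer", now=0.0)
    print("guessed token accepted:", redeem_reset("maintainer", "guess", "x", now=0.0))
    print("real token accepted:", redeem_reset("maintainer", tok, "owner-chosen", now=60.0))
```

The hint-based path is kept only to make the contrast concrete; in the token-based path the security of the reset rests on the secrecy of the delivery channel and the token's entropy, not on a fact about the user's life.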
Third, waiting by the stump for rabbits in the e-age
Xiao Ma ("Pony") is a high-school student who, like most of his classmates, loves chatting on QQ. The pretty QQ Show and certain special services made it hard for him to let go, but all of this has to be paid for in real money. Although Xiao Ma liked QQ, he also knew how to count, and he would not put money into this virtual world; yet he still wanted a glorious QQ career, so he set his sights on ways of obtaining Q coins. One day a friend sent Xiao Ma a URL, saying the site gave out Q coins once a certain number of clicks had been reached. How could he pass up such a good opportunity? Following the website's prompts, he entered his QQ number and password to complete registration, then sent the URL to his friends on QQ. He waited a long time, but his Q coins never moved. The next day, when Xiao Ma went to log in to QQ, he found he could not: his QQ password had been changed. (Figure 3)
This is one of the recent QQ fraud cases, and even Tencent has had to issue a clarification: "There are currently many websites impersonating our company, offering Q coins or QQ number flags, that require users to enter a QQ number and password in a dialog box. The website address mostly contains the letters QQ, and clicking through brings up a page with an imitation QQ mascot image that plainly asks for a QQ number, password and verification code. At present these websites mostly defraud users for click-through rates, but they may well develop into a means of account theft in the future."
Since QQ is so deeply rooted in China, more and more people have designs on it. If using a Trojan to capture QQ passwords was the early method, then waiting for users to deliver their passwords to the door is the fashionable one today. In fact this method has been around for quite some time; if you frequent the larger forums you will have had the chance to meet a post like the following: "For convenient and fast management, Tencent has reserved a few dedicated management numbers for use as recharge numbers. These numbers read instructions automatically. So as not to attract everyone's attention, Tencent has made them look quite ordinary, and this QQ number is generally invisible. Just send {QQ number} {password} {number of Q coins}, then go offline for 5 minutes and wait to receive the Q coins." Big brother, are you joking?! Do you need a full 5 minutes to change my password? Really, you are just too bad! (Figure 4)
There are also the QQ "prize draw" scams that ask the user to enter a password for "verification", and so on. Whatever the method, the ending is the same: the user's password gets changed. Such idiotic scams are "jokes" that anyone with a little common sense can see through, yet strangely they keep working again and again, and the reason is that greed is something people are born with. The swindlers use this low-level deception that looks "very profitable", and people keep running headlong into the stump, one batch after another.
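To show what a user-side or gateway-side triage of the kind of site Tencent describes could look like, here is an added Python example of mine, not code from the article or from Tencent. It flags URLs whose host name contains the brand token but is not one of the assumed legitimate domains (qq.com and tencent.com, which is my assumption, not something the article states), bare-IP hosts, brand names that appear only in the path of an unrelated domain, and credentials passed in the query string. The sample URLs are constructed and use reserved .example names and TEST-NET addresses.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed legitimate domains for the impersonated brand (my assumption).
LEGIT_DOMAINS = {"qq.com", "tencent.com"}
BRAND_TOKENS = ("qq", "tencent")
CREDENTIAL_PARAMS = {"password", "passwd", "pwd", "pass"}


def registrable_domain(host: str) -> str:
    """Last two labels of the host name. A simplification: it ignores
    multi-label public suffixes such as .com.cn; a real tool would use the
    Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_host(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess_url(url: str) -> list:
    """Return the reasons a URL looks like a brand-impersonating credential
    harvesting page; an empty list means nothing was flagged."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["no_host"]
    reasons = []
    ip_host = is_ip_host(host)
    if ip_host:
        reasons.append("ip_address_host")
    domain = registrable_domain(host)
    legit = domain in LEGIT_DOMAINS
    # Brand word in the host name, but the registrable domain is not the brand's.
    if not ip_host and not legit and any(tok in host for tok in BRAND_TOKENS):
        reasons.append("brand_in_lookalike_host")
    # Brand word used only in the path/query of an unrelated site.
    path_and_query = (parts.path + "?" + parts.query).lower()
    if not legit and any(tok in path_and_query for tok in BRAND_TOKENS):
        reasons.append("brand_in_path")
    # Credentials carried in the query string.
    query_keys = {kv.split("=", 1)[0].lower() for kv in parts.query.split("&") if kv}
    if query_keys & CREDENTIAL_PARAMS:
        reasons.append("credential_in_query")
    return reasons


# Constructed sample URLs (reserved names/addresses, not real sites).
SAMPLE_URLS = [
    "https://im.qq.com/",
    "http://qq-coins.example/register?qq=12345",
    "http://192.0.2.10/qq/login",
    "http://free-gift.example/qqshow/?user=a&password=b",
]


def triage(urls) -> dict:
    """Map each URL to its list of reasons so a reviewer sees them side by side."""
    return {u: assess_url(u) for u in urls}


if __name__ == "__main__":
    for url, reasons in triage(SAMPLE_URLS).items():
        print(url, "->", reasons or "ok")
```

The heuristics are deliberately simple; their value is in turning the advice "look at the address" into a mechanical check that does not depend on the user's mood or greed at the moment a link arrives.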
China's peculiar QQ tail viruses have also begun to incorporate the rudiments of social engineering. Previously, a QQ tail's way of spreading was to randomly send some inexplicable addresses; now QQ tails have become "intelligent": after a chat sentence they append a "supplement" or a sentence related to the current chat content, and the other party, reacting instinctively, often opens the virus website. (Figure 5)
Beyond QQ, other resources on the network can also be searched out, such as bank accounts, ID card numbers, birthdays, names and contact addresses. Do not imagine that leaking this information brings no serious consequences; on the contrary, it provides criminals with important intelligence. A college student, Zhang, ran into a network trap: when registering as a member of a city website he found the information demanded was abnormal, ranging from his name and home address to his income, supposedly so that free information could be sent to members. Less than a week later his family phoned to ask whether Zhang had damaged school property, because someone had called Zhang's family telling them to remit money to an account to compensate for "the teaching equipment Zhang destroyed". Zhang reacted quickly and immediately reported the case.
Roaming the network, we need a registered ID in different places, and when registering we have to fill in the relevant information as required. But there is a flaw here: a criminal can forge a registration page that imitates the original down to the last detail, and from the many users who believe it he harvests exactly these details; with them in hand, the criminal can do things. Some so-called mobile number or mailbox services exploit users' curiosity to open up the user's mailbox or mobile phone to advertising spam; some websites use a "mobile phone service survey" to steal mobile phone charges, which can only be described as rampant.
Beware! Be alert! Otherwise you are just another batch of rabbits breaking their necks on the stump. What can we rely on? Greed and curiosity can be fatal!
Fourth, an easy intrusion
Mr. Wang is a bank employee, and his bank offers online services. For convenience, Mr. Wang usually completes transfer operations directly over the network. Since his computer skills are not high, not long ago his machine was broken into by a beginner intruder. After a professional had repaired the system and changed the password, Mr. Wang logged in to online banking again, but a moment later he broke into a cold sweat: he could not get into his online banking account! Deeply alarmed, Mr. Wang went to the bank to go through the relevant procedures and found that the money in his account had been taken.
Why did Mr. Wang suffer this bad luck? He had not logged in to online banking while the intruder was inside; in fact it was the intruder's clumsy operation causing an error that let Mr. Wang discover the intrusion, so the intruder had no opportunity to record Mr. Wang's bank password. So who got into Mr. Wang's account?
The answer is very simple: the intruder. Mr. Wang made a fatal mistake that most people make. For ease of memory, people usually set only a few passwords for QQ, e-mail, FTP, websites and so on, and Mr. Wang went one step further and made all of his passwords the same. So once the intruder had obtained the machine's login password, he had the online banking password as well.
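The password-reuse habit that undid Mr. Wang, together with the weak, guessable choices the article points to (birthdays, names, document numbers, plain digit strings), can be checked on one's own machine before an intruder does it. The following Python is an added example of mine, not from the article: weak_reasons explains why a single password is risky, and find_reuse groups the accounts that share a password. The account list mirroring Mr. Wang's situation, the 12-character minimum and the short common-password list are constructed assumptions.

```python
import datetime
from collections import defaultdict

# Constructed short list; a real check would consult a large breached-password corpus.
COMMON_WEAK = {"123456", "password", "111111", "qwerty", "abc123", "123123", "000000"}
MIN_LENGTH = 12  # assumed policy


def date_like(pw: str) -> bool:
    """True for pure-digit strings that parse as YYYYMMDD or YYMMDD (birthdays)."""
    if not pw.isdigit():
        return False
    for fmt in ("%Y%m%d", "%y%m%d"):
        try:
            datetime.datetime.strptime(pw, fmt)
            return True
        except ValueError:
            pass
    return False


def weak_reasons(pw: str, personal: dict) -> list:
    """personal maps a label (name, birthday, id_number, phone, ...) to the value
    the article says people lean on. Returns [] when nothing is flagged."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too_short")
    if pw.lower() in COMMON_WEAK:
        reasons.append("common_password")
    if pw.isdigit() or pw.isalpha():
        reasons.append("single_character_class")
    if date_like(pw):
        reasons.append("date_like")
    low = pw.lower()
    for field, value in personal.items():
        v = str(value).lower()
        if len(v) >= 3 and v in low:
            reasons.append("contains_personal:" + field)
    return reasons


def find_reuse(accounts: dict) -> dict:
    """accounts maps service name -> password, as a user would list them on
    their own machine. Returns {password: [services]} for every password that
    more than one service shares: one leak there is a leak everywhere."""
    by_pw = defaultdict(list)
    for service, pw in accounts.items():
        by_pw[pw].append(service)
    return {pw: svcs for pw, svcs in by_pw.items() if len(svcs) > 1}


# Constructed data mirroring the article's scenario (not Mr. Wang's real details).
WANG_PERSONAL = {"name": "Wang", "birthday": "19800512"}
WANG_ACCOUNTS = {
    "qq": "wang19800512",
    "email": "wang19800512",
    "ftp": "wang19800512",
    "online_bank": "wang19800512",
}


def audit(accounts: dict, personal: dict) -> dict:
    """Per-service weakness reasons plus the reuse groups, in one report."""
    return {
        "weak": {svc: weak_reasons(pw, personal) for svc, pw in accounts.items()},
        "reused": find_reuse(accounts),
    }


if __name__ == "__main__":
    report = audit(WANG_ACCOUNTS, WANG_PERSONAL)
    for svc, reasons in report["weak"].items():
        print(svc, "->", reasons or "ok")
    for pw, svcs in report["reused"].items():
        print("same password on:", ", ".join(svcs))
```

The report is intentionally local: it never sends passwords anywhere, and the reuse check needs only the user's own list, which is exactly the situation in which the habit can still be corrected before a machine compromise turns one password into all of them.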
It is precisely this general psychological trait that makes victims hand intruders the whole pot: one password leaks, and all passwords have leaked. (Figure 6) For ease of memory, people also set passwords to simple strings of digits or letters, birthdays, names, document numbers and the like, so once an intruder has tricked some information out of the victim, the victim's nightmare is usually not far off. Most scanners provide a set of simple password combinations for password probing, the so-called "weak passwords"; taken individually such probing may or may not turn up the password, but its overall success rate is very high, because simple passwords and reused passwords are psychological weaknesses that most people share! (Figure 7)

Fifth, conclusion
After reading this article, are you feeling a little uneasy? If any of the above describes you, please change it as soon as possible. Social engineering may look like simple deception, but it also involves complex psychological factors, and its dangerousness is far greater than that of direct technical intrusion. Technical intrusion can be guarded against, but who can stay vigilant against psychological vulnerabilities? Without doubt, social engineering will be an important battleground of future intrusion and counter-intrusion.