Ethical Hacking 简明教程

Ethical Hacking - Social Engineering

让我们通过一些示例来了解社会工程攻击的概念。

Let us try to understand the concept of Social Engineering attacks through some examples.

Example 1

你一定注意到过公司将旧文件当作垃圾丢弃在垃圾桶中。这些文件可能包含一些敏感信息,例如姓名、电话号码、帐号、社保号码、地址等。许多公司的传真机仍使用复写纸,一旦卷纸用完,其复写纸就会被丢弃在垃圾桶中,可能会包含敏感数据的痕迹。虽然听起来不太可能,但攻击者可以轻易地从公司的垃圾箱中获取信息,方法是翻找垃圾。

You must have noticed old company documents being thrown into dustbins as garbage. These documents might contain sensitive information such as Names, Phone Numbers, Account Numbers, Social Security Numbers, Addresses, etc. Many companies still use carbon paper in their fax machines and once the roll is over, its carbon goes into dustbin which may have traces of sensitive data. Although it sounds improbable, but attackers can easily retrieve information from the company dumpsters by pilfering through the garbage.

Example 2

一个攻击者可能会和一个公司职员交朋友,并在一段时间内与其建立良好的关系。这种关系可以通过社交网络、聊天室在线建立,也可以在咖啡馆、操场上或通过任何其他方式进行线下建立。攻击者会取得公司职员的信任,并最终在不留任何线索的情况下获取所需的敏感信息。

An attacker may befriend a company personnel and establish good relationship with him over a period of time. This relationship can be established online through social networks, chatting rooms, or offline at a coffee table, in a playground, or through any other means. The attacker takes the office personnel in confidence and finally digs out the required sensitive information without giving a clue.

Example 3

一个社会工程师可能会通过伪造身份识别卡或者通过说服员工相信他在公司的职位来冒充一个员工或合法用户或 VIP。这样的攻击者可以获得对受限区域的物理访问权限,从而为攻击提供更多机会。

A social engineer may pretend to be an employee or a valid user or an VIP by faking an identification card or simply by convincing employees of his position in the company. Such an attacker can gain physical access to restricted areas, thus providing further opportunities for attacks.

Example 4

在大多数情况下,攻击者可能会在你周围,而且在你输入用户 ID 和密码、帐户 PIN 等敏感信息时会执行 shoulder surfing

It happens in most of the cases that an attacker might be around you and can do shoulder surfing while you are typing sensitive information like user ID and password, account PIN, etc.

Phishing Attack

网络钓鱼攻击是一种基于计算机的社会工程,攻击者会制作一封看起来合法的电子邮件。此类电子邮件看起来和感觉与从原始网站接收的电子邮件一样,但它们可能包含指向虚假网站的链接。如果你不够聪明,那么你就会输入你的用户 ID 和密码并尝试登录,这样将会导致失败,而那时,攻击者已经得到了你的 ID 和密码来攻击你的原始帐户。

A phishing attack is a computer-based social engineering, where an attacker crafts an email that appears legitimate. Such emails have the same look and feel as those received from the original site, but they might contain links to fake websites. If you are not smart enough, then you will type your user ID and password and will try to login which will result in failure and by that time, the attacker will have your ID and password to attack your original account.

Quick Fix

  1. You should enforce a good security policy in your organization and conduct required trainings to make all the employees aware of the possible Social Engineering attacks and their consequences.

  2. Document shredding should be a mandatory activity in your company.

  3. Make double sure that any links that you receive in your email is coming from authentic sources and that they point to correct websites. Otherwise you might end up as a victim of Phishing.

  4. Be professional and never share your ID and password with anybody else in any case.