Social engineering and license hijacking: experts talked about trends in cyber fraud in 2021

Carding Forum

During a press briefing, experts spoke about the most popular cyber fraud schemes in Ukraine and presented an educational game on the topic of payment security

This year, cyber fraudsters most often used social engineering to commit illegal actions with users' payment cards. That is, they misled citizens by any means so that the victims would voluntarily disclose their personal data, card details, bank codes and mobile-operator passwords, or make a transfer in the fraudsters' favor. Believe it or not, 76% of users who encounter fraud disclose their card details themselves. And this despite the fact that 77% know that card details, bank codes and other financial information should not be disclosed to anyone.

Experts spoke about this during a press briefing on the problem of cyber fraud with payment instruments in Ukraine and the launch of the online game "Zdolay Shakhraia!" The event was attended by leading experts from the National Bank of Ukraine, the USAID Financial Sector Transformation Project, representatives of online services, etc.

As Olesya Danilchenko, Deputy Director of the Ukrainian Interbank Association of EMA Payment Systems Members, said, in the second quarter of 2020 the number of social engineering cases continued to grow: they account for 71% of cyber fraud. At the same time, the share of ATM fraud decreased from 29% in the first quarter to 16% in the second, and the share of fraud with POS terminals and RBS systems remains stable at 8% and 5%, respectively (versus 6% and 6% in the first quarter) ...

The average amount of a fraudulent transaction using social engineering methods is now UAH 3,300, while the average amount of a fraudulent transaction on the Internet is UAH 195.

Another current type of fraud is the theft of a subscriber's financial number (the phone number used for banking). Pavel Daniman, Marketing Director of the mobile operator Kyivstar, spoke about this. He stressed the importance of not disclosing to anyone how you use your number (to log in to banking, confirm payment transactions, etc.). One way to prevent theft of a financial number is identification of the mobile operator's customers (in practice, this means becoming a contract subscriber).

Every day, 1-2% of Ukrainians encounter cybercriminals by phone, e-mail, in online stores, online lending services, on online platforms, etc. Therefore, it is very important to conduct explanatory work among citizens. To this end, the Ukrainian Interbank Association of EMA Payment Systems Members, within the framework of a grant provided by the USAID Financial Sector Transformation Project, has developed an educational game on payment security, Zdolay Shakhraia!, the purpose of which is to raise awareness among young people about effective ways to protect their own information and the rules for the safe use of payment instruments and services.

"Zdolay Shakhraia!" is a simulation game in which players find themselves in simulated situations of various types of payment fraud and receive information about the consequences of their decisions, along with advice on identifying fraud and effective countermeasures in each situation. By clicking on a card with the image of a fraud monster, the player goes through one payment fraud scheme and learns its signs and the methods of protection against it. The game currently consists of 56 thematic parts that simulate various types of payment fraud: telephone, ATM and credit fraud, SIM card hijacking, fraudulent prize draws, surveys and online shopping, message board fraud, employment and online earnings, tourism and entertainment, phishing, malware, ransomware, gaming scams, etc.

The National Bank of Ukraine also joined in promoting and supporting the game. In July of this year, the regulator launched a large-scale information campaign, #ShakhraiGudbay. The aim of the campaign is to help Ukrainians learn the basic rules of payment security. "The game 'Zdolay Shakhraia!' from the EMA Association became the highlight of the campaign," Lesya Voytitskaya, Head of the Public Relations and Financial Awareness Department of the NBU, said at the press conference. According to her, the National Bank expected a significant increase in payment fraud during the quarantine in Ukraine, since Ukrainians began to make payment transactions on the Internet more often. In the first half of the year, 27 banks (40% of all banks in Ukraine) reported suspicious transactions using payment cards totaling UAH 86.4 million. For comparison, a year earlier the same indicator was 72.
 

Explaining the basic principles of social engineering.


Hello. Almost all articles on social engineering describe some specific case from dubious practice. In this article I will try to focus the reader's attention on the fundamentals: how the brain works when making a decision, how to influence that decision, and what technologies can automate the process, describing everything in accessible words and referring to scientific research ...

There will be no specific examples of applying the material from this article (but I will think about it if I see feedback). We will consider an abstract problem (a question, an action, it does not matter) that has two possible outcomes. This could be, for example, launching a file, disclosing information, coming to believe something, etc.

How is decision making formed?

To date there is no definitive answer, but ongoing research suggests that the striatum is what is actually responsible for making the decision. It is a structure located deep in the brain. In addition to making the decision, the striatum triggers certain behaviors (to achieve a result).

At the same time, although it is divided into three parts, all of them take part in decision-making, at different time intervals. That is, the parts interact with each other rather than acting independently. At this moment, what is usually called situation analysis takes place: the individual weighs which decision should be made based on two factors, life experience (the rational half) and emotions (desires, instincts).

Experience or desire? Formation of priorities when making decisions

The analysis process should not be regarded as a confrontation between the rational and the emotional, although in some cases it outwardly looks exactly like that (for example, the purchase of expensive electronics by a person who clearly cannot afford it but wants to raise his status in the eyes of others). Rather, this process can be seen as generating a certain number of pros and cons on both sides. And here it is necessary to dwell in detail on why these "pros" and "cons" arise. Surely many of you know Maslow's pyramid of needs.

Starting from this pyramid, you can see that in some cases the decision is determined by the person's needs. For example, trying to convince someone to pay a huge amount for a cheap product makes no sense if that person does not have a penny to his name.

On the other hand, Maslow's pyramid would be an ideal model of human behavior if a person made decisions based only on needs. But the fact remains that a person does not always (almost never) make a decision consciously. Instincts and emotions play a significant role. So, for example, the same person may take a loan from a bank just to get your product (the instinct of dominance over other individuals). Or he may simply give you money if there is a strong emotion that compels him to do so, for example pity.

Unfortunately, as a rule, influencing the rational part will not work (unless it is a lie, or is combined with influence on something else). The most interesting methods of interaction involve pressure either on emotions or on the animal nature of a person.

There is one interesting study whose essence is that an individual experiences pleasure not only at the moment of receiving a reward but also on the way to achieving it. Here it is appropriate to recall the various stories of brainwashing on the subject of financial pyramids, giving up acquired property for the sake of one's spirituality, etc. Let's take a closer look at this situation (brainwashing by some sect).

The person was convinced that he needed it, as a rule by acting on his emotions. He was told how bad everything is in his current situation; his "eyes were opened". Such brainwashing gains special weight if it is backed up by pseudo-facts or by the statements of authoritative people (scientists, thinkers, etc.). The fact is that a human is a social being, and for a society the presence of a leader whose words are heeded is a normal phenomenon. These connections formed in our minds long ago and helped us survive: the leader took responsibility and distributed resources within the group for more productive work.

Accordingly, the leader's opinion was listened to. The mechanism is much the same as how digital certificates work: everything is based on trust. And now the person listens to all this, "trust" in what he is being fed begins to outweigh his own experience, pressure is exerted on his emotions (his self-esteem has dropped, because everything he did turns out to be "wrong"), and his opinion changes. This despite the seemingly obvious point that by giving away material values he actually exposes himself to additional danger. Why does this happen?

Against the background of emotional pressure, new goals are instilled in the person (everything is bad now, but everything can be changed). And at this moment the brain begins to stimulate the body to achieve these goals. Dopamine is released, the neurotransmitter responsible for what is called "motivation": a certain indicator of what efforts a person will make to achieve goals (in this case, imposed ones). As a result, contrary to logic, the person finds himself on the street for the sake of some higher purpose, and is only glad of his "freedom from the material", despite the direct harm to his body (physiological needs in terms of Maslow's pyramid).

Influence on the decision from the outside

Now let's talk about what conclusions can be drawn from the story above. First, influencing the rational part of the brain almost always makes no sense. For example, if you are trying to convince a person to invest in your cryptocurrency, you will hardly manage it with numbers alone. The human brain will always prefer the "here and now" reward to some dubious prospect; in this case, "here and now" is the person's capital, and the prospect is dubious because the person's level of trust in you is not high enough.

But it is enough to give an example of successful investments, talk about how promising these technologies are and how the future belongs to cryptocurrencies, and the person immediately begins to paint a colorful picture of potential profit in his head (after all, there have already been successful examples), supplementing it with various emotions. In this case the feeling of anticipation will only further stimulate him.

Further, there are several interesting tricks, again based on the social component of consciousness:
  • Rendering a service to a person makes him more willing to make contact; a sense of obligation arises (it will not be pronounced, of course, but his attitude towards you shifts upwards from zero).
  • Asking for help (even a small favor) contributes to the same thing. A person unconsciously places himself above the one he has helped (after all, he was the one asked). In addition, the need for recognition is satisfied and self-esteem grows. This phenomenon is called the Benjamin Franklin effect.
  • Targeted work on one person takes longer than working through a large base of people. That is, the reader should understand that getting what you want from a particular person is not a quick task. This is especially familiar to those who have dealt with industrial espionage. On the other hand, if the reader goes for quantity, the percentage yield is small, but results come significantly faster. Each method has a right to exist.
  • Learn to listen. This is especially true when communicating with one person. Often, unwillingness or inability to understand the interlocutor is the main mistake. When working with a large group of people, it is necessary to understand its needs, interests, etc. (the common traits by which people were united into a group). After all, they are all people one way or another, with a basic set of physiological needs.
  • Do not keep pressing on the rational part and on emotions if an attempt has returned a negative result on both sides. Let me explain: a person wants to trigger a certain model of behavior in another person. If both logic and emotions are against this, it is better to retreat immediately and try a different way, since the chance of aggravating the situation rises rapidly.
  • Go beyond the expected behavior. When interacting with any object there has been prior experience with, the brain forms an expected pattern of behavior. Going beyond this template puts the rational part into a stupor, and it becomes easier to influence emotions. But everything is good in moderation, because any living creature treats everything new with caution (the instinct of self-preservation is triggered).
  • Collect as much information as possible about the person before taking any action. Pay special attention to this: act (directly or not) only when you are confident that no more information can be collected and all of it has been analyzed and structured.

The use of technical means when influencing the decision

The most important tool, banal as it sounds, is your own intellect. Despite attempts to describe models of human behavior in various situations, nothing closer to a solution than the human brain itself has yet been created. Most computer models are aimed at some narrow area with stereotyped behavior, whereas the brain is able to abstract away from the specific, and in terms of the speed of interpreting and assimilating new information there is no faster means.

As for purely technical means, these are, of course, search engines and social networks. This has already been mentioned many times in various materials. People share information about themselves for various purposes (self-identification in society, commercial interests, etc.). All of this can be used at a minimum for collecting information and at a maximum for manipulation. Also:
  • Don't forget to look at file metadata. It can contain a lot of interesting information (author and last-editor names, machine or template names, software versions, creation and edit dates).
  • Some pages may no longer be accessible, but the web archive usually remembers everything;
  • Finally, use parsers. Almost any amount of information can be obtained and analyzed with any programming language and a curl wrapper for that language. Also, do not forget that any social service provides its own API for convenience;
  • Compromising a person's mobile device is almost a 100% option for gaining access to all of his private information.
  • Follow research and discoveries. Psychology is good, but it only reveals a pattern and does not explain a phenomenon.
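A worked example of the file-metadata point above, added here and not part of the original article: a small Python script that pulls the author, last-editor, company, template and timeline fields out of an Office Open XML document (.docx/.xlsx/.pptx) using only the standard library. It builds a minimal sample document in memory (a constructed sample with made-up names such as i.petrenko, Finance-PC03 and Example Bank JSC) so it runs offline; to use it for real, pass extract_ooxml_metadata the bytes of a downloaded document instead. It also shows what a document scrubbed with Word's "Remove personal information" looks like, so that an all-None result is read as a signal rather than as a parser failure.

```python
"""Pull identity and timeline metadata out of an Office Open XML document.

Added example (not from the original post). The docProps/core.xml and
docProps/app.xml parts of a .docx/.xlsx/.pptx record who created and last
edited the file, on which template, with which application, and when; all
useful to an OSINT collector before any contact with the target.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# XML namespaces used by the OOXML property parts (ECMA-376 Part 2).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Fields that most often leak usernames, hostnames, tooling and a timeline.
CORE_FIELDS = {
    "title": "dc:title",
    "creator": "dc:creator",
    "last_modified_by": "cp:lastModifiedBy",
    "revision": "cp:revision",
    "created": "dcterms:created",
    "modified": "dcterms:modified",
}
APP_FIELDS = {
    "application": "ep:Application",
    "company": "ep:Company",
    "template": "ep:Template",
    "total_edit_minutes": "ep:TotalTime",
}


def _text(root, path):
    """Return the stripped text of the first matching element, or None."""
    el = root.find(path, NS)
    return el.text.strip() if el is not None and el.text else None


def extract_ooxml_metadata(data: bytes) -> dict:
    """Return a dict of the fields above from the raw bytes of an OOXML file.

    Missing parts or empty elements yield None instead of raising: Word's
    "Inspect Document" cleanup keeps the core part but blanks the identity
    values, so a dict full of None is itself a sign the file was scrubbed.
    """
    result = {key: None for key in (*CORE_FIELDS, *APP_FIELDS)}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if "docProps/core.xml" in names:
            root = ET.fromstring(zf.read("docProps/core.xml"))
            for key, path in CORE_FIELDS.items():
                result[key] = _text(root, path)
        if "docProps/app.xml" in names:
            root = ET.fromstring(zf.read("docProps/app.xml"))
            for key, path in APP_FIELDS.items():
                result[key] = _text(root, path)
    return result


def build_sample_docx(scrubbed: bool = False) -> bytes:
    """Constructed sample: the minimal zip layout Word writes for metadata.

    All names and dates are made up (hypothetical). With scrubbed=True the
    file looks like one that went through "Remove personal information":
    the identity fields in the core part are blank and the app part is gone.
    """
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        "<dc:title>Q3 budget</dc:title>"
        "<dc:creator>{creator}</dc:creator>"
        "<cp:lastModifiedBy>{editor}</cp:lastModifiedBy>"
        "<cp:revision>17</cp:revision>"
        '<dcterms:created xsi:type="dcterms:W3CDTF">2021-03-02T09:14:00Z</dcterms:created>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2021-03-18T16:41:00Z</dcterms:modified>'
        "</cp:coreProperties>"
    ).format(creator="" if scrubbed else "i.petrenko",
             editor="" if scrubbed else "Finance-PC03", **NS)
    app = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Properties xmlns="{ep}">'
        "<Application>Microsoft Office Word</Application>"
        "<Company>Example Bank JSC</Company>"
        "<Template>Normal.dotm</Template>"
        "<TotalTime>312</TotalTime>"
        "</Properties>"
    ).format(**NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("docProps/core.xml", core)
        if not scrubbed:
            zf.writestr("docProps/app.xml", app)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("sample", build_sample_docx()),
                        ("scrubbed", build_sample_docx(scrubbed=True))):
        print(f"--- {label} ---")
        for key, value in extract_ooxml_metadata(blob).items():
            print(f"{key:>20}: {value}")
```

The same core.xml/app.xml layout is shared by .xlsx and .pptx, so the extractor works on those unchanged. The last-editor field is frequently a Windows username or a machine name rather than a real name, and the gap between created and modified plus TotalTime gives a rough picture of how the target works; PDFs carry similar fields in their Info dictionary and XMP block but need a different parser.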
There is also a must-read book partly on this topic: "Thinking, Fast and Slow" by D. Kahneman. This man has spent 40 years analyzing the way people think and their behavioral psychology; a tremendous body of work.

After all, there are two main approaches in this area: studying the problem from the physiological point of view (which parts of the cortex are activated at one moment or another, etc.) and from an abstract one (how the brain reacts to a given phenomenon). This is analogous, by the way, to black-box testing versus code analysis.

This book covers the second point.

The author describes at what moments our brain "slacks off" and we make wrong or irrational decisions (not necessarily by giving in to emotions). All these examples can be memorized as facts and used for any purpose: to avoid being fooled, to think inferences through thoroughly, or to use them against others.

It is like when our brain perceives an optical illusion differently from reality: even if the secret is revealed to us that it is just an illusion, we will still see what we see.

Let me give you an example:

The book describes the so-called anchoring effect, when we unconsciously include recently received data in our analysis, inferences and conclusions.

For example, if we approach a person and ask how long it will take to get to such-and-such a street, we will hear a relatively accurate answer, say 40 minutes (provided that he knows, and that no one has approached him recently). If instead we ask "can I reach this street in 10 minutes?", the figure we get in reply will be quite close to our own number and much less accurate in reality (something like "you will reach this street in 20-30 minutes").

After reading the book I myself began to pay attention to such things in real life, often even on purpose: when communicating with someone I would use some non-everyday word or term, which then slipped into my interlocutor's speech (he did not seem to deliberately adopt my vocabulary, that is, the information I gave him when I expressed my thoughts).

This is just one of dozens of points that are described in the book and that can be used in social engineering when trying to influence a particular person.