Social Engineering Principles

admin, 2023-12-23 01:32:09



Social engineering works so well because we are human. Social engineering attacks are built around particular aspects of human nature and exploit them. Not every target succumbs to every attack, but most of us are vulnerable to one or more of the following common principles.


Authority

Authority is an effective technique because most people are likely to respond to authority with obedience. The trick is to convince the target that the attacker is someone with valid internal or external authority. Some attackers claim their authority verbally, and others assume authority by wearing a costume or uniform.

An example is an email sent from a spoofed CEO address informing staff that they must visit a specific Uniform Resource Locator (URL)/Uniform Resource Identifier (URI) to fill out an important HR document. The method works when victims blindly follow instructions that claim to come from a person of authority, without verifying the sender through a channel the attacker does not control.


Intimidation

Intimidation can be seen as a derivative of the authority principle. It uses authority, confidence, or even the threat of harm to motivate someone to follow orders or instructions. Intimidation often exploits uncertainty in situations where no clear procedure or expected response has been defined.

An example is extending the CEO/HR document email above with a statement that employees will face a penalty if they do not fill out the form promptly. The penalty could be the loss of casual Friday, exclusion from Taco Tuesday, a reduction in pay, or even termination.


Consensus

Consensus or social proof is the act of taking advantage of a person’s natural tendency to mimic what others are doing or are perceived as having done in the past. For example, bartenders often seed their tip jar with money to make it seem as if previous patrons were appreciative of the service. As a social engineering principle, the attacker attempts to convince the victim that a particular action or response is necessary to be consistent with social norms or previous occurrences.

An example is an attacker claiming that a worker who is currently out of the office promised a large discount on a purchase and that the transaction must occur now with you as the salesperson.


Scarcity

Scarcity is a technique used to convince someone that an object has a higher value because it is scarce. The scarcity may be real or manufactured: only a few items were produced, the opportunity is limited, or most of the stock has already been sold and only a few items remain.

An example is an attacker claiming that only two tickets are left for your favorite team's final game and that it would be a shame if someone else enjoyed the game instead of you. If you don't grab them now, the opportunity will be lost. This principle is often paired with the principle of urgency.


Familiarity

Familiarity or liking as a social engineering principle attempts to exploit a person’s native trust in that which is familiar. The attacker often tries to appear to have a common contact or relationship with the target, such as mutual friends or experiences, or uses a facade to take on the identity of another company or person. If the target believes a message is from a known entity, such as a friend or their bank, they’re much more likely to trust in the content and even act or respond.

An example is an attacker using a vishing attack while falsifying the caller ID as their doctor’s office.


Trust

Trust as a social engineering principle involves an attacker working to develop a relationship with a victim. This may take seconds or months, but eventually the attacker attempts to use the value of the relationship (the victim’s trust in the attacker) to convince the victim to reveal information or perform an action that violates company security.

An example is a stranger who approaches you on the street and appears to pick up a $100 bill from the ground. They say that since you were both nearby when it was found, the two of you should split it, and ask whether you have change. Having asked you to hold the bill while they looked around for whoever dropped it, they have built enough trust that you are willing to hand over cash from your own wallet. Only later do you discover that the $100 was counterfeit and you have been robbed.


Urgency

Urgency often dovetails with scarcity, because the need to act quickly increases as scarcity indicates a greater risk of missing out. Urgency is often used as a method to get a quick response from a target before they have time to carefully consider or refuse compliance.

An example is an attacker using an invoice scam through business email compromise (BEC) to convince you to pay an invoice immediately because either an essential business service is about to be cut off or the company will be reported to a collection agency.
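The spoofed-CEO HR email under Authority and Intimidation and the BEC invoice scam above share a recognisable shape: a borrowed identity plus pressure language. The following added example (not code from the original article) triages a raw email for exactly those cues: an executive's display name on an address that is not theirs, a Reply-To that diverges from From, urgency or intimidation phrases, and an embedded link. The internal domain, the executive directory and the three sample messages are all constructed for the demonstration.

```python
"""Heuristic triage of an inbound e-mail for the authority, intimidation and
urgency pretexts described above.

Added example for this page, not code from the original article. The internal
domain, the executive directory and the three sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                      # hypothetical company domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}    # hypothetical CEO entry

URGENCY_PHRASES = ("immediately", "right away", "within the hour",
                   "before end of day", "urgent", "asap")
INTIMIDATION_PHRASES = ("penalty", "disciplinary", "termination",
                        "reported to", "collection agency", "cut off")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _plain_text(msg) -> str:
    """Return the text/plain body, descending into multipart messages."""
    if msg.is_multipart():
        for part in msg.walk():
            if part.get_content_type() == "text/plain":
                return part.get_payload()
        return ""
    return msg.get_payload()


def analyse(raw: str) -> dict:
    """Return the triggered heuristics and a verdict of 'suspicious' or 'ok'."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    text = _plain_text(msg).lower()

    key = name.strip().lower()
    # Authority pretext: a known executive's name on an address that is not theirs.
    impersonation = key in EXECUTIVES and addr.lower() != EXECUTIVES[key]
    external = bool(addr) and _domain(addr) != INTERNAL_DOMAIN
    # Common BEC tell: replies are silently routed to a different mailbox.
    reply_mismatch = bool(reply_to) and reply_to.lower() != addr.lower()
    urgency = any(p in text for p in URGENCY_PHRASES)
    intimidation = any(p in text for p in INTIMIDATION_PHRASES)
    has_link = re.search(r"https?://", text) is not None

    findings = [label for flag, label in (
        (impersonation, "executive display name on a non-corporate address"),
        (external, "sender is external"),
        (reply_mismatch, "Reply-To differs from From"),
        (urgency, "urgency language"),
        (intimidation, "intimidation language"),
        (has_link, "contains a link"),
    ) if flag]

    # Pressure alone is normal business mail; pressure plus a borrowed identity is not.
    pressure = urgency or intimidation
    suspicious = (impersonation
                  or (reply_mismatch and pressure)
                  or (external and pressure and has_link))
    return {"findings": findings, "verdict": "suspicious" if suspicious else "ok"}


# Constructed sample 1: the spoofed CEO / HR form pretext with a penalty threat.
SPOOFED_CEO = """\
From: Jane Doe <jane.doe@example-hr-portal.com>
Reply-To: jane.doe@example-hr-portal.com
To: staff@example.com
Subject: Action required: HR compliance form
Content-Type: text/plain

Everyone must complete the HR form at https://example-hr-portal.com/form
before end of day. Staff who do not complete it immediately will face a penalty.
"""

# Constructed sample 2: BEC invoice scam with a diverted Reply-To and a collections threat.
BEC_INVOICE = """\
From: Accounts <billing@acme-supplies.com>
Reply-To: payments@acme-supp1ies.com
To: ap@example.com
Subject: Overdue invoice
Content-Type: text/plain

Your invoice is overdue. Pay it immediately or the account will be
reported to a collection agency and service will be cut off.
"""

# Constructed sample 3: an ordinary internal note from the real executive address.
BENIGN = """\
From: Jane Doe <jane.doe@example.com>
To: staff@example.com
Subject: Friday all-hands
Content-Type: text/plain

Reminder that the all-hands is at 3pm on Friday in the main room.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed CEO", SPOOFED_CEO), ("BEC invoice", BEC_INVOICE), ("benign", BENIGN)):
        result = analyse(sample)
        print(f"{label}: {result['verdict']} {result['findings']}")
```

The verdict deliberately requires an identity cue together with a pressure cue: urgency phrasing by itself is ordinary business mail, and flagging it alone would bury the analyst in noise. In production the executive directory would come from the HR system and the display-name check should also catch look-alike spellings, which this keyword-only version does not attempt.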



Originally published on the WeChat public account 网络安全等保测评: Social Engineering Principles

Reposted on CN-SEC: https://cn-sec.com/archives/2326526.html
