The Social Engineer's Playbook Page 2
Pretexting
This form of social engineering often involves the attacker confronting the target face to face. Attackers often pretend to be service repair people (IT support or telephone) and use props (disguises, fake work orders or uniforms). They develop fictitious stories about how systems are down and emergency access to the data center is needed. With the anonymity that the Internet provides, one would assume this form of social engineering represents a small percentage of attacks. However, the truth is, it’s one of the forms of social engineering that is growing by leaps and bounds.
According to the 2012 Verizon Data Breach Investigation Report, social engineering incidents involving physical tactics made up 37 percent of all social engineering attacks. This metric is second only to telephone social engineering incidents, while noting a marked increase in these attacks from 2011.
Social engineering takes on many faces. Attackers take advantage of human behaviors to obtain access or steal information. As we’ve seen, social engineers often appear as unassuming or respectable authority figures and use fabricated stories and personalities.
The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers, by Kevin Mitnick
The Cuckoo’s Egg: Tracking a Spy, by Cliff Stoll
Liars & Outliers, by Bruce Schneier
Chapter 2: Influencing Techniques
The true power of social engineering is manifested when those wielding the knowledge to manipulate people succeed in influencing others into compliance. Many tactics and theories discussed in this book may be considered unethical in certain situations. However, the tactics examined here should be used for ethical purposes only.
In this chapter, we’ll examine several tactics used by social engineers to influence people through strategies such as reciprocity, authority, scarcity and others.
The following topics will be covered in this chapter:
Reciprocity
Authority
Scarcity
Likability
Concession and Obligation
Social engineering has adapted over the years to include aspects of technology, as demonstrated in the previous chapter. But at its core, technology is merely an instrument leveraged toward getting people to do things they might not otherwise do. The fuel that makes a social engineering attack possible is one’s own ability to influence people. That’s the true power of social engineering – manipulating people to do your will.
In this section, we are going to examine a few tactics for influencing others. The foundation for the tactics to follow has been borrowed, in part, from the evidence-based research conducted by Robert B. Cialdini. Dr. Cialdini is a leading author in the subject of influence and persuasion. His book, Influence: The Psychology of Persuasion is recommended for a thorough study on the art and science of persuasion.
Reciprocity
Reciprocity in social psychology refers to an intrinsic expectation that a positive action should be rewarded with another positive action. In essence, this creates a “something for something” situation. For example, you feel obligated to thank someone who holds the door open for you. When used in the right context, reciprocity can be a very effective and influential, yet easy, social engineering tactic to execute. However, reciprocity can render itself ineffective if the attacker acts as if they are owed a favor. Therefore, it is essential for the positive action to be given without strings attached and to be of decent value to the target.
One of the most fruitful ways of utilizing the reciprocity tactic is while trying to obtain physical access to a target location. This can be accomplished by hanging out in the smoker’s area and offering to light someone’s cigarette. It just may prompt someone to reciprocate the kind gesture by holding the door open for you. It’s also a very effective technique when trying to bypass a receptionist or guard desk.
Authority
From a young age, people are taught to respect parents, aunts, uncles, teachers, police and more. It is a principle that is instilled in all of us from early childhood and follows us through adulthood. Leveraging the authority tactic is effective when a social engineer is purporting to be a person of authority who holds power over the target, such as a CTO. Studies show that people are far more apt to follow instructions from a person with a position of authority, legitimate or otherwise. What’s more, the use of the authority tactic has even been found to be effective when the person of authority is not physically present.
Social engineers make heavy use of authority tactics by pretending to be executive management, vendors or business partners. The perceived notion of authority is all it takes for a target to forego their best judgment.
Before purporting to be an authority figure, be sure your client gives the okay. Also, please be aware of any legal implications of doing so, such as posing as a law enforcement officer.
Dr. Cialdini’s book mentions a few types of authority: legal, organizational and social. The legal type of authority is one typically used by government and law. While purporting to be a police officer during a social engineering test may be highly effective, it is also illegal. Therefore, this kind of activity is not advised and should be avoided at all costs.
As the name implies, organizational authority applies to someone at an organization that maintains some level of power, such as a C-level executive or a manager. Social engineers often leverage this type of authority to persuade less senior staff into compliance. It has been proven to be highly effective if the victim believes the attacker maintains some level of power over them.
Social authority is about perceived social status. The key word here is “perceived.” That is to say, individuals tend to react to situations of social authority based upon representations of authority rather than material authority. This type of authority can be used to apply peer pressure to a target while playing upon the target’s desire to be liked. It also plays on the victim’s desire to comply with the social authority, or leader, in the belief that obedience will likely benefit them.
Examples of social authority may be projected through one’s body language or one’s way of speaking, such as name-dropping of high-ranking individuals. Material things such as clothes and cars are also highly regarded social status indicators. Thus, they play a significant part in the establishment of social authority.
Scarcity
In social engineering, scarcity is used to create a situation, or a feeling of urgency, that pressures the target into making a quick and rash decision. Of course, the scarcity situation itself is fabricated by the social engineer, and the choices provided are not in the best interest of the target. The desired outcome is one that forces the target to go against their instinct and comply with the social engineer’s request.
One highly effective scarcity scheme in a social engineering campaign is to combine it with the authority tactic. For example, an attacker could fabricate a scenario whereby an individual has telephoned the company help desk with an urgent request. He or she is trying to give an important presentation but has been locked out of his or her account. The individual needs the account unlocked and the password changed to “password” immediately. For added benefit, the social engineer could leverage the authority tactic by purporting to be the company’s COO whose presentation happens to be for the board of directors.
Combining influencing tactics, such as authority and scarcity, can strengthen any social engineering campaign for maximum results.
Likability
Who doesn’t enjoy being liked? Most of us enjoy the feeling and tend to subconsciously reciprocate by liking the person back. It’s part of human nature, really. As a result, this is a powerful tool that social engineers exploit often. It should be noted, though, that it is not an easy tactic to pull off.
There are a few key items to consider when using this tactic. First of all, positive reinforcement is useful. Simple, yet tactful, compliments are effective. Saying something like “you’re beautiful!” is far too much. Complimenting someone on their voice, shoes, watch or car is effective yet still in the safe zone. When you compliment a target during his or her normal day, it may throw him or her off and create an awkward situation. To avoid that, always follow up a compliment with a simple question. This allows the target to accept the compliment and regroup or respond to you while avoiding any awkward silence. For example, “You have a pleasant accent. Where are you from?” Or, “That’s a great looking watch. May I ask where you bought it?”
It’s important to project a confident, upbeat demeanor. Doing so will positively impact any social engineering attempt. People like confident people and tend to find them socially attractive. Be careful not to project a cocky or arrogant attitude. Speak with an authoritative tone; yet be humble in your speech. Always wear a smile and dress nicely or wear situation-appropriate clothing. It is important to blend in with the surroundings. Speech should match the surroundings as well. For example, business style dialog is probably not appropriate for pool hall environments.
Naturally, the goal is to establish a rapport with the target. This can be accomplished through tactful compliments, a positive demeanor and a confident aura. People tend to like others who share the same thoughts and opinions, but people also like others who happen to look like them. No, it doesn’t mean you need to be their twin. What we are really talking about here is surface appearance. The style of dress should be situation appropriate and resemble, but not match, the target. Avoid standing out like a sore thumb. This sends an unwanted message that you’re different and instills an automatic sense of distrust or wariness in others.
We want to get the target to open up via conversation. This is an effective way to break down barriers, especially if the target is in a call center somewhere, where you can’t necessarily compliment them on their shoes. Depending upon the situation, it could be very difficult to get the target to engage in a conversation.
In my early years working on a help desk, I recall running on autopilot throughout the day. I devoted very little of myself to actual conversation. There is no limit to the number of things you can use to spark a conversation. In these situations, the real challenge is time. With a little creativity, topics as mundane as the weather can spark a conversation with any call center representative running on autopilot. Once they’re engaged, “Liking” strategies can begin.
Concession
Earlier in this chapter we discussed reciprocation and how it’s used to foster a quid pro quo situation. Concessions are somewhat similar but are a bit more direct and tricky to navigate. The root word of concession is concede. To concede is to acknowledge or make an admission of defeat. It also means to give away something, usually in a reluctant manner.
In the context of social engineering, a concession might involve a social engineer asking a victim for their social security number, expecting some resistance. The social engineer then lowers his expectation (cost) by saying the victim could instead visit a website and enter it him or herself. Because the social engineer conceded by lowering the “cost,” the victim feels compelled to oblige and meet halfway.
Concession tactics are a form of bargaining, whether the victim knows it or not. Of course, if this is apparent it may not sit well with the victim. They may sense something fishy and clam up. As a result, you may lose rapport and a position from which to negotiate.
To a social engineer, losing your credibility is detrimental. You may have only one chance at it and there’s no room to make a mistake. As I mentioned earlier, social engineering plans that involve concession strategies must be handled with tact. My advice is to use concession strategies sparingly and only when confidence is high.
Obligation
According to Wikipedia, obligation is defined as a course of action that someone is required to take as a result of a legal or social requirement. In the social engineering context, we generally refer to a situation where an attacker gives a target something of value. In turn, the target feels (socially) obligated to return the favor. It could be a kind gesture, information or a physical item of value to the target.
When using the obligation tactic, it must be carried out with a genuine demeanor. If the target thinks you expect something in return, he or she may resist. It’s important for the target to feel as if they are rewarding you by their own free will.
An example of an obligation tactic might be as simple as holding the door open for the target. It may start with a tasteful compliment. Either way, the obligation must be worth something to the target in order for them to reciprocate. Personally, I’ve found the best techniques begin with a compliment and lead into some level of personal conversation. By personal, I mean some topic the target feels a certain affinity toward. This might be sports, family, music, etc. The list goes on. What the target has an affinity toward is typically discovered during the information-gathering phase. Information gathering will be discussed in later chapters of this book.
Influence: The Psychology of Persuasion, by Robert B. Cialdini
What Every Body Is Saying: An Ex-FBI Agent’s Guide to Speed-Reading People, by Joe Navarro
The Art of Deception: Controlling the Human Element of Security, by Kevin Mitnick
Chapter 3: Elicitation
Government intelligence agencies as well as business intelligence collectors use elicitation tactics. Their role is to covertly obtain non-public information from their targets. Many of the tactics and theories discussed in this book may be considered unethical in certain situations. For that reason, the tactics examined here should be used for ethical purposes only.
In this chapter, we’ll examine several tactics used by social engineers to extract valuable information using strategies like: flattery, bracketing and artificial ignorance. Effective elicitation should be completely transparent to the victim and they may never know they were once a target.
The following topics will be covered in this chapter:
Flattery
False statements
Artificial ignorance
The sounding board
Bracketing and more…
According to the definition by the FBI, elicitation is a technique used to discreetly gather information. That is to say, elicitation is the strategic use of casual conversation to extract information from targets without giving them the feeling that they are being interrogated. Elicitation attacks can be simple or involve complex cover stories, planning and even co-conspirators. What is most important is that the elicitation attempt by the social engineer appears genuine to the target. Otherwise, the target may grow suspicious and become non-responsive.
Elicitation may seem stealthy and spy-like, but the truth is many of us have used it multiple times over the course of our lives. For example, have you ever tried to plan a surprise birthday party and needed to know the guest of honor’s schedule without letting them in on your plans? Have you ever tried to ask what your spouse wants for an anniversary gift without tipping them off?
Many intelligence agencies, law enforcement officers and military personnel use elicitation tactics during interviews and interrogations.
There are many techniques to elicit information from a target. Social engineers have found it useful to combine these techniques with other types of social engineering. The following is a brief list of just a few of those elicitation techniques.
Flattery
The use of flattery goes a long way in sweet-talking a target into giving up additional information. A statement such as, “You seem like a top-notch guy. I’ll bet you were the brains behind that project” is sometimes all that is needed to kick-start valuable elicitation. Flattery seems like an obvious tactic, but it has proven to be very effective when done skillfully.
Bragging is something that is frowned upon in the West. People are often proud of their achievements, but find little opportunity to share them due to the stigma. When we compliment a person, it generally opens the door for bragging. For example, after we compliment a target, he or she will likely feel compelled to elaborate on his or her involvement in a project. Even if he or she is downplaying the compliment, the target is talking about the subject and possibly giving up information. A good social engineer should exploit that opportunity by digging deeper.
An important note to mention is that exaggerated flattery about a target’s accomplishments rarely backfires. Because of the stigma attached to bragging, this usually compels the target to normalize their accomplishments to the attacker. This is good because it gets the target to open up. A chatty target can be a gold mine of information to a social engineer.
On the other hand, exaggerated flattery when referring to a target’s clothes or persona, for example, can be disastrous. This approach must be handled with tact. Sexual harassment or borderline sexual harassment statements should never be a part of a social engineering plan. Therefore, it should be avoided at all costs. Instead, compliments should be directed away from personal features and appearance and toward more material things. For example, shoes, watches, briefcases, glasses, purses, automobiles, etc.
False Statements
This tactic involves making a deliberately false statement in the hope that the target will correct you with the accurate information. A useful statement might be, “I heard they have seventeen cameras, twelve guards and a fingerprint scanner in their lobby. They say that place is like Fort Knox! Nobody can get in.”