This is part three of the social engineering series.
Whether you’re an aspiring SE, ethical hacker, business owner, or just an individual who’s fascinated by this topic (like me), then you might want to read this article.
I hope that by writing about different SE techniques will help raise awareness and prevent attacks.
1. Building Trust
Social engineers aren’t successful because people lack common sense. But we as humans, are all vulnerable to being deceived because we can misplace our trust if manipulated in certain ways.
The social engineer expects suspicion and resistance. And he/she is prepared to turn distrust into trust.
It’s like playing a chess game when you anticipate the opponent’s moves.
The more you make a situation seem like business as usual, the more you remove suspicion. When people don’t have a reason to be suspicious, it’s easy for the social engineer to gain their trust.
Anne works at the video rental store. A customer called to say he had a very good experience, and he wanted to send the manager a letter about it.
He asked for the manager’s name and mailing address.
As he was about to hang up he had another idea, “I might want to write your company headquarters, too. What’s your store number?
She also gave that information.
He thanked Anne, said how helpful she was and hang up the phone.
The Second call…
“Thanks for calling the video rental store. This is Gina, how can I help you?”
“Hi Gina, I’m Tommy Allison, manager at Forest Park, Store 863. We have a customer who wants to rent Rocky 5 but we’re all out of copies. Can you check on what you’ve got?”
Now Tommy calls three or four times over the next two weeks with small requests. He also starts talking with Gina about other topics.
He is gradually building trust. And when the time comes for the actual attack, Gina will let her guard down and give Tommy the information he needs. After all, why wouldn’t she help a manager of another store?
Playing on Kindness
Some people are very kind, they genuinely want to help. But a social engineer can play on their kindness and use various deception tactics.
Let’s consider the Ben Franklin Effect. It’s a psychological phenomenon that explains why people wind up liking you more when they do you a favor.
The name of the effect comes from a story on his biography which describes how he dealt with a rival. To recruit him to his side, Franklin asked if he could borrow a rare book from his library.
The gentleman accepted. Franklin returned the book one week later with a thank you note.
The next time they saw each other, the man was friendly to him and Franklin said they become friends.
A study was done in 1969, in which they invited students to take part in a Q&A competition. The winners could win money.
- One-third of “winners” were approached by the researcher asking them to return the money because he has been using his own funds and was running short.
- 1/3 were approached by the secretary to return the money because it was from the psychology department and funds were low.
- 1/3 were not approached.
Afterward, they were surveyed to see how much they liked the researcher.
The second group liked him the least, the first group the most.
So, a personal request increases liking.
You probably heard about the Milgram experiment and its results. A man in a lab coat at Yale University convinced a stranger to harm another person.
He had no real authority to force a person to follow orders… just perceived authority.
Authority is so powerful that it overrides decision centers in the brain and shuts off our sense of responsibility.
In businesses, they expect employees to perform tasks set by the management. If the employee believes the SE is part of the management, then he will conform to any reasonable request. It might provide sensitive information and wouldn’t raise any alarms.
You can also impersonate a security guard. Of course, it would need more than a fake uniform to use authority to great effect.
You can ask to see an employee’s badge supposedly to make a security check. The chances of an employee challenging and questioning a security guard are very slim.
Remember that authority should be part of every aspect of impersonation. A good suit or a particular uniform can be more than enough for the looking part. But the sounding part is a little more challenging.
A trick in creating the illusion of authority is to ask questions. In conversations, we perceive the one asking questions to have more power.
3. Reverse engineering
It’s a complicated technique that involves a great deal of planning and careful timing.
The social engineer provides help which aids the attack.
The target is asking for something from SE when it’s usually the other way around.
For example, the SE impersonates someone from the IT department asking, “Are you experiencing any computer issue?” Most likely someone will have a problem. And the SE could help them solve it.
He/she could ask for the user’s credentials to log in remotely. Or it could ask them to visit a particular website to test connectivity, which is malicious.
A more complex strategy is, to sabotage and assist. The SE causes an issue, then presents himself as someone who can solve it.
Another attack could be: Introduce, Sabotage and Assist. You introduce yourself as a new member of IT, give your phone number explaining they could call any time if they have a problem.
You’re not asking for any information and this won’t raise any alarms. When the problem occurs, the target will call the SE asking for assistance.
4. Targeting an individual
If you want to perform a targeted attack on an individual rather on groups, then consider:
- Education history
- Recent holidays
- close friends
- Family members
- What bank they use
- What car they drive
Here are some scenarios that are used as a basis for attacks.
If your target went to a particular school, then you can send an email like:
We’re organizing an XYZ high school reunion party for the class of 1990 and hope you can join us.
We’ve set up an account on http://www.fakeschoolreunion.com where you can rsvp.
Also, we’ve uploaded pictures of everyone back then.
Sorry if you find them embarrassing.
Hope to hear from you soon.
Another email might be by simply including a malicious PDF file based on where they regularly shop.
XY is offering 50% off all products! Print off the attached voucher and bring it along with you to the store.
5. Pick up lines
As we have seen in many cases, a social engineer can hijack accounts, steal identities, or infiltrate into corporate offices. They use pick up lines to encourage communication with their targets.
Here are the most common ones:
I’m stuck in X place and I lost my wallet. Can you wire some money?
The SE probably hacked a friend’s Facebook account and sends the message pretending to be him. He might say that has no money due to lost wallet, or robbery.
You should be very careful and make sure you’re talking to your friend or family member. You can ask him to send you a picture of that place or ask a specific question only your friend would know the answer.
Click this link
As in the examples above, the social engineer encourages the target to click a link. They might pose as your friend, work colleague, or even a company in which you’re a client.
They include logos and variation links to a website such as facebookk.com, paypall.com, etc.
A month ago, Simona Halep’s Instagram was hacked.
The attackers posted several messages such as:
“Hey, can anybody help me? I’m stuck in Switzerland and my bank account is not working here. I need 500$, I am willing to pay 1,500$ by the weekend”.
6. The Hurt Locker
A lot of theft happens in people’s lockers in the gym. They put a wallet in the locker and start working out. A social engineer might break the lock and take the wallet.
The wallet is missing but he/she might think it’s in the car. As they are walking out, the SE who stole the wallet is there and ring their phone.
He might say, “This is YOUR Bank and we have reason to believe someone is trying to cash out your account. Has your card been stolen recently”?
The person is in a panic mode and is trying to find a solution.
He says, “Hey, we are here to help you. But to shut access to the account I’m going to need to verify your Social Security number.”
And then, he will say, “Ok, we can shut down the card too. What is your PIN?”
It might sound obvious in retrospect but when you are in panic mode, you might not give it a second thought.
Our brains have a special wiring system that allows us to adapt quickly to new information. It recognizes familiar or known concepts and begins to search for and prepare for similar concepts.
For example, if they showed you the word wheel before being exposed to a small group of words containing the word tire in it.
Emotional priming can work in similar ways. When you feel energetic and motivated, you are far more likely to make positive decisions. One the other hand, when you feel despair, your actions will seek information to confirm your feelings.
Imagine yourself in a pet store looking at cute puppies. After you get out and see a lost dog in the street, you are far more likely to help him than if you haven’t visited the pet store.
But, If you encounter the same dog after you get out of the hospital because a dog attacked your child, what are the chances you’ll stop and help?
In 1998, psychologists Ap Dijksterhuis and Ad van Knippenberg from the University of Nijmegen asked half a group of volunteers to carry out a simple mental exercise.
It involved imagining the mind-set of a typical professor. The other half imagined a football hooligan.
They all had to answer general-related questions.
The participants primed with professors performed much better than those primed with hooligans.
The results show that we can influence someone in positive or negative ways.
As a social engineer, you are familiar with pretexting. The study of priming will increase your chances of success.
Let’s say your pretext revolves playing the role of a janitor. The stereotype is that a janitor doesn’t have too much information about a specific topic.
Obviously this is not the case with all janitors but it’s all about perception.
Take a piece of paper and write everything it comes to your mind related to janitor’s behavior and appearance. Then allow that list flow into your pretext.
Two-factor authentication is a very safe way to protect your access on particular websites.
It adds a second step to logging into an account, which makes it hard for unauthorized users to break in.
But, it’s not unhackable.
I really loved this metaphor in a StackExchange answer:
“Social Engineering is like water, it will find the point of least resistance and work its way in.”
Here, the weak point is the user.
How can a social engineer bypass 2FA?
First, he might know the username and password. Then he sends a warning message to the user.
It might be something like, “Your account has been accessed by a suspicious IP address if it isn’t you please reply with the verification code sent to your phone number.”
If the user responds to the fake message, then the SE could bypass 2FA.
Second, the hacker has no data. He doesn’t know your username, password, nor a phone number.
Here, he will create a fake website with a domain slightly changed like in the examples above.
Then he emails persuading you to respond and steal your 2FA generated credential.
The amygdala is a collection of nuclei deep within the temporal lobe.
Research shows that the amygdala processes input from all senses.
In addition, emotional processing by the amygdala can occur subconsciously and can be affected by sensory input.
Now let’s say you’re having a bad day at the office. Your work is piling up. Because of budget costs, some of your team has been let go. You have meetings scheduled for today. Your coworker sends an email saying that your last report has incorrect data. You click reply and type an angry email.
Later you read that email and realize you made a huge mistake.
You were experiencing amygdala hijacking. It happens when your brain reacts to psychological stress as if its physical danger.
And it triggers a fight-or-flight response. Adrenaline and blood pressure rises. We lose the ability to communicate effectively and autopilot is in charge.
When a social engineer triggers a strong emotional response to the target, it can reduce a person’s ability to think logically.
Scammers know this. Therefore, they use natural disasters, dying children, sickness, to take their money.
Social engineers are no different. They use sadness, fear, and other emotional triggers to steal information or persuade targets to do something for them.
Christopher Hadnagy tells a story about an SE engagement in his excellent book, Unmasking the Social Engineer.
He had to load malicious software onto the company’s computer network using a USB key. They wanted to test the corporate policy which forbids employees from inserting foreign devices into any company machine.
He was wearing a business suit and was holding a folder with a few “resumes”. As soon as he parks the car, he spills coffee all over the folder.
He enters the building with a sadness display in his face.
He walks at the front desk and the secretary asks, “Oh, no, honey. What happened?”
Chris quickly scanned her desk pictures and saw a small child with a cat.
“I’ve been out of work for a while, and I finally got an interview here today. I was driving here all nervous, and a cat ran out in front of me.
I love cats, and I didn’t want to hit it, so I swerved, and my coffee fell out of its holder onto my seat and drenched my resumes.
Fortunately, I missed the cat, but I killed my resumes.”
“Oh, that’s terrible. What can I do to help?”
“I have my resume on this USB key. Could you print me just one copy, please?”
And that was it. The job was done.
Social Engineering Penetration Testing by Gavin Watson, Andrew Mason and Richard Ackroyd
The Art of Deception: Controlling the Human Element of Security by Kevin Mitnick & William Simon
The Ellipsis Manual: Analysis and engineering of human behavior by Chase Hughes
We recommend reading: