Guerilla Psychology and Tactical Approaches to Social Engineering, Part I
In the first part of this article, we are going to discuss the psychology surrounding social engineering, and in particular, the four qualities that social engineers abuse and the manners in which they abuse them, the techniques that attackers use to manipulate their victims, the cycle of social engineering, and the qualities that social engineers possess.
2. The four most important human qualities that social engineers take advantage of and the manners in which they abuse these qualities
According to the SANS Institute, social engineers exploit one or a combination of four psychological traits of humans; those are carelessness, (feeling of security in their) comfort zone, desire to help, and fear.
The carelessness of humans can be exploited because humans often feel apathetic towards setting up proper defense mechanisms. Examples of attacks against our carelessness are dumpster diving which involves the collection of the trash from a particular target and sorting it for useful information such as thrown documents with signatures which are left there without being shredded.
The exploitation of human carelessness is usually only the first step towards a more complicated attack and is frequently part of the reconnaissance phase of the attack.
Other examples of this exploit is password theft which is possible because often in companies people have to renew their passwords on a regular basis and they have a strict standard regarding the password strength that at least involves some letters, special characters and numbers, and as employees struggle to remember their new password after each change – they write it on a piece of paper and hide it in arm’s length so they can conveniently grab the paper and write their password when they logon. This makes password theft easy, as the social engineer would have to search only the immediate surroundings of the office computer – such as under the chair, in the desk drawer, below the keyboard, computer screen or the machine itself, under a picture or a notebook or something like that. Thus, this approach involves both the victim being careless enough to leave the password out in the open and laziness (the person prefers not to make an attempt to memorize the password as he should have done).
The next human quality that social engineers exploit is the feeling of security in a person’s comfort zone, which in most cases includes the work environment. Humans feel secure at their workplace, to a greater or lesser extent, and they are more likely to be less perceptive of possible threats, scams and dangers that exploit this sense of security. Their guard will be down when a social engineer tries to take advantage of their work environment.
A common abuse of a person’s comfort zone is impersonating an insider. The most common impersonation is of the IT staff, as people in the company generally have less knowledge of how the IT systems are maintained and they are in a way ignorant in this area. Social engineers can also pretend to be janitors, repairmen, even firemen. If you see a person wearing a shirt that the IT staff wears, you will assume she/he is working there, as your guard will be down. This person that pretends to be from the IT staff can then easily ask to do some software updates on your computer and without you knowing provide remote access to herself/himself, or ask you for your password to check if it is secure enough, and a typical person would not feel the threat. She/he can also use name-dropping to establish credibility and the bait is all set. Similarly, the lady from the IT staff can first dress up as a maintenance guy and wait for you to come near the gate of the company and intercept you there with the mop and whole bunch of cleaning tools, asking you to hold the door for him which will secure her/him an easy way to the company where she/he can continue her scam by dressing up as part of the IT staff in the restroom. Or she/he can just rely on tailgating to enter the premises of your company.
Another way that humans’ comfort zone can be abused is by shoulder surfing. This involves both the exploitation of a person’s comfort zone and his carelessness, as people do not expect that someone will stand behind them, watching as they type on the keyboard their password and username, both because they feel secure when they are at their desk and in their workplace, and because of carelessness of what is happening outside their eyesight when they start focusing on their duties.
Another thing that social engineers can do is rely on actual theft of a laptop, badge, wallet, purse, smartphone, external hard drive, USB or other work-related machines, gadgets and entry passes. Since the sense of security remains even after work, when the person is out drinking with his colleagues at their favorite pub, restaurant or bar, his badge, wallet or purse can easily be stolen on Friday while the victim is a little bit intoxicated, which will further diminish his attentiveness, and if only his badge is stolen – he will probably only realize that on Monday, and this leaves a time window for the social engineer to penetrate the premises.
A different comfort zone threat is physical security. For instance, in the places for smoking, people will often leave the gate open so they can go out for a smoke without having to swipe their card every time they go out for a couple of minutes, which leaves a time window for penetration. This is especially true if the company employs a lot of workforce. Such companies can have more than one smoking area and some may completely lack access controls to facilitate the employees who smoke.
The next quality that could be exploited according to the SANS institute is the desire to help. There are two ways to do this: by piggybacking or by impersonation.
We already discussed the first method when we said about the person dressing up as a maintenance guy and carrying tools for cleaning, then intercepting you as you enter and asking you to hold the door for him. You would probably not ask him for his badge or entry pass but will simply let him go, and this is because of your desire to help, just as you would have liked it if somebody did the same for you. It does not have to be cleaning tools and a maintenance guy, the social engineer can be dressed up as a delivery guy and carry a big box and he can even utilize name-dropping and mention that the delivery is for the CEO of the firm or some hotshot in the company.
Another way to exploit the desire to help is to impersonate an insider, which we discussed as well. The impersonation usually happens after some other technique has taken place, such as dumpster diving or other reconnaissance methods.
Human fear is the most exploited human quality, as it can be seen from myriad techniques of phishing, vishing, pretexting and other scams which usually create a sense of immediacy to act in the victim by claiming that the user password may have been hijacked, or that there are suspicious activities in his bank account or something similar. Fear can be exploited by providing a short time frame in which the victim has to perform something, by relying on authority (for example, impersonating a CEO or some important manager in the company) or by placing the victim into an uncomfortable position.
3. The cycle of a social engineering attack
Social engineers have three phases when performing an attack: first they gather enough information about the targets, then they strive to develop some kind of relationship with the target. This relationship could be based on trust, fear, respect, reciprocation for some favor, or another basis, and then they try to exploit the built relationship with the target, and if the target executes a particular task for the perpetrator due to his exploitation – the cycle ends or repeats itself with a new victim to further penetrate the targeted company.
4. What qualities the social engineer must possess to manipulate his victims?
To successfully manipulate the victim, the social engineer has to have the ability to hide his malicious intentions, know the weaknesses of the targets in order to choose wisely the technique he is going to carry out on him, and he must be cruel enough not to have second thoughts on harming the victim in the stage of relationship-development.
5. Techniques social engineers use to manipulate the victims
Those are many but we will mention the most widely used ones. The first is lying; to combat it you have to be aware that not all people are honest and frank. People think like that of people because they judge others depending on their inner qualities, so if they don’t have the habit of lying they probably wouldn’t expect others to lie either. They must also be aware that people with certain types of personalities (such as psychopaths) are proficient in lying and they do not have any remorse or restraints to lying.
Another technique is saying the truth but omitting certain parts of it. This is a good technique for persons who are not used to lying and cannot keep track of all the lies they have told before.
Also, the social engineer may keep denying any allegations that you put forward to him should you suspect there is something fishy, until you eventually believe that your suspicions are incorrect.
The next technique is giving a reason for some inquiry. If the attacker gives a rationalization and uses the magic word “because” it is much more likely for you to give it to him even if the reason is plain stupid. There was a study involving rationalization. It took place in a library and in the line to use the copy machine in particular. There were many people in the line and a person came and asked to cut in line. In the first group, the person who wanted to cut in line asked the others “Excuse me, I have five pages. May I use the Xerox machine because I’m in a rush,” and 94% of the participants allowed him to copy his pages before them. In a different group the person asked “Excuse me. I have five pages. May I use the Xerox machine,” and only 60% allowed him to cut in line. In the last group, the person asked “Excuse me, I have five pages. May I use the Xerox machine because I need to make copies,” and 93% people allowed him to cut in line. This clearly shows that the use of “because” is sufficient enough for people to think that he has a valid reason to cut in line and they do not even process the reason itself.
Another two common techniques social engineers use is evasion and diversion; they evade questions such as ‘can you show me your credentials’ by responding either by changing the topic or telling something vague and irrelevant as an answer to divert the attention of the question. They can also simulate innocence, confusion, or anger to trick the victim into doing what they want or try to establish guilt in the target so he can feel the need to exonerate himself by doing exactly what the attacker wants.
Those are all techniques discovered by George K. Simon in his book “In Sheep’s Clothing: Understanding and Dealing with Manipulative People.”
Secpoint gives as the top 10 social engineering tactics: alcohol, sex, NLP, social networks, vishing, whaling, phishing, techie talk, piggybacking and reverse social engineering. We have discussed vishing, whaling and phishing in previous articles, so they should not be mentioned any further.
Alcohol makes the victim more susceptible to telling things he is not supposed to say, even things for which he has signed a confidentiality agreement. Combine that with a nice bar with some really amazing music and surroundings and a little bit of flirtation, implicit promise of sex and nice company, and many persons would spill their secrets. Actually, in 2009 Thomas Ryan used numerous social networks and made many friends in the NSA, Military Intelligence Groups and Global 500 companies under a false identity (Robin Sage). “Her” online friends gave out confidential information to her in order for her to review it such as papers and presentations and some even gave her access to their bank accounts and emails. Thus, social networking is another vector of attack commonly exploited by social engineers by making fake profiles and exploiting the common human need to socialize and interact with others.
CSO defines several techniques that social engineers use for trust-building. Those include the rationalization we have already discussed, projecting confidence, an example of which can be entering a company’s building by piggybacking, tailgating or another method and acting as if you belong there – the exact method to do this depends on the particular situation, but it may involve greeting people, acting calm and friendly and walking through the building as if you know exactly where you are going without looking around all the time at hallways, doors or windows.
Another trick that they rely on is reciprocation, which involves giving a gift or doing some kind of favor to the victim to which he will feel obliged to respond. The issue to be aware of here is that this would most likely not work if you give someone a DVD of some movie or music band they like (which could be looked up on the Internet) and then immediately ask for something – this would most likely lead to the prospective victim to think that you are bribing him and he will not react friendly towards such behavior, in most cases. You have to let some time pass and not too much as well because the sense of reciprocation can expire if the prospective victim stops feeling indebted.
The last method they talk about is using humor. Social engineers could have some jokes prepared to make you laugh and make you at ease with them during the relationship-building phase, as most people enjoy the company of people with a good sense of humor.
It can be concluded from our discussion that alcohol, sex, flirts, NLP, social networks and many other means are regularly used to lure victims. Attackers take advantage of the desire to help, fear, carelessness, and feelings of security in one’s own comfort zone, and they tend to be able to hide their intentions, be aware of the vulnerabilities of the target and have the ability to be cruel towards others. Social engineers exploit in myriad ways these four main qualities that the regular person possesses, and the regular person needs to be aware of the main ones, because otherwise he could easily fell prey to identity theft and bank fraud cases.
To visit the online exercises and test your understanding of Part I of this article, please complete the form below:
- Verizon RISK Team, 2012 Data Breach Investigations Report, Accessed 6/6/2014. Available at: http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2012-ebk_en_xg.pdf.
- EMC Academic Alliance, ‘Social Engineering and Cyber Attacks’. Accessed 7/6/2014. Available at: http://www.slideshare.net/emcacademics/11467-test9
- SANS Institute, ‘Global Information Assurance Certification Paper. Psychological Based Social Engineering’. Available at: http://www.giac.org/paper/gsec/3547/psychological-based-social-engineering/105780. Accessed 9/6/2014.
- Wikipedia, ‘Psychological manipulation’. Available at: http://en.wikipedia.org/wiki/Psychological_manipulation. Accessed 10/6/2014.
- John G. O’Leary, ‘Psychology of Social Engineering: Training to Defend’. Available at: http://csrc.nist.gov/organizations/fissea/2006-conference/Tuesday300pm-OLeary.pdf. Accessed 8/6/2014.
Susanne Quiel, “Social Engineering in the Context of Cialdini’s Psychology of Persuasion and Personality Traits’. Available at: http://doku.b.tu-harburg.de/volltexte/2013/1221/pdf/Social_Engineering_in_the_Context_of_Cialdinis_Psychology_of_Persuasion_and_Personality_Traits.pdf Accessed 11/6/2014.
- Stephany Nunneley, “Sony using ‘social engineering psychology with data analytics’ to fight security breaches”. Available at: http://www.vg247.com/2012/03/13/sony-using-social-engineering-psychology-with-data-analytics-and-user-education-to-fight-security-breaches/. Accessed 10/6/2014.
- Nick Mediati, ‘Reports: 77 Million PlayStation Network Accounts Compromised’. Available at: http://www.pcworld.com/article/226352/sony_77_million_playstation_network_accounts_hacked.html. Accessed 11/6/2014.
- Mosin Hasan, Nilesh Prajapati and Safvan Vohara, ‘Case Study on Social Engineering Techniques for Persuasion’. Available at: http://airccse.org/journal/graphhoc/papers/0610jgraph2.pdf. Accessed 9/11/2014.
- SECPOINT, ‘Top 10 Social Engineering Tactics’. Available at: http://www.secpoint.com/Top-10-Social-Engineering-Tactics.html. Accessed 11/6/2014.
- Clark Case, ‘The Top 7 Psychological Triggers Behind Social Engineering. Available at: http://www.merchantlink.com/blog/top-7-psychological-triggers-behind-social-engineering. Accessed 10/6/2014.
- Joan Goodchild, ‘Mind Games: How Social Engineers Win Your Confidence’. Available at: http://www.csoonline.com/article/2124219/security-awareness/mind-games–how-social-engineers-win-your-confidence.html. Accessed 05/06/2014.