Social Engineering - Christopher Hadnagy [112]
In a paper entitled “The ‘Social Engineering’ of the Internet Fraud” Jonathan J. Rusch of the U.S. Department of Justice writes, “People are highly likely, in the right situation, to be highly responsive to assertions of authority, even when the person who purports to be in a position of authority is not physically present” (www.isoc.org/inet99/proceedings/3g/3g_2.htm).
This ploy is also used in other ways: rather than posing as the CFO, the attacker claims to have been sent or authorized by the CFO. The authority that the name and title carry may be enough, in the eyes of the target, to transfer that power to the attacker.
Rusch cites an experiment reported by Robert B. Cialdini in his book Influence (1993), in which 95 percent of the nurses at 22 nurses' stations in three different hospitals were willing to administer a dangerous dose of medication to a patient on the basis of a phone call from a researcher claiming to be a physician the nurses had never met.
This experiment clearly shows that, given orders and the perception of authority, people may take actions that go against their better judgment. This type of authority can be, and often is, used to manipulate companies into giving away valuable data.
Social Authority
Social authority refers to the “natural-born leaders” of any social group. A social group could consist of co-workers, college friends, or any other gathering of people.
In Influence, Cialdini writes, “When reacting to authority in an automatic fashion there is a tendency to often do so in response to the mere symbols of authority rather than to its substance.”
Establishing social authority does not require a great deal of time or formal structure to mark someone out as an authoritative figure. In any setting, a quick flash of social proof, where people are influenced by seeing a group take the same action, may be enough to confer social authority on a person.
Social authority can be used to the social engineer's advantage when asking or pressuring the target for information. If the target refuses and as a result is disliked by the leader of the group, the target may fall out of favor with the entire group, so complying with the leader's social authority is perceived as the advantageous choice.
Social authority is used successfully when the attacker states or implies that a previous person or group already reacted the way the attacker is now asking the target to react. “Yesterday the CFO sent me down to take care of this problem and Joe let me through and he checked all my credentials, did he put them on file?” A simple statement like that draws on several forms of authority at once.
If you comply with authorities mindlessly, you may be responding to symbols of authority rather than to reality. Three authority symbols are particularly effective in Western countries; a person who displays any one of them, with no other evidence of authority, is likely to be rewarded with compliance:
Titles
Clothes
Automobiles
In an interview I conducted with Dr. Ellen Langer, Harvard psychologist and researcher of persuasion and influence (www.social-engineer.org/episode-007-using-persuasion-on-the-mindless-masses), she talked extensively about mindlessness. She stated that people often do much of their work in a state involving very little thought; in other words, they are on autopilot. In that state, abuse of an authority role is very dangerous, because perceived authority can make someone on autopilot react without limits.
The right clothes, the right body language, and even a printed fake business card have worked for many social engineers in establishing an authority stance and keeping their targets on autopilot.
Other forms of authority beyond the ones outlined here may come into play for a social engineer, but these are the most commonly used. Authority is a powerful force when