Social Engineering - Christopher Hadnagy [13]

archived at www.social-engineer.org/wiki/archives/Governments/Governments-FoodElectionWeapon.html talks about a principle called scarcity.

Scarcity is when people are told something they need or want has limited availability and to get it they must comply with a certain attitude or action. Many times the desired behavior is not even spoken, but the way it is conveyed is by showing people who are acting “properly” getting rewards.

The article talks about the use of food to win elections in South Africa. When a group or person does not support the “right” leader, foodstuffs become scarce and jobs people once had are given to others who are more supportive. When people see this in action, it doesn’t take long to get them in line. This is a very malicious and hurtful form of social engineering, but nonetheless, one to learn from. It is often the case that people want what is scarce and they will do anything if they are led to believe that certain actions will cause them to lose out on those items. What makes certain cases even worse, as in the earlier example, is that a government took something necessary to life and made it “scarce” and available only to supporters—a malicious, but very effective, manipulation tactic.

The Dalai Lama and Social Engineering

The interesting article archived at www.social-engineer.org/wiki/archives/Spies/Spies-DalaiLama.html details an attack made on the Dalai Lama in 2009.

A Chinese hacker group wanted to access the servers and files on the network owned by the Dalai Lama. What methods were used in this successful attack?

The attackers convinced the office staff at the Dalai Lama’s office to download and open malicious software on their servers. This attack is interesting because it blends both technology hacking and social engineering.

The article states, “The software was attached to e-mails that purported to come from colleagues or contacts in the Tibetan movement, according to researcher Ross Anderson, professor of security engineering at the University of Cambridge Computer Laboratory, cited by the Washington Times Monday. The software stole passwords and other information, which in turn gave the hackers access to the office’s e-mail system and documents stored on computers there.”

Manipulation was used as well as common attack vectors such as phishing (the practice of sending out emails with enticing messages and links or files that must be opened to receive more information; often those links or files lead to malicious payloads) and exploitation. This attack can work and has worked against major corporations as well as governments. This example is just one in a large pool of examples where these vectors cause massive damage.

Employee Theft

The topic of employee theft could fill volumes, especially in light of the staggering statistic found at www.social-engineer.org/wiki/archives/DisgruntledEmployees/DisgruntledEmployees-EmployeeTheft.html that more than 60 percent of employees interviewed admitted to taking data of one sort or another from their employers.

Many times this data is sold to competitors (as happened in this story from a Morgan Stanley employee: www.social-engineer.org/wiki/archives/DisgruntledEmployees/DisgruntledEmployees-MorganStanley.html). Other times employee theft is in time or other resources; in some cases a disgruntled employee can cause major damage.

I once talked to a client about employee discharge policies, things like disabling key cards, disconnecting network accounts, and escorting discharged employees out of the building. The company felt that everyone was part of the “family” and that those policies wouldn’t apply.

Unfortunately, the time came to let go of “Jim,” one of the higher-ranking people in the company. The “firing” went well; it was amicable and Jim said he understood. The one thing the company did right was to handle the firing around closing time to avoid embarrassment and distraction. Hands were shaken and then Jim asked the fateful question, “Can I take an hour to clean out my desk and take some personal pictures off my computer?”
