Social Engineering - Christopher Hadnagy [130]
Manipulation is considered by many to be a very dark topic, a topic that creates a sense of fear because of the way it is often portrayed.
Taking a look at a few definitions found on the Internet may help to explain:
“exerting shrewd or devious influence especially for one’s own advantage”
“influence or control shrewdly or deviously”
“control (others or oneself) or influence skillfully, usually to one’s advantage”
You can clearly see why many social engineers drool over this topic. Can you imagine being able to use your skills to control or influence someone to your advantage?
From something as dark as brainwashing to the subtle hints of a salesperson, manipulation tactics are something every social engineer should study and perfect. The aim of manipulation is to overcome the critical thinking and free will of their target. When the target loses his ability to make a decision based on informed processes, they can be fed the ideas, values, attitudes, or reasonings of the one manipulating them.
Manipulation is used in six ways that hold true whether the topic is brainwashing or something less insidious. I will quickly go through each one before we get into this very deep section.
Increasing the suggestibility of your target. At its most extreme, sleep or food deprivation increases a target’s suggestibility. On the lighter side, subtle hints that build in intensity over time to make your target more suggestible.
Gaining control over the target’s environment. This technique can involve everything from controlling the type and quantity of information to which a target has access to much subtler things like gaining access to a target’s social media websites. In a social engineering context, having access to social media allows you to view your target’s communications as well as exert control over the information he receives.
Creating doubt. Destabilizing and undermining your target’s belief system can go a long way toward manipulating your target to take an action you want. From a social engineering viewpoint, this must be done subtly. You can’t just barge in and start degrading your target; instead, questioning the rules they follow, their job, or their beliefs can affect the target’s ability to make rational decisions.
Creating a sense of powerlessness. This truly malicious technique is used in wartime interrogations to make a target feel a lack of confidence in their convictions. A social engineer can utilize this tactic by taking away the target’s agency by presenting the “facts” you received from someone with authority, thus creating a powerless feeling.
Creating strong emotional responses in the target. Strong emotional responses include everything from doubt to guilt to humiliation and more. If the feelings are intense enough, they can cause the target to alter their whole belief system. A social engineer must be careful not to create damaging negative emotions, but using tactics that create an emotional response based on fear of loss or punishment can prove beneficial to your SE goal.
Heavy intimidation. Fear of physical pain or other dire circumstances can be used to make a target crack under pressure. Again, most social engineers will not go this route unless they are using corporate espionage as a tactic, but in normal social engineering, this tactic utilizes perceived authority to build strong fear and feelings of potential loss.
Most times, however, manipulation is not so extreme. On its very basic level, imagine you’re in a crowded room and someone calls out your name. What is your reaction? Usually it is to turn around or respond with a “Yes?” You have been manipulated, but not necessarily in a bad way.
On a psychological level, being manipulated is even more profound. Notice what happens to make that preceding interaction happen: Your brain hears your name, and you automatically formulate an answer (“Yes?”). The connection between that answer and your vocal response is very short. Even if you made no vocal response or if the name-calling is not targeted to you personally, if a question