Social Engineering - Christopher Hadnagy [140]
Do you think this tactic would work? Most likely the salesperson would download and execute that file with little to no thought. You have caused him to reevaluate the policy he has been taught.
Making the Target Feel Powerless
Making the target feel vulnerable or powerless is another very dark, but effective, tactic. It is often used in social engineering when the pretext is an angry executive or someone who should have power over the target. Angered by the lack of response or the inability of the target to give quick answers, the attacker berates or threatens the target, causing him to doubt his position and feel a loss of power.
Another more subtle way this is used is to undermine the belief system using social incentives. In one audit, I was stopped by a custodian while doing scans of the internal network. When she did the right thing by stopping me, I reacted with something like, “Did you know that each year this company deals with a constant battle against network breaches? I am trying to secure you, and you are trying to stop me from doing my job!”
My overpowering demeanor caused her to feel powerless and she backed down.
Giving a target the impression he has no time to think or there is serious urgency can also make him feel powerless. He cannot take the time to think about how to handle a problem and therefore must make a decision in a way he knows he shouldn’t.
This tactic was used after the recent earthquakes in Haiti. A website was launched that claimed to have information on loved ones who might have been lost. Because the group that set up the site claimed that no one but them was able to provide information on those loved ones, they could demand that certain criteria be met to obtain this information. Many people, feeling hopeless and powerless, entered too much information and clicked things they knew they shouldn’t and in the end were damaged by it. The BBC issued a story about this and listed some tips to stay protected: http://news.bbc.co.uk/2/hi/business/8469885.stm.
Dishing Out Nonphysical Punishment
Closely linked to making the target feel powerless is making them feel guilt, humiliation, anxiety, or loss of privilege. These feelings can be so strong that a target might possibly do anything to “regain favor.”
Guilt over not giving what was expected can cause humiliation and doubt, which can cause the target to react the way the attacker wants.
I don’t suggest using humiliation in most social engineering settings, but I have seen it used on a target in a team effort to open the door, and on another social engineering team member to soften the face of the target, making them more pliable to suggestion.
The first attacker approached the target in a public setting trying to get information; he was playing the role of someone important.
In the middle of the conversation an underling, who happened to be female (and on the team), came up and asked a question that angered the first attacker. He reacted by saying, “You have to be the dumbest person I have ever met.” In a fit of anger he walked away. The female attacker looked dejected and hurt and was quickly comforted by the target, who fed into her act. The target’s empathy allowed him to be manipulated to give out way more information than he wanted.
Intimidating a Target
Intimidation is not a tactic that you might think of using in a traditional sense in social engineering. You are not going to tie up your target and go all “Jack Bauer” on him, but you can use intimidation in subtle ways.
Suggesting that failure to comply can lead to being laid off or other adverse consequences can intimidate the target into reacting a certain way. Governments often use this tactic to manipulate society to believe that the economic system is collapsing. This way they can control the emotions of those they govern.
You can use it in a social engineering audit even by having an intimidating appearance. Looking busy, upset, and on a mission can intimidate many. Talking with very authoritative expressions can also intimidate people.
In business, sending