Social Engineering - Christopher Hadnagy [141]
These darker manipulation techniques are used successfully by social engineers and professional auditors. Manipulating a person to feel completely helpless causes him or her to feel that giving in to the attacker makes sense.
That really is where manipulation in social engineering practice differs from other forms of influence. With negative manipulation the social engineer leaves and doesn’t care how the target feels later on. Even if a target realizes he has been hacked, it doesn’t matter because the damage is done and the company or person is already infiltrated.
Other aspects of social engineering manipulation are just as powerful but not so dark.
Using Positive Manipulation
Positive manipulation has the same goals in mind as negative manipulation—in the end the target is in alignment with your thoughts and desires. The differences are in how you get there. But in positive manipulation, the target doesn’t need therapy when you are done.
Over my years of research, I have compiled some tips about how parents interact with their children to get them to comply with the parents’ wishes. A few of these points on positive manipulation are useful for social engineers. The following sections cover some of these positive techniques.
Disconnect Your Emotion from Their Behavior
Keeping your emotions separate from your target’s behavior is important. As soon as you let your emotions get involved the target is manipulating you. You can feel emotion, of course, but be in control of what you feel and how you display what you are feeling.
You do not want to be the one out of control. You also want to control the negative emotions as much as possible so you can remain in control at all times.
Disconnecting your emotions can also put people at ease. This doesn’t mean being devoid of emotion; that is not comforting to people. If someone is really upset, showing the proper level of concern is good, but if your display of emotion is too much you can put the target off and ruin the gig.
Keep your emotions in alignment with the pretext you are trying to achieve. If you do not allow your emotions to get involved you can remain in control at all times. A good social engineer is able to do this despite the actions or attitudes displayed by the target. If the target is upset, mad, belligerent, rude, or if any other negative emotion is displayed, a good social engineer remains calm, cool, and collected.
Look for the Positive to Mention
Whenever you can, find something to make a joke about or compliment, but without being creepy. You don’t want to walk up to the security guard and say, “So two nuns walk into a bar….” This method probably won’t go over too well. At the same time you can’t walk into the front office and say to the girl behind the counter, “Wow, you’re pretty.”
Finding something positive to mention puts everyone at ease, but it must be balanced, controlled, and in good taste. Using the example of approaching a security guard, after introducing yourself, complimenting the picture of her children by saying something like, “Wow, she is really cute; how old, four or five? I have a little girl at home, too,” can go a long way toward opening the door.
Assume, Assume, Assume
You have probably heard what they say about people who assume, but in this case, assume it all. Assume that the target will act the way you want, assume he will answer the way you want, and assume he will grant you all your requests.
Assume with the questions you ask and the statements you make.
“When I come back from the server room…”
This statement assumes you belong there and you are already granted access. In the security guard situation mentioned earlier, after the compliment maybe offer a follow-up: “When