Online Book Reader


Social Engineering - Christopher Hadnagy [162]

Eric’s attitude in this hack. He was always collected. When he put on the pretext of the DMV agent he was able to use elicitation that served as the proof. When he put on the police pretext, his demeanor, voice, and phrases all backed up the pretext. Switching gears can be hard for many people, so it is best to practice before you go “live” with this.

Eric’s pretexts were solid and he did a masterful job at holding them together, especially when he had to act as a DMV agent and field real calls from police. In many circumstances he could have easily fallen out of character but he seemed to hold it together quite well.

Many of the techniques used for the psychological aspects of social engineering, such as eye cues and microexpressions, were not used in this attack because it happened mostly over the phone. Eric did have to utilize certain aspects of the framework, though, such as rapport building, NLP (neurolinguistic programming), and modes of thinking.

Eric seemed to be a natural at building rapport. He was personable and easygoing, he seemed to not be afraid of the “what ifs,” and was able to be and act confident in his abilities. He posed his voice and his conversation in a way that gave the person on the other end of the phone all the reason to trust him and no reason to not believe him.

Eric used impressive interrogation and interview tactics, even using them on law enforcement agents who are experienced in interview tactics. He used those tactics so successfully that he was undetected in his methods and obtained all the information he wanted.

Eric also seemed to have an excellent grasp of and ability to use influencing tactics. Probably one of the most noticeable in the attack was when he asked the police officer to call back to get a different DMV agent. This was probably annoying for the officer, but what made the tactic successful is that Eric “gave” the officer something first. That is, he “verified” the data the officer needed, and the moment he was supposed to give the officer the final piece of info is when the “computer” froze.

By applying some rules of influence, Eric was easily able to get the officers to comply.

Closely linked to Eric’s pretext was his ability to use framing successfully. To refresh your memory, framing is bringing the target in line with your thinking by positioning yourself and your stories to make them believable. It is an important piece of the pretext puzzle that makes you stand out and prove to the target you certainly are who you say you are. Eric’s pretexts were great and believable, but what really sold them were the frames that he used. His frame changed depending on who he was talking to. At one point he had to make sure the officer on the other end would give him the Teletype number; on the other call he had to be a knowledgeable and skilled DMV agent.

Eric made himself believable using framing by assuming he would get the information he asked for, showing no fear in his dealings, and confidently asking for information he “felt” he was owed. All these attitudes framed the target to accept his pretext and allow for natural responses.

As you can see, you can learn much by analyzing Eric’s social engineering attack. One can only assume that Eric either had practiced all these methods or had a few dry runs to know all he did about the internal systems used in the attack.

Eric’s methods worked out for him and were successful, but I would have taken a couple extra precautions. For example:

When he was fielding DMV calls, I would have made sure I forwarded the number only when I was in the “office.” I would have set up an office area with some background office noises and had the proper supplies to take down all the information I needed to avoid the risk of a waitress or friend blowing my cover.

Although a disposable cell phone is a good idea for tracing purposes, another technique is to have that number forward to a Google Voice or Skype number. I tend not to trust cell signals, and nothing could have ruined the gig faster than having the call drop or having a weak, static-filled signal.
