Social Engineering - Christopher Hadnagy [180]
The main lesson in this case study is probably that practice makes perfect. Realistically, John could have confronted the hacker, told him he was an admin, that he was being logged, and that his life was over. All sorts of threats could have flown back and forth, and he could have tried to use fear as his main tactic.
Most likely, the hacker would have fled the scene only to return later and try to format the system or do even more damage to cover his tracks. Instead, thinking very fast, John was able to farm a lot of usable information on his target. John later used the target’s e-mail address and name and a good copy of Maltego to get a very clear picture of this individual’s activities.
Another minor lesson one can learn from analyzing this story is how to be fluid. What I mean by that is learning to go with the flow. When John started “gathering information” from the hacker he really didn’t know whether this person was a hacker or an admin. John’s first line, “Hey what’s up,” could have been answered by the attacker in many ways. Without knowing exactly the response he would get, John had no time to really prepare. He had to try to use lingo and react the way he imagined a hacker would.
John took it even a step further. Realizing that the best avenue was a submissive one, John put on the pretext of a “n00b,” a new hacker who didn’t know much and wanted a wonderful and intelligent real hacker to educate him. Feeding the hacker’s ego, John got him to spill his guts about all sorts of things, including all his contact information and even a picture.
Why Case Studies Are Important
These case studies are just a few of the stories that are out there, and these are by far not the scariest. Every day governments, nuclear power plants, multibillion-dollar corporations, utility grids, and even whole countries fall victim to malicious social engineering attacks, and that doesn’t even include the personal stories of scams, identity theft, and robbery that are occurring by the minute.
As sad as reading all these stories is, one of the best ways to learn is by reviewing case studies. Experts from all fields use this methodology. Psychologists and doctors review countless hours of tapes and interviews to study the microexpressions people display when feeling certain emotions.
Persuasion experts review, analyze, and study accounts of positive and negative persuasion. Doing so helps them pick up on the subtle factors that influence people, and see how those factors can be used both to learn and to protect their clients.
Law enforcement reviews case studies as part of their everyday work to learn what makes a criminal tick. Along those lines, criminal investigators analyze and dissect every aspect of a malicious person, including what he eats, how he interacts with others, what he thinks about, and what makes him react. All of this information helps them truly understand the mind of the criminal.
These same methods are how professional profilers target and catch the “bad guys.” In the same fashion, professional social engineers learn a lot by studying not only cases from their own practice but also malicious accounts they can find in the news. By reviewing case studies, a social engineer can truly start to see the weaknesses of the human psyche and why the tactics in the social engineering framework work so easily. That is why I have been working hard to make sure the framework on www.social-engineer.org will include updated web stories and case studies that you can use to enhance your skills.
In the end, all of these exploits worked because people are designed to be trusting, to have levels of compassion, empathy, and a desire to help others. These are qualities that we should not lose as we have to interact with our fellow humans every day. Yet at the same time, these qualities are the very things that are more often than not exploited by malicious social engineers. It may seem that I am promoting each of us to become a hardened, emotionless creature