Social Engineering - Christopher Hadnagy [33]
I want to take this discussion one step further because many governments educate and warn their employees against elicitation because it is used by spies all over the earth.
In training materials, the National Security Agency of the United States government defines elicitation as “the subtle extraction of information during an apparently normal and innocent conversation.”
These conversations can occur anywhere that the target is—a restaurant, the gym, a daycare—anywhere. Elicitation works well because it is low risk and often very hard to detect. Most of the time, the targets don’t ever know where the information leak came from. Even if a suspicion exists that there is some wrong intent, one can easily pass it off as an angry stranger being accused of wrong doing for just asking a question.
Elicitation works so well for several reasons:
Most people have the desire to be polite, especially to strangers.
Professionals want to appear well informed and intelligent.
If you are praised, you will often talk more and divulge more.
Most people would not lie for the sake of lying.
Most people respond kindly to people who appear concerned about them.
These key factors about most humans are why elicitation works so well. Getting people to talk about their accomplishments is too easy.
In one scenario in which I was tasked to gather intel on a company, I met my target at a local chamber of commerce function. Because it was a mixer I hung back until I saw the target approaching the bar. We got there at the same time and because the purpose of these functions is to meet and greet people and exchange business cards, my first move wasn’t extreme.
I said, “Escaping from the vultures?”
He replied with a chuckle, “Yeah, this is what makes these things worth the time—open bar.”
I listened to him order, and I ordered a similar drink. I lean over with my hand out, and said, “Paul Williams.”
“Larry Smith.”
I pulled out a business card I had ordered online. “I work with a little import company as the head of purchasing.”
He said as he handed me his card, “I am the CFO for XYZ.”
With a chuckle I responded, “You’re the guy with the bucks—that’s why everyone is after you out there. What exactly do you guys do?”
He bagan to relate a few details of his company’s products, and when he listed one that is well known, I said, “Oh right, you guys make that widget; I love that thing. I read in XYZ Magazine it hit a new sales record for you guys.” From my previous information gathering I knew he had personal interest in that device so my praise was well received.
He began to puff his chest out a bit. “Did you know that device sold more in the first month that our previous and next five products combined?”
“Yikes, well I can see why, because I bought five myself.” I chuckled through the mild praise.
After another drink and some more time I was able to discover that they recently purchased accounting software, the name of the CSO (and the fact he was on vacation for a few days), and that my friend here was also going on vacation soon to the Bahamas with his wife.
This seemingly useless info is not useless at all. I have a list of details about software, people, and vacations that can help me plan an attack. But I didn’t want to stop there; I went in for the kill with a question like this:
“I know this is a weird question, but we are a small company and my boss told me I am to research and buy a security system for the doors. We just use keys now, but he was thinking RFID or something like that. Do you know what you guys use?”
This question I thought would send up red flares and smoke signals. Instead, he said “I have no clue; I just signed the checks for it. What I do know is I have this fancy little card…” as he pulls out his wallet to show me his card. “I think it is RFID, but all I know is that I wave my wallet