Online Book Reader

Social Engineering - Christopher Hadnagy [39]

at the time. Preloading from a social engineering standpoint involves knowing your goal before you start. In this case, I didn’t know I was going to try and land a crazy job with this guy. But preloading still worked.

In most social engineering cases it would be much quicker, but I think the principles apply. Being as genuine as you can is essential. Because preloading involves the person’s emotions and senses, give them no reason to doubt. The question you ask should match your pretext. For preloading to work you have to ask for something that matches the belief you built into them. For example, if my offer had been to go visit my client’s family and take pictures rather than manage his apartment complex, it wouldn’t have matched the belief system he had of me, namely that I was a smart, business-minded, caring young man. Finally, the offer, when made, must be of benefit to the target, or at least perceived as a benefit. In my case, there was lots of benefit to my client. But in social engineering the benefit can be as little as “bragging rights”: giving the person a platform to brag a bit. Or the benefit can be much more and involve physical, monetary, or psychological benefits.

Practicing elicitation and becoming proficient at it will make you a master social engineer. Logically, the next section is how to become a successful elicitor.

Becoming a Successful Elicitor

Analyzing just my own experiences, I can identify some key components that led to my success from five years old to now:

A lack of fear to talk to people and be in situations that are not considered “normal.”

I truly do care for people, even if I don’t know them. I want to and enjoy listening to people.

I offer advice or help only when I have a real solution.

I offer a non-judgmental ear for people to talk about their problems.

These are key elements to successful elicitation. The United States Department of Homeland Security (DHS) has an internal pamphlet on elicitation it hands out to its agents that I was able to obtain and archive at www.social-engineer.org/wiki/archives/BlogPosts/ocso-elicitation-brochure.pdf.

This brochure contains some excellent pointers. Basically, as stated in it and in this chapter, elicitation is used because it works, is very hard to detect, and is non-threatening. The DHS pamphlet approaches elicitation from a “how to avoid” point of view, but the following sections take some of the scenarios and show you what can be learned.

Appealing to Someone’s Ego

The scenario painted in the DHS brochure goes like this:

Attacker: “You must have an important job; so and so seems to think very highly of you.”

Target: “Thank you, that is nice of you to say, but my job isn’t that important. All I do here is…”

The method of appealing to someone’s ego is simplistic but effective. One caution, though: Stroking someone’s ego is a powerful tool but if you overdo it or do it without sincerity it just turns people off. You don’t want to come off as a crazy stalker: “Wow, you are the most important person in the universe and you are so amazing-looking, too.” Saying something like that might get security called on you.

Using ego appeals needs to be done subtly, and if you are talking to a true narcissist avoid eye rolls, sighs, or argumentativeness when she brags of her accomplishments. Subtle ego appeals are things like, “That research you did really changed a lot of people’s viewpoints on…” or “I overheard Mr. Smith telling that group over there that you are one of the most keen data analysts he has.” Don’t make the approach so over the top that it is obvious.

Subtle flattery can coax a person into a conversation that might have never taken place, as stated in the DHS brochure, and that is exactly what you want as a social engineer.

Expressing a Mutual Interest

Consider this mock scenario:

Attacker: “Wow, you have a background in ISO 9001 compliance databases? You should see the model we built for a reporting engine to assist with that certification. I can get you a copy.”

Target: “I would love to see that. We have been toying
