Social Engineering - Christopher Hadnagy [40]
Expressing mutual interest is an important aspect of elicitation. This particular scenario is even more powerful than appealing to someone’s ego because it extends the relationship beyond the initial conversation. The target agreed to further contact, to accept software from the attacker, and expressed interest in discussing plans for the company’s software in the future. All of this can lead to a massive breach in security.
The danger in this situation is that now the attacker has full control. He controls the next steps, what information is sent, how much, and when it is released. This is a very powerful move for the social engineer. Of course, if the engagement were long-term, then having a literal piece of software that can be shared would prove even more advantageous. Sharing usable and non-malicious software would build trust, build rapport, and make the target have a sense of obligation.
Making a Deliberate False Statement
Delivering a false statement seems like it would backfire right away, but it can prove to be a powerful force to be reckoned with.
Attacker: “Everybody knows that XYZ Company produced the highest-selling software for this widget on earth.”
Target: “Actually, that isn’t true. Our company started selling a similar product in 1998 and our sales records have beaten them routinely by more than 23%.”
These statements, if used effectively, can elicit a response from the target that contains real facts. Most people feel compelled to correct wrong statements when they hear them. It’s almost as if they have been challenged to prove they are right. The desire to inform others, to appear knowledgeable, and to be intolerant of misstatements seems to be built into human nature. Understanding this trait can make this scenario a powerful one. You can use this method to pull full details about real facts out of the target and also to discern who in a group might have the most knowledge about a topic.
Volunteering Information
The DHS brochure makes a good point about a personality trait many of us have. A few mentions of it have appeared in the book already and it’s covered in much more detail later on, but obligation is a strong force. As a social engineer, offering up information in a conversation almost compels the target to reply with equally useful information.
Want to try this one out? Next time you are with your friends say something like, “Did you hear about Ruth? I heard she just got laid off from work and is having serious problems finding more work.”
Most of the time you will get, “Wow, I didn’t hear that. That is terrible news. I heard that Joe is getting divorced and they are going to lose the house, too.”
A sad aspect of humanity is that we tend to live by the saying “misery loves company”—and how true it is in this case. People tend to want to share similar news. Social engineers can utilize this proclivity to set the tone or mood of a conversation and to build a sense of obligation.
Assuming Knowledge
Another powerful manipulation tool is that of assumed knowledge. It is commonplace to assume that if someone already has knowledge of a particular situation, it’s acceptable to discuss it with them. An attacker can deliberately exploit this trait by presenting information as if he is in the know and then using elicitation to build a conversation around it. He can then repeat the information back as if it were his own and continue to build the illusion that he has intimate knowledge of the topic. This scenario is best illustrated with an example.
One time I was going to China to negotiate a large deal on some materials. I needed to have some intimate knowledge about my target company in the negotiations and had to find a way to get it before I met with them. We had never met face to face but I was heading to a conference in China before my negotiations started. While at the conference I happened to overhear a conversation starting about how to place yourself in a higher position when dealing with the Chinese on negotiations.
I knew this was my opportunity, and to make