Social Engineering - Christopher Hadnagy [72]
To me, this groundbreaking research proves that a person can manipulate another person to a certain emotional state by displaying subtle hints of that emotion. I have started conducting some research into this from a security angle and I am calling it “neurolinguistic hacking,” mainly because it takes much from microexpressions as well as neurolinguistic programming (discussed in the next section) and combines them to create these emotional states within a target.
Imagine this scenario. A social engineer wants to walk into a company with the goal of getting the receptionist to insert a malicious USB key into the computer. His pretext is that he has a meeting with the HR manager, but on the way in, he spilled coffee all over his last resume. He really needs this job and to help, would she print him out another copy of the resume?
This is a solid pretext that tugs on the receptionist’s heartstrings and has worked for me in the past. Yet, if the social engineer allows his own emotional state to run rampant, he might be showing signs of fear, which is linked to nervousness. That fear can translate to an uneasy feeling in the receptionist and to failure or rejection of the request. If, on the other hand, he were to control his emotions and flash subtle hints of sad microexpressions, which are closely linked with empathy, then he might have a very good chance of his request being honored.
Recall the previous discussion of the commercials that encourage people to donate “only a dollar a day” to feed a child in need. Before requesting money, before flashing a phone number and URL, before telling you that credit cards are accepted, many long images of very sad children flash across your TV screen. Those images of children in need and children in pain put your brain in the emotional state that is needed to comply with the request.
Do those commercials work on everyone? No, of course not. But although not everyone donates, it will affect almost everyone’s emotional state. That is how a social engineer can use ME to the fullest. Learning to exhibit the subtle hints of these ME can cause the neurons in your target’s brain to mirror the emotional state they feel you are displaying, making your target more willing to comply with your request.
This usage of ME can be malicious, so I want to take a moment to talk about a mitigation (see also Chapter 9). Being aware of how ME can be used doesn’t mean you need to start training everyone in your company to be an ME expert. What it does mean is that good security awareness training does need to occur. Even when requests are designed to make you desire to help, desire to save, desire to nurture, the security policy must take precedence. A simple, “I’m sorry we cannot insert foreign USB keys into our computers. But two miles down the road is a FedEx Kinko’s shop. You can print another resume there. Should I tell Mrs. Smith you will be a few minutes late?”
In this scenario, such a statement would have squashed the social engineer’s plans as well as given the target the feeling of being helpful.
To utilize the power of ME, sometimes you have to combine it with other aspects of human behavior as well. The second method for using ME as a social engineer, detecting deception, describes how you can do this. Wouldn’t it be nice if you could ask a question and know whether the response was the truth or not? This subject has been a source of heated debate among many professionals, some of whom claim that eye patterns, body language, facial expression, or a combination of all the preceding can indicate truth or deception. While some do not believe this to be the case, others feel these can be used as an exact science.
Although some