Social Engineering - Christopher Hadnagy [82]

whether on the phone or in person, often involves a pretext of some sort. The pretext, of course, supports your storyline or theme. This part of the interrogation is where you offer reasons or support for the pretext (see Chapter 4 for a refresher on pretexting).

For example, in one audit my pretext was very simple—I was just an employee who belonged. Armed with a trade publication I found in the trash, I followed a few employees through the door and past the security guard. As we approached the security guard I began a very simple conversation with one of the employees about an article in the journal. All of my actions contributed to theme development. Your goal is to give the people who would normally stop you justification for not doing their job.

The more you fit in, the less you stand out, and the easier it is for security guards and the like to justify not stopping you and letting you in.

Handling Denials and Overcoming Objections

Whether on the phone or in person, what is the plan of action if you are denied access to the place or information you are seeking? I like to call these conversation stoppers. People use them with salespeople all the time, “I’m not interested.” “I don’t have time right now.” “I was just leaving….”

Whatever flavor of stopper targets throw out, you must have a plan to overcome it and handle the denial of access. I like to preemptively dismiss objections if I feel the situation warrants.

When I was in sales, I worked with a man named Tony who had a tactic that involved knocking on a door and introducing himself, and without pausing saying, “I know you might want to say you are not interested, but before you do, can you answer this one question: Is five minutes of your time worth $500?”

At this point, the person was much less likely to say, “I’m not interested.” By diminishing the possibility of denial and following up with a question, Tony was able to get the target to think about something else besides her objection.

In a social engineering engagement you can’t walk up to the security guard and say, “I know you don’t want to let strange people in the door but…” because it would raise way too much suspicion. Using this methodology to overcome objections is much more complex for social engineers.

You have to think about what objections might arise and organize your theme, story, dress, and person to pre-empt those objections. Yet you still have to have a good answer to give for when objections come up. You can’t just run out the door or hang up the phone. A good exit strategy enables you to come back to attack later on.

An exit strategy can be as simple as, “Well, ma’am, I’m sorry you won’t let me in to see Mr. Smith. I know he will be greatly disappointed because he was expecting me, but I will give him a call later and set up another appointment.”

Keeping the Target’s Attention

If you handled your social engineering move correctly up to this point and you are in front of the target, then the target may start to think about what would happen if she does not allow access, take the file, or do what you are asking. You need to feed off of that inherent fear and use it to continue to move the target to your goal.

A few short statements like, “Thank you for your help. I was so nervous about this interview that I obviously put the wrong date down in the calendar. I hope that Mrs. HR Manager is some place warmer than here?” Allow for a response then continue, “I want to thank you for your help. When will she be back so I can call to make another appointment?”

Presenting an Alternate Route

When you are interrogating the target in a social engineering audit, the possibility exists that your first path will not be greeted with smiles, so having a lesser but just as effective path of action ready is a good idea.

Maybe you have used all these tactics to try to get Sally, the receptionist, to let you in to see Mr. Smith. The tactics are all failing and you are being shut down. You should have an alternative path prepared, such as, “Sally, I appreciate you have to make sure things are done by
