Social Engineering - Christopher Hadnagy [84]
Combination approach: One interrogator may combine two approaches to have maximum effect. This would be decided upon based on the suspect’s personality.
As a social engineer you may use the same technique—combine your attacks and approaches for maximum effect. For instance, after you discover some personal details about a target—such as their favorite local bar—you can approach the target and start a conversation. Such a tactic, especially when employed in a relaxed atmosphere, can go a long way toward opening people up.
Indifferent approach: This approach is very interesting because the interrogator acts as if he does not need the confession because the case is solved. At that point the interrogator may try manipulating the suspect into giving his side of the story.
As a social engineer you may not be able to use this approach unless caught. If you’re caught in an area or situation you should not be in, you can act indifferent rather than afraid of having been caught. Acting indifferent can make the person who caught you less alarmed and afford you an opportunity to dispel any worries. Kevin Mitnick (see Chapter 8 for more on Mitnick) was great at this technique. He had the ability to think quickly on his feet. Also, acting indifferent when he was in a precarious situation allowed him to get away with a lot.
Face-saving approach: The interrogator should rationalize the offense, giving the suspect a way out and an excuse to confess and save face. An interrogator should not make the excuse so good, however, that the suspect can use it in court as a defense.
A social engineer can really utilize this approach. An interrogator does not want to give someone too good an excuse, but a social engineer does. You want the excuse to be so good the target doesn’t even need to think before rationalizing it as an excuse for complying with you.
One approach is to say a higher-level person asked you to be there. You can follow this up by saying, “I can understand how you might feel now, but I don’t even want to imagine how upset Mr. Smith will be if I don’t fix that massive e-mail blunder before he returns on Monday.” This approach gives the target the ability to save face and comply.
Egotistical approach: This approach is all about pride. For it to work you need a suspect who is very proud of an accomplishment. Bragging on good looks, intelligence, or the way the crime was performed may stroke his ego enough that he wants to confess to show that, indeed, he was that smart.
In social engineering gigs this method is often used. Playing up someone’s accomplishments gets them to spill their deepest secrets. In the case of the U.S. nuclear engineer in China (refer to Chapter 3), social engineers loaded the man with compliments, and he spilled the beans and divulged information he shouldn’t have.
Exaggeration approach: If an interrogator overexaggerates the case facts, the suspect may admit to what was real. One example would be an interrogator accusing a thief of wanting to commit rape and saying, “Why else would someone break into a bedroom in the middle of the night?” This often causes the suspect to admit to only wanting to steal and not commit rape.
You can also use this approach by overexaggerating the task you are there to perform. By overexaggerating the reason for being there you can give the target a reason for providing you lesser access. For example, you can say, “I know Mr. Smith wanted me to fix his computer personally because he lost a lot of data, but if you don’t feel comfortable with that, I can potentially fix his problem from another computer in the office.”
Wedging the alibi: A suspect seldom confesses his transgressions all at once. Getting him to make minor admissions,