Why Social Engineering Works

By:The_Eccentric
Most company’s don’t really take social engineering seriously.  Many penetration testers and computer security experts will tell you most company’s don’t care about security until they get hacked. This is a depressing thing to see and hear for the guys you are entrusted with protecting your company but joyful news to someone who has  intent on doing some social engineering attacks on your company. In this weeks post where not focusing on what is Social Engineering but the philosophical question WHY social engineering works and types of targets to exploit using social engineering.

Why perform a social engineer attack?


To test the stability of physical security controls.
To test the level of (and even improve) security conscience among staff.
To give your staff experience at identifying the tactics that social engineers may use.
To teach your staff on how to deal with social engineering situations.
To provide valuable data to support your recommendations on both security awareness training and physical security improvements.
In (part1) we will go through the reasons behind and motivation of “why” along with examples of types of targets to use social engineering exploints against.

Reasons and Motivations

*People follow gernally instructions – If you can convince someone that you are someone in a position of authority, they are more than willing to follow any instructions that you give them, sometimes even if it goes against their better judgement.
*People want to be helpful – For those of us that live in the United States, apologies to my international friends, the environment we live in is very service oriented, it values helping other people and being generous, also it is a basic human nature to want to help others.
* People are trusting by nature – It is also a basic human nature to be trusting people. This sets up prefectly for a social engineer because they are masters in lies and deception. How many times have you seen people willing say yes to most request from you, by just being polite and respectful. This tendency to trust authority persists even in adults. In fact, some people have noticed that simply by pretending that they are important they can get people to regard them as an authority. (Note: 1)

Greed

The “Passwords for candy” law of reciprocal  works great here. Also the “I scratch your back you scratch mine” type of logic and “if I give you X amount of money will you  give me documents or information about client Y”. People always want to know what’s in it for them, what are they going to be getting out of the deal. Unfortunately this is one of the most unethical but widely used mindsets in todays culture.

Complacency

It’s easier to give people information to get rid of them 🙂 This type of exploit works good on lone wolfs or the independent worker that can’t stand to work with someone they believe to be less incompetence and or more emotional than themselves. The very thought of groups project annoy’s them. They prefer to avoid having to deal with mundane politics and gossip without logic. Their logic tells them that the quickest and easiest way for them to get you out of their face is give them what you want (intel), so often they would not have to think twice about giving you what you seek just to get rid of you.

Fear(of getting into trouble for not doing their job)

People don’t like confrontations. When your are impersonating someone important or superior the average Joe won’t normally be willing to confront you about your credentials. He or she doesn’t want to risk the embarrassment of looking stupid or fear of loosing his or her job by questioning someone who asserts to have positional authority over them. Doing things such as walking around with confidence and assertiveness, carrying a clip board, wearing the proper clothes, etc all are effective in helping to pull off this role. Just as pets can smell fear humans, people can tell if you are not confident or fearful, so you will be unsuccessful at trying to play the role of someone superior.

Type of targets where social engineer is likely to be successful

In this section, I go a little further in types of targets where social engineering is most likely to success. This is not a golden rule but some good guidelines which you can follow.(This is not intended to offend any individual or group.  Please do not take this information out of context)

Elderly People

This has been going on by insurance salesmen for a very long time. Elderly people are very easy to target because they can be more sympathetic  and more likely to fall for a charity scam. One that they can relate would be something associated with AARP, Red Cross, American Cancer Society, etc..  The elderly can  be kind-heated and overly trusting and easy to confuse with technical talk.

Women

They have been getting exploited with superficial social norms for years ranging from make up, fashion, material possessions, jewelry, etc.. With women your more likely to get far if you attack their emotions (get in touch with your emotional side). Women are more comfortable talking about emotions than about logic. They also pay attention to detail on fashion. Wear some name brand clothing that will help you to get noticed in a positive way, or bring up a converstion on subjects dealing with fashion. One quick way to build some rapport, is to avoid sports and or technical subjects, unless you see evidence that she’s interested in these subjects (wearing a hockey jersey, carrying a laptop, has books on technical subjects, etc.)  Complements go far with women.  Using compliments or talking fashion normally plays of well when social engineering the lady at the front desk. Try to play off her insecurity’s as-well, Toss light compliments if you  envision some steady work at the site. Tell her she looks nice with whatever shes wearing. Pay a lot of attention to detail, especially her hair. If she changes her hair style  compliment her on it. Trust me women love the attention. After softening her up in this manner, then see how willingly she beomes to handing over information.  I cannott stress this any more don’t OVER do it. You might come off as creepy or seen as being a sexual harasser. You need to be smooth. If you are not smooth today, shadow and learn from someone who is. Its all about progression.

Disgruntled Employees

The only thing worse then getting social engineered is getting social engineered from within your own company. There is no better person to get valuable and accurate information about a company than a person who works inside the company and hates it there. A good way to go about a company your work is to try to befriend employees who seem to be disgruntled. Try to start up conversations with them on topics about work, have an pessimistic view about it to gain rapport quickly. Agree with the negative things they say. After gaining more rapport,  ask little yes or no question about their job and other specific things. Try to let them do all the talking.  Your are just there to lead them into the areas where you need the information. After a while they should be have spilled all they know about what ever you wanted to know.
(part 2) coming soon….
Also if you have any questions or comments leave in the comment section at the bottom.  If want some more real-time contact and want to join the community come join us on IRC.  irc.freenode.net #SEunited
Notes
1http://www.erichufschmid.net/Sheeple_Psychology_Main.html
2http://2010.brucon.org/index.php/Training_3