This method involves throwing yourself at someone’s mercy or begging for help. This is an effective technique for getting assistance (particularly if you’re good at faking strong emotions) because it’s not something that a lot of people know how to deal with. Although people may be relatively informal with close colleagues, it’s only during times of great stress, pressure or a catastrophe in their personal lives (if then) that they show strong emotion or cry in front of them (let alone total strangers).
This approach has the ability to roll completely over the walls others build around themselves in a professional environment. When confronted by someone in genuine distress, people react in a variety of ways (usually with some degree of embarrassment) but the instincts of the vast majority of people will be to help if they can, regardless of the security consequences. By generating a sense of crisis, you imply urgency. Examples of the ways this technique can be used include:
• acquiring contact details (‘It’s an emergency!’).
• acquiring an elevated level of access to a system or asset therein or an area of a building (‘My contact’s off sick. If I don’t get this done, I’ll lose my job!’).
As with any social engineering scenario, it’s a good idea to put yourself in your target’s shoes and think how you would react in the circumstances.
64 AN INTRODUCTION TO SOCIAL ENGINEERING TECHNIQUES
Invoking the Power of Authority
One of the most powerful social-engineering attacks is using the ingrained tendency of target staff not to question those in a position of authority. This is a similar approach to inducing fear except that it is more subtle. In this instance, you don’t have to make it clear to staff that disobedience means loss of employment: people know where the rent money comes from.
To pull this attack off in a truly believable manner, it’s essential to have access to target hierarchy information in order to be sufficiently convincing. There are two approaches: the first involves directly masquerading as a figure of authority; the second involves masquerading as someone acting on their behalf. Exploiting the power of authority is a common technique when performing social-engineering attacks over the phone, particularly in corporate espionage attacks. The more junior and inexperienced the target, the more effective the attack becomes, as they have had less time to familiarize themselves with operational procedure and fellow staff members.
A common approach is to call the target in the guise of a senior project manager (preferably someone the target has not met) and give some excuse as to why you can’t access your data – for example, you’re on the road and have lost your BlackBerry – and request project documents for an urgent meeting. One of the benefits of using an authority figure is that they have the power to reward as well as punish. A clever social engineer understands this and will further motivate his target by promising that such assistance will not be forgotten. There are variants on this approach: your guise could be that of a manager at a client who needs a copy of all recent documentation. It is not uncommon for attackers to masquerade literally as figures of authority, such as police officers investigating a crime.
As Niccolò Machiavelli states in The Prince, ‘It is best to be both feared and loved; however, if one cannot be both it is better to be feared than loved.’ It is better for the social engineer to motivate staff in a positive manner if possible, but the ultimate motivator is always fear.
It might seem odd or unbelievable that people will respond to the concept of authority from people they don’t know, or think they know but can’t verify. However, this is one of the most successful approaches a social engineer can deploy and, like previous attacks, it employs a strong sense of urgency to achieve compliance from the target before they’ve had a chance to think things through. Companies should make it clear to their staff that there are no repercussions for failing to comply with instructions given over the phone from unverifiable sources.
TACTICAL APPROACHES TO SOCIAL ENGINEERING 65
Employing Ingratiation or Deference
This is a reverse form of the power-of-authority attack where you play to others’ perceived sense of importance. This is a form of manipulation where you acknowledge another’s power over you. You imply, ‘I know that I’m only a lowly cog in the great scheme of things but you have the power to make this happen, will you please?’
This attack works because you’re taking someone’s (often deluded) sense of being irreplaceable and important and making it real, at least for them and for a short period of time. Also, the more exaggerated a person’s sense of the importance of their position in the corporate machine, the lower down the rungs they tend to be, causing them to seek continual reinforcement of their own elevated worth.
Playing to people’s often erroneous perceptions of their own self-importance is not limited simply to authority per se. A few years ago, when I was doing a lot of consulting for various departments of the British government in London, it was common to hear the private sector consultants refer to the civil servants we worked with as ‘Mittys’ – a reference to Walter Mitty, a fictional character who lived in a delusional dream world where he saved people’s lives and did top-secret work. A person’s self-importance tends to be colored by their surroundings. For example, a doorman is letting you into his theatre and similarly a civil servant in a department concerned with security often thinks of himself as one step away from being James Bond. Psychologically, this is a compensation for the feelings of worthlessness and failure that a lot of people suffer from in this day and age. It’s mostly harmless, but you can turn it into an exploitable weakness with a correctly phrased request, such as, ‘Hi, I understand you’re the authority around here on such and such, everyone says so’ or ‘My knowledge on such and such is pretty weak, I’d really appreciate the input from someone in your position.’
What flattery would it take to get you to open up and talk? What would it take for someone to make you feel important? Would you be more forthcoming if they did?