Social engineering makes headlines because human behavior is often the weakest link of even well-defended targets. Automated social engineering tools can help reclusive hackers dabble in these techniques, but the study of how to hack human interactions in person is often ignored. Today, we will examine how to use subtle, hard-to-detect persuasion techniques to compromise a human target.
Where have all the great conmen gone? The clever ones who would get people excited about splitting a fake winning lottery ticket and then let the victim gleefully drive to an ATM to stuff cash in the thief's pocket?
They haven't vanished; they've simply become a disruptive and unpredictable element in the growing ranks of hackers and techno-criminals. These threats may lack the technical computer skills of advanced persistent threat hackers or nation-states, but their knowledge of exploiting human behavior allows them to accomplish goals which, from a technical perspective, may otherwise be impossible.
Zero-day exploits and malware frameworks are the conventional weapons of the current cold cyberwar. These tools are bought and sold on the market for their predictable technological effects, yet skilled social engineers regularly buck this trend to produce stunning effects through knowledge of how human organizations work from a psychological perspective. While a pile of malware and zero-day exploits can cost you a lot of money, an attractive or persuasive person with a USB stick can accomplish the same result quickly and cheaply.
Human hacking is an evolving art, but people as a whole can be persuaded to act in largely predictable ways. These predictabilities vary by culture and region to some degree, but will almost always apply. In our advanced social engineering series, we'll cover using persuasion, power, identity, and stress to increase the likelihood of a successful social engineering attack.
Many of these techniques were developed by the US government to replace torture after the CIA banned the practice. The intelligence community asked leading scientists to help develop a framework for getting information from a target that may not trust you or may actively hate your guts. The techniques are so powerful that persuasive people can change a target's perspective of themselves, their own position in life, or the significance of the data and access they possess. Skillful persuasion aims to lead the target to feel as though they have come to these conclusions independently.
The extent to which any of these techniques will work varies depending on several factors, including the target's willingness and ability to consider perspectives other than their own, their intellectual capacity and curiosity, and the range of beliefs they were exposed to as a child. You may also consider external factors which can persuade and influence the target, such as family, friends, and business partners who might influence their perception.
The persuasive framework is a set of core principles that can be applied to developing social engineering tactics that are subtle, powerful, and hard to detect when used correctly. Each can be applied to persuade a target to behave in relatively automatic ways — without much thought on their part.
How many times have you done a small favor for someone you like? Whether it's getting the door or requesting the Wi-Fi password, people like to say "yes" to people they like. We respond automatically to people we like, and "liking" can be broken down into a few key attributes that people respond to:
- Physical attraction is a powerful factor that people are hard-wired to respond to, and many people are particularly susceptible to this honeypot approach.
- In general, people like people who are similar to themselves or have attributes or beliefs in common. Determining cross-cutting identities can be key to positioning yourself as someone similar to the target.
- Social style, such as the way in which a target talks and conducts themselves in public, can also be mirrored to appear more likable to a target.
Through research of a person's interests and social contacts, a social engineer can create an association with something or someone the target already knows and values. Giving convincingly authentic praise and compliments, when appropriate, will also sway a target towards liking a social engineer.
To some degree, nearly all societies include a pressure to obey, or at least listen to, an authority figure. Whether it's a police officer, doctor, lawyer, government official, or ticket collector, we are all expected to take these people's requests more seriously. In the context of social engineering, it pays to be an authority!
People's respect for authority can be exploited by taking on roles like "doctor," "specialist," or "CEO." Pretending to be in a position of power that might be advantageous to the target may get them to bend the rules to please you, or to avoid upsetting you.
People also derive context from appearance and the way others treat you. A business suit and official-looking work badge can be enough to make employees suddenly stop texting, worried you're someone important they haven't met yet. In taking on the role of an authority figure, it's important to consider characteristics such as speech, writing, and other physical aspects like grooming and clothing to match who you say you are. A security guard and a visiting executive can both boss around a new employee, but both dress and act differently. Match your role!
Feeling the need to return favors is nearly universal and can be used as a tactic to lure people into doing something they otherwise wouldn't consider. We all love getting free stuff, but the pressure to reciprocate naturally drives us to want to do something in return.
People are hard-wired to want to balance social relationships and will respond to this feeling of indebtedness, even if the person doing the giving isn't otherwise very likable. Using reciprocity can be very effective because what pressures the target to reciprocate is a feeling of imbalance, rather than a conscious thought process or deliberation.
Even when the initial gift or offering is small or relatively insignificant, studies show that people are driven to reciprocate, and they will do so even when the request is much larger or more significant than what was initially given. This effect is so powerful that it even applies to uninvited gestures, provided the gift or favor provides some real value.
Psychology teaches us that the more committed someone is to an idea or opinion, the more important it is to them to appear consistent in what they do, say, and believe. All people share this desire to some degree or another, as failing to do so can make one appear inconsistent or untrustworthy.
This hardwiring can be exploited by leading a target to take an initial position consistent with your desired outcome. Con artists frequently do this to pressure people into making a decision they would otherwise never make if they weren't feeling defensive. Carefully study a target to understand which issues it is personally important for them to be consistent on, such as religious beliefs, professionalism, or social causes.
The desire to appear consistent is powerful and can even cause a target to act against their own best interests. People have a notoriously hard time backing down from a position once stated out loud. Guiding a target to state a position or belief can apply intense internal pressure to live up to that statement later.
Some social engineers are naturally skilled at getting people to initially say or commit to things that are stupid or hasty. They subsequently challenge the target to live up to their own statements, either to distract them or to pressure them into doing something they would otherwise refuse to do.
When people don't know what to do, they look to their peers to feel comfortable. Whether it's a business owner trying a new product, a person checking Amazon reviews before making a purchase, or skimming through Yelp reviews before visiting a restaurant, the core need for social validation is hardwired into us.
In new situations, people look to the behaviors of others to understand how to act and what to do. In particular, people pay special attention to the behavior of those who are the most similar to themselves (or how they see themselves). Many small businesses will make purchases simply because their competitors use the same product and assume that the product has earned the trust of their peers.
If you can create a situation where the appropriate behavior is impossible or difficult to determine, you create the opportunity to employ this tactic through peer validation.
People feel uneasy in unfamiliar situations, and they will tend to assume others around them know more about the situation than themselves. Because of this, a target will often take any information provided at face value, allowing the target to be persuaded to take actions they might otherwise not feel comfortable taking. Even otherwise cautious or skeptical people can be convinced to do things like give their credit card number, password, or other sensitive information if they see peers exhibiting the same behavior as though it were expected.
Social proof works best when a target is put in an uncertain environment and is presented with examples of behavior from people who appear similar to themselves. Casually mentioning examples of peers or similar organizations behaving the way we wish to persuade the target to behave can lower any resistance to taking an action they otherwise might hesitate to do.
Resources are finite, and we all hate the feeling of a deal slipping through our fingers. Limited time offers, limited availability, and rare items grab attention because humans are hardwired to prize items that are scarce or hard to find. This effect is greatly amplified when someone has something scarce or valuable (or feels like they were going to receive it) and then loses it. The scarcity of an item that is desirable will invoke a feeling of craving for the item in question, and this can be enhanced by using tactics like deadlines to create artificial pressure.
This tactic works best when something becomes newly scarce, particularly when it involves something the target is used to receiving. Implying that there is a limited amount, only enough for a few people, or only availability for a certain window of time is a tried-and-true method of making people commit to things they don't want to for fear of losing out. While this tactic has been around for a long time, scarcity still makes the human mind scramble to get its share of whatever valuable thing it fears may become unavailable.
Humans are as hackable as any system, and these frameworks of persuasion can help you begin to utilize exploits in human behavior to bypass technical hurdles. Securing the cooperation of a target through social engineering can slash the time and resources required to complete an objective, and a good red team knows that humans are always the weakest part of a system.
Stay tuned for my next tutorial on the persuasive framework — identifying core concerns and how to exploit them — and make sure to keep an eye on Null Byte for more hacking tutorials. You can ask me questions here or @sadmin2001 on Twitter or Instagram.