Human Psychology

With social engineering, you are not working with hardware or software, but wetware. Wetware is the human element of computing. People are naturally trusting of others, and social engineers exploit this to their advantage.

Social engineering is essentially the art of persuasion. Social psychology defines seven types of persuasion:

• Conformity

• Logic

• Need based

• Authority

• Reciprocation based

• Similarity based

• Information based

Conformity Persuasion

Conformity persuasion relies on peer pressure. If the target person believes that everyone else is doing it, he is likely to conform and do the same. An example of conformity persuasion is impersonating a help desk staff to obtain access to a telecommuter computer:

PenTester: Hello, this is Dave. I am with the help desk, and I am calling to do routine maintenance on your system.

VictimUser: Really? I have not heard about the help desk doing routine maintenance on our computers.

PenTester: Yeah, we just started doing it last quarter. We have been doing it for all telecommuters. I just finished up doing all of the computers in the northeast region. In fact, most of them have reported a significant improvement in the speed of their computer after I get done.

VictimUser: Really? Well, if others are seeing better performance, I want to be a part of it, too. What do I have to do?

PenTester: Oh, you do not have to do anything. I am able to do it all remotely, but to do this, I need access to your VPN username and password to get in.

VictimUser: You are able to do it all remotely? That is amazing! Well, my username is jdoe, and my password is letmein.

PenTester: Great! Thank you for your help. I will VPN in to your computer and perform our routine maintenance. It should only take a few minutes.

At this point, you have just obtained the logon name and password of the user to give you access to the company network.

Logic Persuasion

With logic persuasion, the social engineer relies on logical arguments to obtain access. This is best deployed by presenting two true statements followed by a conclusion that results in your favor. For example, by impersonating a help desk technician, you can acquire a password through the following technique:

PenTester: Hello. This is Mike, and I am with the help desk. As you know, security is an important concern for networks today. (first true statement)

VictimUser: Yeah, I read about it everywhere. It is amazing how many networks are being broken into because administrators are leaving their systems unprotected.

PenTester: Well, my job is to make sure all systems are protected by ensuring secure passwords. I am sure you want to make sure your computer is secure, right? (second true statement)

VictimUser: Absolutely.

PenTester: So, I want to make sure you are using a secure password. (conclusion) I am going to walk you through changing your password and give you an example of a secure password. We will go ahead and do this now. Press Ctrl-Alt-Delete and click Change Password.

VictimUser: Okay.

PenTester: For your new password, type ABC123!!. By using a combination of letters, numbers, and special characters, we have made your password harder to guess. Get the idea?

VictimUser: Yes. How often should I change my password?

PenTester: Well, we just changed it, so you should be set for a while. I will call again in a few months when it is time to change it again.

Here, by stating two true statements, you are able to present a conclusion. The victim is already agreeing to the two previous statements, so he is likely to agree to the third.

Need-Based Persuasion

With need-based persuasion, because people generally want to help out fellow human beings, you can present a need that the victim user can assist you with, such as giving you a password. A classic example is calling the help desk of a large corporation as a new employee:

PenTester: Hello? Yes, I just started here, and I need some help.

VictimUser: Well, you called the right place. How can I help you?

PenTester: I am supposed to create a report and print it, but I do not know my username and password.

VictimUser: What is your name?

PenTester: It is Andrew Whitaker.

VictimUser: Hmmm... I do not show you in our directory. Are you sure a username and password were set up for you?

PenTester: No, my boss said it was set up, but this is the first time I have needed to log into the network. Can you set me up real quick?

VictimUser: Sorry, but I cannot do that without authorization from your supervisor.

PenTester: Oh, my supervisor just went into a meeting with a client. I am supposed to be printing this report to show the client, and I am afraid to interrupt my supervisor during this important meeting. Can you please just help me? I just started here, and I do not want to set a bad impression to my boss.

VictimUser: Well, we are not supposed to, but I guess I can help you. Your username is going to be awhitaker, and your password is going to be password123.

PenTester: Thank you!

When you are doing need-based social engineering, the target might be hesitant, like the help desk technician was in the previous example. If this happens, increase your emotional response. People are emotional beings and often curb policies to help someone if they feel an emotional connection. In the preceding example, the penetration tester appealed to desperation to cause the help desk technician to empathize and want to help.

Authority-Based Persuasion

Authority-based persuasion is a popular method that offers great results. Here, you masquerade as someone in a position of authority. Commercials on television do this all the time, having athletes tell you about their favorite deodorant or shoe. They are not experts on these products, but because they are pop culture figures, people listen to them. In social engineering, the same tactic can be used by acting like a person in a high position. This is most commonly done by impersonating executive-level management:

PenTester: Hello, this is John Doe. Is this the help desk?

VictimUser: Yes, sir. How can I help you?

PenTester: I am trying to dial in from home, but it is not working. I think I deleted the existing configuration. What do I need to do to get it to work?

VictimUser: Let me walk you through it.

Note

It is a federal crime in the United States to impersonate a federal police officer and a state crime to impersonate a state or local police officer.

At this point, the help desk technician would proceed to walk the PenTester through the steps for setting up remote access connectivity. They would provide the phone number and probably the username and password if asked. If not, the PenTester would appeal to emotion by acting annoyed at the help desk technician, which would make him feel that he might get into trouble if he does not give PenTester the executive password. The PenTester now has access to dial in to the company network and gain access to sensitive data.

Note

You might be wondering how you would know the name of the executive when you are from outside the company. Most websites offer profiles on each of their executives. Often, they include a picture. From this information, you can get the name, sex, and approximate age of the executive. You only need someone of the same sex and approximate age to call in and impersonate the executive. Because most help desk personnel do not speak to executive-level management on a regular basis, they probably would not be able to tell if the voice were different. Besides, voices over a phone line always sound slightly different than they do in person, especially if you are calling from a cell phone.

Reciprocation-Based Social Engineering

Reciprocation techniques involve asking someone to do you a favor in exchange for doing that person a favor in the future. It is similar to the car salesman acting as if he is doing you a favor by saving you money in exchange for buying a car. Although it seems like he is doing you a favor, he really is doing no such thing.

A good example of this is when a dot-com company was moving into a new data center. The social engineer discovered this because the company issued a press release about it. The social engineer waited outside the building until he found employees carrying office supplies from their old location. He offered to give someone a hand in carrying in the supplies. When they got to the front door, which was secured by a card reader, he explained that he had left his card at home. He asked the employee to let him in just this once. Because he had done the employee a favor by carrying supplies for her, she obliged and let the social engineer into the building. After he was in, he walked to a row of empty cubicles with new computers. He started grabbing them and carrying them out of the building. Because everyone was used to seeing people carry equipment around during the move to the new building, no one thought twice about it.

Similarity-Based Social Engineering

Similarity is another technique that is often used in sales. It deals with appealing to the personal tastes and hobbies of the target person to build up a positive rapport with him. For example, most companies have a section outside designated for smokers. As a penetration tester practicing social engineering, you can hang out around this area until someone else walks out and begins smoking. You engage in a conversation and try to find out more from the employee:

PenTester: Have any kids?

VictimUser: Yes, I have three boys.

PenTester: Really? So do I! (Even if you do not, you act as if you have many similarities with the employee.) How old are they?

VictimUser: 9, 11, and 14.

PenTester: Oh, that is just about the age of my children. They are 10, 12, and 14 (Do not make it exactly the same because then it gets eerie.)

VictimUser: No way! That is such a coincidence.

You continue to discover more about the employee, agreeing with each point he makes. Over the course of a few minutes, you build up a friendly relationship with this person. When she heads back into the building, you walk in with her, even though the building might have a strict policy against letting others into the building without a badge. She feels familiarity with you, and she trusts you now. At the heart of every social engineering tactic is exploiting the trust of others.

Information-Based Social Engineering

The last type of social engineering technique is using an information-based request. Here, you give enough information to show that you know what you are talking about. For example, you might show up at a company saying you are with a computer consulting firm and have been asked to look at the router. If you then proceed to discuss routing protocols, access lists, and other technical information known only to those who work on routers, the victim employee will believe you and grant you access.