Of the $11.7 million companies lose to cyber attacks each year, an estimated 90% begin with a phone call or a chat with support, showing that the human factor is clearly an important facet of security and that security training is seriously lacking in most companies. Between open-source intelligence (OSINT) — the data that leaks out to public sources just waiting to be collected — and social engineering — manipulating people into telling you what you want to know — there’s much about information security that has nothing to do with strong login credentials or VPNs.
There’s great training available if you know where to look. The first time I heard about WISP (Women in Security and Privacy) was last June on Twitter when they announced their first-ever DEFCON Scholarship. As one of 57 lucky participants, I had the chance to attend my first DEFCON and Black Hat, and learn about their organization.
Apart from awarding scholarships to security conferences, WISP also runs regional workshops in lockpicking, security research, cryptography, and other security-related topics. They recently hosted an OSINT and Social Engineering talk in San Francisco, where Rachel Tobac (three-time DEFCON Social Engineering CTF winner and WISP Board Member) spoke about Robert Cialdini’s principles of persuasion and their relevance in social engineering.
Cialdini is a psychologist known for his writings on how persuasion works — one of the core skills of social engineering. It is important to note that while Cialdini’s principles are being applied in the context of social engineering, they are also useful for other means of persuasion, such as bartering for a better price at an open market or convincing a child to finish their vegetables. It is recommended that they are used for legal purposes and that they result in positive consequences for targets. Let’s work through the major points from Tobac’s talk and see if we can learn a little bit about this craft.
Reciprocity
One of the most common online dating tips is to start off conversations with information about yourself. If you open up to people, most of them will likely return with information about themselves.
There’s often a sense of social obligation that comes along with this — if someone pays for your meal, you feel obligated to pay for theirs the next time you go out. Likewise, once you start offering information about yourself over the phone with a member of customer support they will most likely feel more comfortable talking about themselves, establishing rapport early on in your conversation. This is true even if it’s fake information you made up for the purpose of vishing — the over-the-phone equivalent of phishing.
Commitment & Consistency
Most people don’t like to go back on something they’ve already agreed to. Starting off your conversation with your target in a friendly and helpful tone will allow the rest of your conversation to remain at the same level of amicability. Soft questions, such as asking them about their pets or finding things you have in common, are the easiest techniques for building up consistency for the future.
If you start off small, with subtle commitments, you can eventually build your way up to convince your target to download malware or visit a suspicious website.
Social Proof
We all have a tendency to trust larger groups, especially if these groups are our close family and friends. Even a stranger associated with a group that we’re close to will make us instantly more trusting of them.
One technique often used in social engineering attacks is name dropping a relative or coworker as a means of gaining the trust of the target. On the off chance that the target starts to press for more details than you prepared, re-direction (“Oh, I think I’m getting another call on my end… what were we talking about again, by the way?”) can be a good way to avoid suspicion.
Liking
For in-person social engineering attacks, imitating the body language, cadence, and even word choice of your target can put them at ease and lead them to be more trusting of you. Subtle factors — having similarities, giving them compliments, cooperating with them towards a mutual goal — can make you more likable, and thus easier to work with. Even for vishing attacks, using slang that your target uses or speaking in a similar tone as they speak in can help you be more relatable.
Authority
Stanley Milgram was a social scientist famous for experiments about people’s obedience to authority figures. He showed that people were willing to obey an authority figure in a white lab coat despite the morally questionable acts they were told to perform. When you start looking into it, you may be surprised at the lengths we’ll go to in order to obey authority. People are more likely to follow what credible experts and leaders tell them to do. In a company setting, employees are likely to do as they’re told if the instructions are coming from their boss or someone above them in the hierarchy of their workplace.
Scarcity and Urgency
If you rush someone at their job, they’re probably going to be less careful and make more mistakes, which is exactly what you want as a social engineer. Setting up situations conducive to this — such as pretending to be in an airfield waiting for your airplane to take off or in a house with a crying baby — can make your target more receptive to quickly doing as you tell them to do without question. In the video below, a DEFCON social engineer uses this technique quite effectively to perform a SIM swap and lock the journalist out of their phone.
The vast majority of the time spent on a vishing or in-person social engineering attack goes into gathering information ahead of time. This includes social media research (60% of a company’s sensitive information can be found on public Instagram posts), dorking (doing targeted searches on a company to find private documents and information), and picking a target.
Often, photos found by searching Instagram geolocations and hashtags can reveal information such as the operating system, email client, and antivirus used by a company. It can even reveal the landline phone and printer models used by the company, their office layout, and vendors they use (which can be spoofed to obtain information on the company’s finances).
Many times sensitive documents have accidentally made their way into search results. Google dorking — performing searches such as site:google.com filetype:pdf OR filetype:docx to obtain files that were not originally meant for public viewing — can help with uncovering internal company documents and policies. These can help an attacker establish general logistics about how the company works, how their IT and helpdesk is structured, and even lingo used inside the company.
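As an added defensive example (not code from the workshop or the original post), here is a Python audit that takes a list of your own site's document URLs and checks which ones a search engine could actually index, which is the exposure dorking relies on. The robots.txt, URLs and response headers are constructed samples, and example.com is a placeholder domain.

```python
"""Audit which of our own site's documents a search engine could index."""
from urllib import robotparser
from urllib.parse import urlparse

# Constructed sample: the robots.txt our own site would serve.
ROBOTS_TXT = """User-agent: *
Disallow: /internal/
"""

# Constructed sample: (url, HTTP status, response headers) as captured
# from our own server with a plain GET, no cookies.
SAMPLE_RESPONSES = [
    ("https://example.com/reports/q3-budget.pdf", 200,
     {"Content-Type": "application/pdf"}),
    ("https://example.com/internal/it-helpdesk-policy.docx", 200,
     {"Content-Type": "application/octet-stream"}),
    ("https://example.com/hr/onboarding.pdf", 200,
     {"Content-Type": "application/pdf", "X-Robots-Tag": "noindex"}),
    ("https://example.com/finance/vendors.docx", 401,
     {"WWW-Authenticate": "Basic"}),
    ("https://example.com/index.html", 200, {"Content-Type": "text/html"}),
]

# The file types the page's dork query targets.
DORKABLE_EXTENSIONS = (".pdf", ".docx")


def load_robots(text):
    """Parse a robots.txt body into a RobotFileParser (stdlib)."""
    rp = robotparser.RobotFileParser()
    rp.parse(text.splitlines())
    return rp


def is_indexable(url, status, headers, rp):
    """True if a well-behaved crawler could fetch and index this URL."""
    if status != 200:
        return False  # auth wall or error: nothing for the index
    if not rp.can_fetch("*", url):
        return False  # robots.txt Disallow, honoured by major engines
    if "noindex" in headers.get("X-Robots-Tag", "").lower():
        return False  # fetched, but explicitly kept out of the index
    return True


def exposed_documents(responses, robots_txt):
    """Return the document URLs that would show up in a filetype: dork."""
    rp = load_robots(robots_txt)
    return [url for url, status, headers in responses
            if urlparse(url).path.lower().endswith(DORKABLE_EXTENSIONS)
            and is_indexable(url, status, headers, rp)]
```

Note that only the 401 case is a real control: robots.txt and noindex keep a document out of search results, but anyone who already knows the URL can still download it, so an audit hit should be fixed with authentication, not a crawler hint.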
Attackers often adopt the persona of someone who actually works for the company, making it harder for the victim to figure out that a social engineering attack is in progress through a quick search of who they claim to be. This can be accompanied by a spoofed telephone number (something easy to do for free online).
The workshop ended with an OSINT capture-the-flag, where teams of players were instructed to find as much information as they could about a target company from open-source information. Actually vishing a company, however, is against the law unless there are legal steps taken to ensure that the attacks are being done as a way for the company to pen-test their own security.
From the perspective of a defender, this is all incredibly alarming information. Not only are good social engineers difficult to distinguish from actual employees, contractors, or HR professionals, but they’ll be armed with a toolbox of information to use to gain your trust and tap into your intuitive sense of safety.
One tactic that works against social engineers is asking to return the call or to send them an email. Because social engineers usually spoof their phone numbers, a quick call will reveal that they weren’t the person they were impersonating after all. Having a polite paranoia is especially important for client-facing employees, such as support staff and IT professionals.
Furthermore, having 2FA-protected accounts is important. In the case of busting a social engineer, soliciting a security verification — like asking them for a call or email back — can be the difference between being the victim of a hack and staying diligent in the face of cybersecurity threats.
If you have the chance to attend DEF CON, I’d recommend sitting in for one of the open SECTF challenges. It’s quite an experience watching ordinary competitors sit in a glass box and convince companies to give up their most sensitive information for a chance to make friends with ‘Sarah from HR’.