Wednesday, May 7, 2014

The Simpler the Pretext, the Better the Chance of Success



“The simpler, the better” principle just can’t be overstated. If the pretext has so many intricate details that forgetting one will cause a social engineering failure, it is probably going to fail. Keeping the story lines, facts, and details simple can help build credibility.

Dr. Paul Ekman, a renowned psychologist and researcher in the field of human deception, cowrote an article in 1993 entitled, “Lies That Fail.” In that article he says:

[t]here is not always time to prepare the line to be taken, to rehearse and memorize it. Even when there has been ample advance notice, and a false line has been carefully devised, the liar may not be clever enough to anticipate all the questions that may be asked, and to have thought through what his answers must be. Even cleverness may not be enough, for unseen changes in circumstances can betray an otherwise effective line. And, even when a liar is not forced by circumstances to change lines, some liars have trouble recalling the line they have previously committed themselves to, so that new questions cannot be consistently answered quickly.

This very salient point explains clearly why simple is better. Trying to remember a pretext can be almost impossible if it is so complex that your cover can be blown by a simple mistake. The pretext should be natural and smooth. It should be easy to remember, and if it feels natural to you, then recalling facts or lines used previously in the pretext will not be a task.

To illustrate how important it is to remember the small details, I want to share a story with you. Once upon a time I tried my hand at sales. I was placed with a sales manager to learn the ropes. I can recall my first call with him. We drove up to the house, and before we left the car he looked at the info card and told me, “Remember, Becky Smith sent in a request card for supplemental insurance. We will present the XYZ policy. Watch and learn.” In the first three minutes of the sales call he called her Beth and Betty.

Each time he used the wrong name I saw her demeanor change and then she would say quietly, “Becky.” I feel we could have been giving away gold bullion and she would have said no. She was so turned off that he couldn’t get her name right that she was not interested in listening to anything. This scenario really drives home the point of keeping the simple facts straight.

In addition to remembering the facts, it is equally important to keep the details small. A simple pretext allows for the story to grow and the target to use their imagination to fill the gaps. Do not try to make the pretext elaborate, and above all, remember the tiny details that will make the difference in how people view the pretext.

On the other hand, here is an interesting tidbit: A popular tactic used by famous criminals and con men is to purposely make a few mistakes. The thought is that “no one is perfect,” and a few mistakes make people feel at home. Be cautious with what types of mistakes you decide to make if you employ this tactic because it does add complexity to your pretext, but it does make the conversation seem more natural. Use this tip sparingly; however you decide to proceed, keep it simple.

Let me tie all this together with a few examples that I have used or seen used in audits. After some excellent elicitation on the phone, a nameless social engineer had been given the name of the waste removal company. A few simple Internet searches and he had a usable and printable logo. There are dozens of local and online shops that will print shirts or hats with a logo on them.

A few minutes of aligning things on a template and he ordered a shirt and ball cap with the logo of the waste company on it. A couple days later, wearing the logo-laden clothing and carrying a clipboard, the social engineer approached the security booth of the target company.

He said, “Hi, I’m Joe with ABC Waste. We got a call from your purchasing department asking to send someone over to check out a damaged dumpster in the back. The pickup is tomorrow and if the dumpster isn’t repairable I will have them bring out a new one. But I need to run back there and inspect it.”

Without blinking, the security officer said, “OK, you will need this badge to get onsite. Just pull through here and drive around the back and you will see the dumpsters there.” The social engineer had a free pass to perform a very long and detailed dumpster dive, but he wanted to maximize his potential, so he went in for the kill with this line. While looking at his clipboard he said, “The note says it is not the food dumpsters but one of the ones where paper or tech trash goes. Which block are those in?”

“Oh, just drive the same way I told you and they are in the third bay,” replied the security guard. “Thanks,” said Joe.


This was a simple pretext, backed up by clothing and “tools” (like the clipboard), with a storyline that was simple to remember and not complex. The simplicity and lack of detail actually made this pretext more believable, and it worked.

Another very widely used pretext is that of the tech support guy. This one only requires a polo shirt, pair of khakis, and small computer tool bag. Many social engineers employ this tactic to get in the front door because the “tech guy” is usually given access to everything without supervision. The same rules apply: keeping the storyline simple will help make this particular pretext very real and believable.
