Social Engineering or: How I Learned to Love a Flash Sale

Disclaimer: This was originally written as a blog post for a social engineering graduate class. It was developed to give non-InfoSec and everyday folks an explanation of what social engineering is. Hopefully it is something you could hand to your parents, or to the grandmother who just got hired at your company.

There's a misconception that social engineering is only used by nation-state actors, thieves, and used car salespeople. What people miss is that social engineering is all around us. It's in the media we consume, in the habits we have, and in the bonds we form with people. By demystifying social engineering, we can help people understand that this isn't some fringe concept employed only by the mischievous and malicious, but something that everyone uses. It's easier to guard yourself against the everyday spring rain shower than it is against a nuclear holocaust.

Scarcity

Each of us can probably remember a time we fell for the "Call within the next 5 minutes!" commercial or the "Flash Sale! Today Only!" offer at our favorite clothing store. It might surprise some people to learn that this common marketing technique is just another form of everyday social engineering. In social psychology it is called the scarcity principle: the tendency of people to place a higher value on resources that are in short supply. We've all seen the wild blitz that is Black Friday, one of the biggest events of the season for "getting the best deal of the year" and beating the crowd to that one prized purchase. You can find deals throughout the holiday season, but marketing departments would love to have you believe that only on Black Friday will you get the best prices. By creating the feeling that the best sale of the year happens only on that day, and that coming in later means missing out, companies manufacture an air of scarcity.

Of course, while a hacker might not be trying to convince you to buy a new TV, they might just as easily be trying to convince you to hand over your personal information. Recently there has been an influx of auto warranty scams. Many of these calls open with the line "This is your final call regarding your expiring auto warranty," sending whoever picked up scrambling for their information, thinking this is their last chance to fix a problem with their car's warranty. The similarities between these auto warranty scams and marketers' flash sales are uncanny. Scammers are employing the same techniques to rob you of your personal information that marketing departments use to pry open your wallet. The tell, in both cases, is the manufactured deadline: a genuine warranty provider or bank does not need an answer in the next five minutes, so the safe move is to hang up and call back on a number you looked up yourself, not one the caller gave you.

Liking

Have you ever needed a favor from a friend and tried to flatter and sweet-talk them before asking for what you needed? We can probably all picture the child telling their parents how much they love them before asking for ice cream. We're all guilty of it. We want people to like us, and we know that if they do, they are more likely to help us out. After all, when was the last time you were willing to go out of your way for someone you didn't like? Unsurprisingly, we don't normally think of this as social engineering, but in reality that is exactly what it is. Buttering someone up is persuasion and social psychology being used to gain an advantage.

Unfortunately, criminals are using these techniques as well. To paint an example, imagine a friendly, smiling individual coming up to you and saying that they heard through the grapevine that you might be able to help them. They are kind looking and flatter you by letting you know how helpful your coworkers think you are. Their request that you print their resume off their flash drive seems a little strange, but the last thing you want is for them to think you're not helpful. So far they have been cordial, pleasant, and complimentary. You go ahead and plug in their flash drive, unknowingly installing a trojan, and print their resume for them. Strikingly, they have used the same techniques on you that the ice cream loving child used on their parents. The flattery is the attack; the drive merely carries the payload. The request itself is the thing to notice: a simple rule of never plugging outside media into a work machine, and of pointing visitors to the front desk or a print kiosk instead, is far easier to follow than judging a stranger's sincerity in the moment.

Open Source Intelligence (OSINT)

Your child gets invited to a playdate with a new friend. For most of us, I'd imagine the first thing we would do is Google the friend's parents. You get invited on a date with someone you just met on Tinder. Wonder if they happen to be on Facebook? The latest water cooler gossip is that Jim in accounting got a DUI this weekend. Think there's any chance it might show up somewhere online? For a lot of us, the first reaction is to Google, whether that is for how to fix a broken washing machine or for details on this week's interviewee. It's relatively standard at this point to Google not only ourselves but each other. As a society we're always looking for just a bit more information, and if that means Googling someone, then grab a computer.

As with the trend, malign actors are using the same practices we use on a daily basis. The difference between Googling Jim in accounting and what these malign actors are doing is that they use the information to build a profile of you, me, and everyone else so they can craft better phishing. Knowing, for example, that someone donates to a specific charity or plays in a local softball league, you can imagine how easy it would be to write a targeted phishing email asking them to confirm the details of their latest donation or next weekend's match. What we do every day to follow up on the latest gossip is what criminals do every day to create more convincing ploys. This is also why the details a message gets right are not proof that it is genuine: anything you have posted publicly is available to the attacker too.

What can we do?

By recognizing that social engineering isn't some exotic practice employed only by spies and hardened criminals, we can begin to guard against it. Once you can recognize the techniques being used against us, and by us, on an everyday basis, you can far more easily spot them when they are being used for harm. Knowing what is happening on Black Friday helps you understand what is happening when you get an automated call about your car warranty ending; the pressure is the same, only the goal has changed. It's not about fearing the everyday, but about realizing that we already practice guarding against these techniques every day, and that the extreme cases use nothing new.
