\"Quantcast\"/

Social Engineering And What It Can Do For You




When I was pursuing my master’s in Information Security, I took a class called “Web and Internet Security” and thought it was the best class in the program. One of the topics to securing your network was training your team to thwart social engineering hacks. There was this fantastic TV show that aired at the same time when I had the class called “Lie To Me” and you can watch all three seasons for free if you are an Amazon Prime Subscriber. Between the course and the TV show, I read a lot of books about reading body language, neurolinguistics programming, and social engineering.

I highly recommend reading this book: What Every BODY is Saying: An Ex-FBI Agent’s Guide to Speed-Reading People. As an example of reading body language, a friend of mine were picking up breakfast and there was a conversation in Spanish between him and someone else. Before we even reached this person she was smiling from ear to ear. From there, we knew they were extremely friendly. He complimented her hairstyle. How do I know? She immediately started touching it and running her hands through it and was glowing after that. She was a little extra flirty after that exchange. After we walked away and I understand very little Spanish, I asked my buddy to confirm my observations and was able to pinpoint it based off of her actions since that was pretty obvious.

Another must read book that I have read is: Social Hacking: The Art of Human Hacking. It’s a very fascinating book to start you off about Social Engineering. There are all kinds of examples in the book. Like talking your way into gaining access to a building, finding out if that C level executive is in the office, or convincing someone to install malware onto the computer through a simple “favor.” Con-artists are great examples of masters of social engineering.

One area of social engineering is pretexting which the book defines it as creating an invented scenario to persuade a target to release information or perform some action. In one a security assessment, they were targeting a financial firm and researching an executive.

Finding out what the executive’s interests were allowed Mati to find an easy way into the company, and it worked.

It turned out the executive was an avid stamp collector and Mati created an online stamp collection to tempt the executive to click on the links and fish for extra information.

 

Real World Example Scandal

Here’s an interesting example of using a forensic style way of reading the Ashley Madison leak. Based on the language, John McAfee was able to narrow down that the hacker was a female former insider.

Today, I can confidently claim that the single person is a woman, and has recently worked within Avid Life Media. I have provided IBTimes UK background information and pertinent elements of the woman’s data dump to prove both my access to the data and also to confirm elements of my research, under the strict conditions that it is to be referenced and then destroyed. The data I provided included such delicate material as the decoded password hash tables of every Avid Life and Ashley Madison employee, which I have also now destroyed.

As to gender of the perpetrator, there were a number of telling signs in the manifestos. The most telling was a statement calling men “scumbags” (for those readers that don’t speak American/Canadian English, this is a word that only a woman would ever use to describe men). In a separate section, the perpetrator describes men as cheating dirtbags. I think in any language this would suggest that a woman is speaking.

 

The way language is used can influence how you think. This is one area of social engineering that you need to keep in mind if you want to be successful. Late last year, I asked a question if the actions someone took was a genius travel hack or if it was fraud. When I wrote it, I was very careful choosing my words for you to not create an opinion before you made it to the end. I said that I’ll frame your mindset and I purposely gave you an excerpt that didn’t say he was a banker until the end.

 

Engineering

Real World Example Scandal #2

This one is my favorite of the recent examples. CIA Director John Brennan had his AOL email hacked using some good old fashioned social engineering. A teenager and a couple of accomplices were able to compromise not one, but two companies. He was able to talk his way through Verizon who have authentication protocols given this:

After providing the Verizon employee with a fabricated employee Vcode—a unique code the he says Verizon assigns employees—they got the information they were seeking.

After gaining some information from Verizon, they were able to talk their way through resetting the password to John Brennan’s AOL account more than one time. Impressive.

 

links

 

Build Some Rapport

I have been going to this one particular Walmart consistently for about a year. In the last 3 months, I have been going on a more frequent basis to take care of business. While I have always been friendly with many of the staff members and most times have been pretty smooth, I did lose my cool once because of one person.

In order to build rapport, I always made sure I did something out of the ordinary and make it unique to brighten their day. If I was called next and they were talking to a coworker, I let them finish their conversation. I will ask how their day has been, what their weekend plans are or were, and just make a conversation with them without much thought. It’s important not to distract them during the transaction.

They are people too and want to do something other than plug away at the money center! I’ve been talking to a friend on a non stop basis on gift cards for three maybe four months straight and it’s nearly become a job. I am burned out of it and have made it very clear I need a break from even just talking about it. The CSRs need a break too so chatting them up is a great way to spice it up.

Part of all the traveling and working with very diverse cultures, you will learn a few things. One of the things I learned I was able to apply. I noticed something the cashier had and asked a very polite question regarding it. As soon as I asked, first her reaction was surprise, quickly a little defensive, and just as fast to happiness that someone took the time to know her culture. Following our transaction, the cashier whipped out her phone and began showing me pictures of her family because of our exchange. Her shift was ending and she introduced me to a second cashier who I see on a consistent basis as well. I now have my way with two cashiers. As in, they will no longer ask me for a card with my name on it.

 

Building Rapport On Steroids

There was a limited time offer for gift cards that lasted about 4 weeks. Due to all the crazy things that have been going on with me, I was only able to take advantage of the deal on the weekends. Because of the limited time offer, there was no time to waste and do 3 months of regular visits like Walmart.

For 3 weeks straight, I went on Saturday and Sunday mornings. On the first trip, while queued, the cashier looked at us to see how many customers there were. At the time, the customer in front of her was taking a long time. When she looked over, I gave her a very simple smile and when she called next, we hit it off with some friendly bantering as soon as I arrived in front of her. It turned out she knew her stuff. I didn’t know the rules of the store like the max cards per transaction.

During the summer, I listened to this podcast from Planet Money about using your signature as verification. I thought the podcast fit perfectly when I was prompted to sign for the transaction. As my out of the ordinary thing, I just draw a straight line across as my signature. It turned out the POS automatically rejected a line as a signature and she found it very amusing.

In the subsequent weeks, like clockwork, I’d see her every Saturday. On the second visit, she was training a new cashier. During check out, I gave her a simple smiley face as my signature and asked if it worked. From there she explained to the new cashier the single line story and introduced me to him. Unfortunately, not every Sunday when I stopped by she was there.

However, the new cashier she trained has been there every other time I visited. Between the two of them, I was able to clean out the store. By the time both the promotion and I were done, there were no good gift cards left and have nearly maxed out every credit card.

 

Lessons To Learn

Anyone can do any of the things I’ve done. Matt has done it over the phone and I find that more difficult when he was able to use his American Express Platinum credits. He built rapport with the phone agent with shared details about his travel plans.

Just keep it simple, authentic, and be observant. Know the difference between hearing and listening.

8 comments… add one
  • Thanks for the quality post like this. This is very refreshing and informative as well. Keep it up and hope you will post something more like this often in the future posts too.

    Reply
  • Really excellent post, and something I’ve been subconsciously practicing and learning over the past few years! 🙂 It really helps when you naturally like people and strive to be genuine in all you do. People can tell genuinity and appreciate it. And it goes way beyond them doing whatever you want them to…I think of all these cashiers I’ve built rapport with almost on the same level as friends. Employees at Target and Simon have high turnover and I always felt sad when one told me they were leaving (but obviously happy since their next stage of life was always a great thing for them).

    When Redbird finally died for reals, I was actually sad not only because of all the easy cheap points I was missing out on, but that I would no longer see my awesome few Guest Services employees at Target every week. I hate driving, but I always dragged myself in every week, and always came out laughing and smiling and feeling great. I’m still going to go back and thank them for the months of kindness they’ve shown me, and give them some gift cards or bring snacks for them though, they deserve it. 🙂

    Really great post that I highly resonate with. Thanks for writing it up 🙂

    Reply
    • Thanks! It is tough when there’s a high turnover, but you can practice your craft!

      Reply
  • Best post I’ve read in a while. A LONG while!

    Reply
  • I guess I see it differently, perhaps I’m in the minority. I think this approach is anything but “authentic”. Why would you do this, other than the self-stated “I now have my way with two cashiers. As in, they will no longer ask me for a card with my name on it.” So if it’s store policy to accept only cards with names, you’ve found a way around that. Good for you. Perhaps you justify it by thinking that the policy is unfair or wrong or inconsistent with rules. To me this falls back to the title of the previous post that linked to this – “selling my soul”. But I guess we each have our own boundaries and limits.

    Reply
    • It’s funny, since publishing this post, the Walmart has gone sideways and a new policy has been put in place and they have been checking all the cards. It is likely attributed from the demise of Redbird with many people loading their Bluebird

      Reply

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.