In this issue
- A Primer on Priming
- Social-Engineer News
- Upcoming Classes
- What's coming...
- Social Engineering Penetration Tests
The first ever SEORG T-Shirt Contest has ended and the Winning Design has been chosen.
Many are asking how they can get some awesome Social-Engineer Schwag... we have opened up a new SCHWAG Store for those of your coming to Defcon 20!
Join Chris at Hack France for a couple speeches and some good ol'fashion french hacking fun!
Social-Engineer.Com has launched their Social Engineer Penetration Testers course. It is literally the first of it's kind. As a subscriber to the newsletter you are getting first dibs on knowing where and what is happening.
July 2012 Las Vegas NV for Black Hat - SOLD OUT
Nov 2012 Bristol UK - Some Seats Still Available
Detroit MI - March 4-8, 2013
We are limiting the number of attendees in each class to 22 and under, so first come first serve.
- 5 days of ground breaking training
- The Social Engineering Penetration Testing Course guide
- Special tools to enhance your SE practice
- A Chance to take the first ever Social Engineering Pentesting Certification
- Lots more
If you want to ensure your spot on the list register now - Classes are filling up fast and early!
Do you like FREE Stuff?
How about the first chapter of Chris Hadnagy's Best Selling Book: Social Engineering: The Art of Human Hacking?
If you do, you can register to get the first chapter completely free just go over to http://www.social-engineer.com to download now!
UNSUBSCRIBE by sending an email to email@example.com
Check out the awesome music of Dual Core - IT geek, Rapper and all around awesome guy...
To contribute your ideas or writing send an email to firstname.lastname@example.org
What's coming up..
If you want to listen to our past podcasts hit up our Podcasts Page and download the latest episodes.
Want to say thank you to our sponsors this month
- Spy Associates for continually giving us some awesome products to test out.
- The EFF for supporting freedom of Speech
- Want a very cool website? Check out Social-Engineer.Org's graphic and web dev at Tick Tock Computers.
A special thanks to our Editor:
Dan 'Ming' Sharp
John 'J' Trinckes, Jr
Check out Robin Dreeke's amazing book called "Its Not All About Me" packed with the top 10 techniques to building rapport fast. It is an awesome book!
A Primer on Priming
In the world of persuasion, priming is your first move; a move most will never know was made. Priming is placing your target into your desired frame of mind before you attempt to persuade them. Priming can be the difference between a successful Social Engineering attack and epic failure.
Scientifically defined, priming is an implicit memory effect in which exposure to stimulus influences a response to a later stimulus. Implicit memory is the opposite of conscious or explicit memory and deals with the unconscious memory. Remembering to call your mother, remembering to pick up the dry cleaning, or remembering where health bonuses are located on a map of your favorite video game are all examples of explicit or conscious memory dealing with recollection. Operating through a distinctly different mental process, implicit memory allows you to perform tasks without consciously thinking about how the task is performed such as riding a skateboard or mixing records on a turntable.
In order to understand priming, we must first understand implicit memory. Only recently has much attention and study been paid to implicit memory. Studies over the past 20 years have shown that a large portion of our daily mental process is done unconsciously. Implicit memory allows for previous experiences to aid in future decisions or for previous experiences to set the stage for how we will act or react to a situation. Implicit memory has also been shown to lead to the illusion-of-truth effect. A 1977 study by Hasher, Goldstein, and Toppino where individuals were shown 60 plausible statements every two weeks and asked to rate the validity of said statements showed that the more often a person read a specific statement, the more validity that person gave to the statement, regardless if it was true or not. Statements were regarded as true even if the participant did not remember previously hearing the statement. In fact, participants even rated statem
ents they had heard repeatedly as true, even after being told the statements were false! This is our implicit memory at work.
Another study, performed in 1989 by Arwas, Rolnick, and Lubow took two groups of people and gave them a flavored carbonated drink. One group was then exposed to motion sickness. The participants, after experiencing the ills of motion sickness, then developed an aversion to the taste of the carbonated beverage given to them previously. Interestingly, the test group was made aware that the drink did not contribute to their motion sickness, but the test group still avoided the drink. A type of implicit memory called procedural memory is responsible for this unconscious link between the flavored drink and illness. This type of implicit memory is the same type of implicit memory that allows us to remember how to tie our shoes.
Implicit memory is cited as the reason for increased performance over time in a study focusing on the Tower of Hanoi puzzle, a complex puzzle requiring dozens of steps to complete. In this study, conducted in 1996 by Kolb and Whishawm, two groups of individuals were profiled. One group has severe brain trauma resulting in heavily impaired long-term memory. The other group showed no mental impairment. Both groups of individuals showed the same rate of progression on the puzzle over time, even when the mentally impaired group could not even remember seeing the puzzle even once previously. Consciously, the impaired individuals had no knowledge of the puzzle; let alone how to solve it. However, unconsciously, they had retained as much knowledge about the puzzle as the test group with no impairment. This indicates they were using their implicit or unconscious memory as opposed to their explicit, conscious memory.
Priming is the process in which your brain reacts to stimuli in a way that enhances its ability to process future stimuli which relates to the priming stimuli. In other words, your brain unconsciously builds relational networks which it uses as reference when faced with something similar. Priming your target is like planting little seeds and shaping those neural networks in a way that you can leverage later.
One of the many interesting things about priming is that it works with related sets of data, not only identical sets of data. Because of this, priming and implicit memory is also cited as one of the core causes of stereotypes. For instance, in 1996, John Bargh conducted a study on stereotypes where participants were primed with words made to conjure images of elderly people. Words like Florida, retirement, forgetful, wrinkles, etc. were used to prime the subjects. The results were stunning. The participants who had been primed exited the testing area walking slower than the neutral test group, and slower than they did while entering the testing area, even though there were no words used that explicitly mentioned speed or slowness. A similar study was conducted using three groups of individuals all primed differently. Group A was primed with rude words, Group B primed with neutral words, and Group C was primed with polite words. The results showed that
after priming, Group A was most likely to interrupt the interviewer, followed by Group B, and least offending was Group C, the group primed with polite words.
What would happen if you primed your targets with polite words or words of compliance? They will act more polite and more compliant toward you. This would work well in situations where there is someone between you and the place you would like to be. For instance, imagine you show up for a job interview. Your intent is not to interview for a job, but instead to gain access to the restrooms where you can drop a USB stick labeled wife’s sexy shots or payroll data. While waiting in the lobby, prime the secretary with words of politeness and words of compliance. Perhaps tell a story where politeness and compliance is the overarching tone. Doing this will dramatically increase the chances that your request to use the restroom is granted without suspicion or hesitation. This technique would also work quite well if your attack vector involves a telephone call to a sales department or a customer service department. Prime them with words relating to giving
, sharing, and trust and you will be surprised at how much more willingly they will give up information at your request.
Advertisers have been aware of priming for years. Food companies use priming to deliberately make us eat more and crave snack foods. A famous Yale study by Harris, Bargh, and Brownell conducted food priming experiments in adults and children and concluded that when exposed to food advertising, children and adults consumed up to 45% more snack foods after being exposed to the primes. Similar to the stereotype study results, the increase in food consumption was not directly tied to the specific product used in the advertisements. Because of the way our brain relates things, when snack foods were advertised, consumption of similar snack foods increased.
Political campaigns have use priming with great success in push polling. Push polling is a nefarious technique in which political campaign supporters masquerade as pollsters with the explicit intention of planting seeds of thought into the minds of those they contact. These pollsters have no interest in actually collecting data for analysis that is not the point of these polls. The point is to unconsciously influence the people they’re speaking to. A pollster might ask a potential voter a question, such as, If you found out that Senator Cooper had a sex addiction, would you be less likely to vote for him?. The actual answer is immaterial; the potential voter has been primed. What the pollster did was create an association between Senator Cooper and antisocial or deviant behavior. In 1994 George Bush’s gubernatorial campaign used push polling by calling voters and asking them whether they would be more or less likely to vote for Governor Ric
hards if they knew that lesbians dominated on her staff. It was alleged that Bush’s campaign again used push polling in the 2000 presidential primaries when voters in South Carolina, a state known for having a deep history of racism and intolerance, Would you be more likely or less likely to vote for John McCain for president if you knew he had fathered an illegitimate black child?. In the 2008 presidential election, push polling was used against Barack Obama when Jewish voters were contacted and pollsters linked Obama to the Palestinian Liberation Organization. This technique is extremely efficient and is essentially a form of mass marketing by priming.
Colors can also have a profound priming effect on humans. The color orange, a combination of red and yellow, stimulates the appetite. Take a look at the logos and color schemes for fast food restaurants. They are all red and yellow. McDonald’s, Wendy’s, In-n-Out Burger, Burger King, and Carl’s Jr. all use red and yellow in their logos. Other fast food places that do not use red and yellow use either red or yellow such as Five Guys and Subway. The color red is the color of vitality and invigoration where yellow is the color of brightness and cheer. It’s not by accident that so many fast food chains use these color schemes. Green, the combination of yellow and blue, is a calming color that has a calming effect and can help in stress reduction. The color blue has the most calming effect of all the colors. Studies have shown that blue promotes trustworthiness. Experiments conducted show that people who wear blue appear more trustwor
thy than when wearing other colors. The color purple, a combination of red and blue, is associated with royalty. People wearing purple are looked as regal or with authority.
In addition to promoting vitality and generating feelings of invigoration, the color red has some interesting properties when worn by men and observed by women. A study published in the Journal of Experimental Psychology showed that by simply wearing a red shirt or being bordered by red hues made men more attractive and desirable to women. It was found that women view men in red as higher in status, more likely to make money and more likely to climb the social ladder. It’s important to note that while red increased the level of sexual desire, red did not increase the perception of kindness, likability, or sociability. If your strategy is to charm your female target, wearing red is a good idea and will give you an edge.
Colors can also have a negative priming effect when used too much. For instance, one can become tired, stressed, angry, or frustrated with too much red. Too much blue can promote depression and sadness.
A common attack technique for social engineers is to get your target to click a link sending them to an evil URL or to get them to open a PDF attachment containing exploits giving you access to the target’s computer. This can be done by either phishing to strangers, or by building rapport first with your target. In the realm of corporate espionage, if you first establish yourself as a trusted source, getting your victim to do as you wish becomes much easier. After you’ve identified your target and established communication, prime your target by first sending emails with legitimate articles or information that is interesting and noteworthy. After a few of these emails, your target will be primed to view your emails as a source of interesting information and will virtually eliminate any second guesses or hesitation in clicking your links or opening your files. This type of priming is called direct priming or repetitious priming.
All parts of our behavior are affected by priming. When approaching a target and engaging in conversation, use of aggressive words and tones will make subsequent communication by your target more likely to be aggressive in nature. The opposite is also true. By priming your target with passive, compliant toned conversation, you are increasing the likelihood that their subsequent interactions and conversations will have a passive, compliant tone. It’s like the old saying, do unto others as you wish they do unto you. You can set the tone of the conversation and actually increase compliance.
In addition to influencing the tone of the conversation, a type of priming, called semantic priming, can be used to prime a situation. A wonderful example of this in retail is in the case of Starbucks coffee. When you approach the counter to order a drink at Starbucks, the barista will ask you a carefully worded question, What can I get started for you?. The use of the word started infers that this is the beginning of something and that there is an ending that is separate from the beginning. Starting something infers that the task must be finished which draws your attention back to the bar and onto the food items. Your brain wants to finish your order, started with a drink, with something to eat.
Semantic priming can work with either verbal or visual primes. When priming with one modality, better results will be seen with future stimuli of the same modality. For instance, if primed with a word or set of words, future compliance is best generated with verbal stimuli, but, priming also works across modalities. You can prime with a visual prime and then follow up with verbal stimuli related to the prime and vice versa. You will get better results when being consistent but the point is it still works across modalities.
A Yale experiment took two groups of individuals. Each group was to conduct a quick interview with a potential job candidate and then determine if they would hire the individual based on their quick interaction. Both groups interviewed the same guy with the same set of questions in the exact same environment. Before the interview and meeting the candidate, the test groups were asked to hold a beverage. Group A was given a warm beverage; Group B was given a cold beverage. Across the board, the group primed with a warm beverage said they would hire the candidate, Group B, given the cold beverage, all said they would not hire the candidate! The simple act of priming the target with a warm beverage totally changed the outcome of the interview, all unconsciously. Next time you are performing an on-site penetration test, have a warm drink handy and find an excuse to get your target to hold it for you. The idea is that the warm drink triggers thoughts of comf
ort, warmth, and friendliness. These triggers change people’s perception of events after the priming.
You can capitalize on priming even if you were not the one who delivered the prime. A few years back one of those surprise home improvement shows came to my city. You know the ones where they take a deserving family, trick them into leaving for a week, rebuild their house from the ground up, and then bring them back to their home for the big reveal. Well, the big reveal was happening and my wife decided she absolutely must be a part of it. Begrudgingly, I accompanied her to the residential site where crowds of people had formed utilizing bleachers erected by the film crews and production companies. Oh, I almost forgot the best part. It was pouring rain. There we sat on the bleachers in our ponchos waiting for the big moment which might come in 5 minutes or perhaps in 5 hours. No one seemed to know. As if sitting there in the rain wasn’t bad enough, three feet from the side of the bleachers was a chain linked fen
ce diving the workers and film crew area and the spectator area. Compared to my current environment, the restricted area was Shangri La. It was covered with giant tents filled with heat lamps, dozens and dozens of doughnuts, tables full of snacks and sandwiches, pitchers filled with hot coffee, hot tea, and hot coco as far as the eye could see. There it sat, the restricted area, just a stone’s throw away, mocking me as I sat drenched in my plastic poncho.
I was determined to occupy the restricted area and shed myself from the damp and cold commoner area. I did a little reconnaissance and noticed there was one way in to the area. The entrance was guarded by a large gentleman with a jacket that clearly read SECURITY. I noticed as workers would walk into the restricted area they smiled and nodded in a familiar way to the security guard. The guard would nod back as the workers continued into the restricted area. I told my wife I would be back in a few minutes and left the pedestrian bleachers, looped back around, and headed straight for the entrance to the restricted area. As I approached the security guard I looked him straight in the eye, smiled, and nodded affirmatively. The guard, as anticipated, nodded back and didn’t think twice about allowing me into the restricted area.
You can imagine my wife’s surprise when she received a text message from me saying, Look to your right. Turning to her right, water dripping off her poncho, she was quite perplexed when she saw me dry, smiling, scarfing down my 3rd doughnut and sipping hot coco. After a few tips via text message, she got up the guts to try and join me using the same tactics I did. Needless to say we both spent the rest of the time under dry, warm tents eating snacks and drinking coco. We even managed to get on television for the grand reveal alongside everyone who actually did work on the project. They just assumed we were supposed to be there.
The reason this worked is because the security guard had been primed all day long. A smile and a nod, to him, meant access granted. Even though I wasn’t the one who primed him, I picked up on the patterns through observation and applied the same stimuli he had come to correlate with someone who was supposed to be there.
As a social engineer, priming is an invaluable tool in your ever expanding toolkit. Understanding priming gives you an edge over your competition, an edge that may mean the difference between a successful social engineering penetration test and an unsuccessful penetration test. By priming your targets you gain control over their psyche and can lead them, unconsciously, down whatever road you want to travel down.
written by: Eric "Urbal" Maxwell
As part of the newsletter group, you will be the first to receive special offers to services and products by Social-Engineer.Com.
Gold Sponsor for The Social Engineer CTF at Defcon 20:
Sponsoring our Kids SE CTF at Defcon 20:
Also check out our website sponsor: