In this issue
- Influence vs. Manipulation
- Social-Engineer News
- Upcoming Classes
- What's coming...
- Social Engineering Penetration Tests
The team at Social-Engineer is really excited to announce our brand new service - The Social-Engineer Mastermind Group.
Check out the schedule of upcoming training on Social-Engineer.com
Las Vegas, Black Hat July 2013
We are limiting the number of attendees in each class to 22 and under, so first come, first served.
- 5 days of groundbreaking training
- The Social Engineering Penetration Testing Course guide
- Special tools to enhance your SE practice
- A Chance to take the first ever Social Engineering Pentesting Certification
- Lots more
If you want to ensure your spot on the list register now - Classes are filling up fast and early!
Do you like FREE Stuff?
How about the first chapter of Chris Hadnagy's Best Selling Book: Social Engineering: The Art of Human Hacking?
If you do, you can register to get the first chapter completely free. Just go over to http://www.social-engineer.com to download now!
Check out the awesome music of Dual Core - IT geek, Rapper and all around awesome guy...
What's coming up..
If you want to listen to our past podcasts hit up our Podcasts Page and download the latest episodes.
We want to say thank you to our sponsors this month:
- Spy Associates for continually giving us some awesome products to test out.
- The EFF for supporting freedom of Speech
- Want a very cool website? Check out Social-Engineer.Org's graphic and web dev at Tick Tock Computers.
A special thanks to our Editor:
John 'J' Trinckes, Jr
Check out Robin Dreeke's amazing book called "It's Not All About 'Me'", packed with the top 10 techniques for building rapport fast. It is an awesome book!
Influence vs. Manipulation
Oftentimes, the words influence and manipulation get thrown around interchangeably. In this newsletter, we’d like to spend some time discussing influence and manipulation and compare and contrast the two. When should you use manipulation? Which is more beneficial? Are there negatives associated with both? The two concepts are closely related and, to the untrained individual, can appear the same. While they do share similarities, they are not the same. Let’s start by defining the two terms.
“Influence is the process of getting someone else to want to do, react, think, or believe the way you want them to.” Source: Chris Hadnagy, Social Engineering: The Art of Human Hacking.
Manipulation is defined as “exerting devious influence over a person for your own advantage”.
Now that we’ve defined the terms, let’s dive into them to get a good understanding.
Influence comes in many different forms. Each type of influence can be used by itself, or you can combine methods of influence for an even stronger reaction. We highly recommend you read Influence by Robert Cialdini for a full, in-depth look into the principles of influence and how to master them. For purposes of this newsletter, we’ll briefly discuss the types of influence and the types of manipulation so you can see how they compare and contrast.
Reciprocity can be summed up simply as the “golden rule”: treat others as you would like to be treated. When we give someone a gift, they naturally feel indebted to us. This feeling of indebtedness triggers reciprocity in your target and makes them much more likely to fulfill a request. We cover this topic extensively in Volume 3, Issue 39 of our Newsletter, titled “Giving to Receive”.
The obligation principle is much like reciprocity, but instead of feeling indebted to someone and the need to return the favor, the feeling is generated from moral, societal, or legal obligation. For instance, saying “thank you” when someone says something nice is an example of obligation triggered by societal norms. How can we use obligation as a social engineer? Simply ask a question. Your target, when questioned, will feel an obligation to respond. It would be sort of weird if you asked someone a question and they just remained silent, staring at you, right? Giving tidbits of information can also trigger obligation. Your target will feel obligated to also divulge some information.
Concession is the act of giving up something you want, or appear to want, so your target gives up something they want. This technique is used every day in sales. A good way to use concession is to start with a large request, something much more than you actually want. When your target declines, you say, “OK, how about this...” and you ask for something smaller in scope. In reality, the final, smaller request was what you were after from the beginning. This is also referred to as the door-in-the-face technique.
We’re all familiar with scarcity in our daily lives. We witness it every day. Long lines outside tech stores on launch day of a new product, the Twinkie-pocalypse which sent the price of Twinkies into the stratosphere, and the mad rush of Black Friday shopping deals are all examples of scarcity in action. A social engineer can also use time, resources, and availability to achieve a desired outcome.
We are taught from a young age to respect authority and to listen to those in positions of authority over us. As a social engineer, positioning yourself as an authority over your target can aid greatly in generating compliance. Calling a call center employee, pretending to be a Senior IT member, or security guard will go a lot further in generating compliance vs. calling and masquerading as a janitor or mail clerk. Your vocal tone, clothing, body language, and job title are all things a social engineer can use to gain influence through authority.
Commitment & Consistency
Humans love consistency. It makes us feel good to interact with a consistent person because it conjures thoughts of stability, wisdom, and confidence. As a social engineer, consistency can be shown when formulating and executing your pretext. A mailroom clerk has no business calling and asking for a password, but an IT guy would. If you’re playing the role of a janitor, don’t wear fancy shoes or jewelry. Fit the part. Commitment comes into play by getting your target to say “yes” to requests. Getting the target to say “yes” to a request increases the chances they’ll say “yes” to future requests. For example, asking your target to do seemingly innocent and mundane things like, “can you hold this for a second” or “can we step over here to talk, out of the way” triggers commitment, and the target desires to remain consistent. After getting a few “yes” responses, move on to your real request.
The simple fact is, people like people who are like them. Expanding on that, people really like people who like them. Getting someone to like you is paramount, and its importance cannot be stressed enough. As social engineers, we can project confidence, establish rapport (for the definitive guide to rapport building, check out Robin Dreeke’s It’s Not All About ‘Me’), synchronize with our target (body language, speech rate, etc.), and communicate effectively. People will go to great lengths to do things for people they like.
Social proof is a very, very powerful form of influence. Social proof is where a group or person begins to think that something is good, acceptable, or OK based on the fact or idea that he/she thinks others view it as good or acceptable. Your target will feel pressure to comply if you make them think their peers agree or act in the way you’re requesting. One of our favorite examples of social proof is this elevator experiment. The participants get the target to stand in ways completely out of the norm while inside an elevator simply because everyone else is doing it.
Influence and manipulation are closely linked; the difference is that when a social engineer uses manipulation, the goal is to introduce stress, anxiety, or discomfort to their target in an effort to achieve the desired goal.
It’s important to note that while manipulation tactics work, often very effectively, they introduce your target to negative feelings. These negative feelings make it extremely difficult to continue using the target as an information source. If your goal is to use your target as an ongoing source of reliable information, we would caution against the use of manipulation. Use these tactics sparingly and only after careful consideration of the possible repercussions.
Let’s take a look at some types of manipulation.
Oftentimes, under stress, people will be more susceptible to suggestion and manipulation. As a social engineer, you will want to increase your target’s stress level by altering their emotions. Fear and anger are emotions that are good at increasing stress in a target.
Environmental control refers to manipulating your environment under false pretexts that would cause your target to act in a way he or she normally wouldn’t. For instance, using a sexually attractive woman to seduce and perhaps engage in sexual activity with the target (especially if the target’s married or a prominent member of society). The goal here is information extraction and even blackmail. This tactic is used extensively by spy agencies around the world.
Forced reevaluation is when you present your target with facts or “facts” that contradict their beliefs, rules, or instructions received. An example is giving the illusion that you or your target may face negative repercussions unless they do something you request, even though the request goes against what they know is protocol.
Removing Their Power
Removing someone’s control, or their perception of control, removes their power. People want to feel in control and when they don’t, they often make wrong decisions. Making your target rush and forcing your target to make decisions without allowing them to think removes their control of the situation and increases their likelihood of compliance.
The reality is, punishment or threat of punishment can be a great way to manipulate and influence someone, but it’s very unethical and we don’t promote use of this tactic. In some very rare situations, in a multi-person engagement, punishment may be used as a ruse to elicit feelings of sympathy in your target if your target witnesses your co-conspirator being punished.
Intimidation can be used in a lot of different ways. You can make your target feel that you have authority over them or that you’re in control of a situation. Looking busy or rushed can also intimidate people around you. Speaking forcefully, using piercing eye contact, as well as aggressive facial expressions are also ways to intimidate your target.
As you can see, influence and manipulation are closely linked, but one leaves your target feeling, or has the potential to leave your target feeling, poorly. We usually recommend using influence over manipulation because it preserves your target for future use and prevents your target from feeling negatively. Ask yourself, “Can I achieve the same goal using influence without manipulation?”
Influence is one of the greatest things a social engineer can master. It does take time, but it’s worth it. I recently used reciprocity and scarcity to obtain a home address of a target by calling and pretending to be an employee of a gym my target attended. I told him he was randomly selected to win a free 1-year pass to the gym and that we already gave 9 away and he was the last one selected. He promptly gave up his home address to me as reciprocation for the scarce gifts. He even confirmed his birthday and last 4 digits of his credit card “on file”. What a nice guy!
Written by: Eric “Urbal” Maxwell
We want to thank the sponsors for the Defcon 21 SECTF
As part of the newsletter group, you will be the first to receive special offers to services and products by Social-Engineer.Com.