In this issue
- Top 10 Tips From Con Men
- The Monthly News
- What's coming...
Social-Engineer.Com has launched its Social Engineer Penetration Testers course. It is literally the first of its kind. As a subscriber to the newsletter you are getting first dibs on knowing where and when it is happening.
The March class starts today - look for some posts on how it went coming soon.
No fear though, we have a few more classes coming up:
July 2012 Las Vegas NV for Black Hat
August 2012 Bristol UK
Nov 2012 Columbia MD
We are limiting the number of attendees in each class to 25 or fewer, so it is first come, first served. Each class includes:
- 5 days of ground breaking training
- The Social Engineering Penetration Testing Course guide
- Special tools to enhance your SE practice
- A Chance to take the first ever Social Engineering Pentesting Certification
- Lots more
If you want to ensure your spot on the list, register now - classes are filling up fast and early!
Do you like FREE Stuff?
How about the first chapter of Chris Hadnagy's Best Selling Book: Social Engineering: The Art of Human Hacking?
If you do, you can register to get the first chapter completely free. Just go over to http://www.social-engineer.com to download it now!
Social Engineering: The Art of Human Hacking is still selling well.
If you haven't had a chance yet to vote, head over to the Social-Engineering Poll and give us your opinion.
UNSUBSCRIBE by sending an email to firstname.lastname@example.org
Check out the awesome music of Dual Core - IT geek, rapper and all-around awesome guy...
To contribute your ideas or writing send an email to email@example.com
What's coming up...
If you want to listen to our past podcasts hit up our Podcasts Page and download the past episodes.
We want to say thank you to our sponsors this month:
- Spy Associates for continually giving us some awesome products to test out.
This month we have a really cool toy - a hidden camera and voice recorder in a Mercedes Benz Key Chain.
- The EFF for supporting freedom of speech.
- Want a very cool website? Check out Social-Engineer.Org's graphic and web dev at Tick Tock Computers.
A special thanks to our editors:
Dan 'Ming' Sharp
John 'J' Trinckes, Jr
Check out Robin Dreeke's amazing new book, "It's Not All About Me", packed with the top 10 techniques for building rapport fast. It is an awesome book!
The Top 10 Social Engineering Tips We Learn From Con Men
Victor Lustig is perhaps one of the greatest known con men of our time. Born January 4, 1890 in what is now the Czech Republic, Victor was best known for trying to sell the Eiffel Tower, not once, but twice. His scams were widely varied, but always highly successful. Extremely charming and fluent in multiple languages, Victor employed many of the same tactics social engineers use today. What we know about rapport, thanks to folks such as Robin Dreeke, was used masterfully by Victor throughout his illustrious career.
In 1925, Victor traveled to Paris to pull off what some call his best scam. The Eiffel Tower, at that time, was in disrepair and needed some serious attention. Victor forged credentials and posed as the Deputy Director General of the Ministère de Postes et Télégraphes. He then arranged meetings with French scrap dealers and pitched the idea that the city was looking to sell the tower for scrap. One of the dealers bought the scam hook, line, and sinker. The dealer put down a deposit to be the one who tears down the tower. When the scrap dealer went to the city to claim his bounty, he quickly realized he had been duped. By this point, Victor was long gone. Having a love for the con, Victor couldn't help himself and returned to Paris one month later, gathered another group of scrap dealers, and tried the scam again! This time, the dealers were suspicious and went to the police. Victor narrowly escaped the country.
One of Victor's trademark scams is known as the money box scheme. Victor prepared a box which he claimed would copy and print $100 bills every six hours. He would demonstrate the box's ability to his targets, showing them that, indeed, the box would spit out a $100 bill every six hours. Realizing the monumental profits possible with such a machine, greedy marks happily handed over as much as $30,000 per machine. As it turned out, the machine was preloaded with a couple of real $100 bills which it would spit out at the designated interval. The only problem was, after producing two bills over twelve hours, the machine ran out of the real money and only produced blank paper. By the time his targets realized they had been scammed, Victor was long gone.
Victor Lustig used his charm and charisma to brazenly extract $5,000 from Al Capone. He first convinced Capone to invest $50,000. Instead of investing it, Victor placed Capone's money in a safe for two months. After the two-month period, Victor returned the money to Capone, claiming the deal had fallen through. Capone was pleased with Victor's integrity and awarded him $5,000, which is all Victor wanted in the first place. Victor did not steal from Al Capone, but by convincing Capone that he was a stand-up guy, he was rewarded for his character. Brilliant.
We can learn a lot from Victor Lustig and men like him. Victor passed away in 1947, but left a list of ten instructions on how to be a con man, dubbed the "Ten Commandments for Con Men".
Here are Victor's Ten Commandments with a social engineering twist for each one:
- Be a patient listener (it is this, not fast talking, that gets a con man his coups).
This ties in well with the idea of active listening. A social engineer who is too quick to get to the goal will leave the target feeling used or cheap... never a good idea if you need them. Building rapport takes time, care and concern.
- Never look bored.
This ties in well with the first point. If we are actively listening, then we don't look bored. This means we avoid looking at our watch or looking through or past the target, and especially we watch our body language. We want to make sure our hips and feet face the target. If we don't, it can give the impression that we are not interested.
- Wait for the other person to reveal any political opinions, then agree with them.
This is a good point: once we say something, taking it back is very hard, if not darn near impossible. If we wait for the target to reveal their belief system and then agree, we build rapport and join their frame. Doing so can make a world of difference in building that ever-needed rapport.
- Let the other person reveal religious views, then have the same ones.
Basically the same point as above... wait, and then make your views similar, not exactly alike. Be careful not to be so similar that it seems as if you are parroting them; that can turn some people off.
- Hint at sex talk, but don't follow it up unless the other person shows a strong interest.
Personally, I do not subscribe to this method in social engineering engagements. If we consider that the goal of an SE engagement is to educate, protect and secure... leaving a target feeling cheap and worthless does more damage than good. That is my personal view, but I can also see how, in a con, this would be very effective.
- Never discuss illness, unless some special concern is shown.
You never know a person's disgust factor. Describing some illness you have, or are feigning, could work (if it is a disability), but sickness will, at times, make a person not want to be near you for fear of "catching it".
- Never pry into a person's personal circumstances (they'll tell you all eventually).
Getting too personal before rapport is built can sever any chance you have at building rapport.
- Never boast - just let your importance be quietly obvious.
This point is amazing - Robin Dreeke calls it "Ego Suspension". If we can suspend our egos, we attract people to us. We appear more open and pliable. Arrogance closes doors and irritates people. If this were a pie chart, I would say that the angry, upset, and arrogant pretext works only 1% to 3% of the time. More often than not, it is better to be the humble, friendly rapport builder.
- Never be untidy.
Back in Victor's time, styles were more neat and tidy. This meant that someone who looked untidy was obviously a vagabond (or vagrant). Well, that is not the case anymore, but this is still a great point. Sloppy, messy clothes or hair, or even bad breath, can throw a person off to the extent that they will not work with you or comply with your requests. Dangerous.
- Never get drunk.
Chris actually talks about this in his book. Alcohol lowers inhibitions and makes people less likely to think appropriately. In a target, this is good for the social engineer, but as the social engineer, it is never good to lose control of your thought process. Maintaining that control and balance can make the difference between success and failure.
As social engineers, we often play the role of a con man, and what better way to learn than from one of the greats! For a modern-day example, check out the latest blog post on Social-Engineer.org about modern-day con man Steve Comisar.
Written by: Eric Maxwell & Chris Hadnagy
Looking for Professional Social Engineering Services?
Social-Engineer.Org is branching out with our new website, www.Social-Engineer.Com.
We are providing some of the following services:
- Social Engineering Pentests
- Social Engineering Risk Assessments
- Social Engineering Training for Pentesters
- Professional Information Gathering Services
For more information on any of the above, or on how we might be able to help you protect your company from malicious social engineers, contact us at: firstname.lastname@example.org