Feature
Marketing Manipulation Case Study -
Training the Social Engineer in all of us
As we started planning our newsletter
out for December we felt it was only right to do an article on marketing
and how it affects us. As soon as I started working on this
however, the first thing that came into my mind is a wonderful article I
read one or two years ago that just consumed me at the time.
The article covered the topic of social proof as it applies to marketing.
If you don't know what social proof is, don't worry, we have you covered.
Within the Social Engineering framework we define social proof as looking at what those around you consider normal, cool or acceptable to assist in making decisions on what to do. You can see an amazing example of this in a video that is linked in the framework that shows an older 1950's clip of Candid Camera, where they had actors stand in an elevator all facing a different way or acting a certain way, and when one person got on the elevator it only took a matter of seconds for that person to conform.
That is a small, humorous experiment...
can the same be true on a large scale?
Our Case Study
What we need is a case study, something
we can dissect to see how this can work or if it can work on a large scale.
We go back to that article I read a couple years ago. It was about a movie by the name of The Secret. Basically the synopsis of the movie is "Interviews with leading authors, philosophers, scientists, with an in-depth discussion of the Law of Attraction. The audience is shown how they can learn and use 'The Secret' in their everyday lives." Why it fascinated me at first was that it is portrayed as a movie about The Law of Attraction and a secret that involves that law that will change all of our lives. Yet that is just the tip of the iceberg.
The learning lesson in The Secret is not so much in the contents of the film but in how they marketed it. Why? Look at these results. A mere 6 months or less after the movie was released with an accompanying book, it sold almost 4 million copies of the book and 2 million copies of the DVD. It was the #1 best-selling movie on Amazon.com and still holds that title as #1 Best Seller in self-help.
It beat out movies like The Prestige, The Departed and other Academy Award nominated films. Now to add the icing to the cake, its author, Rhonda Byrne, was named as one of the most influential people in the world in 2007 by Time Magazine. How did a documentary about a self-help topic top some of the year's best flicks? How did a small film made by scientists and philosophers reach #1, beating Academy Award winning films and thousands of influential people worldwide?
Multi-Level Marketing or Pure Manipulation
Looking through what The Secret did will give us great insight into social proof as a form of manipulation. First, each person involved in the film reached out to his/her social network. Online, blogs, tweets, Facebook - all of it was used. Viral videos were produced that pushed the promise that this film's creator was like you and me... life was bad, she was down, she was a normal struggling person like you and me... but then one day out of the desperate despair that was her life rose this secret. It was so profound, so perfect that she had no choice but to follow it. It was a secret shared by some of the world's brightest and most influential people for thousands of years. When she followed it, it changed her life forever. She then tapped into the best philosophical and scientific minds in the world to confirm this secret and now she will share it with you.
Videos and posts like this would make
one wonder... "What is this secret?" "What can it do
for ME?" "Do I want to know?"... This in itself is
genius. She was able to create an atmosphere where we as a people
are performing perfect elicitation on ourselves. We opened our
minds to be willing to ask these questions... when we did there were blog
posts, tweets, viral videos pointing to the fact that this book, this DVD
held the answers.
Did it stop there? No, this same group reached out to all their contacts and landed interviews on Oprah, Larry King and other such talk shows. Famous celebrities, the likes of Oprah and others, wrote reviews on the film. They used People, Participation and Persuasion to draw our minds open, then draw us into the movie. Once our minds were opened (mentioned above) not only did all the media give us the “answers” but we then had social proof that everyone we love… everyone we watch… everyone we look to for guidance, the great talk show hosts, the great teachers, the great philosophers all agreed… it was life altering. It doesn’t matter if it was or not, they told us it was and our minds HAD to accept it.
Really where we learn the most is in the way they promoted this movie. Many people participated, and that participation persuaded us to believe the secret really did lie inside this film. Not just one or two of us... at one point that movie was selling 7,500 copies per day. Yepper, 7,500 people per day sought enlightenment, sought the answer to bring them out of darkness, from this film.
Why all the hype?
So why is this so amazing? In the end the secret of The Secret was that we all have the potential to alter our lives by controlling our thoughts. They boiled down the Law of Attraction by saying that whatever happens to you in your life is what you deserve because you attract it through your thoughts. Basically there was no amazing secret, there was no life altering truth. Actually just the opposite: one of the people involved in the movie was quoted as saying that the genocides in Rwanda are due to the fact that the people there are attracting those negative things to themselves. Women who are raped… children abused… or the guy who made a million dollars: all of it is because of how you thought of it. Even with all of this, the movie hit #1, sold over 300 per hour per day for over a year. How?
They used some pretty basic social engineering tactics to convince mass amounts of people there was something there they MUST have. Overall, marketing has been doing this for years, but we used The Secret as a case study. The part that makes this case study so amazing is that even after people watched it and saw there was no real secret… even after people heard the interviews with directors and those involved saying that atrocities are a result of those people's thinking habits, even after all that – there are still those that feel The Secret contains life altering truths that can be followed like they are gospel. That is the power of social proof.
Learning to harness that power can make one a great social engineer. But how?
Using It in Social Engineering
When we use elicitation we can use words or phrases that will create a feeling or impression that others have accepted and acted on this. A very simplistic example of this is the insurance salesman who comes to the door and says, "Hi ma'am, my name is Paul. I work for ABC Insurance and I was just next door talking to Mrs. Smith and after she bought our premium policy she mentioned you might be interested in hearing about our policy too."
What happened in this simple sentence? While he introduces himself and introduces his product he puts your mind at ease by telling you:
1) your neighbor let him in
2) your neighbor bought the policy
3) your neighbor was so happy that she referred him over here to save you through this policy.
If the argument is convincing enough, if it fills a hole (even a hole created by the same person) then the mind is more open to accept this truth. For example (sorry for bashing insurance salesmen), the old insurance sales pitch that goes something like, "Imagine the loss for your family if you were to suddenly die or become disabled..." and shortly after he offers you insurance for life and disability. That hole was created by his elicitation and if it is serious enough to you, what he offers next will automatically be accepted.
That “if” is not good for us social
engineers. We need to create a hole that must be filled.
Recently I was doing some work with Mati and we saw a commercial on a TV in a hotel that was selling "miracle water". Basically you call this number, buy some water and when you drink it, or pour it on yourself, you will have wealth, happiness, whatever it is you want. Why? 'Cause God blessed this water and he says if you pay this guy some cash he will pour these blessings on you. Then there are dozens of interviews of people who drank the water, got the water… just BOUGHT the water and they got $5,000, $10,000 checks… healed from ailments, no more cancer, no more arthritis. All gone from this water. Sounds silly, no? Yet there were dozens if not hundreds of people lining up to buy it... no joke, it was on the Internet that this same person in 1987 had a similar scam and made over $4.3 million dollars PER MONTH. Millions of people lined up! They wanted to believe, no, they NEEDED to believe what he had can cure them. So it was worth the risk.
Ok I digress... we are not trying to tell people how to defraud or scam, our goal here is to show how we can use the principles here in social engineering. So let's outline the principles:
1. Making people
believe their friends or even the majority of the “crowd” are doing,
accepting, buying, giving the same information that you are asking for or
selling will open them up to suggestion
2. Creating suspense,
wanting or desire for something will also open up the person to
suggestion
3. Persuasion is more
effective without the use of force
The Law of Attraction does exist - social proof does exist - learning how
to utilize these will boost your social engineering experience.
Practice Makes Perfect
Again we go back to elicitation.
Practice wording and phrasing techniques that help create the emotions
you want in the target. Take an example from the insurance salesmen
or from major marketing. They tell us that this night on TV is
"Must See TV"... they tell us that this new gadget is a
"Must have" and like sheep the majority of people watch or go
to the store.
Being able to elicit emotions with our speech will greatly enhance our ability to use social proof. People buy with emotion and reason with logic. In a social engineering gig it is often better to get them to react to that emotion, as by the time the logic center kicks in we can be gone. What is one of the best ways to elicit emotion in our speech? Stories or describing things in great detail.
Here is an example:
Story 1: I was driving to town and I almost hit a deer.
Story 2: I was running late for a dinner meeting. It was important because we were meeting with a potential larger client. As I got into my car I noticed the gas light came on. I was irritated that I forgot to get gas earlier that day when I knew I would be pushing for time. As I drove towards town I knew one area that had some good, flat straightaways. I sped up as fast as I felt safe. Every little bump I felt my stomach drop a bit. I knew I was going fast but I was practicing the pitch I was going to discuss over dinner.
I rounded one corner and in the middle of the road was a huge buck. I had no time to think and I decided to swerve and try to miss it. As I slammed on my brakes and my tires locked up I began to slide sideways. My heart was pounding at 100 mph, like a drum in my chest. The back tires spun around and before you knew it I was sliding backwards into a ditch…..
Which story did you get more involved in? Both happened, both are real, both are the same story. But the latter one gets your emotions involved. It makes you feel what I felt and in turn will open you up to suggestion for how best to handle what comes next.
Second, learn to control your facial expressions. I swear we will write about microexpressions soon, but learning to control our facial gestures can go a long way in eliciting emotion in our speech and controlling the outcome. Think of this to illustrate the power. Have you ever walked by a restaurant with windows in front of people eating? If you see a group of people laughing and joking you will find yourself smiling as you pass by. This illustrates the power of the facial expression. If we look nervous, unsure or not confident we might as well not even try. We have to have natural facial expressions that can also be converted to the emotions we want to portray.
A good actor can make us feel what they want simply with a good facial expression. Babies do this every day. They read our emotions through our vocal tone and our facial expressions. We don’t lose that, we just let communication and what is being said cloud that as we get older. You can walk up to a baby and put on a huge smile, and in a very cute voice say, “I really hate your guts.. oh yes I do, you filthy worm, I hate you…..gooochie gooo” (please do not try this). That baby will probably laugh and smile. Because it is not WHAT you said but HOW you said it, and how you LOOKED saying it.
Thirdly, get familiar with the idea of social proof. The same way a bartender may "salt" the tip jar by putting 10 or 20 one-dollar bills in it. As you order your drink you see money in the tip jar and it automatically tells you MANY others before you have tipped him; you don't want to be the one guy that doesn't. So you put a tip in the jar, and so do the next 100 people. Learn to lead people down the path you want them to take, believing in your heart they agreed to do this and it is 100% completely normal. Just like that Candid Camera video. The people in the elevator believed that was the right way to stand and because they did, the people that came in complied without even asking. That is power.
Learning to elicit people to an action of our desire is a powerful tool. When I was younger I worked for a guy that had this amazing ability to make you feel special with anything and make you feel like you WANTED to do whatever he asked of you. Here is a “rendition” of a real conversation where he is trying to get me to do something I just don’t want to do.
Him – “Hey I have a big problem and I wanted to get some advice on how to deal with it. I noticed you have a good head on your shoulders, can I see you after lunch?” (this genius gets my head all puffed up, gets me thinking I am going to advise the boss and gives me time to gloat on this glory)
Me – “Sure. I will come back early if you need me to.”
Him – “Whenever you get back just let me know.”
After a short break I come back all eager and ready for my special
meeting….
Him – “Look I got a big problem and I don’t know how to handle it. As you know Ben just left. He did a great job here, but there were some special duties I wanted to assign to the right person. I thought about Joe but he doesn’t have that quality I was looking for.” (again perfect, special duties… he knows Joe and I compete so by putting it this way he was painting the picture of this glory position I was about to get)
Him – “I am not sure if I can burden
you with this extra duty since you already have a full plate. But I have
a feeling you are perfect for this. Do you have any ideas about
what I can do or who I can assign this to?”
(will I actually convince myself I am right for this job?)
Me – “Well I know that Steve has some
extra time since he lost that one account, but I think if I rearrange my
time a bit I can take on some special tasks. If anything you can give me
the work then if I have the time you can take it back and give it to
Steve. We can do this as a trial run.”
Him – “Wow that is a great
thought. I never even thought of asking you to do that.
Forward thinking, perfect”
I find out later on I am the official
report filer… a terrible, meaningless job. I hated it, but after
all it was “my” idea….
Getting people to buy in, get involved
then convince themselves is a powerful tool. I once saw this same
guy convince the secretary it was her idea (and a great one) to clean the
men’s room herself instead of having a cleaning service. This guy
was gifted.
Practice getting your facial gestures and your voice tone and your phrases/words perfected so this becomes second nature to you too. One key to this is to be genuine. When he was telling me I was the best for this job etc, he was real. He honestly believed I was the best for that job… he let my mind convince me that it was something it wasn’t, but in the end he was real.
Finally, learn to observe and listen. If you work out all the above but you are so busy planning out your next sentence on the spot, you may miss a facial cue or a verbal answer that is important to your end game. Practice so it is second nature, and then when you are with the target you are observant and listening so you can hear or see the answer when it is given.
The end of the matter is, social proof is a powerful tool. It can be used for bad, so we have to watch out that we don’t get suckered into a scam or fraud. On the other hand, as professional auditors of security, we can use this to uncover a weakness in most people, then train them to watch for these cues. Teach them what to look out for and this very well may save them from a serious security breach.
By Chris loganWHD Hadnagy

Trust, Social Networks, Television, and Morons.
A few weeks back a local TV station
came by and asked for some help. Sweeps week was coming up, and they
wanted to have a story that would really grab people. We threw a number
of ideas into the air to them, and the one they picked to run with had to
do with Facebook and some of the dangers that are posed with how people
use it.
Incidentally, the reason they went with the Facebook story had to do with
their demographic. Turns out, it is mostly middle-aged mothers that watch
the news, and when they watch they are often doing something else at the
time. So, when they run stories they need something that will reach out
and grab their attention so they want to turn and watch the TV. With that
in mind, pay attention to your local news when you get a chance and see
if that changes the way you watch the news.
Matt and I were responsible for this, so we set up a fake Facebook
account with the intent to get as many friends as possible. The basic approach
for that is to set up an account with an early 20s female, attractive but
not too much so, non-threatening job, intelligent but not too much so. We
went about collecting various friends from the area in an effort to make
the account look legit.
After it was built up, we had two goals. First, to try to see what we
could find out through Facebook about the people that worked at the news
station doing the story. Second, the station gave us the names of a
family in the local area that had agreed to be the subject of a story, we
were to see if we could become their friends and what information we
could gather on them.
As you can guess, those were not hard goals to accomplish. The news people want to be as welcoming as possible so they accepted all friend requests that came in. The approach with them was to look for sensitive data they were leaking.
The family on the other hand was more interesting. We did not know how
much or little they were told by the news crew, so we had to operate as
if they would be on guard. We first sent a friend request to the mother,
who accepted it with no problem. At that point we targeted the kids, as
then the requests would come in with the mother listed as a mutual
friend. In a sense, the mother was vouching for our fake account. Of
course, the kids accepted the request. Mission accomplished.
As for the information leakage, across the board we had information
concerning when people were going to go out of town and where they were
going, full dates of births, various other personal bits of information,
and so on. Not a great surprise for anyone that has done this work in the
past, but remember most people don't think of this sort of stuff. If you
care to see the whole thing, the news story is online at http://www.wowt.com/home/headlines/67332677.html.
That is all public, but what was really interesting to me is many of the
things that are not in the news story.
First off, making fake accounts.
Every time I have to do this sort of thing, I can't help but shake my
head at how predictable guys are. Have a reasonably attractive female be
nice to guys and you can get anything you want. We never use guys as fake
accounts because it seems that no one ever trusts them.
I will admit, I was not always an angel. I remember before the Internet took off, my friends and I used to use BBS' all the time. For fun, my friends and I would create fake accounts on the multiline boards. We always made them females with really strange and unrealistic fetishes and the handles to reflect them. For instance, a favorite was one named "CheezeWig" who had a thing for wigs made out of cheese.
We would then use these accounts to have people show up in public places
thinking they were going to meet some kinky female, so that we could make
fun of them. No matter how extreme we got ("Make sure you bring a
block of cheddar baby and you will get the time of your life"), they
would still show up on the slim hopes that these women were real. (And,
they would bring bags of cheese with them.)
Well, guys are no better now. We skipped the simple "can I become a friend" with some people here locally. We had popular, well known, local media figures that we know are married with kids asking us out for coffee to get to know us.
Unprovoked.
We never told the news people about that, as that is a story we did not want to be involved with. But, I really wish I could have known what their reaction was when they found out the account was fake and part of a news story.
Really, you are known in the region, you see some girl on Facebook and think "This is someone I would like to have an affair with"? Then send private messages to the accounts, sleazing on them? At the end of it, I had to block one of them as he would not leave me alone.
Another amazing thing to me is what happened after the story ran.
After filming the segment, a week before it ran, we deleted all the
friends. We did not want anyone to feel targeted or picked on, as we knew
people would look up the accounts afterward and did not want to draw
attention to these random people.
We were shocked with the amount of “friend requests” that came in
after the story ran. I mean, people watch this show talking about how you
have to be careful about the information you share and who you share it
with. Their first reaction is to bring what they know is a fake account
by people up to no good inside their social network? They think that was
a good idea?
So yeah. I accepted the friend requests.
And, back to the topic of men are dogs again. Here is a message I got the
other day:
---
you are a Very attractive and ...give off a nice sensuality that most
women have to try real hard to get..!! get some more photo's & send
some to me...you don't have to be shy..live a little..i am not a stalker
..you can see that from my friends list and i even post my cell on my
site... It would be cool to find-out more about you..your prof. is really
lacking in any real info about you... thats why i am asking... anyway..take
a risk...get some more pics and let me no a little more ...age...likes
/dislikes...what is fun to you...etc kids? divorced? etc...
........HAVE A GREAT DAY...REMEMBER" WE ONLY HAVE RIGHT NOW! :)
---
What a lovely message from a random creeper. So, I reply with a link to
the news story, expecting the dork to go away. In reply, he sends me:
---
you made a great point ..I tend not to "care" about my privacy
and such...I should be more cautious that article made some real
intresting reading and points.... anyway... thanks for the heads-up!! I
still would like to "know" more...as the saying goes...more
will be revealed.....have a great night sweetie!! :)
---
So, I guess he is still interested in me. I could not just let this go,
so I replied to him:
---
You still want to know more about me huh? Well, as seen in the video I
sent you, I am a 31 year old male that works in the information security
sector.
You did notice from the article that this account is fake, right?
---
And of course Mr. Observation replies back:
---
no ...you got me... I was skimming and NOT Paying close ATTENTION...WELL
YOU got -it NOW...! THANKS...Somtimes I am a little slow or much to
trusting...I coulda swore I kinda new that face... Don't ass-u-me
anything!!
---
Thing is, I bet he did know the face. I stole it from a fake Twitter account that started following me. They were advertising a cam-girls porn site and I took their profile pic to use as this Facebook account's profile.
So, what SE lessons can we draw from all this?
Like I mentioned, I have been doing fake accounts for years for various
reasons. I would like to think I have matured and do them for better
reasons now, but the basic methods are the same today as they were over a
decade ago. Only now, the potential target base is larger so I can trick
more people with the same amount of effort.
Social networks are not evil at all, they are just tools that a lot of people don't know how to make use of correctly. As social engineers, if we know the fish gather at a known location in the ocean we would be fools not to cast our nets there. It's too easy for the type of return we get.
There have been multiple penetration tests that I have done where information gathered from social networks was the key that let me into the network, and it was far easier than doing a custom exploit.
The problem I encounter a lot after using these techniques in a pentest is the customer then asks me "How do I correct this problem?". That is a fair and expected question. The problem is that there is no good answer for it. Most companies are in no position to dictate whether or not their employees are allowed to use social networks, or what sort of data they can put out there. Plus there is the question of how do they enforce any policies dealing with this? Where would control and audit fit in to this? It's just not there.
The only effective solution really is user education. Employees have to be taught how and why this is a matter they should care about. They have to see the outcomes of negative behavior as well as see positive behavior to model off of. This has to be reinforced on a regular basis, far more often than a once per year compliance class no one pays attention to.
This is difficult as it is far more than buying a new appliance and dropping it into the network. However, what is the alternative? It's fun for me to laugh at the media personality that was hitting on my fake account, much in the same way that it used to be entertaining to trick users on BBS', but the stakes are much higher.
What could have been done to the media personality's job? His marriage? How would his kids have felt about his behavior had it been made public? Beyond personal effects to him, what about the damage to the employer? How much would the issue cost them in ratings and associated advertising losses? We are talking real life issues and real money.
It goes far beyond a prank.
Reasons like this are why we created www.social-engineer.org. To help the person, the company and the auditor have a place to gather information for education. Education is the key to preventing this type of attack. Education can help someone to use common sense and education can make the difference in being secure or not.
(Just as a note, I deleted all the messages from anyone that could in any way be embarrassing to anyone in regards to this fake account. Don’t bother asking for it.)
Written by Jim "Elwood" O'Gorman