You are so awesome, now give me your passwords…

As you read the above title, I am sure you chuckled a little. You may have even sarcastically asked yourself, “Who would possibly fall for that?” Would it be unreasonable to think that anyone, in this day and age, would fall for this type of flattery and give up the goods?

Before we can even get to the social engineering aspect of this, we have to analyze what it is that makes us believe that flattery would work or not.

To Flatter or Not To Flatter; That is the Question…
In 1997, two researchers, Fogg and Nass, wrote an article entitled “Silicon sycophants: the effects of computers that flatter”. In this paper, the researchers stated that flattery still works much of the time, since humans tend to want to believe good things about themselves. That is a very interesting fact for us as social engineers.

Think of it: Fogg and Nass were basically saying that as long as you say something believable to the target, they may have a greater likelihood of believing what is being said. Two questions come to mind. First, what if the flattery stinks? I mean, what if it is obviously done pretty badly or with an ulterior motive? And secondly, what is the effect of flattery on the listener? Will they really give you their passwords?

The first question was answered by a recent study done by a group of researchers out of Hong Kong. Chan and Sengupta wrote a paper called “Insincere Flattery Actually Works: A Dual Attitudes Perspective.” This amazingly interesting paper talks about the effects of flattery and focuses on what happens if the flattery is done insincerely and with a hidden motive.

To test this concept, they identified students who were ready to become clothing shoppers. They sent each of these “shoppers” a flyer that contained very insincere flattery as well as a very obvious ulterior motive. Basically, the ad said, “We’re contacting you because you’re fashionable and stylish” and then followed up with an invitation to the store.

The results? 

They found that, rather than the person’s judgment kicking in and overriding their reaction to the flattery, that judgment coexists with the favorable reaction to the flattery. In essence, what they found is that even though most people can see through the flattery, they were not able to completely erase the positive effects of the flattery on their thinking.

They found that even though flattery may have a negative impact in the short run, the reaction to the flattery might be more influential than the judgment the person forms about it. In the end, Chan and Sengupta said, “In particular, we … propose that the positive impact of flattery can be difficult to eliminate, even in situations in which a clear ulterior motive exists.”

This conclusion leads us to an even greater question: How can flattery be used by social engineers?

Flatter Your Way to Social Engineering

In my opinion, the research done by Chan and Sengupta was very important. It is easy to say that flattery wouldn’t work on you, that you are too smart to fall for that; however, as I was writing this article, a story came to me that made me think about how well this works.

A friend of mine was on the beach. She was walking down this particular beach when a woman engaged her in conversation. The woman told her how beautiful her daughter was and how happy she looked sitting on the beach. Then, she told her that she was selling beachside massages and foot massages. Right away, my friend said to herself, “The compliments were just to get me to buy her services…”

She declined the services, but later on, as she told me the story, she asked me, “Do you really think that my daughter is that beautiful?” along with, “Do you think I look happier?”

This is a perfect example of the research above. My friend didn’t buy the woman’s services, but the effects of the flattery stuck with her to the point that she thought about it afterwards. Now, what do you think would happen if another masseuse were to come up to her and tell her the same things? She might be more prone to fall for the sales pitch, since multiple people would be telling her the same thing.

This is where we can learn something. The effect of flattery, when it is something believable and plausible, can be long lasting. Imagine this scenario: you want to gain access to the CFO, but the target company is notorious for hiring guard dogs as receptionists.

You call in and get a young sounding woman with a southern accent on the phone.  “Hello there, my name is Chris. I know this will sound weird, but I just love your accent.”

“Good morning Chris, how can I help you?”

“Well, I would say keep talking, but I doubt either of us has the time. I am going to be in the area tomorrow and need to drop off a package for Mr. Smith, the CFO. When is a good time to see him?”

“Sorry, I cannot give out that information, but feel free to drop it off at the front desk.”

Sounds like failure? Not really. After all, you did lay it on pretty thick…

The next day, you go to the office and as you walk in, you see the girl you spoke to yesterday. You walk up to the desk and you say, “Yesterday I called in and spoke to the most charming young lady with a very cute southern accent, but I didn’t catch her name….”

“Well, I am not sure about that, but that may be me…”

“Yeppers, I would recognize that voice anywhere. Anyhow, I really need your help and I was wondering if I could make an appointment to see Mr. Smith. I just need 5 minutes of his time.”

“Well, we don’t normally do this, but let me take a look….”

The previous day’s flattery, although laid on thick, left her in a positive frame of mind. Maybe that night, she even thought about her “cute accent”. Then, when you approach her the following day, she is primed and ready.

Another approach to making the effect of flattery work for you, according to this research, is using the inherent positive feelings people have about themselves against them. Consider a scenario like this: your goal is to get information from the guards at the security post about their procedures. Information gathering has given you the name of the CFO, but your attempts at reaching her have failed. So you place a call to the security guard’s desk:

“Hello this is Harry Security, how can I help you?”

“Did you say Harry?”

“Yes, how can I help you?”

“Harry, excellent! My name is Paul and I am from Sec Magazine. I was speaking to your CFO, Deborah Smith, and I asked her if I could speak to the best security employee they have, and she gave me your name.”

“Really? Wow, that’s great. Thanks. What can I do for you?”

“Well, I just have a few questions for an article I am writing about your security policies and Ms. Smith said you were the man to talk to….”

These are just a few examples of how flattery can help you in a social engineering audit. What should strike our attention, in this community, is how much scientific and medical research can teach us about how people think and act, and how that can augment our knowledge as social engineers.

Of course, this is not to say that flattery alone is the key to success. For in-person flattery to work, you need to match your non-verbals (i.e., body language, facial expressions, etc.) to the charm you are trying to exhibit. The research done by Chan and Sengupta was conducted using written flattery, which, of course, requires no other input besides general flattery that can work on most people. If you want to see all the details, I have downloaded the full report from Chan and Sengupta. Till next month.

Written by Christopher Hadnagy


We live in a world of science fiction

I am not that old, but even at my age, I am amazed when I pause, take a step back, and look at how much the world has changed since I was a child. When I was a kid, I would walk around with a paperback book that could fit in my coat pocket. I had an old black and white TV that was my mother’s from when she was a little girl. The TV was hooked up to a cable box that had a “chip” in it, allowing me to get any channel I wanted for free. Later on, when the cable company got wise to this and started sending out “spikes” to “burn out” the chips, I lost that “feature”; however, I figured out that if I climbed the pole behind my house and removed two filters from the cable, I could get two of the premium channels for free. Until junior high, that was the extent of my hacking experiences.

So what did I do with all that other energy without a hacking release? That goes back to the books I used to carry around with me. The fiction of power fantasies has been around forever in many different forms. The idea of a fictional character who is special in some way and can affect those around him, or perhaps even the world, shows up in examples like Superman, He-Man, Jonathan Swift, the Hardy Boys, or even the old Encyclopedia Brown books. This type of escape is not just for kids; fiction also targets adults through sources like The Terminator, The Matrix, and William Gibson novels that give people a place to get away from the standard day to day. If not fiction, there are other outlets ranging from music to sports, but the result is always the same: a place where people can feel powerful without parents, teachers, bosses, or whatever else controls them.

The world of today

Now, we walk around with computers in our pockets that are hooked up to the knowledge of the world. We have computers that are smaller than old school books, yet faster than we ever really use. Instead of a book, we have an e-reader with thousands of books. Instead of remembering things, we look them up. We stay connected and plugged in to the world at all times, with expected response times measured in minutes, if not less.

In a very real sense, we are the cyborgs that used to be in science fiction, with the difference being that we have opted to keep the tech outside of our bodies. All of this has provided us far more empowerment than we used to have. More than some people realize.

Examples of this are all around us if you have turned on the news lately. From governments changing to companies being laid bare, technology has empowered people to see all of these things as never before. The seeds of the current situations have been around for a while, embedded deep in modern society, but a unique combination of events has finally pushed things over the tipping point.

The other result of this technology is that people have a new escape. Instead of power fantasies, we all actually have power. Sitting at home, we can reach out and have an impact on the world. The tools to directly impact the world are called “commodities”, and the only thing preventing them from being used more is the fact that they are so commonplace they seem mundane.

Consequences?

It has long been understood that people will say and do things online to someone that they would never say or do to their face. While over-hyped and over-blown, cyber-bullying is an example of this. I remember the first time I discovered IRC as a kid. What was the first thing I did with it? I went into random channels and did everything I could, just to watch people get angry. I realized I could get away with this since no one knew who I was and I would not get in trouble for it. So, for a time, I had a lot of fun, but the impact of my actions was pretty limited. The impulse to act in ways that you normally wouldn’t is strong the first time you experience this freedom.

But now, the impact is much greater. The world is more wired and more dependent on modern technologies, and the tools to manipulate it are widespread and readily available. It is not an exaggeration to feel like Neo from The Matrix, in that we can now sit back and change the world around us. The rules that are in place have in many cases become suggestions that society hopes people will follow, with very little in place in terms of enforcement.

This is not the place, nor am I the person, to complete an in-depth review of the various geopolitical impacts that technology is having on the world. It is also not the time to discuss the economic impact that pranks can have on modern companies, but it is obvious that the world is different than before. Take for example that instead of reading a Superman comic, someone can just as easily join the group Anonymous on their latest raid to ruin a company.

Business Ethics

It’s not just individuals that have discovered the power that the current world allows them. Based on some of the leaked documents that have come out of recent hacks, we have been able to see how both social media manipulation and good old exploitation are being conducted in the corporate space.

Again, this is not something that I am going to pass judgment on, one way or the other, but it is something that people should be aware is going on, and they should consider the impact of what it means. For a long time, the “threat” focus has been on cyber criminals, nation-state threats, and pranksters, but when you consider under what circumstances businesses would commission, say, the building of a rootkit, it adds a whole new dynamic to how defenses are built.

The current economic climate has to be taken into consideration as well. Just like people, companies that are under threat are more likely to take risks that they otherwise would never consider. With many companies having to fight to stay open, opportunities that would never have been considered may become the key to keeping the lights on.

Impact to SE

These really are fascinating times that we are in right now. We are still too close to recent events to effectively evaluate their impact, but it is important that we keep them on our radar. What we do know is:

•    It’s very easy for anyone to play a part in any sort of movement. SE works in two ways: first, to motivate someone to become part of a group, or to increase the active involvement of the group through peer pressure, social norms, etc.; and second, to infiltrate on behalf of the opposing views.

•    The Google hacks were not one-offs; everyone is using social networks to target their ultimate goals. People make a big deal out of items relating to fake profiles used to infiltrate groups, but this practice is, and has been, widespread for a very long time. It’s not hard to do and it’s effective.

•    If you think in terms of singular attack approaches, you are way off. When under active attack, everything that might be attempted will be done.

•    You can’t close off communication channels, as new ones will take their place. In many cases, it is better to leave visible channels in place so they can at least be monitored.

•    Many people who are aware of best practices don’t bother making use of them. This includes everything from opening attachments they should not, to reusing passwords, to trusting that people are who they say they are without proof.

All of this impacts SE, how we conduct it, and how we defend against it. It is in times of flux like these that new techniques and practices often get developed. So keep your eyes open and try to identify the beginning of the next SE trend.

Written by James O'Gorman