You are so awesome, now give me your passwords…
As you read the above title, I am sure you chuckled a little.
You may have even sarcastically asked yourself, “Who would possibly fall for
that?” Would it be unreasonable to think that anyone, in this day and age,
would fall for this type of flattery and give up the goods?
Before we can even get to the social engineering aspect of this, we have to
analyze what it is that makes us believe flattery would, or would not, work.
To Flatter or Not To Flatter; That is the Question…
In 1997, two researchers, Fogg and Nass, wrote an article entitled “Silicon
sycophants: the effects of computers that flatter”. In this paper, the
researchers stated that flattery still works much of the time, since humans
tend to want to believe good things about themselves. That is a very
interesting fact for us as social engineers.
Think of it: Fogg and Nass were basically saying that as long as you say
something believable to the target, they have a greater likelihood of
believing what is being said. Two questions come to mind… first, what if the
flattery stinks? I mean, what if it is obviously done badly or with an
ulterior motive? And secondly, what effect does flattery have on the
listener? Will they really give you their passwords?
The first question was answered by a recent study done by two researchers
out of Hong Kong. Chan and Sengupta wrote a paper called “Insincere Flattery
Actually Works: A Dual Attitudes Perspective.” This amazingly interesting
paper talks about the effects of flattery and focuses on what happens when
the flattery is done insincerely and with a hidden motive.
To test this concept, they identified students who were about to go clothes
shopping. They sent each of these “shoppers” a flyer that contained very
insincere flattery as well as an obvious ulterior motive. Basically, the ad
said, “We’re contacting you because you’re fashionable and stylish,” and then
followed up with an invitation to the store.
They found that rather than the person’s judgment kicking in and canceling
out their favorable reaction to the flattery, the judgment coexists with that
favorable reaction. In essence, what they found is that even though most
people can see through the flattery, they were not able to completely erase
the positive effects of flattery upon their
They also found that even though flattery may have a negative impact in the
short run, the reaction to the flattery might be more influential than the
judgment the person has formed about it. In the end, Chan and Sengupta said,
“In particular, we … propose that the positive impact of flattery can be
difficult to eliminate, even in situations in which a clear ulterior motive
exists.”
This conclusion leads us to an even greater question: How can flattery be
used by social engineers?
Flatter Your Way to Social Engineering
In my opinion, the research done by Chan and Sengupta is very important. It
is easy to say that flattery wouldn’t work on you, that you are too smart to
fall for that; however, as I was writing this article, a story came to mind
that made me think about how well this works.
A friend of mine was walking down the beach when a woman engaged her in
conversation. The woman told her how beautiful her daughter was and how happy
she looked sitting on the beach. Then, she told her that she was selling
beachside massages or foot massages. Right away, my friend said to herself,
“the compliments were just to get me to buy her
She declined the services, but later on, as she told me the story, she asked
me, “Do you really think that my daughter is that beautiful?” along with, “Do
you think I look happier?”
This is a perfect example of the research above. My friend didn’t buy the
woman’s services, but the effects of the flattery stuck with her to the point
that she was still thinking about it afterwards. Now, what do you think would
happen if another masseuse came up to her and told her the same things? She
might be more prone to fall for the sales pitch, since now multiple people
are telling her the same thing.
This is where we can learn something. The effect of flattery, when it is
something believable and plausible, can be long lasting. Imagine this
scenario: you want to gain access to the CFO, but the target company is
notorious for hiring guard dogs as receptionists.
You call in and get a young-sounding woman with a southern accent on the
phone. “Hello there, my name is Chris. I know this will sound weird,
but I just love your accent.”
“Good morning Chris, how can I help you?”
“Well, I would say keep talking, but I doubt either of us have the time. I am
going to be in the area tomorrow and need to drop off a package for Mr.
Smith, the CFO. When is a good time to see him?”
“Sorry, I cannot give out that information, but feel free to drop it off at
the front desk.”
Sounds like failure? Not really. After all, you did lay it on
The next day, you go to the office and as you walk in, you see the girl you
spoke to yesterday. You walk up to the desk and say, “Yesterday I called in
and spoke to the most charming young lady with a very cute southern accent,
but I didn’t catch her name…”
“Well, I am not sure about that, but that may be me…”
“Yeppers, I would recognize that voice anywhere. Anyhow, I really need your
help and I was wondering if I could make an appointment to see Mr. Smith. I
just need 5 minutes of his time.”
“Well, we don’t normally do this, but let me take a look….”
The previous day’s flattery, although laid on thick, left her in a positive
frame of mind. Maybe that night, she even thought about her “cute accent”.
Then, when you approach her the following day, she is primed and ready.
Another way to make the effect of flattery work for you, according to this
research, is to use the inherent positive feelings people have about
themselves against them. Consider a scenario like this: your goal is to get
information from the guards at the security post about their procedures.
Information gathering has given you the name of the CFO, but your attempts at
reaching her have failed. So you place a call to the security guard’s desk:
“Hello this is Harry Security, how can I help you?”
“Did you say Harry?”
“Yes, how can I help you?”
“Harry, Excellent! My name is Paul and I am from Sec Magazine. I was speaking
to your CFO Deborah Smith and I asked her if I can speak to the best security
employee they have and she gave me your name.”
“Really? Wow, that’s great. Thanks. What can I do for you?”
“Well, I just have a few questions for an article I am writing about your
security policies, and Ms. Smith said you were the man to talk to…”
These are just a few examples of how flattery can help you in a social
engineering audit. What should strike our attention, in this community, is
how much scientific and psychological research can teach us about how people
think and act, and how that can augment our knowledge as social engineers.
Of course, this is not to say that flattery alone is the key to success. For
in-person flattery to work, you need to match your non-verbals (i.e. body
language, facial expressions, etc.) to the charm you are trying to exhibit.
The research done by Chan and Sengupta was conducted using written flattery,
which, of course, requires no other input besides general flattery that can
work on most people. If you want to see all the details, I have downloaded
the full report from Chan and Sengupta. Till next month.
Written by Christopher Hadnagy
We live in a world of
I am not that old, but even at my age, I am amazed when I pause and take a
step back and look at how much the world has changed from when I was a child.
When I was a kid, I would walk around with a paperback book that could fit in
my coat pocket. I had an old black and white TV that was my mother’s from
when she was a little girl. The TV was hooked up to a cable box that had a
“chip” in it, allowing me to get any channel I wanted for free. Later on,
when the cable company got wise to this and started sending out “spikes” to
“burn out” the chips, I lost that “feature”; however, I figured out that if I
climbed the pole behind my house and removed two filters from the cable, I
could get two of the premium channels for free. Until junior high, that was
the extent of my hacking experiences.
So what did I do with all that other energy without a hacking release? That
goes back to the books I used to carry around with me. The fiction of power
fantasies has been around forever in many different forms: the idea of a
fictional character that is special in some way and can affect those around
him, or perhaps even the world, in examples like Superman, He-Man, Jonathan
Swift, the Hardy Boys, or even the old Encyclopedia Brown books. This type of
escape is not just for kids; fiction also targets adults through sources like
The Terminator, The Matrix, and William Gibson novels that give people a
place to get away from the standard day to day. If not fiction, there are
other outlets ranging from music to sports, but the result is always the
same: a place where people can feel powerful without parents, teachers,
bosses, or whatever else controls them.
The world of today
Now, we walk around with computers in our pockets that are hooked up to the
knowledge of the world. We have computers that are smaller than old school
books, yet faster than we ever really need. Instead of a book, we have an
e-reader with thousands of books. Instead of remembering things, we look them
up. We stay connected and plugged in to the world at all times, with expected
response times measured in minutes, if not less. In a very real sense, we are
the cyborgs that used to be in science fiction, the difference being that we
have opted to keep the tech outside of our bodies. All of this has given us
far more empowerment than we used to have. More than some people realize.
Examples of this are all around us if you have turned on the news lately.
From governments changing to companies being laid bare, technology has
empowered people to see all of these things as never before. The seeds of the
current situations have been around for a while, embedded deep in modern
society, but a unique combination of events has finally pushed things over
the tipping point.
The other result of this technology is that people have a new escape.
Instead of power fantasies, we all actually have power. Sitting at home, we
can reach out and have an impact on the world. The tools to directly impact
the world are called “commodities” and the only thing preventing them from
being used more is the fact they are so commonplace, they seem mundane.
It has long been understood that people will say and do things online to
someone that they would never say or do to their face. While over-hyped and
over-blown, cyber-bullying is an example of this. I remember the first time I
discovered IRC as a kid; what was the first thing I did with it? I went into
random channels and did everything I could just to watch people get angry. I
realized I could get away with this since no one knew who I was and I would
not get in trouble for it. So, for a time, I had a lot of fun, but the impact
of my actions was pretty limited. The impulse to act in ways that you
normally wouldn’t is strong the first time you experience this freedom.
But now, the impact is much greater. The world is more wired and more
dependent on modern technology, and the tools to manipulate it are widespread
and readily available. It is not an exaggeration to feel like Neo from The
Matrix, in that we can now sit back and change the world around us. The rules
that are in place have, in many cases, become suggestions that society hopes
people follow, with very little in place in terms of enforcement.
This is not the place, nor am I the person, to complete an in-depth review of
the various geopolitical impacts that technology is having on the world. It
is also not the time to discuss the economic impact that pranks can have on
modern companies, but it is obvious that the world is different than before.
Take for example that instead of reading a Superman comic, someone can just
as easily join the group Anonymous on their latest raid to ruin a
It’s not just individuals that have discovered the power that the current
world allows them. Based on some of the leaked documents that have come out
of recent hacks, we have been able to see how both social media and good old
exploitation are being used in the corporate space.
Again, this is not something that I am going to pass judgment on, one way or
the other, but this is something that people should be aware is going on, and
they should consider what it means. For a long time, the “threat” focus has
been on cyber criminals, nation-state threats, and pranksters, but when you
consider under what circumstances a business would commission, say, the
building of a rootkit, it adds a whole new dynamic to how defenses are built.
The current economic climate has to be taken into consideration as well. Just
like people, companies that are under threat are more likely to take risks
that they otherwise would never consider. With many companies having to fight
to stay open, opportunities that would never have been considered may become
the key to keeping the lights on.
Impact on SE
It really is fascinating times that we are in right now. We are still too
close to recent events to effectively evaluate their impact, but it is
important that we keep them on our radar. What we do know is:
• It’s very easy for anyone to play a part in any sort of
movement. SE works in two ways: first, to motivate someone to become part of
a group or to increase the active involvement of the group through peer
pressure, social norms, etc., and second, to infiltrate on the part of the
• The Google hacks were not one-offs; everyone is using
social networks to target their ultimate goals. People make a big deal out of
items relating to fake profiles used to infiltrate groups, but this practice
is, and has been, widespread for a very long time. It’s not hard to do and it’s
• If you think in terms of singular attack approaches,
you are way off. When under active attack, everything that might be attempted
will be done.
• You can’t close off communication channels, as new ones
will take their place. In many cases, it is better to leave visible channels
in place so they can at least be monitored.
• Many people that are aware of best practices don’t bother
making use of them. This includes everything from opening attachments they
should not, to re-use of passwords, to trusting that people are who they say
they are without proof.
All of this impacts SE, how we conduct it, and how we defend against it. It
is in times of flux, like these, that new techniques and practices often get
developed. So keep your eyes open to try to identify the beginning of the
next SE trend.
Written by James O'Gorman