A Request By Any Other Name
Sometimes the quickest route to a goal isn’t to come at it head-on. Human beings are finicky creatures with limitless variations in how they respond in social situations. Social cognition is the term given to the study of how people of a particular generation and culture think, make decisions, and respond while also trying to assess why people seem to be so darn irrational when they do (Aronson, 2012). In other words, one way of understanding people can mean studying what happens internally given a particular external context. Successful social engineers tend to have a knack for effective use of typical human behavior because life is not rational but people can be predictable.
Start high to aim low
Imagine I approach a target with the goal of getting their signature and possibly their personal email address as well. I could use a petition as an excuse to get a signature but simply walking up as a stranger on the street and asking the target to please sign my petition to stop the abuse of these cute little puppies might not be foolproof enough to waste my one interaction with them on it.
First, I can use context to pick a vector which capitalizes on predictable human behavior. Approaching someone on the street as a stranger does not build as much rapport or trust as approaching a fellow co-worker in the office hallway (though it better be a big office with lots of employees). So I can dress the part, take my clipboard with handy-dandy half-signed-already petition, and tailgate my way into the building. But I still have to walk up to the target and ask for a signature and their personal email address. Now pretext and elicitation skills come into play.
What social cognition has shown us is that if I prime my target by first asking for a $30 donation, and when refused I ask for a $15 donation, and when refused again I offer the option of just signing the petition and adding their email, the priming helps frame the last request as a reasonable option for the target. Social science calls this the contrast effect, where an option only appears reasonable because the other options given are not (Aronson, 2012). In the world of sales it’s also called the “door in the face” technique and, as last month’s newsletter on vishing pointed out, telemarketers use it all the time.
Another way SEs use the contrast effect is to elicit the last four digits of a target’s social security number. It’s usually a tactic used over the phone when the SE is pretexting as HR or IT and just needs to update or verify information in one database or another. The trick is presenting the request in contrast without actually requesting the unreasonable option. It can go something like this:
“Okay, looks like we have almost everything corrected then. I just need the last four digits of your social security, not the whole thing, [slight chuckle]. Just give me the last four digits.”
What this does is allow the target to feel like you are looking out for them as you point out that you aren’t asking for the unreasonable option. The last four digits sound harmless when compared to the whole number. Stating it this way also makes an assumptive suggestion that they were about to give you the whole thing and you just prevented them from making that excessive mistake.
Defenses against created context
SEs work hard to create favorable contexts which let them test whatever security training the target might have had. However, there are ways to gear education so that users can remain polite and helpful at work while protecting themselves and the business as well. A word of caution though: this type of education includes instilling an internalized motivation for critical thinking. This means making the training matter to the individual receiving it.
One defense against such tactics is self-awareness of your reactions in any given context. Are you strangely happy to be talking to this delightful stranger on the phone who is now prompting you to visit a website to download a PDF or view a video? Chances are they created a context that made you feel it was a reasonable request. Is it really part of your job to go view that website? Again, self-awareness is needed to stop and think about why you are doing something and whether you should. Some ways to cultivate this self-awareness are role-play type training, tabletop exercises, real-world SE pentesting, or phishing awareness campaigns. These all give your users a chance to “think through” a situation while making it (and the consequences) real for them.
Another defense against such tactics is a polite-yet-firm policy, or even scripted answers, for employees who would normally be targeted, such as customer service. It can be as simple as, “I’m sorry ma’am. I understand you are frustrated but I simply can’t do a password reset without that information.” Have a process for your people to follow when they need to verify requests for information, such as someone calling from HR to ask for a date of birth and employee badge number. Have a process for your people to report suspicious activity, but make sure there is follow-up on any reports. A lot of processes, yes. But none of them need to be complicated or grandiose. In fact, simple is better.
We know we say this frequently, but if you have never heard examples of the contrast effect, it would understandably be harder to recognize them when they happen. Knowledge is power. The fact that you are reading this newsletter confirms that you know this. Context matters. So create a context where knowledge primes your people to frame their activities with security awareness. The alternative is unreasonable in comparison.
Written by Tamara “Black Widow” Kaufman