The Art of Distraction and the Social Engineer

The bird in this video is known as a Killdeer, a predominantly North American bird whose “broken wing” distraction technique is well documented amongst bird watchers and ornithologists. The Killdeer typically attempts to lure a ground predator away from its nest and offspring by appearing to be injured and offering what looks to be an easy meal. As the threat closes in, the bird flies to safety before trying to entice the stalking predator again. In a bid for the survival of its offspring, the bird uses distraction and deception to increase the odds of the hatchlings’ survival.

The art of distraction and the social engineer

Our friend Apollo Robbins is also a master of directing attention. In this TED Talk, he not only demonstrates his skill in manipulating the attention of his target, but also does this on a greater scale with the entire audience, revealed in the last 40 seconds or so of his presentation. The maddening aspect of this video is that paying closer attention doesn’t help all that much. Apollo is simply great at what he does and despite all best efforts, manages to make one attend to the details that he chooses.

Why is this important?

These examples demonstrate the same point. The use of distraction is an extremely effective method in directing the attention of a target, whether it be a potential predator or a social engineering target. The appropriate use of distraction is an excellent way for us to influence others by guiding their focus in a direction that accomplishes our goals (and away from salient facts that may get us caught).

Something else that helps us in the implementation of distraction is the faulty human operating system. I imagine we would all prefer to think of ourselves as observant people, but most of us simply aren’t. In psychology, there is a fascinating phenomenon known as inattentional blindness; it’s basically the failure to observe something that is fully visible to you because you are distracted in some way. This concept has been demonstrated a number of times, probably the most well-known by Simons and Chabris (Simons, D. J., & Chabris, C. F. (1999). Gorillas in our midst: Sustained inattentional blindness for dynamic events. Perception, 28, 1059-1074.) In this study, the researchers found that about half of people concentrating on counting the number of times a basketball was passed amongst teammates failed to see a man in a gorilla costume walking through the middle of the players.

This isn’t just a problem with your average human. While one might excuse this sort of tendency in most people, we would expect that experts with experience or training would be relatively immune to this sort of failure, especially if they are paid to observe. Not necessarily so. In a recent study conducted by researchers at the Harvard Medical School and Brigham and Women’s Hospital, radiologists were asked to perform a standard task; viewing lung scans and identifying suspicious nodules. Except in one of the conditions, researchers inserted a picture of a gorilla in the final trial. What they observed is that an astounding 83% of participants failed to notice the gorilla.

Now, before we go off screaming to our radiologists, here are some important pieces of the puzzle. One of the main aspects of inattentional blindness includes the fact that the stimulus that is missed is unexpected. In other words, we don’t expect to see a gorilla either on a basketball court or on a lung scan. The second aspect is being engaged in something else. This is exactly why cell phone hands-free devices in cars do very little to reduce accidents. Although juggling a phone and a steering wheel is clearly unsafe, it’s the concentration on a conversation that keeps you from noticing the car ahead of you has stopped short; even though you may be looking right at it. This is also exactly the situation that both the Killdeer and Apollo Robbins create that allow them to pursue their respective goals.

Are there social engineering implications?

Taken together, this has clear implications for the social engineer. Time spent in the development of a proper pretext and use of good props can set the stage for an engagement in which the target is paying closer attention to all the wrong things. Perhaps a distressed job applicant with a ruined resume can temporarily make a secretary dismiss the fact that corporate policy forbids inserting an unknown flash drive into the network. Or maybe a heated argument between “strangers” in an office lobby creates enough confusion for a third party to gain access to the building without having their credentials double checked.

Well-prepared and knowledgeable social engineers can create and exploit situations favorable for a chosen attack vector. In this article, we have highlighted the fact that people are very vulnerable to distractions and they generally have a hard time paying close attention to everything going on around them. Be aware of this as you operate and as white hat social engineers, be sure to defend your own organization against this component of human behavior.

Written by: Michele Fincher