Robin Dreeke is back with another exciting chapter in the story of Steve and John. This week we look at how social engineers stack talents and methods:
Social Engineers “Stack” Techniques for Effectiveness
When we last left our story, Steve had taken some time to continue to lower John’s defensive shields by using validating statements and displaying a non-threatening demeanor. Steve then used the elicitation technique of “bracketing” and obtained John’s salary. Steve’s next task is to obtain the contract bid amount from John. Steve will also attempt to ascertain John’s date of birth. Steve will ascertain this sensitive information without asking direct, alerting questions. Steve will utilize intentional misstatements, bracketing, and quid-pro-quo to obtain the information. The use of multiple techniques is known as stacking (Nolan, 1999).
Following the conversation the two had concerning where John was staying, his position, and salary, Steve quickly moved the dialogue onto a much less threatening topic. Steve leaned in closer to John and asked him for his opinion. Steve said that his wife’s birthday was coming up and he wanted to get her a really special gift. She was turning 40 and he wanted her to feel good about herself. Steve went on to say that she had gotten him a really nice fishing pole that he could use with his son last summer. Steve continued that it was easy, because his birthday was in the summer. Steve’s wife’s birthday was in the winter and he was at a bit of a loss. John responded that his birthday was in the winter also, but that his wife had gotten them dancing lessons one year that they really enjoyed. Steve responded that it was an excellent idea and inquired whether John was one of those unfortunate few that had his birthday during Christmas. John replied that he wasn’t, it was on December 15th, but his wife’s was on Valentine’s Day. John lamented the Valentine’s Day birthday challenge. Through the course of the next few minutes, Steve and John discussed how long John and his wife had been married and how old they were when they got married. John was thoroughly enjoying his conversation and the flight was going by quickly.
Using a non-threatening theme of a relative’s or friend’s birthday is very effective at lowering an individual’s guard. Seeking someone’s opinion validates the other person and gives them the feeling of being important. Feeling important will continue to drive the targeted individual to stay engaged and seek further validation. Steve used the technique of intentional misstatements to ascertain John’s date of birth. He also achieved the bonus of John’s wife’s birthday. Using intentional misstatements about birthdays induced John to correct Steve with the proper information. Additionally, an SE will utilize other indirect techniques, like Steve did, to ascertain information such as year of birth. Steve discussed how old John and his wife were when they got married. He later asked how many years they had been married. This dialogue was great because it required a non-threatening quid-pro-quo exchange between the two. Quid-pro-quo is the act of giving information in order to get information (Nolan, 1999). Steve made John feel very comfortable while revealing personal information because Steve intentionally gave some first.
Playing the “high / low” Game as a Professional Peer
Steve and John took a break from their conversation when the flight attendant came around to see if they needed another beverage. Steve and John returned to their laptops. The pilot came over the intercom and informed them that they were about twenty minutes from landing. John offered that he had really enjoyed meeting Steve and handed him his business card. Steve said he was still job seeking and hoped that this conference was productive for him. Steve went on to say that he had dealt with the company that John was pitching when he was still in the military. Steve offered that he had become friendly with one of their employees a number of years ago. He said that he didn’t know if it would be of any help, but the employee said that companies that made bids on John’s type of projects, typically bid between ranges of numbers that Steve provided. John smiled as he offered, “I’m glad that we are not doing business a few years ago, our bid is lower than that range.” Steve laughed as he commiserated with John on the state of the economy.
Individuals will share information with someone they regard as a professional peer more times than you would imagine. Lawyers will exchange stories and information and so will doctors (Nolan, 1999). Law enforcement professionals will share stories and anecdotes with peers but not the general public. This sharing of stories with peers is yet another example of individuals seeking validation from individuals they deem credible enough to give it. Steve used his experience with the company John was pitching to demonstrate his peer level. Steve then stacked the techniques with an intentional misstatement as well as bracketing. Steve appeared non-threatening because he had the appearance of trying to help as well as not asking a direct question. Steve did not ascertain the exact bid amount, but he does know what dollar amount it is lower than. Many times it is just as valuable to know the range something is within. An SE will weigh the difficulty against the benefit.
A Social Engineer Builds for Continued Dialogue
The plane landed and the two new friends gathered their belongings. As they deplaned, Steve had to wait for his bag that was checked. John felt a pang of guilt and offered to buy Steve a drink at the hotel that evening. Steve accepted with a warm smile, saying he would enjoy that. Steve went on to suggest that he may be looking to move to the area where John lived if all went well with his meetings over the next few days. John became very excited at the prospect, offering that he knew a very good realtor and his wife could help him in selecting great schools for his children. The two departed with plans to meet later that evening.
The Target of a Good Social Engineer is Unaware
When John arrived at the hotel, he saw his friends checking in at the reception counter. They asked how his flight was and he recounted the story of how he met a great guy. John went on to say that he would probably join them for a drink later, he owed him because of the kindness he offered when giving up his overhead bin for him. His friends seemed intrigued and they asked what the two discussed on the plane. John responded that they hadn’t spoken about too much, just kids, birthdays and job hunting / moving prospects for his new friend Steve. John went on to say that he felt bad for Steve. He was recently out of the military and seemed to need a good friend and advice on the transition.
Steve never used direct questioning when it concerned the information he was targeting. He intentionally used non-threatening themes of family, birthdays, and anniversaries. Steve validated John as a successful father and businessman. Steve put his own ego aside as he flattered John in a non-apparent fashion. Steve made John feel safe about revealing information because he would give some first. Steve gave the greatest gift that most individuals seek, a listening ear. Steve exercised great patience and flexibility as he brought his well-thought-out social engineering plan to bear against John. Steve left the conversation with all the information that he was after. John left the conversation unaware that he had divulged anything sensitive. John thought he had a great conversation with a new friend.
Social Engineers Will Continue to Exploit and Open Doors
Steve got his bag plane-side, then walked to the baggage claim area where he met his employer. Steve’s employer asked how the flight went. Steve responded that it went very well and according to plan. Steve elaborated that he had ascertained the approximate bid number from John’s company on the contract, John’s exact date of birth, how much he makes a year, and his wife’s date of birth. Steve went on to say that they had a meeting planned over drinks tonight with John and his colleagues. Steve’s employer congratulated him, stating that the information was exactly what they were looking for and it would be perfect for their company’s use. Steve inquired whether the company needed any more information since he would be seeing John again later. His employer asked whether he thought he could ascertain John’s password methodology for his banking and computer access. Steve replied, “No problem, the relationship is well anchored and he enjoys the validation I give him.”
Lessons in Personality
This story illustrates the mere tip of the iceberg when it comes to the information that can be gleaned from an individual by a well-trained Social Engineer. Steve utilized multiple techniques that we all use naturally in everyday life. The only difference is that Steve executed them consciously and with a plan. Steve was completely successful and will continue to be able to elicit sensitive information that is relevant to his employer’s business, unbeknownst to John. This is the art form known as Social Engineering.
In conclusion, although humans are guarded about giving away personal information, crafting non-alerting dialogue can elicit sensitive information for two main reasons. First, a human being seeks the validation that a Social Engineer gives. Most importantly, a Social Engineer is an expert at making people feel comfortable.
Nolan, J. (1999). Confidential: Business secrets – getting theirs, keeping yours. New York, NY: Yardley – Chambers.
Robin Dreeke, a 1992 graduate of the United States Naval Academy and former US Marine Corps Officer, has been studying interpersonal relations for the past 23 years of his government service. Through the use of non-verbal behavior, the Personal DISCernment Inventory, the Myers Briggs Type Indicator and personal anchoring, Robin has built highly effective tools for all aspects and stages of interpersonal communication. For the past thirteen+ years Robin has applied and taught his tools and techniques for the FBI as a member of the Counterintelligence Division’s elite Behavioral Analysis Program. Robin has combined all these tools and techniques and created a very unique People Formula.
Today Robin is a recognized expert, author, and gifted lecturer in the art of interpersonal communication. These skills are used every day in the areas of leadership, sales, human resources and all relationships, both business and personal.