The most eye-opening thing is, at the end of the exercise, the attacker has gained every bit of information he set out to obtain, and the salesman is completely unaware that he has divulged sensitive information.
Among the tactics described are:
- Giving gifts - not major gifts, but little things, such as hand sanitizer, a compliment, gum. Human nature is to want to repay a kindness; the social engineer creates a desire in the mark to reciprocate.
- Non-threatening behavior - the social engineer goes out of his way to appear non-threatening, in attire, in personality, and in facial expressions. He guides conversation to stay mostly on benign topics, so as to not arouse suspicion. After gleaning a piece of information, he quickly steers conversation back to an unrelated topic.
- Creating connections - real or manufactured. The attacker may learn about the mark's background (or more likely, has done some homework in advance), and then claim to have a similar background. He may "discover" that he is staying at the same hotel or attending the same conference. He searches for common ground on which to build an apparent connection between himself and the victim.
- Intentional misstatements - the attacker may make intentionally wrong guesses about the victim's job, salary, to whom he is making a presentation, or which software his company uses. For many people, the natural inclination is to correct such a statement, thereby revealing sensitive information. The attacker may say "I heard you are bringing such and such to market next month" to which the reflexive reply might be "no, actually we are doing this."
I personally experienced this at a recent conference. A sales leader started talking about a conference call she had had with a manager from my company, on a topic I was familiar with, but could not recall the person's name. I had to catch myself before instinctively naming off a few possible names and divulging key decision-makers.
- Stacking - using multiple tactics to piece together information. In the blog example, the attacker talks with the victim about his family, birthday gift ideas, how long he has been married, etc., and is able to piece together very specific personally identifying information such as birthdate and wedding date -- items that could potentially be used in identity theft.
I write this because, to many of us, social engineering is an abstract thing. We read about social engineering being used to spread malware (poisoning search results for major events, impersonating a friend to defraud us), but we forget that the first goal of a social engineer is to get our guard down. They will stay as far away from their actual objective as possible, and instead build an apparent relationship upon which to elicit information. And when they are done, we may not realize how much we have divulged.
Take a look at these blogs to follow the scenario through three episodes - you may have your eyes opened.
- Gift-giving, social-engineer style
- Creating connections to persuade your targets
- The social engineering stack overflow
October 2014 update:
- SANS Securing the Human Blog
- Social-Engineer.org Blog, Newsletter, and Podcast