As a child, I was obsessed with card tricks, sleight of hand, you name it. I enjoyed watching street magicians and how they could captivate an audience; how they could fool someone right under their nose with the simplest of gimmicks, yet leave their spectator with only their imagination to figure out how they pulled it off. You could tell they had been doing this their entire life. I would spend hours practicing tricks and watching tutorials late into the night. I'd study the techniques and then proceed to present them in front of family and friends. Always carrying a deck of cards in my pocket... I was very popular, as you can imagine.
Of course, as a lot of childhood passions do, that hobby of mine faded away as I got older. I have since moved on to much nerdier things. But very recently, I've found myself going back to some of those old techniques I'd spend sleepless nights learning. Believe it or not, in my time working as a social engineer, I've come to find a lot of similarities between my job now and my childhood obsession! Hopefully this article can also shed some light on the work we carry out in this field.
Setting the Stage
As human risk analysts, part of our job is to perform vishing simulations for our clients and test their internal security. We put on the best performance possible to try and get their staff to give us sensitive information they shouldn't. Often, this involves us masquerading as someone internal who can hopefully get our target to drop their defenses. Essentially, we present the illusion of being Doug from IT or Kaylee from HR, perhaps calling them about an outstanding ticket in their name, or a brief company survey.
Whatever the case, careful planning goes into setting the stage for whatever engagement we're working on. Concocting the perfect alias and pretext to "fool" our target takes a lot of work! It also requires us to be familiar with techniques that can be used to obtain information from them. Here are some of the tricks up my sleeve that I personally like to use.
The Magician's Force
In an engagement, our goal is to capture the "flags" that a client has approved for us to pursue. These flags correlate to sensitive data ranging from ID numbers to manager names... even social security numbers!
There are different approaches we can take to obtain these kinds of flags. Often the success we have hinges on the questions we use. It can be very off-putting if we don't phrase ourselves correctly or if our request appears unnatural. I personally like to give my target a sense of control in the conversation, essentially having them pick which flag they want to give me. How is this possible? By utilizing what is known as The Magician's Force. This is a verbal technique that gives the illusion of free choice. The idea is to set up multiple paths that all lead to the same endpoint.
In Performance
The simplest way for a magician to use this force is by dealing two cards in front of his spectator and requesting them to "Choose one card." If they choose the card he wants to force, he simply says "Okay, that will be yours." However, if the spectator chooses the other card, he eliminates it by saying "Okay, we'll put this one off to the side." The magician uses ambiguity in the word "choose" so that either way, the spectator winds up with the same pre-determined card.
On the Job
In a similar fashion, a version of this force can also be applied when speaking to our target. Here is an example:
(Not Using the Magician's Force) "So to close out the ticket, can you confirm your SSN?"
(Using the Magician's Force) "So to close out the ticket, it's asking you to confirm either SSN or DOB, whichever you prefer of course!"
In our second scenario, either flag is valuable data that can help us compromise our target. Presenting them with "options," however, gives the target a sense of control and choice in the situation. This technique may seem very transparent or elementary, but in the right hands it can be incredibly deceptive. For a split second, we shift their mindset from a "Yes or No" decision to an "Option A or Option B" choice. We use this brief mental lapse to our advantage and raise the odds of our target divulging sensitive information.
The Art of Misdirection
Being able to control someone's attention is a powerful skill that opens the doors to many possibilities. A magician uses misdirection to pull his spectator's focus away just enough to distract from what's really happening outside it. Of course, in vishing engagements we cannot physically see our target, nor can they see us. However, there are still subtle ways to misdirect them internally as opposed to externally. How so?
For me, I like to use misdirection to split my target's attention and constantly keep their mind moving and occupied. This buys me time and prevents my target from becoming suspicious of me. I've found the use of questions to be a great way to distract. Here are some ways this can be done on the job.
Access Memories - Keeping your target busy by having them access a "memory" is a great distraction while on the phone. The memory doesn't even have to be real. For example, if I was pretending to call from HR about conducting a survey, I could say, "This is similar to the survey we conducted this time last year; do you remember that one?" Of course, there may not actually be a survey for them to recall. But chances are this can distract them just enough to get past their initial "suspicion defenses" at the start of a call. I usually follow this up with, "Ahh no problem, I know we send out a lot of those; this one only takes 2 minutes."
False Statements - Many people like to correct inaccurate information, which is why using false statements can be a very powerful form of misdirection. For example, I could say to my target, "So I just wanted to confirm your ID number is XXXXXX, right?" This is a deliberately false statement, but it prompts my target to correct me. For a split second, they become distracted in correcting me with accurate information, and they may just forget about their security protocols. This can be more effective and less suspicious than outright asking for their ID number.
Closing the Curtain
So, when it comes to the work of a social engineer/human risk analyst, there are many more techniques we can use. There are different cards up our sleeves that we save for the right occasion and circumstance. Just as a magician adapts to the audience he's performing for, so we must adapt to the people we speak to on the phone. However, simply compromising our target is not our ultimate end goal. We do not seek to deceive our targets with malicious intent.
Rather, our goal is to assess the security posture of the company and provide remediation through education. All the while following our motto, "Leaving others feeling better for having met you." In that same vein, when a magician fools his audience, he still leaves them feeling entertained for having been part of the show. Though we cannot speak for our targets being "entertained" by our engagements, it is still our goal to leave them feeling better for having met us. We would never want to treat them unethically or make them feel foolish if they were to be compromised. Only through proper training can a company strengthen its defenses for when a real attack occurs.
Hopefully this has given some insight into the work we do at Social-Engineer, and even the techniques we use while in an engagement. If you're anything like me, you may find the psychological principles behind influence tactics, elicitation, and even pretexting to be fascinating. You can find references, research, and concepts about several of these in our Social-Engineering Framework.
Written by: Josten Pena
Sources:
https://www.social-engineer.org/framework/attack-vectors/vishing/
https://www.social-engineer.org/framework/influencing-others/pretexting/
https://www.discovermagazine.com/mind/use-the-force-how-magicians-can-control-your-decisions