Terry Zink's Cyber Security Blog

Discussing Internet security in (mostly) plain English

A positive (?) story about social engineering

A positive (?) story about social engineering

  • Comments 2

I’m currently on vacation in South America* so I thought I’d pre-write a few stories about how spam/malware relates to real life.

We all know that a big trend in recent years with malware is social engineering.  Social engineering is an attempt to trick the end user into doing something by impersonating someone else or by playing on their emotions.  This is usually a bad thing… but not always.

When someone nefarious gains access to your credentials, they don’t necessarily have to use it right away.  They can sit on it for a while before making use of it.  That adds another dimension of social engineering because something that you did several months ago (giving up your credentials) can come back to haunt you many weeks or months later.  And then, when it happens, you can’t recall when you might have surrendered them.

But what if social engineering was used for the powers of good?  Let me tell you a story.

Many of my readers will know that I am a magician, and this year my focus has shifted to mentalism.  This branch of magic focuses on predictions, reading thoughts, and creating experiences in the minds of the audience.  Well, this year, I was sitting on a couch preparing to depart from a local establishment.  I was leaving, I overheard another lady talking to someone else.  She was talking and said something like “Give me a call” and said her phone number.  My brain flipped into action.

I pulled out a pen and notepad and wrote it down (I memorized as soon as I heard it).  This might come in handy, I thought to myself.  I started thinking about how I could use it.

And that time came a few months later.  I decided to use it in a magic effect.  I decided to test out something new.  I walked up to her and said “Amanda” (not her real name), “I want you to think of a number.  Make it a meaningful number… your phone number.”  Keep in mind that I have never asked for it nor obtained it in any fashion.  “Concentrate, now.  Visualize it, floating in front of you,” I said as I waved my hand in front of her as if it were a few inches in front of her eyes such that only she could see it.  I moved in closer, putting my hand on her shoulder while gesturing with my other hand.  “Still seeing it now, I want you to silently recite the numbers in your head.  Echo them one by one, clearly.”  She looked up and to the right, saying the numbers.

I played it up a bit more.  “10 digits,” I said.  She nodded.  I then said the numbers very slowly “1… 2… 3… 4, 5, 6… 7, 8, 9, 0.”  Her eyes went wide and she smiled in disbelief.  I had just performed a miracle.  I smiled in return, thanked her for helping out and proceeded on my way out the door.

Now for some analysis on social engineering:

  • The original leak of information is something that I overheard by accident.  Sometimes people slip information without realizing it.  They enter in their username and password over clear text (like a discussion forum) and then re-use that those credentials elsewhere.  If a hacker breaks into those forums and obtains that information, they have revealed their info by accident to an eavesdropper.

  • But it doesn’t stop there.  In fact, it’s just the beginning, because my trick illustrates real social engineering using body language techniques.  The first thing I said was to think of a number, but not just any number – a phone number.  Getting someone to think of something related to them makes it about them.  Once that happens, emotions start to kick in.  When emotions kick in, it becomes more difficult to think logically.

  • I put my hand on her shoulder.  That breaks a psychological barrier of personal space invasion and again triggers an emotional response.  It’s something I do a lot when I perform magic close-up.  The sensation of touch makes it even more personal.

  • At the same time, I waved my hand in front of her, at eye level, and my eyes followed it.  Her eyes did the same.  This wasn’t necessarily designed to do anything, however, I say to illustrate the fact that I was using a psychological technique to control (actually, influence) her gaze.

  • Finally, when I got closer to the end, I leaned forward and moved in closer.  Moving in towards a personal is a technique I picked up from Neuro-Linguistic Programming and general techniques of learning body language.  When we lean in to someone, it means we are interested in them, or what they are saying.  Whether or not she actually was interested in me (or more accurately, what I was saying and doing), I was using a psychological technique to suggest interest.  It’s not particularly overt but at the same time it is not subtle.

So you see, I was using a lot of social engineering technique to generate an emotional response because when the number was revealed, I got a positive response.  All I basically did was say “Think of a number”, but I spiced it up.  And when you spice things up and get the person to start thinking more with their emotions, you can get away with a lot more.

But in this case, it made me look pretty suave and sophisticated, if I do say so myself.

image

Leave a Comment
  • Please add 4 and 3 and type the answer here:
  • Post
  • Great article - I am always retweeting yoru stuff. However, I am real curious on how you made your picture at the bottom of the story. I am looking for something similar.

  • I found that photo doing a search on Bing images.

Page 1 of 1 (2 items)