Social Engineering Blogs

An Aggregator for Blogs About Social Engineering and Related Fields

Subliminal Hacking Blog October 12, 2012

Proxemics … Have you heard of personal space??

Proxemics is all about that little bubble we like to call personal space: how people position themselves within that bubble affects how we feel. Below is a generalisation of acceptable distances based on the type of interaction, but it's important to be aware that we are all individuals, so all of our bubbles are different, and different countries and cultures (you will know this if you have ever been to Hungary) have totally different ideas about what counts as an acceptable intrusion into personal space.

So why is proxemics of any interest to you as a social engineer? When it comes to gaining physical access, or looking to influence and / or manipulate someone, this is really important. It is very much linked to your body language and other non-verbal cues, but where you position yourself has an impact on how you are perceived, on the position or structure you are trying to portray, and on any territorial message you are trying to convey with your physical positioning.

The social boundary is what you would consider acceptable in a public / exhibition environment (not the local social club / pub). If you were waiting to meet someone, or speaking to a stranger to ask directions, this is the personal space that would be considered normal in most parts of the western world. Distances greater than the social boundary are public space, like visiting a park or a museum.

The personal boundary is the area I would imagine most people feel is invaded on a more regular basis. This tends to be where we are happy for friends and close colleagues to venture, and what we would consider ideal spacing if we are waiting for the bus. When people breach this boundary we can often feel threatened and look to withdraw, or consider standing our ground even though it may be an uncomfortable and stressful experience.

The intimate boundary is reserved for those we are closest to and trust most, because at such close range we are very vulnerable, so trust is of paramount importance. A slight exception is when we are happy for someone to whisper something of value to us; for this we grant a temporary reprieve and allow that person in to share the information, before getting the hell out.

As mentioned before, ethnicity and culture will result in variances in this, but a quick bit of people watching will help establish a baseline of the cultural norm. You will of course experience the odd one out, who for various reasons will keep a distance from you, or be all up in your face as part of their natural way of communicating, so even though it will feel awkward, judge the other non-verbal cues to establish any possible intent before reacting. During our interactions people can move through the various boundaries depending on the social situation, the intent of the interaction, the topic of discussion and even their gender.

So when you are next involved in an onsite engagement and are attempting to build rapport and influence individuals or groups, be sure to give some thought to your proximity, along with the other verbal and non-verbal cues we have discussed before.

Thanks for reading, and until next time happy hacking.

Filed Under: Communication, Influence, Nonverbal Behavior, Proxemics, rapport, Security Awareness, Social Engineering

Subliminal Hacking Blog August 20, 2012

Tweaking your Critical Factor … Understanding RAS

In previous posts (probably over a year ago now) I have spoken about this thing called the critical factor. In the hypnosis world this is the gatekeeper or firewall between your conscious and subconscious mind, helping to keep out all the junk and irrelevant information so you can focus on what is most important. I have also spoken about how the subconscious mind gathers and processes all the information external to us and then feeds the conscious mind just a small subset of it to help us form our reality. When we are looking to manipulate or influence people we use language in various forms to bypass the critical factor by making it lazy (Yes Sets, etc.), to find agreement in beliefs and opinions and build rapid rapport to increase the chances of success, or to give the impression of authority (in a positional or knowledgeable sense) and use social compliance to get to our desired outcome.

So if you read my blog already this is old news, but something I have been looking into is how the human mind pre-determines what is critical information: if we understand this, does it help us bypass the filter more easily, and, more importantly, does learning about these techniques (as I have said before) help us be less susceptible to manipulation that may result in a negative experience?

What I found as part of some neuropsychology reading I was doing is that part of how the mind organises and filters this critical information is through the RAS. RAS stands for Reticular Activating System, which is considered by some as the command and control centre for all brain and body activities.

I won't try to talk science about how the RAS works with the rest of the brain as I am sure to make a dog's dinner of it, but essentially the RAS takes on board all subconscious stimuli and checks them against a priority list: if the information matches something on the priority list you will be consciously alerted, if not it is stored in the subconscious for a later date. The priority list makes us aware of things around us that are important to our health (a fire alarm, for example), things we are interested in (a type of car, perhaps) and things that are personal to us (our name, for example). This is why, going about our daily duties in a crowded room, we can distinguish our name being called, and why, once we have decided on our next car purchase, every damn car we see is the one we thought was unique and rarely seen on the roads. In my Googling I also found a lot of references from life coaches to programming your RAS to reach your goals. That really isn't my bag, but at the same time I can see how it would work.

So how do you get additional items onto your RAS priority list and tweak your critical factor? Well, I don't have any scientific proof, but when I think about the items that are commonplace in most people's RAS it seems they are there either because of large-scale forced repetition, or because of freely chosen repetition because you are interested in something. I know this to be true, because when I am interested in something, or thinking of making a purchase, I research the hell out of it, and then when out and about I see or hear many things relating to the thing I am thinking of buying.

In short, engrossing yourself in something on a regular basis allows you to tweak your filters to be more aware of specific happenings in your world. If you have studied body language and find it interesting, and look for things daily, all of a sudden you realise you are seeing and reading gestures effortlessly. When learning the types of language used to influence, you more readily hear when a salesperson is spouting BS. So this stuff really is simple and obvious, but I think it is interesting to understand and appreciate which part of your mind is doing the work, and for some people this is key to realising you can make tweaks and improvements.

Appreciating this, in my opinion, will make you a better social engineer. As you continue to discover and understand both the art and the science of SE it makes you more effective. It gives you a better ability to be consciously aware of the various situations you find yourself in, meaning you can make quicker, better and more informed decisions. This results not only in a better threat simulation in the activities you carry out, but also leaves you better informed to educate people about what they can do to identify, in real time, when they are being socially engineered, to reduce the risk of wrongful manipulation.

Filed Under: Influence, Social Engineering

Subliminal Hacking Blog July 22, 2012

Playing Nicely with Scammers … Wasting their time for giggles :)

So I am in the business of social engineering people (with authorisation, of course), and depending on who you speak to this could be interpreted as scamming, conning, or generally straight-up manipulation. The reason I do this is to simulate a real-world threat to see how people hold up and utilise the training they have had, as well as to identify the gaps that need improving. Now I see a lot of examples of real scammers and phishers in action, and rarely would I rate them as very good, but I do appreciate that they don't actually have to be that good to get decent results when they play the numbers game.

So why am I telling you this? Well, in July someone attempted to scam / commit online fraud against me, and I have to say it was one of the best approaches I have seen to date. So the aim of this post is to give some awareness, and to share the little story of how I wasted their time for the week, and perhaps bring a smile to your face :)

So my story starts on the 1st July 2012 when I put my MacBook Pro up for sale on Gumtree. I did some searching around for how much they are selling for, and wanted to avoid eBay fees, so Gumtree seemed like a winner. Below is a pic of the ad:

Soon after posting I received an email via Gumtree asking if the item was still for sale, and indeed it was so I replied confirming as much.

About 24 hours later the guy gets back to me saying he would like to buy the laptop and will pay £20 towards delivery, and provided me a mobile number to call (+447035920292). Now I did think this was a little odd, as who in the UK tells someone else in the UK the country code, but hey, I thought I would give him a call.

So I make the call and speak to what I think was an African guy calling himself Francis Saine ([email protected]). His English wasn't great, but I have sold things to foreign students before, and decided to set my paranoia to the side and see how it goes.

Now the next bit is the clever bit: he asked me to send him a PayPal money request for £770 so he could then make the payment. I had never used this feature before, but as you are protected by PayPal I thought all was good.

My new friend Francis later in the day sends me an email letting me know the address the laptop will be sent to (a London address), which backed up part of the phone conversation we had. Another 24 hours later I get an email from PayPal informing me Francis has paid me, and the money will be released once I provide proof of posting. ALARM BELLS RINGING….. Fun time :D

Now as you can see this PayPal email is set so the reply will be sent to [email protected], which obviously isn't PayPal, so I decided to also check the headers and I saw this:

MIME-Version: 1.0
Received: by 10.224.184.75 with SMTP id cj11mr31753768qab.16.1341334634836; Tue, 03 Jul 2012 09:57:14 -0700 (PDT)
Sender: [email protected]

Now I got a couple of emails from the fake PayPal email dude and I have to say, aside from this oversight, it looked really, really good. The clever thing is, because you sent a payment request, if you log in to your PayPal account it says pending, and the phishing emails also confirm pending status, so the average Joe is going to fall for this.
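A check for the tell described above, as an added example that is not code from the original post: it parses a raw message and reports any Reply-To, Sender or Return-Path header whose domain differs from the domain in the From line. The two messages are constructed to mimic the pattern in the story (a From line naming the brand while replies and the envelope sender go to a webmail domain); the addresses and domains are placeholders, not the ones from the scam.

```python
"""Flag a 'payment notification' whose Reply-To / Sender / Return-Path domains
differ from the domain in the From line.
Added example; the messages below are constructed, not the real scam emails."""
import email
from email.utils import parseaddr

# Constructed sample modelled on the pattern described in the post: the From
# line names the brand, but replies and the envelope sender go to webmail.
SPOOFED = """\
From: "PayPal" <service@paypal.example>
Reply-To: Payments Department <payments.dept@gmail.example>
Sender: someone@gmail.example
To: seller@example.net
Subject: Payment pending - proof of postage required
MIME-Version: 1.0

Your funds will be released once you provide a valid tracking number.
"""

# Constructed sample of a message whose headers are internally consistent.
CONSISTENT = """\
From: "PayPal" <service@paypal.example>
Reply-To: service@paypal.example
To: seller@example.net
Subject: You have received a payment

A payment has been added to your account.
"""


def domain_of(header_value):
    """Bare, lower-cased domain from an address header ('Name <user@dom>' or 'user@dom')."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def header_mismatches(raw_message):
    """Return [(header, domain)] for every reply/sender header whose domain is not
    the From domain. An empty list means the headers agree, which is necessary
    but not sufficient for the mail to be genuine."""
    msg = email.message_from_string(raw_message)
    from_domain = domain_of(msg["From"])
    findings = []
    for name in ("Reply-To", "Sender", "Return-Path"):
        value = msg[name]
        if value is None:
            continue  # header absent; nothing to compare
        dom = domain_of(value)
        if dom and dom != from_domain:
            findings.append((name, dom))
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("consistent", CONSISTENT)):
        print(label, "->", header_mismatches(raw) or "headers agree")
```

This only catches the oversight the post describes; a scammer who sets every address header consistently will pass it, so the Received chain and the receiving server's SPF/DKIM verdict are the next things to read before trusting a "payment pending" mail.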

At about the same time I get an email from Francis telling me he has sent me the money, and that I must send the laptop tomorrow for Next Day Delivery before 1PM, and that it is going to his sister as a birthday present. So I assume they don't want to be waiting all day to intercept the laptop.

So what would you do in this situation? Well, I am a nice guy, so I wrapped up the laptop, as it's a birthday present, and sent it in the post!!

Well, at least that's what Francis thought, and that's what Shazad and his fake PayPal thought too. It took me a while but I eventually managed to create a Royal Mail Special Delivery tracking number that showed up as valid on the Post Office tracking page :)

Then I get an email from fake PayPal confirming I have sent a valid tracking number and that I will get the funds in my account in 24 hours, wooohooo.

Now during this time, just so it's clear, I have informed Gumtree, PayPal, the London Met Police and the eCrime centre, so they can utilise the information I collect to possibly catch these guys in the act.

The next day at about 3PM I get another email from fake PayPal saying that my tracking number does not appear to be authentic; I also guess the laptop is now 2 hours late being delivered, so they are wondering if I sent it at all? Obviously I hadn't sent it, so how could I send them a picture of the receipt to confirm the tracking? I make one :D It takes about 45 mins and I send it off; fake PayPal are happy and confirm again that my money is on its way :)

So at this point I have a phone number, some email addresses and a drop-off address. I thought it would be handy to get hold of Francis's IP address, as then I could find out his ISP and country to aid the police further. So I decided to phish him myself :)

So I continued to exchange emails with him to build some rapport, and get him interested in other things I might be selling. He is interested in the iPad I have for sale, and wants to see pics and get more info. So eventually he visits the fake site I spun up and I get his user agent info from the Apache logs :) Sadly these guys are doing a bit to protect themselves; it looks like they are using anonymous proxies and routing traffic through a VPS in the US. Oh well, it was worth a shot.
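Pulling the visitor's address and user agent out of the web server log, as an added example that is not the author's own script: it parses Apache's combined log format and groups user agents by client address for a given path. The log lines are constructed (documentation IP ranges, a hypothetical /ipad-pics/ path) and are not the author's real logs.

```python
"""Parse Apache 'combined' access logs and report which client addresses and
user agents requested a given path, as you would after luring someone to a
page you control. Added example; the log lines are constructed, not real logs."""
import re
from collections import defaultdict, namedtuple

# Apache: LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

Hit = namedtuple("Hit", "host time method path status referer agent")

# Constructed sample: documentation address ranges, hypothetical paths and agents.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jul/2012:14:02:11 +0100] "GET /ipad-pics/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5"
203.0.113.7 - - [05/Jul/2012:14:02:12 +0100] "GET /ipad-pics/img1.jpg HTTP/1.1" 200 48211 "http://example.net/ipad-pics/" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5"
198.51.100.23 - - [05/Jul/2012:14:05:40 +0100] "GET /ipad-pics/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X) AppleWebKit/534.46"
192.0.2.44 - - [05/Jul/2012:14:30:00 +0100] "GET /robots.txt HTTP/1.1" 404 209 "-" "curl/7.26.0"
this line is not in combined format and is skipped
"""


def parse_combined(text):
    """Return a list of Hit records; lines that do not match the format are skipped."""
    hits = []
    for line in text.splitlines():
        m = COMBINED.match(line)
        if not m:
            continue
        parts = m["request"].split(" ")          # "GET /path HTTP/1.1"
        method = parts[0]
        path = parts[1] if len(parts) > 1 else ""
        hits.append(Hit(m["host"], m["time"], method, path,
                        int(m["status"]), m["referer"], m["agent"]))
    return hits


def visitors_of(hits, path_prefix):
    """Map client address -> set of user agents seen requesting path_prefix."""
    seen = defaultdict(set)
    for h in hits:
        if h.path.startswith(path_prefix):
            seen[h.host].add(h.agent)
    return dict(seen)


if __name__ == "__main__":
    for host, agents in visitors_of(parse_combined(SAMPLE_LOG), "/ipad-pics/").items():
        print(host, "->", "; ".join(sorted(agents)))
```

As the post found, the address you recover this way is whatever the visitor chose to show you (a proxy or VPS), so treat it as a lead to hand over rather than a location.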

This is really the high-level story. I hope it brought a smile to your face; I know it did me, just for wasting 6 days of these guys' time overall, and I can only assume a wasted day hanging around in London waiting for the laptop to arrive. As far as I know they didn't get caught, but they didn't get my laptop, and I am still waiting for fake PayPal to send me my funds. I keep asking but now they don't want to email me any more :)

So please take this blog post as a reminder that even people in the industry like us could fall prey to scammers, but if we ID it early we can have a bit of a play. Of course, be careful what you do, as you don't know who these people are, or what resources they have available to them.

Filed Under: Phishing

About

Welcome to an aggregator for blogs about social engineering and related fields. Feel free to take a look around, and make sure to visit the original sites.

© Copyright 2025 Social Engineering Blogs · All Rights Reserved ·