Social Engineering Blogs

An Aggregator for Blogs About Social Engineering and Related Fields

Summer Reading for Social Engineers

It’s summer time…

Which means warm weather, margaritas, and lazy summer afternoons.  To help fill in the gaps, here is a list of classic readings for every social engineer.

Nonverbal Communication

Everyone agrees that nonverbal communication plays a huge role in social engineering.  Here are some of the original texts that changed the field of nonverbal communication.

Silent MessagesSilent Messages

By: Dr. Albert Mehrabian

Chances are you’ve probably heard someone say something like “words are only 7% of the communication.”  Dr. Albert Mehrabian was the one who did the study that is often quoted, and in many cases, misinterpreted.  His book, Silent Messages, explains what the widespread misrepresentation of the Mehrabian Myth.

 

Emotions RevealedEmotions Revealed

By: Dr. Paul Ekman

If you’ve seen the TV show Lie to Me* then you’re familiar with the work of Dr. Paul Ekman.  Unfortunately watching the TV show won’t help you become better at assessing deception.  Although if you want to learn the science behind facial expressions, while getting better at recognizing expressions of emotion, then add this to your list of summer reading.

 

What Every Body is SayingWhat Every Body is Saying

By: Joe Navarro

Joe has written one of (if not) the most popular books on body language.  Whenever I have a friend or family member who asks me how to start learning body language this is the first book I give them.  Joe’s background and experience in the field give him insights that you don’t find many other places.

 

Persuasion and Influence

What would a reading list be without a couple of books that talk about persuasion and influence?  Below are the two books that people in the industry reference the most.

Influence: Science and PracticeInfluence: Science and Practice

By: Robert Cialdini

This is without a doubt the most referenced book when it comes to the field of persuasion.  If you haven’t already read this book you need to make it the next thing you read.  Stop reading this post and get this book now! :)

 

Yes!: 50 Scientifically Proven Ways to Be PersuasiveYes!: 50 Scientifically Proven Ways to be Persuasive

By: Noah Goldstein, Steve Martin, and Robert Cialdini

This book makes an excellent companion to the previous book (Influence: Science and Practice).  Where the previous book is more theoretical and academic, this book is all about application.  If you want to see how to apply the principles of persuasion, look no further.

 

Cognition and Thinking

The better you understand how the human mind works, the better you will be as a social engineer.  Here are a few books to help unlock the mysteries of the mind.

Sources of Power: How People Make DecisionsSources of Power: How People Make Decisions

By: Gary Klein

This book explains how experts make decisions in time-sensitive situations. Beyond applications for becoming an expert, it also provides a good model for decision making in general.

 

Memory-Enhancing Techniques for Investigative Interviewing: The Cognitive InterviewMemory-Enhancing Techniques for Investigative Interviewing: The Cognitive Interview

By: Dr. R Edward Geiselman, and Ronald Fisher

The cognitive interview is one of the best methods to enhance memory recall, and makes for a great introduction to the techniques of elicitation. I’ve had the opportunity to take training from Dr. Geiselman himself, and can attest to the utility of what he teaches. Unlike the television show Criminal Minds, this is the real stuff.

 

Your Brain at Work: Strategies for Overcoming Distraction, Regaining Focus, and Working Smarter All Day LongYour Brain at Work

By: David Rock

One of the biggest problems with academic work is how it applies in the field. This book fixes that by taking the science of the brain and showing how it affects our everyday lives. Plus it gives you some strategies for dealing with the biases and limitations we encounter.

 

Fingerprint: 7110FD6845FBF93F90A6DB01675196CB

No related posts.


Human Phishing … Playing the Odds

Happy Easter everyone, I have some spare time so I thought I would put fingers to keyboard and put a blog post out I have had on my mind for the last month. Even though I plan to post every month, life with a little one and busy at work does get in the way, and I really don’t want to post something just for the sake of it. I always want to share information that is relevant and will be of value.

So with that in mind I wanted to talk about phishing, and how important it is to select the right bait.

So as a social engineer there are going to be many times when phishing is going to be the best approach to get your gig off to a good start. Phishing is a low risk approach, but the rewards can be very high.

The important thing to say at this point is I am talking about phishes that have a higher percentage chance of success, this might sound obvious but all phishes are not created equal. APT, Hacktivists and those just out to make a buck play the percentages, they send a large amount of email out, and the quality isnt always that great (You have seen them, you can spot them a mile off). Of course this is different to spear phishing, where things are more targeted and frankly they do a better job when it comes to the content of the phish. The reason I mention this is, if this is what your customer wants (they probably know the answer, and it might not help them in reality, or you for that matter) simulate it appropriately, but depending on your targets it could be hit and miss.

So how do you do it right? Like most things in social engineering do your homework. OSINT plays a big part here, what are your targets doing online, are there common interests, shared groups and themes around their activities. What types of language and communication is their employer using to communicate, what campaigns are running, what would be expected?? When I talk about language I mean both the actual language (many people involved in SE have to deal with people outside of the English speaking world), this doesn’t mean that you cant use English, your homework will tell you this, but regardless you are looking for the phrases, buzzwords, key names and meanings that will imply legitimacy.

Legitimacy is important, and will often force you to use languages and subjects that don’t shout spam and phishing email, but this is something important to consider also. What inbound controls are you facing, how will your email be graded, what tests can you do, how can you verify delivery of phish? These are all components you will need to be considering if you are truly simulating your customers external threat.

So lets assume legitimacy has played its part, your phish has arrived in the targets inbox, and they think it looks legit. So what is it that is going to make them open your attachment, or click that link? Influence that’s what. You may remember some time ago I wrote about the 6 rules of influence, well this approach will help you in your phishing attack. Perhaps they will click your link as they will gain access to something difficult to get hold of (scarcity), perhaps its a direction from the top and must be followed (authority), or perhaps its as simple as the chance of winning something, I mean who doesn’t want to get there hands on a sexy iPad 3.

Right so your target is all about the clicky clicky, you have succeed? Erm possibly not :) This is where playing the odds comes in handy. To get to this stage you have already had a few levels of phishing success, the mail made it pass all the ingress checking and arrived in the inbox, the subject was appropriate enough that your target opened and read the email, now they are clicking the link or opening the attachment. This is success, but I imagine in most cases now you want shells :)

Of course you do, who doesn’t. Of course if this works you can do the happy dance, but if it doesn’t you will be pulling out your initialed hanky and weeping like a baby. Why didn’t it work? Perhaps your payload wasn’t built properly, perhaps you set the handler up wrong, perhaps your system crashed, who knows, but you had all your eggs in that one basket. This is why you should play the odds with your phish, have multiple out, this leads to success at some level.

Playing the odds in my mind means the following. First of all I always try and include some form of credential harvesting component (Its a common winner in my experience), I also tend to employ the joys of a BeEF hook. I think BeEF has alot to offer in the future so now is a good time to build it into your approach (you can grab systems info, launch iFrames, keylogging and all sorts). Its also a good idea to consult your Apache logs to see whats being give away. If you do a sample wave of phishing you can use this as recon (I tend to use what I consider low value targets here) and find out browser types, plugins running, java versions etc, all important information for phishing. Include some browser exploits based on what your recon has informed you about, if you can do it transparently great, but if you need to pop up a windows or dialog box (ala Java Exploit) then make sure its believable.

This isnt an exclusive list by any means, and I appreciate I have not gone into huge detail (perhaps I will give a talk on it) but I really think you will see an increase if your success, and as a result increase the value of the service you provide to your customer. Oh and don’t forget, if its appropriate a little phone call could help in the legitimacy stakes and get that clicking going on :D

So as always I hope this was of some interest, and of some help. I welcome all questions and feedback, and if you liked it please feel free to share with others. Until next time, take care.

Successful Introductions … Getting Results

Happy New Year Everybody. Sorry I have been slack with blog posts this year, family and work are keeping me busy at the moment.

So less about the excuses and more about the doing :) When I speak to people about Social Engineering there are many common themes, most common being how to handle failure and how to go about being the person / group you are impersonating. The other one is how you make that initial introduction, and start getting your manipulation fu on. Its a good question, and one I used to struggle with when I first got started.

I would say its pretty common to be nervous when approaching someone, especially when you have some form of manipulation planned. I don’t want to offend anyone, but this is what dating is initially right? You want that person of interest to be spell bound by you, so how do you make that first step without totally destroying any chance of success? Well my clue is in the aspect of dating.

When I was researching Hypnosis, NLP and the wonderful world of Mentalism I came across the work of PUA (Pick Up Artist) Ross Jeffries. Now I am no huge fan, and I think some of this stuff from the PUA community is border line on the ethical and moral front for me, but I am sure it works and gets the results if thats your thing. Anyway, one of the things they talk about is how to introduce yourself to that person of interest. This technique applies for the dating game, if your looking to try out some magic and mentalism, as well as engaging in some social engineering. Obviously its important to have context, and timing and the place is crucial, but the approach is to Compliment, Introduce, Question (CIQ).

A simple example could be as follows: You look like a helpful set of guys, my name is Dale and I started here today. I left my badge inside, would you help me get back in please?

Its simple, concise and does the job. It is also useful to use language that implies compliance. Phrases that include, could you, would you, can you etc have a form that implies of course we all know you can meet our request, but its not very often you get a smart Alec that doesn’t want to comply.

Short but sweet post, but something for you to try out in any situation where you need to introduce yourself, remember never miss an opportunity to use the power of persuasion.