Social Engineering Blogs

An Aggregator for Blogs About Social Engineering and Related Fields

MAD Security Blog April 4, 2013

Security Awareness Content: Challenges of Using Reinforcement

Imagine that you are the head of security awareness at an organization (not a stretch for some) and have been charged with getting people to report issues to the help desk. You decide, in your infinite wisdom, to encourage them to report issues to the help desk by giving them $1 each time they report a valid problem. The week after implementing the new reward program, the number of issues reported to the help desk has increased 100-fold. Your program is getting great results. Not only are 99% of phishing attacks getting reported, but shoulder surfing is down, you know when devices are lost, and compromised computers are being reported to the help desk rather than being discovered by them. Things are coming up roses.

See any problems here?

Of course you do! The budget for this program is going to be INSANE! No practical business will support paying $1 for each ticket at the help desk for any longer than 6 months, MAX. This leads into the second, and biggest, problem with using reinforcement. If the only reason that users are reporting issues is the reward, the minute that the reward is removed the desired behavior plummets. Unless you can replace the reward with something of equal subjective value, their incentive is gone and the trained behavior is lost.

*Finding something of equal subjective value to cash on a large scale is damn near impossible. I only say ‘damn near’ because I’m sure there is some magical place out there that can do it, but I’ve never come across it.*

Finally, let's say that instead of $1 you gave them a free lunch, because your users really like lunch. How long will that be an effective reward? My guess is that after about a month of free lunches have been accrued, the value of the reward will go down dramatically and so will the behavior. Suddenly, you have to switch the reward to something else, of equal subjective value, to keep them responding.

Vicious cycle anyone?

How to Use Reinforcement to Your Advantage

As you can see, reinforcement is a tricky thing, so when can we use it to change behavior?

Let's go back to the help desk problem. Instead of paying for each help desk ticket indefinitely, you make it a charity fundraiser for the holidays.

“Every time you call the help desk, $1 will be donated to buy gifts for families in need. Weekly progress will be reported!”

Some of you might look at this and say “even if we had the budget for that, we still have the same problem of removing the reward and losing the behavior once the fundraiser was over,” but consider two very important differences.

1-    The reinforcement has a clearly defined ‘end point’ that has nothing to do with the user, the company, or their behavior, but is a product of the reward itself. The gifts have to be bought at some point, otherwise the fundraiser was pointless. Essentially you are isolating the reinforcement contingency and increasing your chances of the behavior persisting afterwards.

-Not to mention that periodic fundraisers to increase behavior, if needed, are MUCH more sustainable for the budget than constant reinforcement.

2-    The second, and most important, is how closely the reinforcement (e.g., $1) and the behavior are paired. In our first example the employee saw the DIRECT effect of calling the help desk on their paycheck, therefore it was very closely paired to their behavior.

Just like if Pavlov’s dogs were fed EVERY time the research assistant came in.

The minute that the user realized the reinforcement was removed, the behavior that followed stopped (i.e., calling the help desk).

Back to Pavlov: The dogs would eventually stop salivating once they knew that the assistants were never going to feed them.

In our second example, the users see the money increase, but it is NOT directly related to each time they call the help desk. Instead it goes into an anonymous pool that may jump $100 a week even if they only called the help desk once. Since the reinforcement is not closely tied to each behavior they perform, the chances of the behavior persisting after the reinforcement is removed increase significantly.

*For a more detailed look at this process see my previous blog on Pavlov and his dogs.*

Based on all of this, be careful when using reinforcement. While it may provide an immediate result, it’s something that needs budget and time to maintain. If used wrongly, you will just be setting yourself up for an uphill battle.

Filed Under: Behavior, Behavior Change, culture, learning, Metrics, Motivation, Phishing, Security, Security Awareness

Subliminal Hacking Blog July 22, 2012

Playing Nicely with Scammers … Wasting their time for giggles :)

So I am in the business of social engineering people (with authorisation of course), and depending on who you speak to this could be interpreted as scamming, conning, or generally straight up manipulation. The reason I do this is to simulate a real world threat to see how people hold up and utilise the training they have had, as well as identify those gaps that need improving. Now I see a lot of examples of real scammers and phishers in action, but rarely would I rate them as being very good, but I do appreciate they don't actually have to be that good to get decent results when they play the numbers game.

So why am I telling you this? Well, in July someone attempted to scam / commit online fraud against me, and I have to say it was one of the best approaches I have seen to date. So the aim of this post is to give some awareness, and to share the little story of how I wasted their time for the week and perhaps bring a smile to your face :)

So my story starts on the 1st July 2012 when I put my MacBook Pro up for sale on Gumtree. I did some searching around for how much they are selling for and wanted to avoid eBay fees so Gumtree seemed like a winner. Below is a pic of the ad:

Soon after posting I received an email via Gumtree asking if the item was still for sale, and indeed it was so I replied confirming as much.

About 24 hours later the guy gets back to me saying he would like to buy the laptop and will pay £20 towards delivery, and provided me a mobile number to call (+447035920292). Now I did think this was a little odd, as who in the UK tells someone else in the UK the country code, but hey, I thought I would give him a call.

So I make the call and I speak to what I think was an African guy calling himself Francis Saine ([email protected]). His English wasn’t great, but I have sold things to foreign students before, and decided to set my paranoia to the side and see how it goes.

Now the next bit is the clever bit, so he asked me to send him a PayPal money request for £770 and he can then make the payment. I had never used this feature before, but as you are protected by PayPal I thought all is good.

My new friend Francis later in the day sends me an email letting me know the address the laptop will be sent to (a London address), which backed up part of the phone conversation we had. Another 24 hours later I get an email from PayPal informing me Francis has paid me, and the money will be released once I provide proof of posting. ALARM BELLS RINGING….. Fun Time :D

Now as you can see this PayPal email is set so the response will be sent to [email protected], which obviously isn't PayPal, so I decided to also check the headers and I saw this:

MIME-Version: 1.0 Received: by 10.224.184.75 with SMTP id cj11mr31753768qab.16.1341334634836; Tue, 03 Jul 2012 09:57:14 -0700 (PDT) Sender: [email protected]

Now I got a couple of emails from the fake PayPal email dude and I have to say, aside from this oversight, it looked really, really good. The clever thing is, because you sent a payment request, if you log in to your PayPal account it says pending, and the phishing emails also confirm pending status, so the average Joe is going to fall for this.

About the same time I get an email from Francis telling me he has sent me the money, and that I must send the laptop tomorrow for Next Day Delivery before 1PM tomorrow, and it's going to his sister as a Birthday present. So I assume they don't want to be waiting all day to intercept the laptop.

So what would you do in this situation? Well I am a nice guy, so I wrapped up the laptop as it's a Birthday present and sent it in the post!!

Well at least that's what Francis thought, and that's what Shazad and his fake PayPal thought too. It took me a while but I eventually managed to create a Royal Mail Special Delivery tracking number that showed up as valid on the Post Office tracking page :)

Then I get an email from fake PayPal confirming I have sent a valid tracking number and I will get the funds in my account in 24 hours, wooohooo.

Now during this time, just so it's clear, I have informed Gumtree, PayPal, London Met Police and the eCrime centre, so they can utilise the information I collect to possibly catch these guys in the act.

The next day about 3PM I get another email from fake PayPal saying that my tracking number does not appear to be authentic. I also guess the laptop is now 2 hours late being delivered, so they are wondering if I sent it at all? Obviously I hadn’t sent it, so how can I send them a picture of the receipt to confirm the tracking? I make one :D It takes about 45 mins and I send it off, fake PayPal are happy and confirm again my money is on its way :)

So at this point I have a phone number, some email addresses and a drop off address. I thought it would be handy to get hold of Francis’s IP address then I could find out his ISP and Country to aid the Police further. So I decided to Phish him myself :)

So I continued to exchange emails with him to build some rapport, and get him interested in other things I might be selling. He is interested in the iPad I have for sale, and he wants to see pics and get more info. So eventually he visits the fake site I spun up and I get his user agent info from the Apache logs :) Sadly these guys are doing a bit to protect themselves; looks like they are using anonymous proxies and routing traffic through a VPS in the US. Oh well, it was worth a shot.

This is really the high level story. I hope it brought a smile to your face, I know it did me, just for wasting 6 days of these guys' time overall, and I can only assume a wasted day hanging around in London for the laptop to arrive. As far as I know they didn’t get caught, but they didn’t get my laptop, and I am still waiting for fake PayPal to send me my funds. I keep asking but now they don't want to email me any more :)

So please take this blog post as a reminder that even people in the industry like us could fall prey to the scammers, but if we ID it early we can have a bit of a play. Of course be careful what you do, as you don't know who these people are, or what resources they have available to them.

Filed Under: Phishing
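One way to automate the header check described in the post above (Reply-To and Sender pointing somewhere other than the domain the message claims to be from), as an added example that is not part of the original post. The sample message is constructed; `example.com` stands in for the scammer's webmail domain and the addresses are placeholders.

```python
"""Flag a payment-notification email whose Reply-To, Sender or Return-Path
domain differs from the domain in the From header."""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the fake PayPal notification in the post:
# From claims paypal.com, but replies and the envelope sender point at a
# webmail domain (example.com is a placeholder, not the real address).
SAMPLE_MESSAGE = """\
From: "PayPal" <service@paypal.com>
Reply-To: confirm-payment@example.com
Sender: confirm-payment@example.com
Subject: Payment received - pending until proof of posting
Received: from mail.example.com ([192.0.2.10]) with SMTP id abc123;
 Tue, 03 Jul 2012 09:57:14 -0700 (PDT)

Your payment of GBP 770 is pending. Reply with the tracking number to release funds.
"""

# Address headers that should normally agree with From for a genuine notification.
HEADERS_TO_CHECK = ("Reply-To", "Sender", "Return-Path")


def domain_of(header_value):
    """Return the lower-cased domain part of an address header, or None if
    the header is absent or carries no address."""
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def header_mismatches(raw_message):
    """Parse a raw RFC 822 message and return {header: domain} for every
    checked header whose domain differs from the From domain.
    An empty dict means the address headers are consistent."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From"))
    mismatches = {}
    for name in HEADERS_TO_CHECK:
        dom = domain_of(msg.get(name))
        if dom is not None and dom != from_domain:
            mismatches[name] = dom
    return mismatches


if __name__ == "__main__":
    for header, dom in header_mismatches(SAMPLE_MESSAGE).items():
        print(f"{header} points at {dom}, not the From domain")
```

A message that passes this check can still be forged, since From is attacker-controlled too, so treat it as a cheap first filter ahead of SPF/DKIM results.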

Subliminal Hacking Blog April 7, 2012

Human Phishing … Playing the Odds

Happy Easter everyone, I have some spare time so I thought I would put fingers to keyboard and put a blog post out I have had on my mind for the last month. Even though I plan to post every month, life with a little one and busy at work does get in the way, and I really don’t want to post something just for the sake of it. I always want to share information that is relevant and will be of value.

So with that in mind I wanted to talk about phishing, and how important it is to select the right bait.

So as a social engineer there are going to be many times when phishing is going to be the best approach to get your gig off to a good start. Phishing is a low risk approach, but the rewards can be very high.

The important thing to say at this point is I am talking about phishes that have a higher percentage chance of success. This might sound obvious, but all phishes are not created equal. APT, Hacktivists and those just out to make a buck play the percentages: they send a large amount of email out, and the quality isn't always that great (You have seen them, you can spot them a mile off). Of course this is different to spear phishing, where things are more targeted and frankly they do a better job when it comes to the content of the phish. The reason I mention this is, if this is what your customer wants (they probably know the answer, and it might not help them in reality, or you for that matter) simulate it appropriately, but depending on your targets it could be hit and miss.

So how do you do it right? Like most things in social engineering, do your homework. OSINT plays a big part here: what are your targets doing online, are there common interests, shared groups and themes around their activities? What types of language and communication is their employer using to communicate, what campaigns are running, what would be expected? When I talk about language I mean both the actual language (many people involved in SE have to deal with people outside of the English speaking world; this doesn’t mean that you can't use English, your homework will tell you this) and, regardless, the phrases, buzzwords, key names and meanings that will imply legitimacy.

Legitimacy is important, and will often force you to use language and subjects that don’t shout spam and phishing email, but there is something else important to consider too. What inbound controls are you facing, how will your email be graded, what tests can you do, how can you verify delivery of the phish? These are all components you will need to be considering if you are truly simulating your customer's external threat.

So let's assume legitimacy has played its part, your phish has arrived in the target's inbox, and they think it looks legit. So what is it that is going to make them open your attachment, or click that link? Influence, that’s what. You may remember some time ago I wrote about the 6 rules of influence; well, this approach will help you in your phishing attack. Perhaps they will click your link as they will gain access to something difficult to get hold of (scarcity), perhaps it's a direction from the top and must be followed (authority), or perhaps it's as simple as the chance of winning something, I mean who doesn’t want to get their hands on a sexy iPad 3.

Right, so your target is all about the clicky clicky, you have succeeded? Erm, possibly not :) This is where playing the odds comes in handy. To get to this stage you have already had a few levels of phishing success: the mail made it past all the ingress checking and arrived in the inbox, the subject was appropriate enough that your target opened and read the email, now they are clicking the link or opening the attachment. This is success, but I imagine in most cases now you want shells :)

Of course you do, who doesn’t. If this works you can do the happy dance, but if it doesn’t you will be pulling out your initialed hanky and weeping like a baby. Why didn’t it work? Perhaps your payload wasn’t built properly, perhaps you set the handler up wrong, perhaps your system crashed, who knows, but you had all your eggs in that one basket. This is why you should play the odds with your phish and have multiple out; this leads to success at some level.

Playing the odds in my mind means the following. First of all I always try and include some form of credential harvesting component (It's a common winner in my experience), I also tend to employ the joys of a BeEF hook. I think BeEF has a lot to offer in the future so now is a good time to build it into your approach (you can grab system info, launch iFrames, keylogging and all sorts). It's also a good idea to consult your Apache logs to see what's being given away. If you do a sample wave of phishing you can use this as recon (I tend to use what I consider low value targets here) and find out browser types, plugins running, Java versions etc., all important information for phishing. Include some browser exploits based on what your recon has informed you about; if you can do it transparently, great, but if you need to pop up a window or dialog box (à la Java exploit) then make sure it's believable.

This isn't an exclusive list by any means, and I appreciate I have not gone into huge detail (perhaps I will give a talk on it), but I really think you will see an increase in your success, and as a result increase the value of the service you provide to your customer. Oh and don’t forget, if it's appropriate a little phone call could help in the legitimacy stakes and get that clicking going on :D

So as always I hope this was of some interest, and of some help. I welcome all questions and feedback, and if you liked it please feel free to share with others. Until next time, take care.

Filed Under: Influence, infosec, Metrics, OSINT, Phishing, Social Engineering


About

Welcome to an aggregator for blogs about social engineering and related fields. Feel free to take a look around, and make sure to visit the original sites.


© Copyright 2025 Social Engineering Blogs · All Rights Reserved ·