Social-Engineer, Inc. loaded up cast and crew to spend the week in San Francisco for RSA 2014. We were an hour into the first day and we knew one thing: we should have brought comfortable shoes and some massive umbrellas. With the venue extending through the entire Moscone Center, there were acres of exhibitors and presentations to see.
Our team, although amazing, ended up getting soaked the first day due to some much needed rain in San Francisco.
As professional social engineers, we would like to think that we are better than average at protecting our personal information and spotting dubious scams. However, there is a recent, interesting, and sneaky way in which scammers are exploiting people when they least expect it.
The Help Wanted Scam
When you spot a “Help Wanted” ad, keep in mind that you could potentially be giving an identity thief the help he wants. Thieves have scammed victims by creating the illusion that they are potential employers with positions to fill. Often providing little or no reason to suspect any shady happenings, applicants eager to get a job willingly submit their personal information and in some cases undergo “background checks”, making them even more vulnerable.
Social engineers have now exploited the Super Bowl’s defense for the second year in a row. Matthew Mills, a conspiracy theorist and independent journalist, rushed the podium Sunday night during the Super Bowl XLVIII MVP speech and spoke into the microphone before an official shooed him away. Mills claims he flashed fake credentials at several security guards on his way in without being detained. Acting confidently and as if he was pressed for time, Mills obviously succeeded in fooling everyone.
To understand how scarcity works for the social engineer, let's first look at the concept in social psychology. It is described as people's tendency to place a higher value on resources that are not in great supply. Marketing often tries to exploit this phenomenon by promoting the idea of scarcity in sales and specials, and a good example of this ploy's success is the frenzy that is Black Friday. 141 million people shopped on Black Friday in 2013; the U.S. population is roughly 315 million.
Phobias are irrational fears experienced by some people when they are exposed to certain situations or objects. Unlike mental health experts, scammers want you to become numb so they can take advantage of you more easily.
Mental Health Professionals
Mental health professionals sometimes employ the method of systematic desensitization, where a person is exposed to their fears until the fear reaction is diminished. The theory behind this treatment is that by consistently exposing a client to the source of their anxiety in a controlled and therapeutic environment, the fear response will weaken over time, allowing one to relax and react without anxiety. This therapeutic treatment is based on the very real principle that consistent exposure to any stimulus will eventually cease to have the same physiological or psychological impact on the recipient. In these instances the act of desensitization is necessary and useful, but in our daily lives it's prudent to consider the numbing effect that our routines and technology can have on us.
In our social engineering training courses, services, and as an overall company philosophy, we stress good intent. Our motto has always been, “Leave people feeling better for having met you.”
Yes, we may use deceit as part of an engagement, but we do it for the purpose of making our clients more secure and in the spirit of partnership as opposed to an adversarial relationship. That is the basis for this post, how the intent on the part of the social engineer can make all the difference.
Validation is a powerful concept in which a person is made to feel valued, acknowledged, and connected with another. As social creatures, humans crave validation as it creates a sense of acceptance.
October proved to deliver a substantial Social Engineering trick to the former users of the file-sharing site Uploader Talk. The former operator, known only as WDF, posted an announcement last week boasting that the site had been operating as a trap for information collection in affiliation with anti-piracy groups. He was quoted as saying, “I built a history, got the trust of some very important people in the warez scene collecting information and data all the time.”
ENTER THE HONEYPOT
Such sites are referred to as “honeypots” and are designed to encourage criminal social engineering behavior. These schemes have been used successfully before and offline variations are often employed to help curb car theft.
The same tendencies in humans that make us social creatures can also make us dishonest. Consider these people at the 2013 Coachella Music Festival that Jimmy Kimmel exposed on his late night talk show. This video (embedded below) is a great example of our innate desire to be perceived by others as knowledgeable, even if we aren’t.
On June 27th, two thieves dressed as Mormon missionaries robbed Terence Delucia’s Las Vegas residence after chatting about religion with the homeowner at his door. Robert Estall and Abraham Austin wore black pants, white shirts with white ties and black backpacks as disguises. Delucia let his guard down with the impostors and they forced their way into his home, beating and robbing him while his family hid in closets throughout the house.
In this instance, the thieves went beyond influence as they manipulated Delucia with their approach and attire to put him at ease. Dressing and behaving as missionaries enabled them to get close and stay close to Delucia while he talked with them before they forced their way into his house and took control of his environment. Once inside, Delucia had no choice but to cave under the thieves’ intimidation as he feared for his life and his family’s well-being. He did not want to comply, but he felt he had no choice.