Learn Social Engineering, page 9
Human buffer overflow
In the overview, it was said that the human brain can be hacked just like a computer. The previous sections have shown that emotions can be hacked in a target. This section discusses a much stronger method of hacking the human brain. Computer programs have been hacked with this technique by feeding them inputs larger than their buffers can hold. Buffers are memory storage areas used to hold certain data. When the data supplied exceeds a buffer's limits, it causes an overflow. This overwhelms the program, causing errors and undesired behavior. It also lets an attacker supply malicious commands once the program can no longer control its own execution.
Study on estimating probabilities of buffer overflow in high-speed communication networks by Izabella Lokshin, Telecommunication Systems, Volume 62, Issue 2, pp. 289-302, 2016, available at http://dx.doi.org/10.1007/s11235-015-0055-0.
The human brain is like a computer program. It has been built over years of instructions, memories, and buffers hardcoded into it. The human brain has some space allocated to hold data temporarily. When more data than can be held is presented, a memory gap opens, allowing a social engineer to inject certain commands into the brain. For example, a human brain knows colors and can recognize individual color blocks with ease. However, if color blocks are swapped for words, say the word red displayed in a yellow font color, a buffer overflow occurs. Two colors go back to the brain instead of one: the red that is spelled out in writing and the yellow that the word is printed in compete for processing.
It is believed that, even though humans speak 150 words per minute on average, they can think about 600 words in the same minute. Therefore, humans cannot be hacked by talking to them fast, since they can process more than one can say. There are things, however, that can be hacked. Most decisions in a person's daily routine are made subconsciously, with the brain on autopilot. Driving, getting coffee, brushing teeth, and choosing clothing are some of these decisions. It is professionally believed that the subconscious brain will have made a decision before the conscious brain intervenes to either change or uphold it. Therefore, if the subconscious brain can be hacked, it could be easy to get people to decide in a certain way. Hacking the subconscious has already been discussed in the NLP section. All one needs to do is associate a certain decision with positive things that the target wants and, almost always, the target will make that decision.
Buffer overflow is also facilitated by two things—fuzzing the brain and embedding commands into statements. These are discussed next.
Here is an example of a human buffer overflow attack; it's really simple. Just try to say the color of the word rather than read its spelling. An example is as follows:
What is the color of the font? Black; regardless of the spelling, you will say Black. Consider the next example:
Now, what is the color of the font? Green, but the word spelled out is Red. Try to read the color and not the word:
Was it easy or hard? Why was it harder than it sounded at first? As I previously mentioned, it's how our brain thinks. Our brain sees the color first but reacts to the spelling, and this is how we can buffer overflow the human mind.
Fuzzing the brain
This is a method where hackers attack a computer program by giving it inputs of different lengths to find the length beyond which the program will crash. Modern programs may have been fixed against it, but the human brain has not had this advantage. There is an imprinted law in the brain called the law of expectations, whereby humans comply with the expectations of others. It works through the returning of favors. Therefore, a social engineer will be ready to give a target some valuable information or resource, and when the engineer later requests something, the target will not hesitate to grant the request.
Embedded commands
People can be commanded to do things without realizing that they are being coerced into doing so. Marketers are famous for using phrases like Buy Now! to command potential buyers into buying a product. In social engineering, since it would be awkward to use such a phrase, padding is used. Padding is where some phrases are used to soften the command without affecting its impact. A social engineer can say, When you do this... or, Most people opt to... These statements allow the injection of commands into the subconscious brain. To embed more commands, social engineers use stories and quotes, negation, and telling people to imagine something. The end result is that the message reaches the subconscious mind which, as was discussed, plays a key role in decision making.
Tips
The tips for mind hacking are as follows:
Learn how to ask the right questions
Make sure your body language is in sync with your words
Building rapport is not what you say; it's how you say it
Rapport is established by matching and mirroring
Humans are the weakest point of any organization; the more you understand humans, their behaviors, and their history, the better you can hack them
Summary
Mind tricks are the heart of a social engineering attack. They allow a social engineer to get into the target's brain and steer their decision making along a certain route. This chapter has gone through many ways in which a social engineer can get into a target's brain. The focus has been the subconscious brain, which plays a very important decision-making role in that it makes decisions before the conscious brain. Once some information is given to this part of the brain, it will decide in favor of it. The subconscious brain is, however, open to attacks. Emotions can be planted into it through microexpressions, thoughts can be sneaked into it, and it can suffer from buffer overflow. It is these vulnerabilities that allow social engineers to hack humans into making certain decisions. It has been discussed how all these things take time to practice and perfect. Social engineers dedicate money and time to perfecting these psychological tricks. In the same way, a learner should practice them and, at the end of it, will be in a position to read minds, change thoughts, and change decisions.
The following chapter furthers the attack by looking into influence and persuasion. It will discuss how social engineers are able to convince targets into doing things which might seem insensible at first.
Influence and Persuasion
There is no easier way to persuade someone than by appealing to their interests. Persuasion is a strong part of a social engineer's game, and that is why it is treated on its own rather than together with mind tricks. Influence and persuasion are ways of getting people to do or think exactly what you want them to. Persuasion is commonly used in day-to-day life and it is highly unlikely that you have not been subject to it. It is used by politicians, leaders, and advertisers of a variety of products to get people to subscribe to their ideas and do as they wish. People can be convinced into dropping ideas they held earlier for the ones sold to them if persuasion is used effectively. This chapter will look into all of the elements of persuasion. It will cover the following topics:
Fundamentals of persuasion
Influence tactics
Reality alteration (framing)
Manipulation
Introduction
In law enforcement, there are expert interrogators who undergo special training to learn how to draw the truth out of suspects. The success of a social engineer depends on the ability to finally convince a target to do something. The most successful social engineering attacks have resulted from targets being persuaded to do absolutely absurd things and, surprisingly, complying. An accountant was recently persuaded to transfer millions of dollars to an overseas account that he had no knowledge of, and without question he did exactly that. In many other attacks, the absurdity of the requests made by the social engineers never ceases to amaze, and the compliance of the victims is almost laughable. But how are social engineers able to convince people to do such things? The following sections will address this question in depth.
Five fundamental aspects of persuasion
Persuasion is a well-crafted process with the aim of getting a target ensnared in a trap where his or her decisions are directly influenced by the attacker. Social engineers stick to the following five aspects of persuasion:
Having a clear goal: Persuasion comes from deep within and the social engineer must know at the beginning of an interaction with a target what the end goal is. In the previous chapter, NLP was discussed and the impact of the subconscious mind in the making of decisions was looked at. If the social engineer resolves to achieve something, the subconscious will also have that expectation and will assist in the attainment of that goal. With a clear outline of the goals, it is easier to plan ahead on how the interaction with a target will be controlled. It is also important for the social engineer to have a yardstick to measure progress or the achievement of the goal set. Once the end goal and its criteria for success are determined, persuasion tactics can be more successful.
Rapport: This topic was extensively discussed in Chapter 2, The Psychology of Social Engineering – Mind Tricks Used. The ways of building rapport with a target were explained in full detail and should be referred back to. Rapport means that one is able to get the attention and trust of a target, mainly through the target's subconscious brain. Ordinary people, not just social engineers, who have mastered the skill of rapport building end up dealing with people better in their lives. It is a powerful skill to have. While building rapport, the mental state of the target should be identified. Sadness, worry, suspicion, and many other states should be identified. There should be a substantial show of caring for the person in the interaction. The social engineer puts himself or herself in the shoes of the target to help understand the target's thoughts and states. An attack never begins with the social engineer's state of mind; it begins in the target's brain. Convincing a human to do something requires a blend of both emotions and logic. Humility plays a key role; a social engineer is never ready to turn an interaction into a negative one. A negative conversation ruins rapport. Therefore, by presenting ideas from the perspective of the target, the social engineer is able to connect with the target and make it almost impossible for the target to back out.
Being in tune with surroundings: A social engineer is always aware of what is surrounding him or her. This comes in handy in telling whether a social engineering attack is going the right way or not. A lot was discussed in Chapter 2, The Psychology of Social Engineering – Mind Tricks Used, about this. To recap, it was said that body language is a good determinant of whether a target is buying into the con. Body language and facial expressions will tell a social engineer whether his or her persuasion tactics are working on the target. Neurologists say that a brain makes billions of calculations per second and these get represented through non-verbal communication, such as facial expressions and gestures. By merely being observant of these non-verbal expressions, the social engineer is better placed to hide his or her own non-verbal cues as well as observe subtle things in others. Social engineering experts minimize the use of internal dialogue during an attack. This is because when thinking about what to say next, it becomes hard to observe non-verbal communication from the target.
Being flexible: Insanity is commonly defined as repeating the same thing whilst expecting different results. During a persuasion attempt, a path that has already been tried and failed is not used again. Inflexibility does not work, and if a pre-selected tactic does not persuade a target, a social engineer will easily switch to another tactic. Goals also shift depending on the progress of the persuasion attempt. If the target is unyielding, a social engineer can switch goals or aim for a simpler one.
Getting in touch with oneself: Emotions can affect everything a person does. Not even a social engineer is immune from strong emotions. This is the reason why a social engineer needs to be in touch with himself or herself by knowing his or her emotions. Emotions such as a deep-seated hatred of a certain behavior may get in the way of persuasion. This is the reason why social engineers are always aware of the emotions certain things can evoke in them. By doing so, they can develop tactics to avoid that emotion or learn how to deal with it.
Setting up the environment
In order to get a target to a vulnerable point of easily being persuaded, it is necessary to create a suitable environment. A suitable environment is one where the target feels obligated to do something for the social engineer. There are four tactics used to create this environment.
Influence tactics
Social engineers dedicate time to practicing their persuasion skills until these are almost natural to them. They go to the point of trying to persuade almost everyone about everything just to prove their skills. This is because persuasion is the decisive move in a social engineering attack. There are eight techniques used to influence people. The government, scammers, politicians, and media personnel employ these tactics to get people to buy their ideas rather than rely on their own knowledge.
Reciprocation
Humans mostly respond in kind when treated well, and this reaction is exploitable by social engineers. When rushing to a closing lift, if someone inside holds the doors so that you can get in, there is an almost unconscious reaction of at least a thank you. This show of gratitude is a simple example of reciprocity. There are many other examples of manufacturers, politicians, and even employees using reciprocity. Pharmaceutical companies spend huge amounts on free items that are given to hospital staff as gifts, and in return the hospital will tend to recommend or give patients medicine from the gifting company. Politicians decide to be more charitable during electioneering periods. An employee may pay for a colleague's meal and later on request a favor, which will almost always be honored. Reciprocity is based on two rules: first, a person will help one who has helped him or her before; second, a person will avoid injuring a person who once helped him or her. If reciprocity is used effectively, it is almost impossible for a request to be turned down. It is important to look out for this in order to avoid social engineering attacks.
The following diagram shows the reciprocity process:
When giving something away, it is important that it should have value to the target. It could be a physical item, secret information, or some services valuable to the target. After the target consumes the free item or service, he or she gets the sense of indebtedness. The social engineer does not refer to the free item or service at all; it should be seen to be completely free.
At times, information could be very valuable to a target. For example, if the target is into stock trading, some insights shared with the target could be perceived to be of great value, and immediately the target will have the sense of being indebted. After this, the social engineer requests a favor. The indebted feeling will cause the target to reciprocate by granting the favor requested. Social engineers are always on the lookout for opportunities through which they can exploit reciprocity. It could be holding doors, being polite, or helping out just a little bit. Reciprocity is a very effective persuasion tactic and it has one of the highest success rates.
Obligation
This is a little bit related to reciprocity. A target feels the need to take some action out of moral, legal, contractual, duty, or religious requirements. It is commonly used against customer care personnel, who are obligated to help clients out while putting up with insults and the clients' lack of knowledge on some things. Apart from that, a social engineer can create an obligation in a target even where none existed. A sense of obligation can surprisingly be created by small things such as mere compliments. The American Disabled Veterans organization is able to get a 35% blood appeal success rate by sending custom-made address labels to the recipients. Without the address labels, they only get an 18% success rate. To target a receptionist with malware, all a social engineer needs to do is give a small gift of a thumb drive that contains a product catalog. The instructions should be as simple as: accept this gift, and all we ask is for you to go through the catalog and call to order anything that interests you. Since the thumb drive is a gift, the recipient will feel obligated to plug it in and go through the catalog.
Concession
Concession is admission or acceptance. It is used in the same way as reciprocation; the difference is that the target makes the first request. The social engineer agrees to do something for the other person, knowing that in the long run he or she will be well placed to request a favor from the target. Humans are wired to expect that when someone does them a favor, they must eventually return it. A social engineer will therefore not resist requests made by people from whom they may eventually require favors. However, as with reciprocity, a social engineer never agrees to something that will have no value to them. Not conceding to some people might lead to a loss of rapport or position in an attack. Just like reciprocation, concession holds a lot of potential in a social engineering attack.
Scarcity
Objects and opportunities are found to be more attractive if they are hard to get. Scarcity is a commonly used marketing tool, and adverts never stop using phrases such as limited offer, 1-day sale, or stock clearance offer. The essence of using these words is to create a perception of scarcity and make buyers believe that they might not get similar offers anytime soon. Such adverts are likely to attract more attention than those emphasizing the premium quality of a product, since the latter do not stimulate buyers to act at that moment. Scarcity seemingly adds some special value to a product that makes buyers want to purchase it at their earliest convenience. This stems from the natural human instinct to allocate the resources one has economically. This rule is not applied when trying to get items that are scarce. In social engineering, scarcity is created by introducing a sense of urgency. When people believe that they have time to do something, they will not prioritize it. However, if they are made to believe that they have no time, they focus on completing what is required of them in the shortest possible time. Urgency is a common manipulation technique used to disrupt the decision-making process of a target. Scarcity complements this, making it hard for a target to refuse to do something.
