Malware

Learn about the psychology that phishers use to try and fool us

Ever agree to do something and don't understand why? Perhaps it's because someone is using the Six Weapons of Influence. Michael Kassner explains what these are and how they are being used by cybercriminals.

Ever agree to something and don't understand why? That's who we are, and cybercriminals are trying to capitalize on it. Learn what to watch for.


Last week, a good friend of mine and marketing director for a local ISP called. Before I had a chance to say hello, I heard some excited talk about my needing to read Dr. Robert Cialdini's book, Influence: The Psychology of Persuasion. More than somewhat baffled, I asked why.

She suggested that the professor's "Six Weapons of Influence" would be invaluable to phishers. Smelling an article, I downloaded the book to my iPhone. It was perfect timing, as my trip to the TechRepublic conference began the next day and I could read it during the flight.

Entranced by the book, I began to understand what my friend meant. I have fallen prey to one or more of Dr. Cialdini's Weapons of Influence. Once I got back home, I started checking to see if there was any existing research correlating social-engineering techniques with the professor's principles.

Social engineering and influence

I came across a post titled, "Social Engineering and Influence by Dr. Cialdini." It was written by K.K. Mookhey, founder of Network Intelligence, a company specializing in penetration testing and security audits. What makes the post appropriate is how Mr. Mookhey applies Dr. Cialdini's Six Weapons of Influence to specific pen-test/exploit techniques. I realized there and then I needed to pass this information along. Here are Dr. Cialdini's rules and how Network Intelligence applied them:

Rule of Reciprocation: This rule says we all will try to repay, in kind, what another person has provided us. Dr. Cialdini uses the example of greeting cards. It's a pretty good bet, if you send a holiday card to someone, you will receive one back.
  • Exploit: Network Intelligence mentions that reciprocation is one of their most successful tools. They are able to obtain sensitive information about systems and the network by providing the targeted person with something they want, especially if it's considered a gift.
Commitment and Consistency: Dr. Cialdini mentions: Once we make a choice or take a stand, we will encounter personal and interpersonal pressures to behave consistently with that commitment. For example, a person betting at a race track will be much more confident about their choice after placing the bet.
  • Exploit: Network Intelligence counts on this tendency when they pose as auditors. The first step is to gain the confidence of employees they are interviewing. Once that happens, the employees will likely provide more information than they should.
The Principle of Social Proof: Dr. Cialdini states: We view a behavior to be more correct in a given situation to the degree that we see others performing it. I do this all the time. When I was in Sweden recently, I ordered the same meal that everyone else did at the restaurant.
  • Exploit: How are social-networking invites from an unknown person to be handled, especially if that person has links to people I know? Do I allow the link, even though I do not know anything about the individual? According to Dr. Cialdini, it is highly likely that I will, and that's what Network Intelligence and the bad guys are counting on.
The Principle of Liking: Not a difficult principle to understand: we prefer to say yes to requests from someone we know and like. Dr. Cialdini mentions in the book that a Tupperware party makes use of all six principles, but best exemplifies the Liking Principle. People attending the party aren't buying from Tupperware. They are buying from the host of the party, because they are friends.
  • Exploit: When trying to leverage information out of people, Network Intelligence will send their most charming and personable team members because of this principle.
The Principle of Authority: Dr. Cialdini bases this rule on the Milgram experiments. Experimenters found that people were willing to inflict pain on others if given the authority. Dr. Cialdini feels this principle works because: Once we realize that obedience to authority is mostly rewarding, it is easy to allow ourselves the convenience of automatic obedience.
  • Exploit: Network Intelligence uses fake letters of authority and team members that present themselves as having every right to be there.
The Principle of Scarcity: We all understand this principle. Dr. Cialdini uses collecting as an example: Collectors of everything from baseball cards to antiques are keenly aware of the influence of the Scarcity Principle in determining the worth of an item. As a rule, if it is rare or becoming rare, it is more valuable.
  • Exploit: This is probably the most popular exploit, because time is used as the scarce commodity. Social engineers at Network Intelligence have found emphasizing that time is running out will get people to comply, even though it violates company policies or their own sensibilities.
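As an added example (not code from the article, from Dr. Cialdini or from Network Intelligence), here is a small Python script that does by machine what the article suggests doing by eye: it tags a suspicious email with the principles its wording leans on and counts how many are stacked together. The phrase patterns and both sample messages are constructed for illustration and are deliberately simple; they are an awareness-training aid, not a validated phishing classifier.

```python
import re

# Constructed, illustrative phrase patterns for each of Cialdini's six
# principles as a phisher might word them. Heuristics only; extend them
# with wording you actually see in your own environment.
PRINCIPLE_PATTERNS = {
    "Reciprocation": [
        r"\bfree (gift|voucher|bonus|reward)\b",
        r"\bas a thank[- ]you\b",
        r"\bwe('ve| have) (credited|sent) you\b",
    ],
    "Commitment and Consistency": [
        r"\bas you (agreed|requested|confirmed)\b",
        r"\byou (previously|already) (signed up|opted in|agreed)\b",
        r"\bcomplete your (registration|verification)\b",
    ],
    "Social Proof": [
        r"\b\d+ of your (colleagues|contacts|friends)\b",
        r"\beveryone( else)?( in your (team|department))? has\b",
        r"\bmost (users|employees|customers) have\b",
    ],
    "Liking": [
        r"\byour (friend|colleague) [A-Z][a-z]+ (recommended|invited|shared)\b",
        r"\bwe('ve| have) always valued\b",
    ],
    "Authority": [
        r"\b(it|security|compliance|legal|hr|payroll) department\b",
        r"\b(ceo|cfo|director|administrator|auditor)\b",
        r"\b(official notice|mandatory|required by policy)\b",
    ],
    "Scarcity": [
        r"\bwithin (the next )?\d+ (hours|minutes|days)\b",
        r"\b(expires|expiring|deadline|final notice|last chance)\b",
        r"\btime is running out\b",
        r"\b(immediately|urgent(ly)?|right away|today only)\b",
    ],
}


def find_influence_cues(text: str) -> dict[str, list[str]]:
    """Map each principle that fires to the phrases that triggered it."""
    hits: dict[str, list[str]] = {}
    for principle, patterns in PRINCIPLE_PATTERNS.items():
        for pattern in patterns:
            for match in re.finditer(pattern, text, flags=re.IGNORECASE):
                hits.setdefault(principle, []).append(match.group(0))
    return hits


def risk_level(hits: dict[str, list[str]]) -> str:
    """Crude triage: several principles stacked in one short message reads
    more like a scripted hustle than like ordinary business mail."""
    if len(hits) >= 3:
        return "high"
    if hits:
        return "medium"
    return "low"


# Constructed sample messages (not real mail).
PHISHING_SAMPLE = """\
From: IT Security Department
Subject: FINAL NOTICE: mailbox verification required

As you agreed during onboarding, all staff must complete your verification
today. 37 of your colleagues have already done so. This step is mandatory
under company policy. Respond within the next 24 hours or your account will
be suspended."""

BENIGN_SAMPLE = """\
Hi team, the Q3 numbers are attached. Let me know if anything looks off.
Thanks, Dana"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        hits = find_influence_cues(sample)
        print(f"{label}: risk={risk_level(hits)}")
        for principle, phrases in hits.items():
            print(f"  {principle}: {phrases}")
```

Run against the constructed phishing sample, it reports Commitment and Consistency, Social Proof, Authority and Scarcity all in one message, which is exactly the stacking the article's Tupperware and Real Hustle examples describe.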

The Real Hustle

During my research, I came across a U.K. television show called The Real Hustle. It caught my attention because I recognized that many of the principles in this article were being used. For example, one episode titled, "Extreme Social Compliance" employs several Weapons of Influence. Let me know if you recognize them.

Final thoughts

The Six Weapons of Influence are somewhat obvious, but it doesn't hurt to reinforce how effective they are. Then, when you get that suspicious email, look and see which principle they are trying to fool you with.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

65 comments
mark.holman

Great info. Will see if it can be usable for future reference. Price is right also. Thank you, Mark Holman

NEDDOT

Hi Michael, great post! From my own experience at least these "fishers" will pass our way:

1. Fishing on the street:
- Money (change or begging) for a train ticket or whatever, by trying to be likable. Could be a scam. Simple test: the best standard reply, "Sorry, I don't have a single dime," could suddenly provide you with a 5-dollar bill depending on how your clothes and shoes look, so we have to be honest sometimes by returning such "gifts".
- Religion: "save our soul" members of "The Watch Tower" or other sects lure by trying to be likable and... time is running out, the end of times is near! The always kind people who try to lure usually come to understand from me that the Nature of Nature helps us forward or blocks us in life. Preferably this should not be taken out of control by the "authorities" of religion. There has to be space for the unknown unknown.
2. Fishing by phone (and using social network details from services like LinkedIn etc.):
- Investment opportunities: time is scarce, have to take the opportunity within a limited time; authority (fancy portfolio, web page, presenting themselves in nice suits).
- ICT services (cheaper and better than the competitor, again presenting themselves in nice suits with a fancy portfolio, web page etc.). Be aware of possibly hidden costs and (more) limited services.
3. Fishing by email:
- Lottery scams looking for the dumb victim; time is scarce, react within today!
- The typical Nigerian money laundering scam. These come from all continents nowadays, with authority claims and time limitation.
- Medicine scams (Viagra etc.): no recognizable influence, just finding weak victims who want to easily purchase the stuff for their weakness.
- Bank details fishing (PayPal, Citibank etc.): masking the fake web page with the real bank's web page info (authority disguise).
4. Subscription feeds, "presents" from "sponsors" (technical networks etc.):
- Download attractive software or documents after you have submitted certain details (the fields with the asterisk are mandatory). This is tricky since you may already have subscribed as a "real person"; read the small print on "Privacy". Use a free trash mail account for these kinds of things (but still more private than Gmail or Hotmail!).
5. Etc. Too much fishing out there. Only 5-10% of incoming emails to corporate mail servers are legitimate direct business emails; the rest is bounced, 99% of it by anti spy/spam/scamware blocking systems. This is the reality of the open internet: about 95% is used to attempt to fool, to influence or to cheat other people.

sboverie

Most con jobs are based on the inherent dishonesty of people. The Nigerian scams are a good example of this. The movie "The Sting" shows how an earnest looking fellow can con a stranger into "helping" him hide cash by sticking a bundle in his pants and meet later at a known location. This scam used trust to get the victim to add his money to the bundle. Whether the victim goes to the meeting point or not is no longer important to the con after switching the bundles. Diogenes was said to walk around with a lit lantern seeking an honest man and failing to find an honest man. An honest man would not fall for any con jobs that depend on the victim's dishonesty. In the case of the Nigerian plea to help take money out of the country to save the loss of the money; an honest man would ask why is it necessary to break that country's law to circumvent the loss of the money.

jkameleon

Before all, it doesn't cover the curiosity, the old "click here to see the dancing bunnies" stuff. A lot of the phishing spam I'm getting contains some sort of fake invoice, statement of fees, tax notification, UPS/DHL delivery problem notification, etc. Things that make you say "goddamned red tape, they screwed it up again, what do they want from me this time?", and open the attachment. I think Dr. Cialdini's rules don't cover that either.

Ocie3

http://www.youtube.com/watch?v=bhCA9Dx5Pbw&NR=1&feature=fvwp Note: Impersonation of a police officer is a felony in every state in the US, and probably in the UK as well. So is carjacking. (They're all actors, folks!) That is one interesting TV series, with several videos on YouTube. The Laptop Theft Scam is a classic.* Last night I was effecting a purchase at the checkout counter of a local store. I heard a sound behind me and turned my head enough to see, out of the corner of my eye, a young man open the door of a cooler, which was stocked with bottles of soft drinks, on the other side of the aisle. After I turned back to face the cashier, a young couple in line behind me said "That guy just stole a soda!" as I heard the automatic exit door closing. The cashier and another woman who was counting the contents of a cash register nearer the door were surprised! Neither one noticed the young man at all, perhaps because they were busy at their respective tasks. All of us were surprised when less than a minute later the same guy returned to the shop without a soda in hand. Distinctly muttering "that one was frozen solid!" he was apparently returning to the cooler for another, when he was interrupted by the woman nearest the door. She told him that he should pay for it before he took another one. Since I paid for my purchase, gathered the merchandise, and left the store, I don't know what happened afterward. A full bottle of soda, apparently the one that he had taken first, was sitting atop the garbage can cover, just outside the front door. He did not leave the store while I could see the front. When you act as though you are doing what you are entitled to do, are tasked with doing, or are on a mission to do, how likely is it that anyone will stop you?

* It has been a while since I went through an airport screening with a laptop. Do they actually put them through the X-ray examination screening? It seems to me that would likely harm the electronics.

JamesRL

I got a call from a person purporting to be with one of the telecom companies that provide us local service across Canada. Except the area code was from the US, and this company has no US offices. The person only gave her first name. She didn't refer to exactly what services her company provides to my company, or refer to a sales rep (someone I could verify). So she started in asking a question about the number of agents in our call centre. Not how we feel about level of service etc. I replied that I didn't think I cared to share that information at this time. I would have had I initiated contact looking for a quote. But out of the blue, it just felt wrong. Her reaction was even more curious: she quickly ended the call. A decent salesperson would have graciously ended the call and found a way to keep the door open. The only technique she used was flattery; she was "told" I was the guy to talk to about this kind of important info. I'm not that easy. My last course in Social Engineering was conducted by the RCMP. James

CHerley

Coincidentally I just ordered this (also on the emphatic insistence of a friend). A very interesting read that looks at how Cialdini's work (and other stuff) applies to systems security is by Frank Stajano and Paul Wilson (a real live scammer): http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-754.pdf Cormac Herley

Michael Kassner

I saw several Weapons of Influence being discussed. Thanks for bringing that web site to my attention.

Ocie3

are based upon the victim's greed, which can predispose them to agreeing to action, or inaction, which is dishonest. But simple greed alone is sufficient. The classic exploitation of greed is the Ponzi Scheme, most notably and recently known to have been perpetrated by Bernard Madoff. The perpetrator uses the money that is most recently "invested" in an enterprise, such as a "mutual fund", to pay "returns" to other investors -- returns on investment which are exceptional. People don't question exceptional profits and returns on investment. They celebrate them! They will ask questions about any degree of loss or an imminent risk of loss. When someone receives exceptional profits or ROI, they inform their friends and colleagues (with various motivations to do so). Such "news", of course, appeals to the greed of many people who aren't yet investors, and they will do almost anything to give the Ponzi Scheme operator their money. Addendum: The crowd's rush to give the Ponzi Scheme operator their money is The Social Proof principle at work, because the decisions to invest are motivated by learning that others have profited well by investing in the scheme.

JackOfAllTech

Yes, The Sting is good, so is Paper Moon and The FlimFlam Man. And let us remember the classic: You can't cheat an honest man.

seanferd

Appealing to people's greed, stupidity, willingness to help, need for attention, or credulity are always good.

Ocie3

people who will do something simply because it is the wrong thing to do, even if they expect to suffer for doing it. Is there a Principle of Rebellion for decision making and influencing decisions? "We're mad as hell and we're not going to take it any more!!!" Go start a riot!

seanferd

f fake invoice, statement of fees, tax notification, UPS/DHL delivery problem notification, all fit under the Principle of Authority. But you are correct, I don't see curiosity fitting under any category. Appealing to people's interests or vices may not, either, but they could fit under jkameleon's Rule of Curiosity.

Michael Kassner

Curiosity seems like it would be a factor and I don't see it fitting under any of the other principles.

AnsuGisalas

And when he was in Copenhagen, where'd he go? The Hotel d'Angleterre's restaurant, popular with SS brass, right under the wanted poster with his picture and others... A stomach full of ice is better protection than almost anything else.

Michael Kassner

But, the metal detectors would. The difference is electromagnetic energy versus magnetic energy.

santeewelding

You play with epiphany, don't you? My. How outspoken you become.

NickNielsen

A recorded voice from Tucson, AZ calling about upgrading my [corporate] phone plan. Hung up.

Michael Kassner

Thanks for sharing, James. You are not going to get off that easy. You have to tell us about the class that you took with the RCMP.

JackOfAllTech

Did you check to see how long CHerley has been a member? Did you use ANY means to determine if the target was safe? Then don't criticize people who fall for phishers.

Michael Kassner

I would love to hear your comments after reading it. I am still working on that report you gave me and thanks for the link. I have not heard of that paper.

seanferd

Way to be, grand uncle! This is one of those manipulations I would fail at completely, because I don't feel like I belong anywhere, and can't fake it very often.

Michael Kassner

I also like your analogy of a stomach full of ice. Thanks for sharing.

Ocie3

X-rays are high frequency, high energy photons. Electromagnetic energy is produced by flows of electrons; magnetism originates from their spin. So, a metal detector would mess with any magnetic storage media, for sure. X-rays would probably affect optical storage media, and light sensors such as those on cameras.

Michael Kassner

I have had several people mention the same thing. Hopefully, no one gets caught.

Ocie3

Michael's article about "The Rational Rejection of Security Advice"? (That may be an approximation of the title.) IIRC, it was based on research by Cormac Herley, who participated in the discussion, too. BTW, I use Firefox with NoScript and Perspectives, among other security extensions. Also, I have the Firefox options "Warn me when sites try to install add-ons", "Block reported attack sites", and "Block reported web forgeries" enabled on the Tools > Options > Security tab. Last but not least, Firefox is running in a Sandboxie sandbox. All of these measures don't necessarily prevent someone from effecting a "phishing attack" against me, since such an attack is essentially a work of "social engineering". But when the initial aim is to persuade me to use Firefox to fetch a page from a specific web site, two of its native Security options might alert me to the fact that the web site itself is suspect. Also, NoScript stops Firefox from executing a JavaScript script on a web page that it is rendering, unless and until I permit it to do so. Since most data input activities such as log-in dialogs will not work without JavaScript, I must consciously make a choice to enable it on that web site, which is an opportunity to stop and evaluate what has been going on and why I am there. The other native Security option and the security extensions, and Sandboxie, can help me deal with some potential consequences. I don't criticize anyone who is victimized by a phishing attack. I've been "hustled" a couple of times, without any serious or lasting consequences, fortunately, but not phished. The real challenge is recognizing that what is going on is a situation and a sequence of events which has been planned and organized in advance by a hostile person(s). If you do something that does not allow them to continue with their "script" then the hustle is likely to fall apart. In some cases, though, that could be more dangerous, with worse consequences than those that would be inflicted by allowing the hustle to continue. So sometimes the wisest choice is to allow it to proceed to its conclusion.

CHerley

BTW, I think Paul Wilson (one of the authors of the report I linked to) is the host of that UK series the Real Hustle.

Michael Kassner

It's actually a common expression in the fly-over zone.

seanferd

And I understand why you might find it a clumsy or inaccurate phrasing. I mean it like, "appealing to someone's sense of fair play." Perhaps you and others are more comfortable reading "appeal" when the object is perceived as either more "positive" or more "active". I'll buy it, though, for whatever reason. And obviously, I did not originally take the right part of your comment for the critical part. :^0 <facepalm> :p

Ocie3

What you wrote begins: "Appealing to people's greed, stupidity, willingness to help, ...." I'm not sure what "appealing to people's stupidity" means. Maybe "Taking advantage of people's greed, stupidity, willingness to help, ...." would be a better way to say it.

seanferd

Are you asserting that stupidity is not real? That there are not people who, at least in some things, are willfully, sometimes proudly, ignorant in the face of overwhelming facts to the contrary? This is a totally usable avenue for manipulating people. The best one, I think. With some of these people, you can use the same scam two or more times. They are that stupid. And I don't know what else you would call that phenomenon, other than stupidity.

AnsuGisalas

I fooled myself so well, in fact, that I was puzzled when the people I was with thought I'd been reckless, and when the barkeep thought I'd been brave. After all, I had done something perfectly normal. And in the least dangerous way imaginable, avoiding a fight and sending the brawler home without grudges. I'm not so sure I could pull it off again. But my point was that some people fool themselves to fool others. It proves that they're basically honest, that they can't lie well. But they can tell the truth well, such as they make themselves believe the truth to be. In contrast, some simply fail to see that there are other people involved at all. They aren't lying at all, because it's not lying if you're talking to thin air, or to fixtures. They aren't doing anything wrong to anybody, either, since there are no humans involved; no humans, at least, that they recognize as such. Both are effective, but the latter kind is dangerous. I think they're sociopaths. They can be charming, but since they lack the peer-instinct, no-one can trust them.

Michael Kassner

I have attempted this, but never in such a dire situation as you described.

AnsuGisalas

The way I've done something similar, it had more to do with fooling myself than with fooling others. I tricked myself into thinking "what I'm about to do is perfectly normal", at the same time visualizing what I would do, how, what timings would be involved. A bit like scripting myself - "if that guy comes this way, I get up, casual, and happen to intercept him at that point there. then I talk to him like he's not half-again my size and a seasoned brawler... he's just a normal guy, and I talk to him like he's maybe lost his way" Ok. Time to go. Worked great. The other mindset is the "why wouldn't I do this, nobody's going to catch me". Some people have this as a basic mode of thinking, and they make great agents, but sadly, also great double-agents and embezzlers.

Michael Kassner

This certainly has been an interesting string in the comments.

AnsuGisalas

...having been shot midflight on a starless night. :p If you have a reason to doubt my eye, you should show me something that you see me not seeing. It's part of the deal, look it up in the EULA.

santeewelding

You know not what you say. But, you are felicitously on the mark.

AnsuGisalas

We walk in the seedy parts of town with our bristles bristling. On the wide sunny boulevards, not so much. We transfer the same kinds of landscaping upon social situations and upon information channels.

seanferd

He's a bodhisattva. I've noted this before. ;)

santeewelding

Michael is a manipulator, in spite of what he may have you believe. He cannot be successful in what he does, otherwise.

seanferd

Regardless of patents and national security laws, even. I think humans mostly behave that way, with manipulators being the exception. What I always find odd is: Given a situation with an agent using the reciprocation principle as a manipulation, a given person may be suspicious in some environments or media, but not in others, all other things being equal. It baffles me sometimes.

Michael Kassner

Thanks for sharing that. It was really interesting and appropriate for this post.

AnsuGisalas

One of these, the principle of reciprocation, immediately reminded me of advice given me by my granddad (on my mother's side; the abovementioned great uncle was on my father's side). He said that if you're going somewhere to learn something (he was a professor emeritus of biophysics), then you should bring something with you to exchange. He referred to an ancient term "mandsjaevning" which when translated with English cognates becomes mansevening ("even" as in "we're even"). I believe he in turn had been told of it by his father, who was a history professor. He said that if you let people in on something of your own, they will let you in on theirs. It's something he used to get into the circles of various US research institutions he visited/worked at during his career, to become a peer, rather than an outsider. We're like that. Social creatures. We have open protocols, with all the potential for abuse that entails. EDIT: This one went in the wrong place, so the great uncle is actually mentioned below. Doh!

Michael Kassner

But, everything I have read states there is no problem. Or at least not to the extent where we would know it. My notebook and camera have been through countless X-ray scanners and seem to be none the worse.

seanferd

this paper is very interesting.

Michael Kassner

References in the paper verified its validity with me.

seanferd

Street cred? Sounds like positioning for Argument from Authority. Dr. Cialdini and The Real Hustle are manipulating you. OK, I'm not being entirely serious. ;)

Michael Kassner

I am about halfway through the paper and they mention that. That lends a bunch of street cred to the show.