Ever agree to something and not understand why? That's who we are, and cybercriminals are trying to capitalize on it. Learn what to watch for.
Last week, a good friend of mine and marketing director for a local ISP called. Before I had a chance to say hello, I heard some excited talk about my needing to read Dr. Robert Cialdini's book, Influence: The Psychology of Persuasion. More than somewhat baffled, I asked why.
She suggested that the professor's "Six Weapons of Influence" would be invaluable to phishers. Smelling an article, I downloaded the book to my iPhone. It was perfect timing, as my trip to the TechRepublic conference began the next day and I could read it during the flight.
Entranced by the book, I began to understand what my friend meant. I have fallen prey to one or more of Dr. Cialdini's Weapons of Influence. Once I got back home, I started checking to see whether there was any existing research correlating social-engineering techniques with the professor's principles.
Social engineering and influence
I came across a post titled, "Social Engineering and Influence by Dr. Cialdini." It was written by K.K. Mookhey, founder of Network Intelligence, a company specializing in penetration testing and security audits. What makes the post appropriate is how Mr. Mookhey applies Dr. Cialdini's Six Weapons of Influence to specific pen test/exploit techniques. I realized there and then I needed to pass this information along. Here are Dr. Cialdini's rules and how Network Intelligence applied them:
Rule of Reciprocation: This rule says we all will try to repay, in kind, what another person has provided us. Dr. Cialdini uses the example of greeting cards. It's a pretty good bet, if you send a holiday card to someone, you will receive one back.
- Exploit: Network Intelligence mentions that reciprocation is one of their most successful tools. They are able to obtain sensitive information about systems and the network by providing the targeted person with something they want, especially if it's considered a gift.
- Exploit: Network Intelligence counts on this tendency when they pose as auditors. The first step is to gain the confidence of employees they are interviewing. Once that happens, the employees will likely provide more information than they should.
- Exploit: How are social-networking invites from an unknown person to be handled, especially if that person has links to people I know? Do I allow the link, even though I do not know anything about the individual? According to Dr. Cialdini, it is highly likely that I will, and that's what Network Intelligence and the bad guys are counting on.
- Exploit: When trying to leverage information out of people, Network Intelligence will send their most charming and personable team members because of this principle.
- Exploit: Network Intelligence uses fake letters of authority and team members that present themselves as having every right to be there.
- Exploit: This is probably the most popular exploit, because time is used as the scarce commodity. Social engineers at Network Intelligence have found emphasizing that time is running out will get people to comply, even though it violates company policies or their own sensibilities.
The Real Hustle
During my research, I came across a U.K. television show called The Real Hustle. It caught my attention because I recognized that many of the principles in this article were being used. For example, one episode titled, "Extreme Social Compliance" employs several Weapons of Influence. Let me know if you recognize them.
The Six Weapons of Influence are somewhat obvious, but it doesn't hurt to reinforce how effective they are. Then, when you get that suspicious email, look and see which principle they are trying to fool you with.
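One way to put that last piece of advice into practice, as an added example that is not part of the original article and not code from Network Intelligence: a small cue-phrase tagger that an awareness team can run over a reported message to show the user which of the Six Weapons the sender is leaning on. The cue lists, the scoring function and the two sample messages are all constructed for illustration; a real deployment would build the cue lists from its own reported-phish corpus.

```python
"""Tag a suspicious message with the influence principles it leans on.

Added example (not from the article or from Network Intelligence). The
cue phrases below are a hypothetical starting list, grouped by Cialdini's
six principles; the sample messages are constructed for this demo.
"""
import re
from collections import OrderedDict

# Hypothetical cue phrases per principle. Tune these against the phish
# your own users actually report; this list is only a seed.
CUES = OrderedDict([
    ("reciprocation", [r"\bfree\b", r"\bgift\b", r"\bvoucher\b",
                       r"\bas a thank you\b", r"\bon us\b"]),
    ("commitment",    [r"\bas you agreed\b", r"\byou (?:already )?confirmed\b",
                       r"\bas discussed\b", r"\bto complete your\b"]),
    ("social_proof",  [r"\beveryone\b", r"\byour colleagues\b", r"\bothers have\b",
                       r"\bmutual (?:friend|connection)s?\b", r"\bpeople you know\b"]),
    ("liking",        [r"\bgreat to (?:meet|see) you\b", r"\bloved your\b",
                       r"\bwe have so much in common\b"]),
    ("authority",     [r"\bceo\b", r"\bit department\b", r"\baudit(?:or|ors)?\b",
                       r"\bcompliance\b", r"\blegal department\b", r"\bauthori[sz]ed\b"]),
    ("scarcity",      [r"\bwithin \d+ (?:hours?|minutes?)\b",
                       r"\bexpires? (?:today|soon|tonight)\b", r"\blast chance\b",
                       r"\bimmediately\b", r"\burgent\b", r"\blimited time\b",
                       r"\bact now\b"]),
])


def tag_principles(text):
    """Return an ordered dict: principle -> list of cue phrases found in text."""
    lowered = text.lower()
    hits = OrderedDict()
    for principle, patterns in CUES.items():
        found = [m.group(0) for pat in patterns for m in re.finditer(pat, lowered)]
        if found:
            hits[principle] = found
    return hits


def pressure_score(text):
    """Count how many distinct principles one message stacks.

    Legitimate mail usually leans on none or one; a message that pulls
    several levers at once is worth a second look before acting on it.
    """
    return len(tag_principles(text))


def explain(text):
    """Human-readable report for a security-awareness reply to the reporter."""
    tags = tag_principles(text)
    if not tags:
        return "No influence cues found."
    lines = ["Influence cues found (%d principle(s)):" % len(tags)]
    for principle, phrases in tags.items():
        lines.append("  %-13s %s" % (principle + ":", ", ".join(sorted(set(phrases)))))
    return "\n".join(lines)


# Constructed sample messages for the demo (not real phish).
SAMPLE_PHISH = (
    "Subject: URGENT: payroll audit\n"
    "This is the audit team working with the CEO. Your colleagues have already "
    "confirmed their details. Complete the attached form within 2 hours or your "
    "account expires today. As a thank you, a $50 gift voucher is on us."
)
SAMPLE_BENIGN = "Hi, attaching the minutes from Tuesday's meeting. No action needed."

if __name__ == "__main__":
    for label, msg in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print("== %s (score %d) ==" % (label, pressure_score(msg)))
        print(explain(msg))
```

On the constructed phish the tagger reports four principles stacked (reciprocation, social proof, authority and scarcity) and none on the benign note. Treat the output as a teaching aid for the person who reported the message, not as a mail filter: legitimate mail from finance or IT will also say "urgent" or "audit", and a sender who rephrases slips past a fixed cue list, so the value is in making the pattern visible to the reader, which is exactly the point of the article.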