
The Matrix Has You! A Guide to Corporate Social Engineering

“You have the look of a man that accepts what he sees because he is expecting to wake up” – Morpheus

Social Engineering is everywhere…. it’s all around you, even in this very article. From the gas station to your television set, your drive to work or checking your email… When you go to work, when you go to church, yes.. even when you do your taxes. These are the “other” parts of the hack, human hacking …

The “other” parts of a hack are the ones that most companies never actually pay attention to or defend against, and that never show up in the after-action report. It’s the subtle random phone calls that seem innocent enough or the short conversations at the coffee shop a block from campus that are just a little too loud. We’ve all heard someone on the cell phone, right? Do they seem at all worried about people listening? Half the time it almost seems as if they want people to hear them talking, so many times I oblige. Social security numbers, place of employment, home address… it is amazing what you can learn sitting in a coffee shop all day long.

When these techniques are used by a professional to attack a company, or even an individual, they can lead to some devastating outcomes. A quick search on LinkedIn will show you thousands of people’s work IDs, what OS they are using on their computers, what AV they have running; the list is nearly endless. Red Teams exist because we typically think differently. As I’ve said so many times, we’re terrible, horrible, manipulative people that exist for one reason… to lie, cheat, scam and steal, only to turn it off, hand it all back and let you know how and why it worked and how to defend against it.

But this article isn’t really about “real” criminals, it’s about daily life. It’s about the techniques used and perfected for hundreds of years by people and companies… to get you to perform a certain action. Forms you fill out, online web pages, TV commercials and music, barcodes, alcohol, soft drinks. You cannot interact with the consumer-driven world and NOT suffer some form of manipulation.

In the words of Jay Z “I sell ice in the winter, I sell fire in hell I am a hustler baby, I’ll sell water to a well”. Some of the common everyday techniques used to get you to interact, click, buy, look, whatever… are all around you. The Grifters? We use these techniques that have been honed for centuries by companies … on YOU to get what we want. So thank you PepsiCo, thank you Instagram, thank you ad agencies, your due diligence and professionalism in manipulation has made my job as a grifter so much easier.

A recent article I was reading was entitled “How to Overcome Sales Manipulation and sell without Deceit.” o.O Let’s break that title down a little…

Manipulation - a type of social influence that aims to change the behavior or perception of others through indirect, deceptive, or underhanded tactics.

Deceit - the action or practice of deceiving someone by concealing or misrepresenting the truth.

Hmm, by its very definition manipulation is “deceitful”, and misrepresenting the truth sure is a large gray area, is it not? “Well, I know we said we could perform that pentest in Dec, I really thought we would have a tester available by then!” Then we have the following:

Persuasion - a deliberate attempt to influence others. Here we are deliberately trying to influence others into doing something we want them to do. You can argue the semantics all you want, but these are all the same; typically the intent is what separates them, but the “attempt” is the same across all three. So now that we got that out of the way, yes.. damn near every company is trying to manipulate you. Even now, am I not trying to pull back the curtain so you might trust me and hire me to train your employees the right way? Oh 100%. I just try not to hide it like the others :)

The top “Cons” companies run in an attempt to get you to take some action (usually buying something or interacting with a platform that makes them money):

Reciprocity – giving you a flower: you can keep it for free, but will you please give me a donation if you like it? This plays on people’s guilt: I did something kind and unexpected for you, are you such a bad person that you wouldn’t return the favor? Or sign up for free, cancel any time! Yet half the people don’t ever cancel… oops.

“The Guarantee” - Try it out. If you’re not happy with it, I will personally come back next week to pick it up. And it won’t cost you a dime! People are lazy, even if half return the garbage product, we still sold half.. SUCKERS!

Sunday, Sunday, Sunday! One day only! – scarcity, a sense of urgency. Black Friday. Scarce items feel exclusive, appear more valuable, and make people feel powerful (access to things others don’t have).

Low Ball versus High Ball - This one is pretty easy, we see this in department stores everywhere. It’s the “sale”: when you mark that blouse up to $300 and the sale tag says $98, a person will see this and say WOW, and is significantly more likely to buy it. So much so, that this one tactic almost single-handedly took down J.C. Penney. Ron Johnson, former head of Apple’s retail stores, tried to remove sales and discounts and offer customers a simple low price on the same items other department stores were having sales on. You could go to JC Penney and buy a pair of Levi’s anytime, for $50, while you had to wait for other stores like Nordstrom to have a sale in order to buy them at the same price. Well, we all know JC Penney isn’t doing that well, so what happened? People feel better and prefer to buy an item on sale, because they feel like they “found treasure”. It is more appealing to a person to find a discount than to just go somewhere and buy it for the same price. It makes them feel like they have somehow fought back against the man. Great daily example: go to a furniture store, they ALWAYS have a sale, and it’s always ending.. SUNDAY, SUNDAY, SUNDAY, one day only!

Because - There was a study done in the 1970s by Harvard University psychologist Ellen Langer. In a nutshell the study went like this:

There was a line of people waiting to make photocopies; the participants were approached by someone who asked if they could cut in front of them.

Version 1 (request only): “Excuse me, I have 5 pages. May I use the Xerox machine?”

Version 2 (request with a real reason): “Excuse me, I have 5 pages. May I use the Xerox machine, because I’m in a rush?”

Version 3 (request with a fake reason): “Excuse me, I have 5 pages. May I use the Xerox machine, because I have to make copies?”

Now, in those last two I’ve highlighted “because”, and you’ll see why below: the rate at which people allowed someone to cut in front of them increased dramatically when one single word was added, because.

Version 1: 60 percent of people let the researcher skip the line.

Version 2: 94 percent of people let the researcher skip ahead in line.

Version 3: 93 percent of people let the researcher skip ahead in line.

Hundreds of attempts, with hundreds of different reasons, the one constant was because. This is “because” people hear that word (because) and they fill in the rest as a reason that should be plausible. One of the CORE tenets of Social Engineering is that people see and hear what they expect, NOT what is really happening. People want to believe in the honesty and goodness of others because they believe they wouldn’t lie, so why would someone else? Therefore, when someone says “excuse me, I’m so sorry, could I cut in front of you because I …….” you have most people right here, because they will fill in whatever you say with a reason that’s ok. This is used to manipulate people in media, advertising, articles, selling cars, you name it.

The last thing we will go into today is Daniel Kahneman’s Loss Aversion Theory, otherwise known as buyer’s remorse. My wife and I went into the Coach store, where my beautiful wife saw a purse she liked. There was only one, and she wasn’t sure if it was exactly what she wanted or maybe there was something else she might fancy just a little bit more. Well, you can probably guess what happened next. Someone else swooped in and grabbed the purse, and she turned from being indecisive to devastated: “OH GOD NOOOOOOOOOOOO! I knew I should have grabbed it and held onto it!” The theory states that losing something is 2 times more powerful than gaining it. This is what a good portion of sales techniques play off of: the thought of losing the deal, or missing out, not getting what someone else got.

Many of these are fairly common sales techniques that are taught in sales courses (typically not called out like this of course). Some of the really juicy manipulative things you can watch in documentaries like “The Social Dilemma” on Netflix. If you haven’t watched this, I HIGHLY recommend it, as it shows just how invasive, manipulative, controlling and downright evil companies can be with their attempts.

Here is the kicker…. If companies are manipulating and deceiving people with every single interaction with the drive to do more sales and interaction, what are the bad guys doing armed with not only this same knowledge, but more sinister f&#ed up ways to take advantage? The exception? “We” the bad guys… we operate in the shadows, picking and choosing when and how we do what we do. We have all the time in the world to play you and your company, because regardless of what Nordstrom says… Our deceit doesn’t end on Sunday.


This post is licensed under CC BY 4.0 by the author.