Social Engineering: The Art of Human Hacking (2011)
Chapter 5. Mind Tricks: Psychological Principles Used in Social Engineering
It all depends on how we look at things, and not on how they are themselves.
—Carl Gustav Jung
In Hollywood movies and television shows con men and law enforcement are portrayed with almost mystical talents. They have the ability to get away with anything; they seem to be able to just look into the eyes of a person and tell if they are lying or telling the truth. It is not uncommon to see situations like this: the cop looks into the eyes of his suspect and can automatically tell whether he is lying or telling the truth, or with just the power of suggestion the con man’s targets are handing over their life’s savings. Movies might have you believing that manipulation tactics and getting people to do anything you want is plausible or even easy. Are these scenarios really fiction? Is it possible to gain such abilities that are saved for fantasy in the movies?
This chapter could be a book unto itself, but I will condense this information down to principles that will truly change the way you interact with people. Some of the topics in this chapter are based on research done by the brightest minds in their respective fields. The techniques discussed in these topics were tested and put through the paces in social engineering environments. For example, the topic of microexpressions is based on the research of the world-renowned psychologist and researcher, Dr. Paul Ekman, who used his genius to develop techniques into reading facial expressions that can literally change the way law enforcement, governments, doctors, and everyday people interact with others.
Some of the principles of Richard Brandler and John Grinder, the originators of neurolinguistic programming, changed people’s understanding about thought patterns and the power of words. These topics are subjects for much debate, and this chapter attempts to demystify this subject and explain how you can use them in social engineering.
Some of the best interrogators on the planet developed training and frameworks to help law enforcement learn how to effectively interrogate suspects. These principles have such deep psychological roots that learning the methods used can literally unlock the doors to the minds of your targets.
Using cues that people give in their speech, gestures, eyes, and faces can make you appear to be a mind reader. This chapter examines these skills and explains them in detail so they can be utilized by a professional social engineer.
Rapport is often a word used by sales trainers and salespeople, but it is a very important aspect of gaining trust and displaying confidence. Knowing how to instantly develop rapport with people is a skill that truly enhances the skill set of a social engineer, and this chapter shows you how.
This chapter finishes with my own personal research on how you can use these skills to hack the human mind. A buffer overflow is a program usually written by a hacker to execute code, of malicious intent normally, through the normal use of a host program. When executed the program does what the hacker wants. What if it were possible to run “commands” on the human mind that would cause the target to do what you ask, give over information you seek, and, in essence, prove that the human mind is able to be manipulated?
This powerful information, of course, can be used for very malicious intentions. My goal in releasing this information to the public in this way is to pull back the curtain from what the “bad guys” are doing by exposing their methods, thinking, and principles, then analyzing each one and showing what you can learn from it. Exposing these techniques makes identifying, defending, and mitigating against these attacks easier for everyone.
This chapter is truly a mind-altering collection of data and principles. Following, studying, and researching the methods will not just enhance any security endeavors but these principles can also alter the way you communicate and interact with others.
By no means, though, is this chapter a complete collection that covers all aspects of each of these skills. I provide links and tips to where you can find more information and programs to help you enhance these skills. This chapter sets a foundation as well as acts like a guide, pointing you in a direction so you can learn to enhance each skill over time.
Learning social engineering skills is not a quick process, so don’t be impatient. The methods of learning some of these skills can take years to perfect and a lot of practice to even become proficient. Of course, you may possess a skill for a certain aspect but if you do not, don’t become impatient with trying to learn it. Keep on trying harder and practicing and you will get it.
Before you get into the meat of this chapter, the following section sets the stage for why and how these principles will work. You must understand the modes of thinking that exist. After you understand more clearly how people take in and process information you can begin to understand the emotional, psychological, and physical representations of that process.
Modes of Thinking
To alter someone’s way of thinking you must understand the way people think and in what modes they think. This seems a logical first step to even attempting this aspect of social engineering.
You might think you need to be a psychologist or a neurologist to understand the many aspects of how a person can think. Although that can help, it is not necessary. With a little research and some practical application you can delve into the inner workings of the human mind.
In August of 2001 the FBI put out a law enforcement bulletin (www.social-engineer.org/wiki/archives/ModesOfThinking/MOT_FBI_3of5.htm) that made a few very profound statements on the modes in which people think:
Simply confirming your nonverbal behavior to the client, using language from the client’s preferred representational system and matching speech volume, tone, and area of speech often overcomes client reluctance to communicate.
This simple statement has a lot of depth in it. Basically it is saying that if you can first figure out the target’s dominant mode of thinking and then confirm it in subtle ways, you can unlock the doors of the target’s mind and help him actually feel at ease when telling you even intimate details. Logically you may ask then, “How do I figure out a target’s dominant mode of thinking?”
Even asking people what their mode of thinking is will not offer a clear answer, because many people do not know what mode of thinking they often reside in. Due to that, as a social engineer you must have some tools to help you determine this mode and then quickly switch gears to match that mode. A clear and easy path exists to this answer but you need to know the basics first.
The Senses
For centuries philosophers have argued the value of perception. Some go so far as to say that reality is not “real” but just what our senses build into our perceptions. Personally, I do not subscribe to that idea, but I believe that the world is brought to our brain by our senses. People interpret those senses for their perception of reality. In the traditional classification we have five senses: sight, hearing, touch, smell, and taste.
People tend to favor one of these senses and that is the one that is dominant. It is also the way people tend to remember things. As one exercise to determine your dominant sense, close your eyes and picture yourself waking up this morning—what is the very first thing you remember?
Was the feeling of the warm sun on your face? Or maybe you remember the sound of the voice of your spouse or children calling you? Do you remember clearly the smell of coffee downstairs? Or quite possibly the bad taste in your mouth, reminding you that you need to brush your teeth?
Of course, this science is not exact and realizing what your dominant sense is may take a few tries to figure out. I once talked to a couple about this concept and it was interesting to watch their expressions. The wife first remembered waking up and seeing the clock and then worrying that she was running late, whereas the husband first remembered rolling over and not feeling his wife next to him. After some more questions it became evident that the husband was a kinesthetic, or his dominant sense was his feeling, whereas his wife was very visual.
Of course, walking up to your target and saying, “Close your eyes and tell me the first thing you remember this morning,” doesn’t seem reasonable. Unless, of course, your pretext is the family shrink, you might meet with some opposition on this route.
How can you determine without going through an embarrassing interrogation about their morning rituals what a target’s dominant sense is?
The Three Main Modes of Thinking
Although we have five senses, the modes of thinking are associated with only three of them:
· Sight, or a visual thinker
· Hearing, or an auditory thinker
· Feeling, or a kinesthetic thinker
Each sense has a range within which it works, or a sub-modality. Is something too loud or too soft? Too bright or too dark? Too hot or too cold? Examples of these are as follows: staring at the sun is too bright, jet engines are too loud, and –30 degrees Fahrenheit is too cold. Ivan Pavlov ran an experiment where he rang a bell every time he fed a dog. In the end the dog would hear the sound of the bell, then salivate. What most people don’t know is that he was more interested in the physical and emotional aspects of sub-modalities. The interesting point is that the louder the bell rang the more the dog salivated. The range change of the sub-modality produced a direct physical change. Pavlov’s research and all of his lectures are discussed in much detail at www.ivanpavlov.com.
Even though people are very different from dogs, Pavlov’s research is very important in understanding how a person thinks. Many of us can think in all three modes, but we dominate in one—one “rings” the loudest. Even within our dominant mode, we might have varying degrees of depth for that dominant sense.
Following I will discuss some of the details of each of these modes in more depth.
Visual
The majority of people are usually visual thinkers, in that they usually remember what something looked like. They remember the scene clearly—the colors, the textures, the brightness or darkness. They can clearly picture a past event and even build a picture for a future event. When they are presented with material to decide upon they often need something to see because visual input is directly linked to decision making. Many times a visual thinker will make a decision based on what is visually appealing to him regardless of what is really “better” for him.
Although men tend to be visual, this does not mean that all men are always visual. That visual marketing or visual aspects normally appeal to men is true, but do not assume all men are visual.
A visual person often uses certain words in his speech, such as:
· “I see what you mean.”
· “That looks good to me.”
· “I get the picture now.”
And the range that the dominant sense works in for a visual thinker can have certain characteristics, or sub-modalities, such as:
· Light (bright or dim)
· Size (large or small)
· Color (black and white or color)
· Movement (fast or slow)
· Focus (clear or hazy)
Trying to debate, sell, negotiate, manipulate, or influence a visual thinker with no visual input is very difficult if not impossible. Visual thinkers need visual input to make decisions.
Auditory
Auditory thinkers remember the sounds of an event. They remember that the alarm was too loud or the woman whispered too low. They recall the sweetness of the child’s voice or the scary bark of the dog. Auditory people learn better from what they hear and can retain far more from being told things than being shown things.
Because an auditory thinker remembers the way something sounded, or because the sounds themselves help recall memories, he may use phrases such as:
· “Loud and clear…”
· “Something tells me…”
· “That sounds okay to me.”
And the range of this dominant sense can be within these sub-modalities:
· Volume (loud or soft)
· Tone (base or treble)
· Pitch (high or low)
· Tempo (fast or slow)
· Distance (near or far)
It is imperative to choose your words carefully with auditory thinkers. The words they hear will make or break the deal. I have seen whole encounters go from great to a disaster with one wrong word spoken to an auditory thinker.
Kinesthetic
Kinesthetic thinkers are concerned with feelings. They remember how an event made them feel—the warmth of the room, the beautiful breeze on their skin, how the movie made them jump out of their seat with fear. Often kinesthetic thinkers feel things with their hands to get the sense of the objects. Merely telling them something is soft isn’t as real as letting them touch it. But helping recall a soft item they touched before can recall emotions and feelings that are very real to a kinesthetic thinker.
The term “kinesthetic” relates to tactile, visceral, and sense-of-self sensations of the body—basically, where a person’s body is in space and the self-awareness of how something made him feel. A kinesthetic thinker uses phrases such as:
· “I can grasp that idea.”
· “How does that grab you?”
· “I’ll get in touch with you.”
· “I just wanted to touch base.”
· “How does this feel?”
And the range for this type can have the following sub-modalities:
· Intensity (strong or weak)
· Area (large or small)
· Texture (rough or smooth)
· Temperature (hot or cold)
· Weight (heavy or light)
Helping a kinesthetic thinker recall a feeling or emotion tied to something can make those emotions reappear as real as the first time they occurred. Kinesthetic thinkers are probably the most difficult for non-kinesthetic thinkers to deal with because they do not react to sights and sounds and social engineers have to get in touch with their feelings to communicate with this type of thinker.
Understanding these basic principles can go a long way toward being able to quickly discern the type of person you are talking to. Again, without asking the target to picture his morning rituals how can you discern the dominant sense? Even more so, why is this so important?
Discerning the Dominant Sense
The key to determining someone’s dominant sense is to try to introduce yourself, start a small conversation, and pay close attention to what is being said. As you walk up to the target and lean in to say good morning, maybe she barely looks at you. She might be rude, or she just may not be a visual. Visuals need to look at the person speaking to communicate properly, so this behavior would seem to lend to the fact she is not visual. Now ask a simple question such as, “Don’t you just love the feel of a beautiful day like today?” and notice her response, particularly whether she seems to light up or not.
Maybe you wear a large, shiny silver ring. As you talk you gesture; maybe you see that the ring catches her eye. Does she reach out, interested, and need to hold the ring or get close to observe it? Kinesthetics are very touchy-feely when it comes to these things. I know a woman who is a strong kinesthetic and when she sees something she thinks is soft or high quality she must touch it. She will say, “Wow, that sweater looks so soft!” From that statement one might assume she is a visual, but what happens next is what solidifies it. She then walks up to the person and touches the sweater and feels it. This shows her dominant sense is kinesthetic. The same woman must touch everything in the grocery store when she shops, whether she needs it or not. By touching the objects, she makes a connection and that connection makes it real to her. Often she cannot remember things very well that she did not come into physical contact with.
Asking questions that contain some of the key dominant words, observing a target’s reactions, and listening can reveal what dominant sense he or she uses. Listening for key words such as see, look, bright, dark can lead you to treat a target like a visual. As mentioned earlier this is not an exact science. There isn’t a general rule that states if a person says, “I can see what you are saying…” then he is always a visual. Each clue should lead you down the path toward verifying your hunch with more questions or statements. One word of caution: talking to someone in a different mode than they think in can be irritating to some. Using questions to determine a person’s mode of thinking can be off-putting. Use questions sparingly and rely more on observation.
Why Understanding the Mode Is Important
I once worked with a guy, Tony, who could sell a cup of water to a drowning man. Tony was a big believer in seeking out and then using a person’s dominant sense in sales. He had a few methods that he used that you may learn from. When he first engaged the target he had a very shiny silver-and-gold pen he would hold in his hand. He would gesture a lot and notice whether the person followed the pen with her eyes; if she did slightly Tony would continually make the gestures bigger to see whether her eyes followed. If that didn’t seem to work in the first few seconds he would click the pen open and closed. It wasn’t a loud noise, but loud enough to disrupt a thought and draw someone’s attention if she were an auditory. If he thought that was working he would click it with every important thought, causing the target to have a psychological reaction to the sound and what was being said. If that didn’t seem to work he would reach out over the table and tap her wrist or forearm, or if he was close enough touch her shoulder. He didn’t touch excessively, but enough to see whether she would shy away or seemed overly happy or disturbed by the touch.
With these subtle methods he could quickly discern what the person’s dominant sense most likely was. This whole act would take under 60 seconds. After he found the information he was looking for, he would then start to move his conversation to that dominant sense, even taking on the traits of that sense in the words he spoke and way he acted and reacted to the conversation. One thing about Tony is that he outsold any person I have ever met. People would often say about him, “It is like he knew exactly what I needed.”
Tony would talk to the person and treat the person the way they wanted to be talked to. If the person was a visual thinker, Tony would use phrases like “Can you see what I am saying?” or “How does this look to you?” He would use illustrations that involved “seeing” things or visualizing scenarios. He would put people in their comfort zone.
People feel at ease when they are in their comfort zone. The more you can do as a social engineer to put people in their comfort zone, the better chance you have at success. People gravitate towards those with whom they are comfortable; it is human nature. For example, if someone makes you feel “warm and fuzzy,” or seems to understand what you are saying, or seems to see where you are coming from, you easily open up to, trust, and let that person in your circle.
I want to reiterate this point: finding and using someone’s dominant sense is not an exact science. A social engineer should use it as a tool in the arsenal and not rely on it as something magical or scientific. Certain psychological aspects of human nature are based on proven science and can be relied upon. As a matter of fact, some of these aspects are so impressive that they can make you seem like a mind reader. Some of them have been a topic of serious debate and some accepted by psychologists, law enforcement, and social engineers for years. The next section of this chapter discusses these, starting with microexpressions.
Microexpressions
You are probably familiar with the idea of reading facial expressions. When someone is happy, sad, angry, or whatever, when someone feels it you can look at his or her face and see that emotion. What if someone tries to fake that expression, like a fake smile? We have all done it, walking through the market and bumping into someone we just don’t like that much—we put on a “smile” and say, “Hey John, nice to see you. Say hi to Sally.”
We may act very pleasant and cordial, but inside we are feeling nothing but irritation. The expressions that we show for longer periods of time on our face are called macroexpressions and are generally easier for people to see the emotion that is being conveyed. Similar to microexpressions, macroexpressions are controlled by our emotions, but are not involuntary and often can be faked.
A certain few pioneers into the study of human behavior have spent decades researching something, coined microexpressions, to understand how humans relay emotions.
Microexpressions are expressions that are not easily controllable and occur in reaction to emotions. An emotion triggers certain muscular reactions in a face and those reactions cause certain expressions to appear. Many times these expressions last for as short as one-twenty-fifth of a second. Because they are involuntary muscular movements due to an emotional response, they are nearly impossible to control.
This definition is not a new understanding either; Charles Darwin wrote a book in 1872 called, The Expression of the Emotions in Man and Animals. In this book Darwin noted the universal nature of facial expressions and how muscles were used in facial expressions.
In the early 1960s two researchers, Haggard and Isaacs, first discovered what today is called microexpressions. In 1966, Haggard and Isaacs outlined how they discovered these “micromomentary” expressions in their publication titled, Micromomentary Facial Expressions as Indicators of Ego Mechanisms in Psychotherapy.
Also in the 1960s, William Condon, a pioneer who studied hours of tapes frame by frame, discovered that humans had “micro-movements.” He also heavily researched neurolinguistic programming (more on that later) and body language.
Probably one of the most influential researchers in the field of microexpressions is Dr. Paul Ekman. Dr. Ekman pioneered microexpressions into the science it is today. Dr. Ekman has been studying microexpressions for more than 40 years, receiving the Research Scientist Award as well as being labeled one of Time Magazine’s most influential people on earth in 2009.
Dr. Ekman researched facial expressions with psychologist Silvan Tomkins. His research revealed that, contrary to popular belief, emotions are not culturally determined, but are universal across cultures and biological.
Working with Dr. Maureen O’Sullivan he developed a project called the Wizards Project. He began to pioneer the use of microexpressions in lie detection. He used a base of 15,000 people from all walks of life and all cultures and found out of that large number that only 50 had the ability to spot a deception without training.
In the 1970s Dr. Ekman developed FACS (Facial Action Coding System) to label and number each conceivable human expression. His work branched out to not only include facial expressions but also how the whole body was involved in deception.
By 1972, Dr. Ekman had identified a list of expressions that were linked with basic or biologically universal emotions:
· Anger
· Disgust
· Fear
· Joy
· Sadness
· Surprise
Dr. Ekman’s work began to take on a following, and many law enforcement and corporate environments began to use this research in detecting deception. In 1990, in a paper entitled “Basic Emotions,” Dr. Ekman revised his original list to include a range of positive and negative emotions (www.paulekman.com/wp-content/uploads/2009/02/Basic-Emotions.pdf). Dr. Ekman has published many books on emotions, facial expressions, and lie detection that can help each person to understand the value in being able to decode facial expressions.
This brief history indicates that the subject of microexpressions is not some fantasy; on the contrary, real doctors, researchers, and professionals in the field of human behavior have put countless hours into understanding microexpressions. As a social engineer, understanding microexpressions can go a long way toward protecting your clients and teaching them how to notice subtle hints of deception.
If you are a social engineer, or just a person interested in learning about microexpressions, I strongly suggest reading Dr. Ekman’s books, especially Emotions Revealed and Unmasking the Face. He is truly the authority on this topic. The following sections describe the microexpressions in a simplistic format so you can see how you can use this later on as a social engineer.
As mentioned earlier, Dr. Ekman labeled six main microexpressions and later on added contempt to the list, making seven. The following sections cover these one by one.
Anger
Anger is usually easier to spot than some other expressions. In anger the lips become narrow and tense. The eyebrows slant downward and are pushed together—then comes the most noticeable characteristic of anger, the glare.
Anger is a strong emotion and can trigger many other emotions along with it. Sometimes when a person feels anger at something, what you see is a microexpression such as that shown in Figure 5-1. What makes it hard to see is that the facial movements may last only one-twenty-fifth of a second.
Figure 5-1: Notice the glare, tense lips and tightened brows.
Dr. Paul Ekman
Learning to see a specific microexpression can greatly enhance your understanding of people. To learn how to do so, Dr. Ekman recommends practicing that expression on yourself. He says follow these steps:
1. Pull your eyebrows down and together; pretend you are trying to touch your nose with the inner parts of your eyebrows.
2. While your brows are down, try to open your eyes wide, without adjusting your brow position.
3. Press your lips together tight. Do not pucker your lips, just tense them together.
4. Glare.
What emotion do you feel? The first time I did this, I was overwhelmed with anger. The following is a vital point to this chapter:
If producing the facial expression can cause the emotion, that must mean that our facial movements can affect the emotions we feel, and maybe even the emotions of those around us.
Practice this emotion in a mirror until you get it right. Figure 5-2 shows a picture of a young woman showing us exactly how anger is displayed.
Figure 5-2: Notice the definite expression of anger on her face.
Thefinalmiracle (Nikhil Gangavane) | Dreamstime.com
It is just as pronounced as in Figure 5-1 and the icy cold gaze gives it away too.
Mastering the ability to reproduce microexpressions will go a long a way toward understanding the emotion behind them. When you can successfully reproduce and decode a microexpression, you can understand the emotion that is causing it. At that point you can understand the mental state of the person you are dealing with. Not only reproducing them on yourself but also being able to see and read them in others can be helpful in controlling the outcome of your social engineering engagements.
Disgust
Disgust is a strong emotion usually in reaction to something you really do not like. This “something” does not always have to be a physical object; it can also be something that is based on a belief or feeling.
A food that you truly hate can cause the feeling of disgust, which will trigger this expression. What is amazing is even in the absence of the actual smell or sight of the food, the thought of it can cause the same emotion.
When I was a teenager, I went to Disney World with a few friends. I am not, and I mean not, a fan of roller coasters. After much prodding I went on Space Mountain, an indoor roller coaster. About halfway through I had determined that I really didn’t mind roller coasters when suddenly I was smeared with something very wet and chunky. I was then hit with an odor that I can only describe as stomach contents. Not only me, but many behind me had the same reaction and none of us could hold back our lunch, so to speak. Before you knew it, a simultaneous puking splattered the glass of the Tomorrowland Transit Authority, a slow-moving observation ride that offers a peek into the actual Space Mountain ride on part of its journey. What is amazing is that people in the Tomorrowland ride who sat there slowly going around the park saw the aftereffects hit the glass as they rode through, and saw all the other riders getting physically ill, which made them also vomit—yet they didn’t smell the odor or have physical contact with the puke from the roller coaster riders. Why?
Disgust. Bodily fluids generally bring on feelings of disgust and this is one reason that while reading this paragraph you probably started to exhibit the expressions of disgust.
Disgust is often characterized by the upper lip being raised to expose the teeth, and a wrinkling of the nose. It may also result in both cheeks being raised when the nose is wrinkled up, as if to try to block the passage of the bad smell or thought into one’s personal space.
What ever the man in Figure 5-3 just saw, it caused a very noticeable display of disgust.
Figure 5-3: Clear signs of disgust with a wrinkled nose and raised lip.
© Mightyjohn | dreamstime.com
Disgust is one of those emotions, according to Dr. Ekman’s research, that is in reaction to the sight, smell, or even thought of something distasteful. From a social engineering standpoint this emotion might not lead you down paths of success, but it can surely help you to see whether you are hitting the mark with your target or causing him or her to mentally shut down to your ideas.
The odds are that if you cause disgust for any reason in your target, you have lost. If your appearance, smell, style, breath, or other aspect of your person can make a person feel disgust, then it will most likely close the door to success. You must be aware of what is acceptable and unacceptable to your targets. For example, if your audit is for a prestigious law firm and you have many piercings or tattoos, a very strong negative emotion may rise in your target, which can close the door to your social engineering attempt. If you see a facial expression similar at all to Figure 5-4 then you know it is time to leave the scene.
Figure 5-4: If you see this expression, something is wrong.
You must seriously consider your appearance when working on your pretext. If you happen to notice the strong negative emotion of disgust in your target, then backing down and politely excusing yourself to rework your pretext or find a different path in may be a good idea.
Contempt
Contempt is a very strong emotion that is often confused with disgust because it is so closely linked. Dr. Ekman didn’t even include contempt on his first list of the base emotions.
In Dr. Ekman’s book Emotions Revealed he says, “Contempt is only experienced about people or the actions of people, but not about tastes, smells, or touches.” He then gave an example of eating calf brains, which might be disgusting to you as a thought, and will trigger disgust. Yet seeing someone eating them may trigger contempt for the person committing the act, not the act itself.
The fact that contempt is directed at a person rather than an object is crucial to understanding the microexpressions that go along with it. Being able to see whether the person you are dealing with is feeling contempt can help you to pinpoint more closely the reason for his or her emotion.
Contempt is distinguished by wrinkling the nose and raising the lip, but only on one side of the face, whereas disgust is the raising of the whole lip and the wrinkling of the whole nose. A very subtle contempt expression can be seen in Figure 5-5 whereas a more pronounced one is shown inFigure 5-6.
Try to mimic contempt, and if you are like me, you will quickly feel anger and contempt in your heart. Performing this exercise and seeing how these reactions affect you emotionally is interesting.
Figure 5-5: Notice the slight nose wrinkle and the raising of only the right side of Dr. Ekman’s face.
Dr. Paul Ekman
Figure 5-6: Notice the signs of contempt are more prominent in this picture.
Dr. Paul Ekman
Contempt is often accompanied by anger, because the things that can cause contempt in a person can also trigger strong negative emotions. Contempt is one emotion you want to avoid triggering in anyone with whom you are dealing, especially if you are in a social engineering engagement.
Fear
Fear is often confused with surprise because the two emotions cause similar muscular reactions in the face. Recently while on a plane, I was about to write the section on happiness, but something amazing happened at that time that served as the impetus for writing this section on fear instead.
I am not a short man, being 6’3”, and not a small build, either. While I sat on the plane with a few hours to kill I thought I would take advantage of the time to work. Let me add that coach seats aren’t what they used to be. As I sat with my laptop open staring off into space I pondered how to start the section I had intended to write. I soon realized I was meant to start writing about fear, because the gentlemen next to me pulled out a water bottle and took a swig, but I didn’t see him recap the bottle. Out of the corner of my eye I saw his bottle falling from his hands and toward my keyboard. My instant reaction was easily identified as fear.
My eyes opened wide, while my eyebrows crunched together inward. My lips pulled together and out towards my ears. Of course, I didn’t realize all this as it was happening but afterward I was able to analyze what had happened and I knew I had felt fear. I then analyzed the way I felt my face move and determined that if I repeated the expression I felt that same emotion all over again. I am sure I looked similar to what is seen is Figure 5-7.
Try to see whether you can generate this emotion in yourself by following these steps:
1. Raise your eyebrows as high as they will go.
2. Drop your mouth open slightly and pull the corners of your lips back.
3. If you can, pull your eyebrows together while raising them as high as you can.
How did you feel? How about in your hands and arms and your stomach? Did you notice any semblance of fear? If not, try the exercise again but think back to a time when you were in a situation (something similar to my plane experience, or a car in front of you screeching to a halt) out of your control. See how you feel then.
Figure 5-7: Clear signs of fear.
Dr. Paul Ekman
Most likely you will feel the emotion. A friend of mine sent me this picture of his daughter's first roller coaster ride (Figure 5-8). You can clearly see the raised eyebrows, eyes wide and the mouth open with lips pulled back.
From a social engineering standpoint, fear is often used to cause people to react a certain way. Malicious social engineers use fear tactics to get an unsuspecting user to click a banner or give up a valuable piece of information. For example, malicious banners might claim “Your computer is infected with a virus. Click here to get fixed now!!” These banners work against non-technical users who fear the virus and will click, only to be infected at that point.
Figure 5-8: This little girl is showing clear signs of fear on the roller coaster.
Chad Skidmor
One company I worked with was hit by a malicious social engineer who used fear to gain access to the building. Knowing that the CFO was out of town on an important business meeting and could not be disturbed, the social engineer went into the company as a tech support guy. He demanded access to the CFO’s office, which was promptly denied. He then played this line, “Mr. Smith, your CFO, called me and told me that while he was away at this meeting I better come down and fix his e-mail problem and that if it is not fixed while he is gone, heads will roll.”
The secretary feared that if it didn’t get fixed, she would be to blame. Would her boss really be angry? Could her job be at risk? Because she feared a negative outcome, the secretary let the phony tech support guy in. If he was a skilled social engineer he may have been watching her facial expressions and noticing whether she exhibited signs of worry or anxiety, which are related to fear. He then could have played on these signs more and more, getting her to cave in to her fear.
Fear can be a big motivator to do many things that you (or your target) would not normally consider doing.
Surprise
As mentioned earlier, Dr. Ekman and many other psychologists in the area of microexpressions have concurred that surprise is closely linked to fear because of certain similarities. Even so, some marked differences exist, such as the direction the lips take and the way the eyes react.
Try this exercise to show surprise:
1. Raise your eyebrows, not in fear but with the goal of widening your eyes as much as you can.
2. Let your jaw unhinge and open slightly.
3. After you get the expression down pat try doing it quickly.
I noticed I almost was forced to gasp in some air when I did it, causing me to feel something similar to surprise. You should see an expression similar to Figure 5-9.
Figure 5-9: Notice the way the eyes and lips appear similar to fear.
Dr. Paul Ekman
Surprise can be good or bad. Hearing your daughter’s first words, of course, is a good surprise. Or the surprise can be one of an event, statement, or question that you didn’t expect that causes this response.
As you can see in Figure 5-10 whatever that woman must have seen really surprised her. Maybe a gift is being presented or something one of her grandchildren said to her. Notice her eyebrows raised and her jaw is unhinged and open. This kind of surprise is easy to see because it is so pronounced and the expressions are easy to pick out.
Figure 5-10: Often confused with fear, surprise has some minor differences.
© Stylephotographs (Robert Kneschke) | Dreamstime.com
If the surprise is positive, it can often cause a smile or a jovial response after the initial shock wears off. A social engineer can sometimes use surprise to open the target’s door, so to speak; following up with quick wit or a joke can quickly put the target at ease, causing the target to lower his or her guard.
Sadness
Sadness is an overwhelming and strong emotion. Sadness is one of those emotions that we may feel ourselves when we see other people who are expressing this emotion. Some people can feel sadness just by seeing others who are sad, even to the point of crying.
To show you how easily you can feel sadness, try this exercise:
1. Drop your mouth open slightly.
2. Pull the corners of your lips down.
3. Hold your lips in place, and while doing that try to raise your cheeks as if you are squinting.
4. While maintaining that tension, look down and let your upper eyelids droop.
Most likely you will begin to feel sadness. When I first did this exercise, it was overwhelming for me. I instantly felt sad and found I had to control the length of time I performed it because it caused me to be sad for quite a while. To see how this should look, notice the expression in Figure 5-11.
Figure 5-11: Notice the lips and eyes drawn back and down, signifying sadness.
Dr. Paul Ekman
Another aspect of sadness that makes it an amazing emotion is that it does not always have to display as agony or extreme grief. Sadness can be very subtle. Sadness can also be displayed in just one part of the face. People may try to hide sadness by using a fake smile or what I call “stoic eyes,” where they stare straight ahead, almost in a daze, but you can tell they are trying to control the emotion they are feeling.
Take a look at Figure 5-12. In this case you can see an example of sadness when half the face is covered. This woman is showing definite signs of sadness which can be noticed even though her face is covered. Notice her brow is slightly furrowed as well her eyelids dropping and you can see the corners of her mouth pointing downward.
Figure 5-12: Notice the lips drawn back and down, signifying sadness.
Spectrelabs (Adrin Shamsudin) | Dreamstime.com
The eyes are one of the best indicators to reading sadness. The expression is often confused with tiredness and other emotions that can cause similar eye movements. Tying in the body language with what is read on the face can also help to determine if it is sadness or another emotion.
This can be especially true if you are dealing with other cultures. Particularly in cultures where much of the face is covered by clothing. In many Middle Eastern cultures where women cover much of their face, you may only be able to see the persons eyes. In these cases it will be very important for the social engineer to also use body language to determine if what they are seeing is genuine sadness.
Sadness is often used in social engineering because it can trigger people to take an action such as donate money or give out information. You have probably seen it used in television commercials showing a very disadvantaged child. These children may be malnourished, poverty stricken, and seemingly unloved, but for just a small donation you can bring a smile to the child’s face. The images of sad, crying, emaciated children will tug at your heartstrings. I am not suggesting that these commercials are malicious social engineering, just that they use social engineering to a degree, by using an emotional trigger to get a reaction out of the target.
Unfortunately, malicious social engineers often use this emotional trigger to obtain things from their targets. I once walked into a restaurant and overheard a young man telling a group of older folks who were leaving that he just ran out of gas on the highway and needed to get home because his wife was nine months pregnant. He had been out of work and had just walked a mile off the highway to use the phone to call his wife and wondered if they could give him $20. When I heard some of the story I slowed down and made believe I was on a phone call to observe the rest. He told his tale and then backed it up with, “Look if you give me your address, I will mail you a check for the $20,” concluding with “I swear to God.”
The story had some elements in it that could elicit compassion, especially when his face showed concern, anxiety, and sadness. He didn’t get $20—he was given $20 by each of the three people in that group. He said “God bless you” a few times and gave the group a few hugs and said he was going to go in to call his wife and tell her he was on the way home. He hugged them and they left feeling as if they had done their good deed for the week.
A few minutes later as I’m eating my meal, I see him at the bar drinking a couple of fully paid-for drinks with his buddies. Mixing a sad story with some sad facial expressions, he had been able to manipulate the emotions of those around him.
Happiness
Happiness can have many facets to it—so many that I can probably make a chapter just on it, but that is not my focus. Dr. Ekman’s books cover many excellent points about happiness and similar emotions and how they affect the person with the emotion and those around him or her.
What I want to focus on are just a couple aspects of happiness—most importantly the difference between a true smile and a fake smile. The true and the fake smile are an important aspect of human expressions to know how to read, and as a social engineer to know how to reproduce.
Has there been a time where you met someone who was very pleasant but after you parted ways your spouse or you yourself said, “That guy was a fake…”?
You might not have been able to identify the aspects of a true smile in your head but something told you the person wasn’t being “real.” In the late 1800s a French neurologist, Duchenne de Boulogne, did some fascinating research into smiling. He was able to attach electrodes to a man’s face and trigger the same “muscular” response in the face as a smile. Even though the man was using all the right muscles for smiling, de Boulogne determined that the look of the man was still a “fake smile.” Why?
When a person smiles for real, de Boulogne indicates, two muscles are triggered, the zygomaticus major muscle and the orbicularis oculi. Duchenne determined that the orbicularis oculi (muscle around the eyes) cannot be triggered voluntarily and that is what separates a real from a fake smile.
Dr. Ekman’s research concurs with Duchenne’s and although recent research indicates some can train themselves to think about triggering that muscle, more often than not a fake smile is all about the eyes. A real smile is broad with narrow eyes, raised cheeks, and pulled-up lower eyelids. It has been said that a real smile involves the whole face, from the eyes to the mouth, as seen in Figure 5-13.
Figure 5-13: Dr. Ekman demonstrates a fake smile (left) next to a real smile (right).
If you were to cover the top half of Dr. Ekman’s face you would be hard pressed to tell a real from a fake smile. It is not until you examine the eyes that it becomes clear, side by side, which smile is fake and which is real.
When a person sees a real smile on another person's face, it can trigger that same emotion inside of them and cause them to smile. Notice Figure 5-14, this man is showing genuine happiness with a real smile. Notice how his whole face is involved in this smile.
From a social engineering standpoint, knowing how to detect and also create a real smile is a valuable piece of information. A social engineer wants a target to be put at ease, so as to have the greatest positive effect on the target. Social engineers in any form, whether they are salespeople, teachers, psychologists, or any other social engineer, often start off a conversation with a smile. Quickly our brains analyze how we feel about that visual input given to us and it can affect the rest of the interaction.
A lot of information is packed into the preceding section, yet you may be wondering how social engineers can train themselves not only to see microexpressions but also how to use them.
Figure 5-14: Notice how his whole face is involved in this smile.
© Shaileshnanal (Shailesh Nanal) | Dreamstime.com
Training Yourself to See Microexpressions
Hollywood often overstates the abilities of the characters that appear in movies and television. For example, in the new hit television show Lie To Me (based on Dr. Ekman’s research) the main character, Dr. Lightman, can read microexpressions with seemingly no effort, and what is even more amazing is he usually can tell why the emotion is occurring.
Yet in real life, much of the research done by those in the field, like Dr. Ekman, meant sitting in front of prerecorded sessions and analyzing these sessions frame by frame. After many years of working on this task he is probably able to notice, pick up, and analyze microexpressions very quickly. In the 1970s he did a research project where he identified some who had a natural ability to notice and correctly analyze microexpressions.
Because many of us might not fall into that natural ability category we need a way to practice, train, and become proficient at performing, reading, and using microexpressions. I can tell you what works for me. I read the methods on how a particular microexpression is identified, then practice reproducing it using a mirror, comparing my expression to the notes from the professionals that describe how it is done. I usually have a picture that shows the emotion I am working on because having something to mimic helps me.
After I feel relatively good about reproducing the microexpression I focus on how it makes me feel, tweaking small areas until the muscular movements cause me to feel the matching emotions.
I then scour the Internet looking for pictures and try to identify the expressions in those pictures. Next, I record news or television shows and play certain parts in slow motion with the sound off to see if can determine the emotion, then listen to the story to see if I was close. All this leads up to working with live “subjects.” I watch people interact with each other and try to identify the emotions they are feeling during their discussions. I try both with being able to hear the conversation and also without being able to.
The reason I chose this path before trying to read microexpressions in my own conversations is that I found that trying to do it in a live environment without having to also focus on making good conversation is easier. I just read the facial expressions and do not get confused by other sensory input. The preceding method is the one I used before I had a chance to meet Dr. Ekman and be introduced to his training methods. Of course, he has books that contain step-by-step instructions on recreating and reading these expressions. His books also include pictures showing the emotions as well as examples in the news that show those emotions. His book Emotions Revealed does this in a very professional format that is excellent for learning.
In recent years Dr. Ekman has developed and released training specifically for microexpressions. His website, www.paulekman.com, has three different types of training that have changed the way people can learn this powerful science.
Ekman’s training gives the user a lesson on each type of microexpression via video and text. The user can replay the expression video to see how each part of the face is involved. After the user spends as much time as needed learning and watching the video sections, she can take a pretest. The pretest enables her to see how good she is at noticing microexpressions. When the user guesses at what microexpression is being displayed, she can get confirmation or correction. If correction is needed then she can take additional education and training.
After the user is confident in her abilities she can take the real test. In the final exam no correction is given. The user is shown a microexpression once for a brief one twenty-fifth of a second, and then she must select what the microexpression is and then wait to be graded at the end.
This type of training tool can take years off of your learning curve in becoming proficient at reading microexpressions. One caveat: Dr. Ekman, as well as his contemporaries, state that even though you may become proficient in reading microexpressions, a microexpression is limited. What does that mean?
One of the tricks actors use to be able to successfully show proper emotion is to remember and focus on a time when they truly felt the emotion they need to portray; for example, a moment of happiness that produced a real smile. As mentioned earlier, making a real smile is very difficult to fake if you aren’t truly feeling happy, but if you can bring up a memory when you felt that emotion your muscles will remember and react.
Therefore, although you can become proficient at reading the emotion, you cannot read the why behind it. The why is often lost to science. I had a friend who had some bad experiences as a child with a person who closely resembled a good friend of mine. Whenever my friend would come around she had strong emotional reactions. If you were to read her microexpression you would probably see fear, contempt, and then anger on her face. She did not hate my friend, but she hated the person in her memory who resembled my friend.
This is a good point to remember when you are learning how to read microexpressions. The expression is linked to an emotion, but the expression doesn’t tell you why the emotion is being displayed. I know when I first started learning about microexpressions and then became somewhat “proficient” at reading certain expressions, I felt like I was a mind reader. Although this is far from the truth, the caution is to not be assumptive. You may become very good at reading microexpressions; however, later sections discuss how to combine this skill with interrogation tactics, body language skills, and elicitation skills to not only figure out what targets are thinking, but also to lead them down the path you want.
The question you still may have is, “How can I use these skills as a social engineer?”
How Social Engineers Use Microexpressions
This whole section leads up to this: As fascinating as the research is, as amazing as the science is behind this psychology, how do you utilize microexpressions in a social engineer audit and how do malicious social engineers use them?
This section discusses two methods of how to use microexpressions in social engineering. The first method is using microexpressions (ME) to elicit or cause an emotion, and the second method is how to detect deceit.
Let me start with the first method, using your own ME to cause an emotional response in others. I recently read a research paper that changed my view of ME and opened my eyes to a new area of research. Researchers Wen Li, Richard E. Zinbarg, Stephan G. Boehm, and Ken A. Paller performed a study called “Neural and Behavioral Evidence for Affective Priming from Unconsciously Perceived Emotional Facial Expressions and the Influence of Trait Anxiety” that changes the face of microexpression usage in modern science.
The researchers connected dozens of mini-EKGs to muscle points on their subjects’ faces. The devices would register any muscular movements in their face and head. They then played videos for them that had one-twenty-fifth-second flashes of microexpressions in frames. Li et al., found that in almost every case the subject’s muscular movement would begin to mirror that which was embedded in the video. If it was fear or sadness, the subject’s facial muscles would register those emotions. When interviewed about the emotion the subject was feeling it was the emotion embedded in the video.
To me, this groundbreaking research proves that a person can manipulate another person to a certain emotional state by displaying subtle hints of that emotion. I have started conducting some research into this from a security angle and I am calling it “neurolinguistic hacking,” mainly because it takes much from microexpressions as well as neurolinguistic programming (discussed in the next section) and combines them to create these emotional states within a target.
Imagine this scenario. A social engineer wants to walk into a company with the goal of getting the receptionist to insert a malicious USB key into the computer. His pretext is that he has a meeting with the HR manager, but on the way in, he spilled coffee all over his last resume. He really needs this job and to help, would she print him out another copy of the resume?
This is a solid pretext that tugs on the receptionist’s heartstrings and has worked for me in the past. Yet, if the social engineer allows his own emotional state to run rampant he might be showing signs of fear, which is linked to nervousness. That fear can translate to an uneasy feeling in the receptionist and failure or rejection of the request. Whereas if he were to control his emotions and flash subtle hints of sad microexpressions, which is closely linked with empathy, then he might have a very good chance at his request being honored.
Recall the previous discussion of the commercials that encourage people to donate “only a dollar a day” to feed a child in need. Before requesting money, before flashing a phone number and URL, before telling you that credit cards are accepted, many long images of very sad children flash across your TV screen. Those images of children in need and children in pain put your brain in the emotional state that is needed to comply with the request.
Do those commercials work on everyone? No, of course not. But although not everyone donates, it will affect almost everyone’s emotional state. That is how a social engineer can use ME to the fullest. Learning to exhibit the subtle hints of these ME can cause the neurons in your target’s brain to mirror the emotional state they feel you are displaying, making your target more willing to comply with your request.
This usage of ME can be malicious, so I want to take a moment to talk about a mitigation (see also Chapter 9). Being aware of how ME can be used doesn’t mean you need to start training everyone in your company to be an ME expert. What it does mean is that good security awareness training does need to occur. Even when requests are designed to make you desire to help, desire to save, desire to nurture, the security policy must take precedence. A simple, “I’m sorry we cannot insert foreign USB keys into our computers. But two miles down the road is a FedEx Kinko’s shop. You can print another resume there. Should I tell Mrs. Smith you will be a few minutes late?”
In this scenario, such a statement would have squashed the social engineer’s plans as well as given the target the feeling of being helpful.
To utilize the power of ME, sometimes you have to combine it with other aspects of human behavior as well. The second method, how to detect deceit, describes how you can do this. The second method for using ME as a social engineer is in detecting deception. Wouldn’t it be nice if you could ask a question and know whether the response was truth or not? This subject has been a source of heated debate among many professionals who claim that eye patterns, body language, facial expression, or a combination of all the preceding can indicate truth or deception. While some do not believe this to be the case, others feel these can be used as an exact science.
Although some truth may exist in each of those thoughts, how can you use microexpressions to detect deception?
To answer this question you must take into account more than just microexpressions because, as identified throughout this section, microexpressions are based on emotions and reactions to emotions. Keep this in mind while reading this section, which analyzes some causes and effects.
Four things can help you detect deceit in a target:
· Contradictions
· Hesitation
· Changes in behavior
· Hand gestures
The following sections discuss these items in more detail.
Contradictions
Contradictions are particularly tricky because they often can and do occur in factual accounts. I know in my case I often forget details, and my wife will fill them in quickly. After I get a little hint here or there I often can remember the full story. This doesn’t mean that I am always lying at the beginning of a story or conversation, but I don’t always remember all the details clearly enough to comment on them at first, or I think I do remember the details but I really don’t. Even after I “remember” the details, the details may be my version of reality and not the way the story actually happened.
This inadvertent dishonesty is important to consider when evaluating contradictions as a clue to lying. What a contradiction should do is prompt you to dig more. Watching the person’s microexpressions while you question him about a contradiction is also helpful.
For example, suppose you have developed a pretext as a visiting salesperson. You are going to try to gain physical access to the CEO to deliver a CD with a special offer. You know the CEO is very partial to a certain charity so you developed the pretext around that. As you walk into the lobby the front desk person says, “Sorry, he is not in, you can just leave it with me.”
You know that if you leave the CD a greater chance exists that your “malicious” CD will never be used. You also feel he is in because you see his car in the parking lot and you know today was a normal work day for him. With those facts in mind and without wanting to embarrass the front desk person you say, “Oh, he’s really not? I called the other day and asked when I could visit and was told today was a good day. Did I mix up my days?”
If you’ve played your cards right and your expressions are genuine, this can turn out two ways:
· She may hold steady and again say, “Sorry, he’s not in.”
· She may contradict herself (which can be a clue that she is not being truthful): “Let me check whether he is in or not.”
What? She went from a stern “He is not in” to “Let me check.” That contradiction is enough to signal that you should dig more. What was her ME when she did that? Did she show shame or maybe some sadness at lying? Was she angry at being caught in a lie? Was she embarrassed that she was wrong and maybe confused? You cannot automatically assume she is lying, because maybe she really didn’t know, and when you rebutted she decided to really find out.
After she confirms whether he is in you can choose to dig a little deeper and probe more to determine truthfulness if needed. Again, playing your card of “Maybe I mixed up my days” and watching her facial expressions can be a good indicator of her truthfulness or not.
If in your first go-round you saw any hints of anger, continuing to enquire can cause her to be more angry and embarrassed and end your interaction. At this point, you may want to ask something like, “If Mr. Smith isn’t in right now and I really mixed up my days or times, when can I stop in to see him? What time is the best?”
This type of question allows her to save face, as well as gives you another opportunity to read some facial expressions. If you didn’t notice anger but maybe saw she looked a little sad or embarrassed then you might want to respond with empathy and understanding to open her up. “I could have sworn that he said today was a good time to drop it off, but you know, my memory is so bad, my wife tells me I am getting Alzheimer’s. I bought one of these smart phones, but I’ll be darned if I can figure it out. I don’t want to be a bother, but when can I just drop this off for him? I want to make sure it gets right into his hands.”
Be very observant of minor contradictions as they can be key indicators in deceit and help you get your foot in the door.
Hesitation
Similarly to contradiction, you can use someone’s hesitation to detect a potential untruth. If you ask a question and the answer should have come quickly from the person, but he hesitates beforehand, it can be an indication that he was using the time to fabricate an answer.
For example, when my wife asks me how much my new electronic gadget costs, she knows I know the answer. A hesitation can mean either I am evaluating whether I want to answer truthfully or I might just be remembering the price.
When I get a progress report from my son’s school that says he missed X number of days at school and I only know about two or three valid absences, I ask him where the rest of these missed days are from. If his answer was, “Dad, don’t you remember I had that doctor appointment and then you kept me home that day to help you with that project?” Most likely that is full-on truth because it was quick and has facts in the response. However, if he hesitates and comes back with, “Wow, I don’t know—maybe the report is wrong,” then noting his microexpression during his response is a good idea. Does it indicate anger, maybe at being caught, or sadness at the imagined punishment? Either way, it is time for me to investigate more and find out where he was those days.
Another thing to look out for is a well-known hesitation tactic of repeating the question back to you as if asking for verification that the question is correct. Doing so allows for time to fabricate a response. The use of hesitation to detect deception is not an exact science, but it can be a good indicator. Some people just think before they speak. I am from New York, so I speak fast. If someone speaks slower than me it is not an indication of deceit. You must be able to use the ME to determine if someone is just slow at speaking or trying to fabricate a response.
If the emotion does not match the question asked then it might be worth looking into.
Changes in Behavior
During a discussion the target may change his behavior every time a certain topic is brought up. Maybe you notice an expression change or a shift in the way he sits, or a marked hesitation. All of these actions can indicate deceit. Whether these actions amount to deceit is not certain, but they should cause you to probe more on the topics being discussed in a way that does not alert suspicion. These behaviors can be signs that the person is using the time delays to generate a story, recall facts, or decide whether he wants to reveal those facts.
Hand Gestures
People often paint pictures with their hands using gestures. For example, someone may use his hands to show how big something is, how fast something was going, or to show how many times something was said. Many professionals feel that when someone is being untruthful he will touch or rub his face often. Some psychological connection exists between rubbing the face and generating a fabrication. Some of the cues used by psychologists and body language experts to detect deceit are discussed here: www.examiner.com/mental-health-in-new-orleans/detecting-deception-using-body-language-and-verbal-cues-to-detect-lies.
Taking note of a change in the size, frequency, or duration of hand gestures during a conversation is important. In addition, you should watch facial expressions during gestures that can raise a flag in your mind.
When you detect deceit, having a plan for how to respond is important and a good idea. In the earlier scenario with the front desk person and her “out-of-the-office” boss, calling her out on her lie would most likely have raised all sorts of red flags, embarrassing her, and ruining any chances of success. If your pretext is someone with authority, like a manager or department supervisor, and you catch someone in a lie you can then use that to your advantage. By “forgiving” the person you are now owed a favor in return. But in the same scenario, if the position you are in is lower (someone in a non-management position such as a secretary, receptionist, or sales position) than the target, playing that card can be dangerous. The authority action would not fit the pretext of someone in a non-management position.
What it boils down to simply is that as a social engineer auditor you must learn to use a person’s microexpressions to determine whether he is presenting the truth or a lie and to determine whether you are affecting the target the way you want. In some cases you can even use certain expressions to manipulate the target into a certain state of mind.
Remember, microexpressions alone are not enough to determine why an emotion is occurring. Determining that someone is angry or sad, for instance, doesn’t tell you why that person is angry or sad. Be cautious when using microexpressions to take into consideration all factors to determine, as closely as possible, the reason for the emotion.
Malicious social engineers employ these tactics of using microexpressions discussed in this section but their goals are completely different from those of a social engineer doing an audit. They often don’t care about the residual effect on the target. If damaging a person’s belief system, psychological stability, or even job stability can lead the malicious social engineer to a payday he will take that path.
Earlier in this book you read about some scams that came up during the attacks in New York City after 9/11. People who saw an opportunity to cash in on people’s sympathy and the tragedy that occurred didn’t seem to care whether their actions hurt others. Many came out of the shadows claiming to have family who were lost in those attacks. Some of these malicious people received money, gifts, sympathy, and even media attention only for it to be discovered down the road that the stories were all false accounts.
The malicious social engineer spends a lot of time learning about people and what makes them tick. This knowledge makes locating an acceptable target to attack easier.
This section just scratched the surface of microexpressions; the work of many professionals in the field has filled volumes. Seek out training, become proficient in reading and using microexpressions, and you will see an increase in your communication abilities with others. In addition, this proficiency will enhance your ability to have success in your audits.
Neurolinguistic Programming (NLP)
Neurolinguistic programming (NLP) studies the structure of how humans think and experience the world. It is very controversial in itself because the structure of NLP does not lend itself to precise, statistical formulas. Many scientists will argue or debate the principles of NLP due to this fact, but the structure does lead to models of how the principles work. From these models, techniques for quickly and effectively changing thoughts, behaviors, and beliefs that limit people have been developed.
As stated in Wikipedia (source: Oxford English Dictionary), neurolinguistic programming is “a model of interpersonal communication chiefly concerned with the relationship between successful patterns of behavior and the subjective experiences (esp. patterns of thought) underlying them,” and “a system of alternative therapy based on this which seeks to educate people in self-awareness and effective communication, and to change their patterns of mental and emotional behavior.”
This book is far from a self-help book, so although the principles in it can assist in changing deep-seated thought patterns and habits in yourself, its focus is on how you can use NLP to understand and then manipulate those around you.
If you are unfamiliar with NLP your first instinct may be to run to a computer and type the term into Google. I want to ask you not to do that just yet. You will find that similar to social engineering, what you will often find first are many videos and demonstrations that just seem very unrealistic, such as videos of someone touching another person’s shoulder and changing that person’s brain patterns to think brown is white or somesuch. These videos make out NLP to be some form of mysticism, and for those who are leery of these things, these types of videos discredit it.
Instead the following sections break NLP down into a few parts. Up next is a very brief history of NLP, which can help you to understand that its roots are not with street magicians; instead, it has deep psychological roots.
The History of Neurolinguistic Programming
Neurolinguistic programming (NLP) was developed in the 1970s by Richard Bandler and John Grinder with the guidance of Gregory Bateson. Its roots came from Bandler and Grinder’s research into some of the most successful therapists of their time.
From this initial research they developed the “code” concepts of NLP. This early research led to the development of a meta-model, which recognizes the use of language patterns to influence change.
Both Bandler and Grinder were students at the University of California and used the principles of their research to develop a therapy model called the meta-model. After writing a few books based on this model they began to refine the core principles that would become what we call NLP today. This included things like anchoring, swish pattern, reframing, belief change, nesting loops, chaining states, and submodalities applications.
After graduating with degrees in psychology, Bandler and Grinder began hosting seminars and practice groups, which served as places for them to practice and test their newly discovered patterns while allowing them to transfer the skills to the participants. During this period, a creative group of students and psychotherapists who formed around Grinder and Bandler made valuable contributions to NLP, helping refine NLP even more.
In the recent years, NLP became the new buzzword again for managers, driving rapid growth of trainers, classes, and experts. Without any regulating body, the field grew as everybody wanted to learn to control others, lie without getting caught, or solve all their psychological problems. Practitioners were not licensed, so each group taught its own form and concept of NLP and issued its own certification as experts. All of this is what led to NLP being viewed somewhat unfavorably.
Despite its rocky history, the core foundation of NLP can enhance your abilities as a social engineer. The next section discusses some of the core codes of NLP so you can analyze them more deeply.
Codes of Neurolinguistic Programming
In the early 1970s NLP had a code comprised of the collective body of learning and investigation that generated the first books and the term neurolinguistic programming. As time went on John Grinder and others have continued to contribute to the field of NLP. The “new code of NLP” is an ethical and aesthetic framework for NLP development.
New Code of NLP
NLP’s original ideas were born in the 1970s. As time passed, John Grinder began to realize that much of the old code must change to be brought into modern times. He began working with Gregory Bateson and Judith DeLozier and produced the “new code” that focused more on what the person thinks or believes will happen and changing that belief. Learning techniques for expanding your perceptions, overcoming old thought patterns, and changing habits all help in self-change.
The new code focuses on the key concepts of states, conscious/unconscious relationships, and perceptual filters, all of these pointing to states of your mind and your perception of those mental states. These new concepts are meant to move NLP forward and help practitioners think about it in new ways. Many of the basic tenets from the new code are being taught now as part of the standard NLP courseware. This new code is best understood by reading Turtles All the Way Down by Grinder and DeLozier. It’s compiled from their seminar “Prerequisites to Personal Genius.”
In essence, the new code states that to make a change the client must involve their unconscious mind, the new behavior must satisfy their original positive intention, and the change must occur internally at the state of mind rather than at the behavioral level. This new code suggests how NLP can create serious and drastic changes to a person’s thinking.
This is a key concept for social engineers because, as you investigate and analyze the new code, you will begin to see how it can be used to manipulate others. Before doing that, though, you need to understand the scripts that the new code uses.
Scripts in the New Code
People tend to have common problems, so groups of scripts have been developed to help therapists use NLP in their practice. These scripts lead the participant through a series of thoughts that help guide the person to the desired end. Several good books on NLP scripts exist, with The Big Book of NLP Techniques: 200+ Patterns & Strategies of Neuro Linguistic Programming being highly recommended.
An example of one script is an outline of how to increase your sales by getting someone to start talking about their dreams. Once you have them talking about certain goals or aspirations, you can posit your product or service as answering one of the needs to reach those goals. By positively building on your product as fitting a need they have, you give your potential sale’s brain a way to connect your product with positive sales.
If you take time to Google much of the information included here you will see that NLP can take on a life of its own. You can take many angles and paths when studying NLP. Despite all the plethora of information out there the question remains, how can a social engineer use NLP?
How to Use NLP as a Social Engineer
Many of the scripts and principles of NLP tend to lean toward hypnosis and similar avenues. Even though you will not use hypnosis to social engineer a target, you can use many of the principles of NLP as a social engineer. For example, NLP can teach you how to use your voice, language, and choice of words to guide people down the path you want.
Voice in NLP
You can use your voice to inject commands into people just as you would use code to inject commands into a SQL database. The way you say things is where the injection occurs; this single moment of injection is framed within regular conversation. Sometimes how you say something is more important than what you say.
NLP promotes the use of embedded commands to influence a target to think a certain way or take a certain action. Also, using the tones of your voice to emphasize certain words in a sentence can cause a person’s unconscious mind to focus on those words. For example:
For instance, ask “Don’t you agree?” Instead of putting an upswing on the word “agree,” like you would normally at the end of a question, put a downswing to make the question more of a command.
Another one I have heard used effectively is, “My customers usually do the things I say. Do you want to begin?” The way that sentence is used and surrounded by other statements can make this a very commanding statement.
More on this in the next section, but this skill alone can change the way you interact with others; the principles for it are steeped in NLP.
Sentence Structure
In English, the sound of the person’s voice at the end of sentence indicates whether what is being said is a question, statement, or command. A person’s voice goes up at the end of a sentence for questions. The voice stays the same through the end of the sentence in statements, and the voice lowers at the sentence close for commands.
For the next few paragraphs, the bold font denotes to lower (deepen) your voice tone.
Try this exercise: When you ask a question such as, “Is that your dog?”your voice will rise at the end of that sentence. Yet you can embed subtle commands into sentences by just changing them to a downward point during the sentence, not at the end. Here are a few simple commands for you to practice. Notice how they have the command injected inside the sentence.
“Remember how clean your room looked last Christmas?” The embedded command is “clean your room,” which includes a time shift to a happier time. This is an example of a pleasant, painless injection.
“Buy now, you can see the benefits!” This one starts with the voice low, then up to a normal tone, then back down for benefits.
“The higher my company goes in consulting, the more nice people like you we encounter.” Implanting the higher my company with a pleasant comment has just increased your chance of being hired, partly because of the play on words (Higher sounds like hire—thus what the listener hears is hire my company).
From a social engineering standpoint you can form sentences when performing an audit over the phone to maximize the potential for success, such as:
“This is Larry from tech support; we are giving all reps new passwords. Your new password is…”
The following are tips for using your voice in successful social engineering:
· Practice. You have to practice speaking in this manner so you don’t sound like a teenage boy entering puberty. Your rising and falling tones can’t sound canned; they must be subtle.
· Have careful sentence structure. Develop sentences that maximize your ability to accomplish your tasks. Don’t go for the kill, so to speak. A command like “give me access to your server room now” is probably not going to work, but you can use these voice techniques to help a target be more open to the idea.
· Be realistic. Don’t expect to speak and have people falling at your feet to do what you ask. These techniques can put your target in a frame of mind that will make getting what you want easier.
One technique, Ultimate Voice, if mastered, does have very powerful effects. I once interviewed an NLP practitioner on a podcast who had this gift. When he spoke it was as if you could not argue with him. He spoke with such control and technique that disagreement never even entered my mind. How can one master this technique?
Using Ultimate Voice in Social Engineering
You can master the Ultimate Voice but it takes lots of practice. The ability to embed commands into normal conversation is a skill that is very useful when mastered. Ultimate voice is the ability to inject commands into people’s minds without their knowledge. It can sound very artificial when new people try it, until enough practice makes them sound natural.
Hypnotists often use this technique like so:
“You can feel yourself relaxing as you slip into calmness.”
This standard therapy phrase can be adapted to nearly any command you like. Put extra emphasis on the vowels in the words you want to accent—for example, “yooouurseeelf reelaaxiing.”
Planet NLP (www.planetnlp.com/) offers three exercises that you can use to work on mastering this technique.
1. Move your voice around. Press your hand on your nose and say “nose.” Concentrate on your nose as you repeat the word until you can feel your nose vibrating. Now do the same exercise with your hand on your throat, saying “throat.” Do the same on your chest, saying “chest.” Keep practicing until you can really feel the vibration in each place. Notice how different each one sounds.
2. Use your range. Starting from a high note, say “ar” (as in the letter r). Keeping your mouth open, allow the note to drop down until your breath runs out.
Repeat this exercise ten times.
Then, starting from a low note, say “ou” (as in you without the y), allowing the note to rise until you cannot support the sound.
Repeat this exercise ten times.
3. Resonate. To use your voice correctly, it must resonate in the mask, which is the facial area surrounding the nose and mouth.
There are two ways to practice resonating:
·Hum at whatever pitch is most comfortable for you. After you have found your pitch then hum “umm” followed immediately by the word “ready.” Do this a few times, then try the words “now,” “one,” “two,” and “three.”
·Hum and then allow your lips to vibrate. You are attempting to sound like a dove. Allow the pitch to rise and fall. This is very difficult if you have any tension in the jaw or face. Done correctly for a few minutes, your face will start to feel numb.
After a couple of minutes using these methods, you should notice that your voice sounds crisper. If you find it hard to notice, record yourself and listen back to see how it sounds to you.
The best way to improve is to spend about five minutes a day going through these exercises.
Practice can help you to learn to control this vocal technique. For example, I am generally a loud person. It seems like I don’t have the ability to whisper. For me to control my tones, pitch, and volume, I need practice. Doing simple voice exercises like these can help you to control these voice characteristics.
When you speak a sentence in which you want to include a hidden command, and you want to lower your tone, being so subtle that the target doesn’t realize it is imperative. Otherwise, you will alert that person’s subconscious to trigger that something is amiss. If that occurs he may pick up on your attempts thereby shutting down your success.
Like most things in social engineering, if a technique doesn’t come naturally, practice is essential. Try this voice technique on your family and friends before you ever attempt it in an audit.
From personal experience, when I first started working on the Ultimate Voice techniques I decided my goal was to embed commands into questions. This goal took a while to realize but I would try simplistic things like:
“Honey, what do you want to eat for dinner tonight, steak or something else?”
To conclude this section, consider three things a social engineer should focus on when studying NLP:
· Vocal tones. As stated previously, the tones of your voice as well as the emphasis you put on certain words can change the whole meaning of a sentence. Using tone and emphasis, you can embed commands inside of the subconscious mind of the target and allow the target to be more open to suggestion.
· Chose your words carefully. Learn to choose the words that have maximum impact. Match positive words with thoughts you want the target to think positively on and negative words with those you want them to not think of too highly. This technique can also help the social engineer make a target more pliable.
· Create a list of command sentences that you can use in person or during a phone social engineering audit. Writing out and practicing command sentences will help you be able to recall and use them when in need.
Most of all, practice. Controlling your vocal tones, the words you choose, and how you say them is not an easy task. Practice can make this become second nature.
NLP is a powerful topic, and, much like microexpressions, this section only scratched the surface. Once you start to master the techniques in NLP and the ability to read facial expressions, a next logical step is using these tools when interacting with a target. Next, this chapter analyzes the same tactics professional interrogators use.
Interview and Interrogation
Scenario 1: The door flies open and the perpetrator is noticeably nervous. Captain Bad-Mood comes over and grabs the perp by the collar and slams him up against the wall. Getting about an inch from his face he screams, “You’ll tell me what I want to know, one way or another!”
Scenario 2: The bad guy is tied to a chair, already bruised from the previous 30 minutes of beatings, and as the interrogator grabs a pair of shiny pliers he says, “You’ll be talking in no time….”
Scenario 3: The perp is sitting in a chair and two police officers enter the room. Calmly they walk over to the table and set a file labeled “Evidence” down on the table. Before they sit down they ask, “Do you need a coffee or a soda or something?”
Cracking open an ice-cold soda the first officer says, “Thanks for coming in today to help us out….”
Which one of the preceding scenarios is a real-life interrogation? If you guessed the third one, you’re right. It is how a real interrogation often goes. The first two have been portrayed in Hollywood movies and television series so much that many of us might think they are real. Outside of wartime scenarios and nations that do not ban the use of torture, the third scenario is most likely the way most interrogations begin.
Rarely will you as a social engineer be in a situation where your target is waiting in a room for you to question him. With that in mind, you might ask, how can you use the tactics of professional interrogators and interviewers as a social engineer?
Before going further you should know the differences between an interrogation and an interview. The following table presents some of these differences, but this topic has many different angles, viewpoints, and opinions, so more could exist.
Interview |
Interrogation |
Subject talks, you listen. |
You talk to subject about his statements. |
Subject leads direction of conversation; you clarify his statements and listen, then apply NLP skills. |
You lead direction. Apply NLP skills here. |
Non-accusatory. |
Accusatory. |
Soft in nature. |
Hard in nature. |
Subject’s location, subject at ease. |
Interrogation room, subject is tense. |
You gather information (who, what, when, where, why, and how). |
If you reveal certain information, you can learn details. |
Early in investigation. |
Final questioning session. |
The main difference between an interview and interrogation is that an interview is in an atmosphere where the target is comfortable both physically and psychologically, whereas in an interrogation the goal is to put some pressure on the target by creating discomfort with the location or the questions asked, with the goal of gaining a confession or some knowledge the target possesses.
Good interrogation is an art that you can master through experience. Many social engineering skills tie into to being a good interrogator. Skills like elicitation (see Chapter 3); reading people, faces, and gestures; and having insight into human behavior can all help you become a legendary interrogator.
Interviewing is a great skill to have, but as long as you can master the use of elicitation you can become great at conducting interviews.
Interrogation principles are used widely by successful social engineers. Putting a target in some psychological or physical discomfort to make gathering information from them easier is a skill most social engineers will spend a considerable time obtaining.
Professional Interrogation Tactics
Before conducting any interview or interrogation, the social engineer will need to have done thorough information gathering. You must obtain as much information about the target, the company, the situation, and details of each as possible. You must know how to approach a target and what to say, and have in mind the path you will take with the target. Be careful to observe your surroundings as well as any changes in the target during the conversation and initial approach.
One of the mistakes people new to interviewing and interrogation make is assuming every behavioral change has major meaning. A target’s crossing her arms doesn’t just mean a closed thought; she could also be cold, have underarm stink, or feel increased stress because of your questions.
Watch not for only one sign; watch for groups of signs. For example, a target crosses her arms, turns her head, and places her feet flat on the floor. This is a closed person; in other words, her body language indicates that she will divulge no more information or cooperate any longer—this door has been shut. A group of changes is the most important thing to watch for, so note the topic that was being discussed when the group of changes occurred.
When starting an interview or interrogation here are areas to observe for changes in the subject:
· Body posture: Upright, slumped, leaning away
· Skin color: Pale, red, white, changes
· Head position: Upright, tilted, forward/back
· Eyes: Direction, openness
· Hands/feet: Movement, position, color
· Mouth/lips: Position, color, turned up/down
· Primary sense: Visual, aural, kinetic, feeling
· Voice: Pitch, rate, changes
· Words: Short, long, number of syllables, dysfunctions, pauses
Changes can indicate a question or line of questioning that needs more attention. For example, if the body posture is very relaxed when you ask, “Is Mr. CEO in? I would like to leave this information packet for his review,” and then the body posture changes to a defensive posture—the torso pointing away and the eyes averting from looking at you—it may be a good indication that there is some untruth coming up and further questioning might reveal the truth on this topic.
Especially be sure to pay attention to the words a target uses. During the interview or interrogation process, pay particular attention to the subject’s voice and how she answers questions. When you ask a question, how long does it take for her to answer? Blurting out answers quickly is believed to be a sign of practicing the answer. If she takes too long, maybe she was thinking up the answer. Response time depends on each person, though, because you have to determine what is “natural” for each person.
Determining what is natural in a target (that is, the baseline) is not a small matter in a social engineering gig and must be done very fast. Being very observant is the key to success with this skill. One method of creating a baseline involves asking questions that cause the suspect to access different parts of his brain. The interrogator asks nonthreatening questions that require simple memory and questions that require creative thinking. Then look for outward manifestation of his brain activating the memory center, such as microexpressions or body language cues.
Another area to listen for is changes in verb tense and pronoun use. These shifts from past tense to future tense show areas you might want to investigate further. Switching tense can indicate deception. When a target switches tense they may be fabricating an answer or thinking of a past statement to fabricate an answer. Further questioning can reveal the truth here also. Other areas of change you should listen to are the pitch of the voice (is it going up with stress?) and the speed of speaking.
You don’t have to learn how to do all this at the same time. The more practice you get actively listening and observing people the easier it becomes for you to do it without thinking.
Professional interrogation is comprised of a number of parts. The following sections discuss each one, in the context of how it pertains to a social engineer.
Positive Confrontation
In law enforcement positive confrontation doesn’t mean anything positive and good; on the contrary, it means the officer is telling the suspect he is the one who committed the crime; in other words, the officer is making a strong accusation. In a social engineering audit, though, you already have identified the “target” you want and now you are going to tell (maybe using the NLP tactics previously mentioned) that target that he will do what you are asking of him.
You confront the target with the objective of starting him on the path to doing what you want. For example, a social engineer may approach the receptionist and ask, “Is Mr. CEO in? I have a meeting with him.” Or, to use a positive-confrontation angle, “I am here for my meeting with Mr. CEO at 11 am.” Notice the second example positively states the meeting as being set, expected, and in such a way that you are sure it is happening.
Theme Development
Theme development in police interrogations is when the interrogator develops a story to postulate why the suspect may have committed a crime. Many times that story is relayed to the suspect during the interrogation. “So he insulted you and you got so mad, you grabbed the pipe and began hitting his windshield with it.” While the officer is telling the story, he or his partner is watching the body language and microexpressions of the suspect to see if there are any clues that would constitute agreement.
Although social engineers can use this method, I also like to state that from a social engineering viewpoint, theme development needs to be seeing your pretext from the eyes of the target. What would a “tech support rep,” “manager,” or “fellow employee” look like, say, and do? How would he act?
Theme development for social engineers is when your supporting evidence that is displayed feeds directly into the theme of who you are portraying. Your approach to a target, whether on the phone or in person, often involves a pretext of some sort. The pretext, of course, supports your storyline or theme. This part of the interrogation is where you offer reasons or support for the pretext (see Chapter 4 for a refresher on pretexting).
For example, in one audit my pretext was very simple—I was just an employee who belonged. Armed with a trade publication I found in the trash, I followed a few employees through the door and past the security guard. As we approached the security guard I began a very simple conversation with one of the employees about an article in the journal. All of my actions contributed to theme development. Your goal is to give the people who would normally stop you justification for not doing their job.
The more you fit in, the less you stand out, and the easier it is for security guards and the like to justify not stopping you and letting you in.
Handling Denials and Overcoming Objections
Whether on the phone or in person, what is the plan of action if you are denied access to the place or information you are seeking? I like to call these conversation stoppers. People use them with salespeople all the time, “I’m not interested.” “I don’t have time right now.” “I was just leaving….”
Whatever flavor of stopper targets throw out, you must have a plan to overcome it and handle the denial of access. I like to preemptively dismiss objections if I feel the situation warrants.
When I was in sales, I worked with a man named Tony who had a tactic that involved knocking on a door and introducing himself, and without pausing saying, “I know you might want to say you are not interested, but before you do, can you answer this one question: Is five minutes of your time worth $500?”
At this point, the person was much less likely say, “I’m not interested.” By diminishing the possibility of denial and following up with a question, Tony was able to get the target to think about something else besides her objection.
In a social engineering engagement you can’t walk up to the security guard and say, “I know you don’t want to let strange people in the door but…” because it would raise way too much suspicion. Using this methodology to overcome objections is much more complex for social engineers.
You have to think about what objections might arise and organize your theme, story, dress, and person to pre-empt those objections. Yet you still have to have a good answer to give for when objections come up. You can’t just run out the door or hang up the phone. A good exit strategy enables you to come back to attack later on.
An exit strategy can be as simple as, “Well, ma’am, I’m sorry you won’t let me in to see Mr. Smith. I know he will be greatly disappointed because he was expecting me, but I will give him a call later and set up another appointment.”
Keeping the Target’s Attention
If you handled your social engineering move correctly up to this point and you are in front of the target, then the target may start to think about what would happen if she does not allow access, take the file, or do what you are asking. You need to feed off of that inherent fear and use it to continue to move the target to your goal.
A few short statements like, “Thank you for your help. I was so nervous about this interview that I obviously put the wrong date down in the calendar. I hope that Mrs. HR Manager is some place warmer than here?” Allow for a response then continue, “I want to thank you for your help. When will she be back so I can call to make another appointment?”
Presenting an Alternate Route
When you are interrogating the target in a social engineering audit, the possibility exists that your first path will not be greeted with smiles, so having a lesser but just as effective path of action ready is a good idea.
Maybe you have used all these tactics to try to get Sally, the receptionist, to let you in to see Mr. Smith. The tactics are all failing and you are being shut down. You should have an alternative path prepared, such as, “Sally, I appreciate you have to make sure things are done by appointment only. I am just not sure when I will be back through the area. Can I leave you with this CD of information for Mr. Smith and then I can follow up with a phone call tomorrow to see whether he will set up an appointment?”
Having a few CDs prepared with some maliciously encoded PDFs can help to make this path a reality, as well as having practiced and then using interrogation tactics quickly.
A contact I have sent me a document, entitled “Interview and Interrogation,” that is used by the Department of Defense to train its staff in passing the polygraph. It outlines the different approaches that professional interrogators use, and I have provided them here. Looking at these different approaches one can learn a lot about different methods that might make sense for a social engineer.
·Direct approach: The interrogator assumes an air of confidence in this approach. The attitude and manner of the interrogator rules out that the suspect is innocent at all. Without threatening, the interrogator disarms the suspect by telling him anyone else would have done the same thing.
As a social engineer, you can utilize this approach depending on your pretext. Maybe you are management, a consultant, or another person who has power over the target. This means you must have an air of confidence and assume that the target “owes” you the response you seek.
·Indirect approach: The suspect is allowed to tell his side of the story in detail and the interrogator looks for omissions, discrepancies, and distortions. The interrogator’s job is to let the suspect know that the best course of action is to tell the truth.
As a social engineer you can use this approach by not approaching the target in any role, but maybe as an elicitation, a question designed to elicit information from the target. The social engineer can gather information from the target by letting him do most of the talking.
·Sympathetic approach: The DOD manual offers some excellent thoughts on this approach. The interrogator drops his voice and talks in a lower, quieter tone that gives the impression he is an understanding person. He sits close to the suspect and maybe puts his hand on the suspect’s shoulder or pats him on the arm. Physical contact at the right time is very effective.
The social engineer can use this approach in the very same manner as the interrogator. Maybe you overhear some employees complaining about the boss as you are waiting to tailgate in the door. Or maybe you have followed the target to the local bar and get into a conversation where you can show empathy to a situation. You can use this approach all around, and it is very effective.
·Emotional approach: This approach plays on the morals or emotions of the suspect. Questions such as, “What will your wife or kids think about this?” are used in this interrogation tactic. The thoughts that are aroused emotionally upset him and make him nervous; as these emotions manifest themselves, the interrogator can capitalize on them.
You can use this approach in a similar manner to the preceding, in which you play on a weakness identified in the target. In one engagement, I knew the target was partial to charities for children who suffer from cancer. Playing on those emotions I was able to get the target to take an action he should not have taken, and it compromised his operation.
·Logical approach: This non-emotional approach presents strong evidence of guilt. The interrogator should sit erectly and be business-like, displaying confidence.
You can use this matter-of-fact approach when presenting evidence of your legitimate reasons for being present—for example, such as being dressed and armed as an IT repairman and having the air of confidence that you belong there.
·Aggressive approach: For an interrogator, a fine line exists between gathering information and infringing on the target’s rights that must not be crossed. The voice should be raised, and the look and act should be aggressive, but the suspect’s civil rights should never be violated.
The social engineer auditor needs to keep this fine line in mind. As in the case of Hewlett-Packard, discussed in Chapter 4, being hired to social engineer a company does not give you the right to break civil laws. Most of the time the company hiring you has no right to allow you to tap home phones, read personal e-mails, or invade people’s privacy.
·Combination approach: One interrogator may combine two approaches to have maximum effect. This would be decided upon based on the suspect’s personality.
As a social engineer you may use the same technique—combine your attacks and approaches for maximum effect. For instance, after you discover some personal details about a target—such as their favorite local bar—you can approach the target and start a conversation. Such a tactic, especially when employed in a relaxed atmosphere, can go a long way toward opening people up.
·Indifferent approach: This approach is very interesting because the interrogator acts as if he does not need the confession because the case is solved. At that point the interrogator may try manipulating the suspect into giving his side of the story.
As a social engineer you may not be able to use this approach unless caught. If you’re caught in an area or situation you should not be in, you can act indifferent instead of afraid that you are caught. Acting indifferent can cause the person who caught you to not be alarmed as much and afford you an opportunity to dispel any worries. Kevin Mitnick (see Chapter 8 for more on Mitnick) was great at this technique. He had the ability to think quickly on his feet. Also, acting indifferent when he was in a precarious situation allowed him to get away with a lot.
·Face-saving approach: The interrogator should rationalize the offense, giving the suspect a way out and an excuse to confess and save face. An interrogator should not make the excuse so good, however, that the suspect can use it in court as a defense.
A social engineer can really utilize this approach. An interrogator does not want to give someone too good an excuse, but a social engineer does. You want the excuse to be so good the target doesn’t even need to think before rationalizing it as an excuse for complying with you.
One approach is to say a higher-level person asked you to be there. You can follow this up by saying, “I can understand how you might feel now, but I don’t even want to imagine how upset Mr. Smith will be if I don’t fix that massive e-mail blunder before he returns on Monday.” This approach gives the target the ability to save face and comply.
·Egotistical approach: This approach is all about pride. For it to work you need a suspect who is very proud of an accomplishment. Bragging on good looks, intelligence, or the way the crime was performed may stroke his ego enough that he wants to confess to show that, indeed, he was that smart.
In social engineering gigs this method is often used. Playing up someone’s accomplishments gets them to spill their deepest secrets. In the case of the U.S. nuclear engineer in China (refer to Chapter 3), social engineers loaded the man with compliments, and he spilled the beans and divulged information he shouldn’t have.
·Exaggeration approach: If an interrogator overexaggerates the case facts, the suspect may admit to what was real. One example would be if an interrogator accuses a thief of wanting to commit rape and saying, “Why else would someone break into a bedroom in the middle of the night?” This often causes the suspect to admit to only wanting to steal and not commit rape.
You can also use this approach by overexaggerating the task you are there to perform. By overexaggerating the reason for being there you can give the target a reason for providing you lesser access. For example, you can say, “I know Mr. Smith wanted me to fix his computer personally because he lost a lot of data, but if you don’t feel comfortable with that, I can potentially fix his problem from another computer in the office.”
·Wedging the alibi: A suspect seldom confesses his transgressions all at once. Getting him to make minor admissions, such as he was on the site, owned the weapon in question, or owned a similar car, can move him toward admitting more and more, eventually leading to a complete confession.
Maybe you get stopped at the door during a social engineering gig and the gatekeeper refuses you access to the building. See whether you can “gain access” by using a line like this: “I understand Mr. Smith is busy and can’t meet with me. Would you mind giving him this CD of information about our products and I will follow up with a phone call later on today or tomorrow?”
It is a lesser admission, but nevertheless would get if not you, then one of your tools in the door.
The End Goal
To prepare to use proper interview or interrogation tactics, as a social engineer you may want to answer a few questions of your own. I encourage you to write these down in a notepad because doing so can help you prepare for your encounter with the target. Plus, writing down your answers makes them real and gives you a path to work on during the preparation for your interrogation.
Answer these questions:
· Who: With whom is the interrogation or encounter being conducted? What role does he play? List names, titles, and other information about him that is relevant to the interrogation.
· What: Exactly what preparation has been done and what is going to be your goal during the interrogation? You must have a definite aim.
· When: What is the timeframe of the interrogation? What time of day or night? What are the circumstances at the business that lead to this decision about when to make your move? Is there a party you overheard about? Is it a time when a large portion of the employees are on vacation? Is it during lunch time? Is it during the changing of the security staff?
· Where: What is the location of the interrogation? Are you going to be at the target’s location? Are you tracking the person to his or her gym, local bar, or daycare? Where is the best place to try to obtain the information you need from the target?
· Why: People hear this question often enough from their kids, but it must be asked. What is the purpose of this interrogation? To make the target admit to the location of something? To make him give out information he should not? For you to gain access to a room or a server?
· How: What methods will you use in this interrogation? NLP? Embedded commands? Human buffer overflow (discussed at the end of this chapter)? Microexpressions?
Of course, in a criminal interrogation the goal is confession to a crime. With interrogation as a social engineer the goal is a confession of a different sort. You want people to feel comfortable giving you information, and using the interrogation tactics discussed earlier you can make that easier to do. In the end, your social engineering interrogations should be like smooth interviews. However, a social engineer can use some other techniques to help while using interview and interrogation tactics on a target.
Gesturing
Gestures have a wide variation due to the fact that they are very much culturally dependent. Unlike microexpressions, which are universal, gestures from the United States can actually be insulting in other parts of the world, or have no meaning at all.
Here is an exercise to help you better understand gesturing differences. If you want you can write down your answers to refer to in a few minutes. Depending on what culture you’re from, the answers will be interesting to see.
Write down what you think this gesture means and whether it is rude in each case:
1. Holding your palm facing upward, point at someone with your index finger and beckon to him.
2. Make a “V” sign with your index and middle fingers.
3. Sit with the soles of your feet showing.
4. Make the “ok” symbol with your fingers.
5. Wave a hand with your palm facing outward.
6. Nod your head up and down.
If you wrote down your answers, compare them to some of the following interesting cultural differences:
1. In the U.S. this gesture simply means “Come here,” but in the Middle or Far East, Portugal, Spain, Latin America, Japan, Indonesia, and Hong Kong, beckoning someone this way is considered rude or insulting. Beckoning someone with the palms facing down and using all the fingers to beckon is more acceptable.
2. In the U.S. this gesture is a “peace sign,” but in Europe it means “victory.” If you put the palm toward your face it actually means, “Shove it.”
3. In the U.S. this is a comfortable way of sitting and doesn’t denote any bad intent. Yet in other countries, such as Thailand, Japan, and France, as well as countries of the Middle and Near East, showing the soles of the feet demonstrates disrespect. Exposing the lowest and dirtiest part of your body is insulting.
4. In the U.S. this gesture means everything is okay. But in other parts of the world it has much different meaning. In Brazil and Germany it is an obscene gesture, in Japan it means “money,” and in France it means “worthless.”
5. In the U.S. this is a greeting, a way to say hello or good-bye. In Europe it can mean “no,” and in Nigeria it is a serious insult.
6. In the U.S. nodding your head is a way of saying “yes.” The same is true for many places, but in some areas, such as Bulgaria or Greece, it is a way of saying “no.”
These are just a few examples of gestures that can have varying meanings depending on where you are or who you are talking to. Understanding the different meanings of gestures is important because communication is often much more than what is said.
This section is intended to show that, during an interaction with a target, not only can these principles be observed but they can also be utilized to manipulate the target into a path of least resistance. Understanding the culture of the targets you approach will also keep you from performing a gesture that can have undesirable results.
Anchoring
Gestures can have some powerful effects when used properly. Some of these principles come from the study of NLP but can have a lot of power when you’re trying to set your target’s mind on a path you control.
One such method is anchoring, which is a method of linking statements of a like kind with a certain gesture. For example, if you are talking to a target and he describes something positive and good, you can repeat it back while gesturing with your right hand only. If it is something bad you can gesture with your left hand only. After doing this gesture a few times you begin to “anchor” in your target’s mind that right-handed gestures are linked to good things.
Salespeople use this method to further solidify that “their product” or “their service” is excellent and the competitor’s is not. Some politicians use this method to anchor positive thoughts or thoughts they want their audience to think of as positive with certain gestures. Bill Clinton was a great example of someone who understood this. To see this in action (albeit not former President Clinton) visit www.youtube.com/watch?v=c1v4n3LKDto&feature=player_embedded.
Mirroring
Another tactic when it comes to gestures is called mirroring, where you try to match your gestures to the personality of the target. Of course, this is not as easy as it sounds. But what can you discern about the target from just observation? Is she timid? Is he loud and outgoing? If you approach a timid person with large, loud gestures you will surely scare her off and potentially ruin your chances of making your social engineering attempt. By the same token, if you are more timid you will need to mirror “louder” gestures when dealing with “louder” people. Mirroring not only involves mimicking a target’s body language but also using gestures that make it easy for a person to listen to you.
You can take this principle to another level. Seeing gestures a target is familiar with can be comforting to him or her. However, you must strike a careful balance, because if your target has a particular gesture he seems to be using a lot and you use it exactly the same way, then you run the risk of irritating him. You want to mirror him, but not exactly. If the target ends a thought by placing his hand on his chin you can end a thought by placing your hand on another part of your face or raise a finger to tap your chin a couple times.
The following section analyzes the topic of gesturing a bit further by discussing the importance of the position and placement of a target’s arms and hands.
Arm and Hand Placement
Law enforcement officers are trained to notice the placement and position of the arms and hands during both interviews and interrogations. An increase in movement or “fidgeting” during an interrogation can show an increase in stress levels, signifying that the interrogation is having the desired effect. This is, of course, in a law enforcement setting; in a social engineering setting you would watch for these same signs, but signs of stress in the target might indicate you need to back off (unless your goal is to stress him or her out).
Certain law enforcement officers are taught to pay attention to a couple of signs:
· Elbows generally hang free next to the body when a person is relaxed. When you feel threatened or scared your body’s natural reaction is to pull the elbows in towards the rib cage. In essence this position serves as a layer of protection to one’s internal organs that might be threatened.
· Hand gestures often can be very revealing, too. A target may describe something with his hands that he doesn’t say. For example, in a crime interrogation suspects may make a gesture that describes the activity (that is, strangling, shooting, stabbing, and so on) but just say the word crimeor incident. Watching for the subtle hand gestures your target may use is important.
Taking note of signs that the target is feeling threatened or scared can help you to adjust and put them back at ease. When you approach a target, much can be said with body language and arm and hand gestures before the first word is even spoken.
Other gestures to take notice of include:
· An open palm might indicate sincerity.
· Steepled fingers could indicate the person feels authoritative.
· Tapping or drumming fingers can indicate anxiety.
· Touching the face can indicate thought; touching hair can indicate insecurity; and touching ears can indicate indecisiveness.
Taking note of these gestures in your target can tell you a lot about his mindset. On the other hand, performing these gestures can help you to portray one of these images if this is your pretext.
From a social engineering standpoint here are a few key points about gestures, which can be imperative if you are a “big” gesturer like me:
· No one should remember the gesture, but only the message attached to it. If people tend to say, “Wow, that guy gestures a lot” you need to calm down a bit. The message is important, not the gesture.
· Avoid monotony. Even in gestures you can be so bland, boring, and repetitive that the gesture can adjust the target’s perception of you to be negative.
· Be very concerned about exhibiting anxiety, such as tapping or drumming your fingers or making jerky movements. They tell the target you are nervous and detract from your message.
· Too much is too bad. Overgesturing can also detract from your message.
Remember that using facial expressions, gestures, and posture is a package deal. They must all blend together, be balanced, and support your pretext.
As good as all this information is, one tool in the interrogation arsenal can make or break the way you use this knowledge in your social engineering skills.
Listening Your Way to Success
Probably not one skill exists that can be as encompassing as listening. Listening is a major part of being a social engineer. What you have to realize is a major difference exists between hearing and listening.
It is commonly believed that people retain much less than 50% of what they hear. That means if you are talking to a person for ten minutes he will remember only a few minutes of what you said. Although people eke through life this way, it is not acceptable for a social engineer.
Often the little things that are said can make or break how successful you are in a social engineering endeavor. This area is where massively improving your listening skills comes in, and not just listening to what is said, but how it is said, when it is said, and with what emotion. All of these factors contribute to your perception of the information relayed.
Being a good listener might sound easy, but when you are in the heat of the moment, your end goal is to gain access to the server room, and you are listening to a story by a few employees out for a smoke break who you plan on following into the building, truly listening can be hard.
Yet it is during these times you might want to really listen. Maybe Susan starts to complain about her manager in HR, Mr. Jones. She tells a story about how short he has been with her lately and how she is fed up with it. Then her fellow smoker, Beth, says, “Well you should come over to the paradise of accounting. It is filled with jerks there, too.”
Maybe this just sounds like the complaining chatter of two tired and ticked-off employees. Or is it more? You have both of their names, the name of a manager, the names of their departments, and some idea of the general demeanor of some of the employees. This information can be very valuable later on if you need to provide proof of your validity for being inside the building.
Often the way someone says something can tell you a lot about the person, but applying this will require a lot of listening. Is the person angry, sad, or happy? Did she speed up or slow down in her delivery? Did he get emotional or did his emotion trail off? Paying attention to these types of things can tell you a lot more than the words at times.
So how can you become a great listener?
The following steps can help you perfect your listening skills. These tips can assist you not only in social engineering but also in life, and when applied to a social engineering audit can make a world of difference.
1. Pay attention. Give your target your undue attention. Do not fiddle with your phone or other gadget. Do not drum or tap your fingers. Try to focus intently on what is being said, looking at the person speaking. Do this in a very inquisitive way, not in a scary, “I want to stalk you” way.
Try hard not to think ahead and plan your next response. If you are planning your next response or rebuttal you will not be focused, and you may miss something important or give the target the impression you don’t really care. This can be very hard to control, so perfecting this tendency will take some serious work for most people.
Also try to not be distracted by environmental factors. Noise in the background or a small group laughing about something can shift your focus; do not allow that to happen.
Finally, pay close attention to what the speaker is not saying, too. The body language, facial cues, and other aspects of communication should be “listened” to intently.
2. Provide proof that you are listening. Be open and inviting with your body language and facial expressions. Nod once in a while, not too often, but often enough to let the target know you are there. You don’t want to look like a bobble head doll, but you want to let the target know you are “with him.”
Don’t forget the all-important smile. Smiling can tell the target you are with him mentally and you understand what he’s saying. As with paying attention mentioned earlier, add small smiles when appropriate. If the person is telling you her dog just died, nodding and smiling will most likely get you nowhere.
3. Provide valuable feedback. Letting your personal beliefs and experiences filter the message coming your way is all too common. If you do that you may not truly “hear” what the speaker is saying.
Be sure to ask relevant questions. If she is telling you about the blue sky then you say, “So how blue was the sky?” will not be effective. Your questions must show you have been actively listening and have the desire to gain a deeper understanding.
Every now and then mirroring or summarizing what you have heard can work well, too. Don’t recite the conversation like a book report, but recapping some of the main thoughts can help the target see you are in tune with the message.
4. Do not interrupt. Not much more needs to be said on this tip. Interrupting your target shows a lack of concern for his feelings and stops the flow of thoughts. Letting him finish and then speaking is better.
However, circumstances do exist where interrupting can be useful or even a tactic. If you want to see an example, watch the movie Sneakers. When Robert Redford is trying to gain access to a locked door that he must be buzzed into, he interrupts the doorman in a heated dispute over some delivery items. He does so a few times, eventually frustrating the doorman and causing him to unlock the door with no authorization. If you think it will get you somewhere, interrupting might be a good idea. Most of the time however, it is not.
5. Respond appropriately. This is the pinnacle of good or bad listening skills. If you were focused on your rebuttal or next statement, or you were thinking about the very attractive blonde that just walked by, you might put your foot in your mouth.
I was once training a group of people and was telling them some aspects of very detailed manipulation tactics. I could tell two guys were not listening. I put in a random thought like, “So then you bake the lion at 350 degrees for 15 minutes til crispy.” The rest of the group broke out in laughter and I turned to one of the two and said, “What do you think, John?” He responded with a blank stare and a stuttered, “Um, yah, sounds perfect.”
Do not ever do that to a target. It is a death blow to rapport (discussed later in this chapter). Be respectful, keep your emotions in check, and respond appropriately at all times when conversing with a target.
Paying attention, providing proof, giving positive feedback, being careful to never interrupt, and responding appropriately can make or break you when it comes to listening. They especially come into play during extended social engineering engagements, such as when I had to interact with the gentlemen at the Chamber of Commerce social gathering by “meeting” him at the bar and then talking to him about his business. Much of the information I was seeking would have been divulged in normal, mundane conversation. Make sure you practice these tips at home or the office before the time comes for the conversation to take place. You want good listening to become second nature as part of your arsenal of talents, not something you have to think about.
Your own emotions are another aspect of listening you must take into account. For example, I was raised in a strict, religious Italian family. I was taught that you didn’t disrespect women, and I shudder to tell you of the one time I called my mom a disparaging name. I will tell you that it did not end too well for me. One day many years after that incident, I was working an engagement and was talking with a guy from whom I was trying to obtain some information. I approached him in a social setting and we started a conversation. He started to talk about a woman he worked with, in a very inappropriate way. Being raised the way I was, I found a lot of anger boiling up inside me. I had a hard time containing those feelings and it must have shown on my face and in my body language, leading to that particular vector being blown. In that failure I learned a very valuable lesson—when it comes to listening during social engineering engagements, you must try your hardest to not let the built-in filters you have get in the way.
Also, remember to react to the message, not the person. If you don’t agree with a person’s beliefs or stance, affording him or her dignity will go a long way in making that person feel comfortable with you. Even in situations where you might not agree you can find something empathic to say. For example:
Target: “This job stinks. They make me work this horrible shift and for low pay, too.”
SE: “It sounds to me like you are overwhelmed by your situation here.”
Although you might be thinking “Try Harder,”™ by responding this way you let the target know you were listening, as well as empathizing with her plight in life.
This technique is known as reflective responding. Reflective responding has some basic principles to it:
· Listen actively, as described earlier.
· When it’s time to respond, be aware of your emotions. Knowing what you feel as the target is speaking can help you to react properly.
· Repeat the content, not like a parrot, but in your words.
· Start your response with a non-committal phrase such as, “It sounds like,” “It seems like,” or “It appears that.” These phrases ease the message you are trying to deliver. If you need proof of this, the next time you get into an argument with your mate, boss, parents, or whomever say, “You are mad at me because…” and compare the person’s reaction with what you get when you say “It appears you are mad because of…” instead. You will see which one is taken better.
Reflective responding used with active listening is a very deadly force in the trust and rapport-building skills arena.
As you learn to listen better and it becomes part of your nature you will enhance your ability to react to the message you hear. A social engineer’s goal is to gather information, gain access to someplace or something you should not have access to, or cause the target to take an action he should not take. Thinking that you must be perfect at manipulation often stops people from learning and practicing great listening skills, but this is the exact reason you need to be a great listener.
Consider these two scenarios:
· One of your neighbors comes over and asks whether you have time to help him with a project in his garage for about an hour. This neighbor has a dog that has gotten into your garbage a few times and tends to like to use your yard as a bathroom. You are just about to sit down to relax at the end of a long day and watch some TV or read a book.
· Your childhood friend comes over and tells you that he needs some help moving some furniture. He just got a place about five miles from you and he can’t get the couch up the stairs. You are just about to sit down to relax a bit.
For which scenario are you more likely to put aside relaxing? Most people will put aside relaxing for the second scenario, but will come up with an excuse or reason to not help out in the first scenario or at least try to postpone it to another day when they are not “busy.”
Why? People are very open and free with friends. When you feel comfortable with someone, you have no boundaries and will put aside your own wants and needs at times to help them out. One naturally trusts the message coming from a friend, whereas with the stranger one might start to double-guess what’s being said, trying to determine whether it is truthful or not. In the case of the relationship with the friend, this connection is called rapport.
For years rapport has only been talked about when it comes to salespeople, negotiators, and the like. Rapport isn’t just for salespeople; it is a tool that anyone can use, especially the social engineer. If you are wondering how to build rapport instantly, then read on.
Building Instant Rapport
My former coworker, Tony, used to say that building rapport was more important than breathing. I don’t really believe that to be true, but it does have a ring of truth in that rapport building is vital.
Wikipedia defines rapport as, “One of the most important features or characteristics of unconscious human interaction. It is commonality of perspective: being ‘in sync’ with, or being ‘on the same wavelength’ as the person with whom you are talking.”
Why is rapport discussed in this chapter? It is a key element in developing a relationship with any person. Without rapport you are at an impasse. Within the psychological principles behind social engineering, rapport is one of the pillars.
Before getting into the aspects of how to use rapport as a social engineer you must know how to build rapport. Building rapport is an important tool in a social engineer’s arsenal.
Imagine that you could make people you meet want to talk to you, want to tell you their life story, and want to confide in you. Have you ever met someone like that, someone you met recently but feel totally at ease telling him or her very personal things? Many psychological reasons may play into why that may be the case, but the case may be that you and that person just had good rapport.
The following sections outline important points about building rapport and how to use rapport in social engineering.
Be Genuine about Wanting to Get to Know People
How important are people to you? Do you enjoy meeting new people? It is a mindset about life, not something that can be taught. The prerequisite to building rapport is liking people. People can see through a fake interest.
To be a good social engineer and to be able to use rapport, people need to be important to you. You must like people and enjoy interacting with them. You have to want to learn about people. People can see through fake smiles and fake interest. Developing a genuine interest in your target can go a long way toward building rapport.
Take Care with Your Appearance
You cannot change some things that may affect your interaction with others. Unfortunately, people can still hold your skin color, gender, or age against you before you facilitate any interaction. You can’t control those things, but you can control aspects of your appearance such as clothing, body odor, and cleanliness, as well as your eye contact, body movements, and facial expressions. I read a statement once that I have seen proven true too many times to ignore: “If a person is not comfortable with himself, others will not be comfortable with him either.”
Be aware of your pretext and your target. If your pretext is the janitor, make sure your demeanor, dress, attitude, and words reflect someone in that position. If your pretext is a manager of a business, then make sure you act and dress appropriately. This takes research but nothing kills rapport easier than not looking the part. Your goal in some instances is to keep people in the autopilot mode that will let them not question you. Having your dress, grooming, or demeanor out of place removes the target from autopilot and hurts your chances at success.
Be a Good Listener
See the earlier section for more details. The importance of good listening can’t be overstated.
Whether you are trying to make a friend or make a social engineering move, listening is a skill you need to master.
Be Aware of How You Affect People
One time I saw an older woman drop an item as she left a grocery store. I picked it up and followed her out to the parking lot. By the time I caught up with her she had her trunk open and was loading groceries into her car. I came up behind this short, little elderly woman and with all 6’ 3” of me looming over her said, “Excuse me, ma’am.” I was obviously too close for her comfort and when she turned around she screamed out, “Help! He’s trying to mug me. Help!”
I obviously needed to think about how my presence might affect this woman during my interaction with her. I should have realized that an elderly woman all alone in a parking lot who was not expecting a huge man to walk up behind her might freak out. I should have come around and approached her from a different angle.
Be aware of how your appearance and other personal aspects might affect those you will be in contact with. Do you need a breath mint? Make sure no food is on your face or in your teeth. Try to be relatively sure that nothing is glaring in your personal appearance that will turn the person off.
UCLA Professor of Psychology Albert Mehrabian is known for the 7-38-55 Rule, which states that statistics show that only 7% of normal communication is the words we say, whereas much more lies in the body language and vocal tones. Try to be aware of yourself, but also pay attention to the first few seconds of interaction with a person. His or her reaction to your approach can tell you whether you possibly missed something, or whether you need to change something to be more effective.
As a social engineer, be aware of how you affect people. If your end goal is all that is on your mind you will affect the people you come into contact with negatively. Think about how your appearance, words, and body language may affect your target. You want to appear open and inviting.
Keep the Conversation off Yourself
We all love to talk about ourselves and even more so if we feel we have a great story or account to share—it is human nature. Talking about yourself is one way to kill rapport. Let the other person talk about himself until he gets tired of it; you will be deemed an “amazing friend,” a “perfect husband,” “great listener,” “perfect sales guy,” or whatever other title you are seeking. People feel good when they can talk about themselves; I guess we are all a little narcissistic, but by letting the other person do the talking you will leave that interaction with his liking you a lot more.
Keep the conversation off yourself. This point is especially cogent for social engineers. You have a definite goal in mind and sometimes your judgment and direction can be clouded by what “you” want. Taking that focus off of the target is dangerous as far as success goes. Let targets talk about their jobs, roles, and projects, and be amazed at how much information they release.
Remember That Empathy Is Key to Rapport
Empathy—defined by Random House Dictionary as “the intellectual identification with or vicarious experiencing of the feelings, thoughts, or attitudes of another”— is lacking in many people today and is especially hard to feel if you think you have the solution to someone’s problem. However, really listening to what someone is saying, trying to identify and understand the underlying emotions, and then using reflection skills can make a person feel as if you are really in tune with him.
I felt it necessary to provide the definition of empathy because understanding what it is you have to do is important. Notice that you must “intellectually identify” with and then experience “the feelings, thoughts, or attitudes” of someone else.
These aren’t always serious, depressing, or extreme emotions. Even understanding why someone is irritated, tired, or not in the best mood can go a long way. Imagine you go to the bank drive through and the teller lady gives you a monster attitude because you forgot to sign your check and she now has to send it back. You also forgot a pen and need to ask her for yet another favor. Your reaction might be similar to mine, especially if she gave you the eye roll and the irritated glance—you want to tell her that she is here to serve you. Instead, try saying this, “It appears you might be a little irritated. I understand that; I get irritated when I have to deal with my forgetful clients, too. I hate to ask this, but could I please get a pen?”
It’s important to not be patronizing when attempting to show empathy. If your empathy seems to come off haughty or arrogant, you can make the target feel like you are patronizing them.
You acknowledged her being upset but without accusation, showed that you have the same feelings, and then made a request. Empathy can go a long way toward building rapport; one caveat is that rapport cannot be faked. People need to feel you are genuinely concerned to build that trust relationship. If you are not a natural at displaying empathy, then practice. Practice with your family, friends, coworkers, teachers, or classmates. However and wherever you do it, practicing being empathetic will greatly improve your relationship-building skills.
Empathy is a tool of the social engineer. Unfortunately, it is also used often in malicious social engineering. When a catastrophe hits somewhere in the world a malicious social engineer is often there to “empathize” with you. The thing that probably makes this tool so easy for malicious social engineers to use in many cases is because they truly are from bad, poor, or impoverished places. Being in bad straits themselves makes appearing empathetic to others’ plights in life easy and therefore creates rapport automatically.
Nothing builds rapport more when people feel like you “get them.” This is proven very true when someone is a victim of disaster. It’s a scary thought, but those who have been victims of abuse, crime, rape, natural disasters, war, or other atrocities on earth often can “understand” the feelings of those who are experiencing them. This opens victims up to trusting the wrong type of people if that rapport is built.
As mentioned before, when the 9/11 attacks happened in New York City, many people claimed to have lost family or friends in terrorist attacks. That made people empathize and therefore these “victims” were given money, fame, or whatever they were seeking.
As a social engineering auditor, you must be able to have a broad range of emotions that you can tap. Being closed in your emotions makes being empathetic very hard. This point goes along with really liking people. If you do, you won’t have a hard time getting to know them and their stories and empathizing with them.
Be Well Rounded in Your General Knowledge
Knowledge is power. You don’t have to know everything about everything, but having some knowledge about some things is a good idea. It makes you interesting and gives you something to base a conversation on.
Knowledge is power. The old hacker mantra comes back to you as a social engineer. A social engineer should be a reader and a studier. If you fill your head with knowledge then you will have something to talk about when you approach a target. Don’t neglect reading, researching, and studying about the topic of the target’s occupation or hobbies. Your goal is not to be a “know-it-all” and become an expert on every topic, but rather to have enough knowledge that you don’t look at the target with a blank stare when she asks, “Did you bring an RJ-45 connector with you to fix the server’s network connection issues?”
Develop Your Curious Side
People normally feel a little self-righteous when it comes to their beliefs or thoughts on the way things should be done. That self-righteousness or judgmental attitude can change the way a person reacts to something being said. Even if you don’t say anything you may start to think it, which can show in your body language or facial expressions. Instead of being self-righteous, develop a curiosity about how other people think and do things. Being curious keeps you from making rash judgments. This can be applied by being humble enough to ask for help or ask for more information. Be open minded enough to look into and accept another’s thoughts on a topic, even if those thoughts differ from yours.
Curiosity did not kill the social engineer. This point doesn’t change much from a non–social engineer perspective. When you become curious about others’ lifestyles, cultures, and languages you begin to understand what makes people tick. Being curious also keeps you from being rigid and unbending in your personal judgments. You may not personally agree with certain topics, beliefs, or actions but if you can remain curious and nonjudgmental then you can approach a person by trying to understand why he is, acts, or portrays a certain way, instead of judging him.
Find Ways to Meet People’s Needs
This point is the pinnacle of the list and is one of the most powerful points in this book. Dr. William Glasser wrote a book called Choice Theory in which he identified four fundamental psychological needs for humans:
· Belonging/connecting/love
· Power/significance/competence
· Freedom/responsibility
· Fun/learning
The principle behind this point is that creating ways for people to get these needs met by conversing with you builds instant rapport. If you can create an environment to provide those needs for people, you can create bonds that are unbreakable.
Let me tell you a brief story about how powerful meeting people’s needs can be. I was in a minor car accident. A young driver pulled out in front of me and then decided to stop. I had a split second to decide between hitting him going 55 mph or veering off away from him then launching my car over a small ditch into the side of a mountain. I chose in a second to not kill the three young people in the car. My car went airborne until it was stopped by solid rock. I watched my beautiful little customized Jetta crumple under the weight, and my face smacked off the windshield. I barely nicked the other driver’s rear bumper but I was moving fast enough that his car was sideways in the highway. When I was able to get my bearings we called the cops and an ambulance.
The young man had a different insurance company than I did. The next morning I got a call from his agent, who politely asked me questions. He told me that an adjuster would come out to see my now-crumpled Jetta, and within 48 hours I was handed a check and a letter stating they would cover all medical costs for my recovery.
I was then given a follow-up call from his insurance agent to see whether I was okay. How many calls from my insurance company do you think I got? I got one, just to tell me how to answer questions.
I understand that caring about each person is not the job of these large companies. But the other agent called me just see whether I was okay. I fought no battles to get paid and I was given a very fair price for my car.
Two days after that I cancelled my insurance and went to see Eric, the insurance agent who called me, from the young man’s company. I told him I was so impressed that I wanted what he was selling. It has been 12 years now and I use Eric for every insurance need I have. About two years ago I got a call from an insurance company offering me rates that were substantially lower than what Eric and his company offer. I couldn’t even think about doing that to Eric. Why? Rapport—plain and simple. Eric is my friend, my helper, someone I can call about questions on insurance, and someone who will always give me the best advice. He cares, he knows my family, and he never tries to hard-sell me. He doesn’t have to, because I will buy whatever he has, because I trust him.
This is the power of rapport. I don’t know, maybe Eric’s end game in checking on me was to get me to move to his insurance practice, although I doubt it. Knowing him, he actually cares and anyone who knows him says the same thing. His brother and he run a solid business. Rapport can create bonds between people that transcend cost or loss.
Filling a need for the person you are talking to drastically increases the chances of building rapport. Do it without appearing to have an end game, do it with a genuine desire to help, and be amazed at the results. Perhaps no other avenue is more valuable for social engineers than being able to meet these needs. Learning how to create an environment that allows the target to feel comfortable and get one of the basic four fundamental needs met is a sure way to ensure unbreakable rapport.
Spies use this principle of filling a need or desire often. In a recent trip to a South American country I was told that its government is infiltrated all the time via fulfilling the basic need of “connecting or love.” A beautiful woman will be sent to seduce a man, but this is no one-night stand. She will seduce him for days, weeks, months, or even years. As time continues she will get bolder with her requests for where they are intimate, eventually making their way to his office, where she gains access to plant bugs, Trojans, or clone drives. This method is devastating, but it works.
Social engineers fill desires through phishing emails also. In one test 125 employees of a very reputable company were sent fake image files labeled BritneyNaked.jpg, MileyCyrusShowering.jpg, and other such names, and each image was encoded with malicious code that would give the social engineer access on the user’s computer. The results were that more than 75 percent of the images were clicked. What was found was the younger the star mentioned in the picture, the higher the click ratio.
These disgusting and devastating facts show how well fulfilling people’s desires can work. In person, too, it is no different. Police interrogators use this tactic for building rapport all the time.
One time I interviewed a law enforcement agent for a podcast I did at social-engineer.org (www.social-engineer.org/framework/Podcast/001_-_Interrogation_and_Interview_Tactics). The guest told a story that proves this point about the power of rapport to make people comply with requests. The officers had arrested a man who was a peeping tom. He had a fetish where he loved to invade the privacy of women who wore pink cowboy boots. The agent, instead of judging him for the freak he is, used phrases like, “I like the red ones myself,” and “I saw this girl the other day wearing short shorts and high cowboy boots, wow!”
After just a short time he began to relax. Why? He was among like-minded people. He felt connected, part of the crowd. Their comments put him at ease and he began to spill his guts about his “habits.”
The preceding is a nice example of how to develop and build rapport, but how can you use it as a social engineer?
You can build rapport in a matter of seconds by applying the principles of building rapport discussed earlier. To prove this, imagine you need to grab some cash, you don’t have your ATM card on you, and you forgot your account number, so you have to go in and ask someone for some help. Maybe you feel a little embarrassed about having to ask for your account number. You walk into a local branch of your bank you have never been into. No one is in the bank and you have your choice of tellers. Maybe you don’t think about it, most people don’t, but you will look over all the open lanes and choose the person who makes you feel the most comfortable. You will get the same results from each lane, but you will choose the one that makes you feel okay.
Maybe you choose the most attractive person, or the one with the biggest smile, or the one who greets you first—whomever you choose and however you choose them you make the choice either consciously or unconsciously, but a lot of it has to do with rapport. The same principle will prove true when it comes to you and your target. As you walk up to a target she will make instantaneous snap judgments of you based on your personal appearance, demeanor, facial expressions, and, of course, her mood. Most of these factors you can control, so take pre-emptive action on them to ensure success.
Building rapport properly creates a bond like strong glue that can withstand minor inconvenience and even some misunderstanding.
Rapport allows a person to say and do things that only close friends can do, because he or she is brought into that inner circle of trust. It is a powerful force without which salespeople, friendships, employment, and many other situations are much more difficult.
Remember Chapter 4 on pretexting? You learned that pretexting is more than just playing a part, it is living, being, and becoming the person you are portraying to the target. Having a strong pretext is imperative to building the right kind of rapport. In many social engineering engagements you will not have the time to build a storyline and use long-term seduction or rapport techniques, so your success will be based on many of the non-verbal things you will need to do.
Using Other Rapport-Building Techniques
Other rapport-building techniques exist that are based in NLP research. As you now know, rapport is basically connecting with someone and putting him or her at ease; some NLP techniques used by hypnotists and NLP practitioners can put people at ease instantly, as discussed next.
Breathing at the Same Rate as Your Target
Breathing at the same rate as someone doesn’t mean you closely listen to every breath and try to breathe in and out when your target does. But some people have very defined breathing patterns: Some have fast and short breathing, and some have long and deep breathing. Notice how the target breathes and mirror that pattern, but without parroting (that is, doing it at the same exact time).
Matching Your Target’s Vocal Tone and Speech Pattern
I was born in New York and raised in an Italian family. I talk fast, loud, and with my hands. In addition to being 75 percent Italian, I am 25 percent Hungarian. I am big, tall, and loud and gesture like a professional sign language translator on speed. If I approach a timid, shy, slow-talking southerner I can kill rapport if I do not slow down, put the hands away, and change my communication style. Listen to your target’s vocal tone and match yours to his, whether he is a slow, fast, loud, quiet, or soft speaker. As for accents, a good rule is: Don’t try. Unless you can do it very well don’t even attempt it. A poorly done accent is a rapport killer.
Along these same lines, you can also try to listen for key phrases. People use terms like “okie dokie” or “yepper.” Listen for any key phrases, and even if they are out there, you might be able to work them into a sentence.
Once I was talking with a target who would say things like, “It’s six of one and half dozen of another.” I don’t use that phrase a lot and didn’t want to screw it up, because that would create a lack of rapport. Instead, I would mix in some of the key words of that phrase and say things like, “I must have done that a half dozen times.”
How someone talks is also an area where you should restrict your personal judgments. Some people are close talkers, some are whisperers, some are touchers—if you are not, you need to allow a person freedom to talk the way he or she is comfortable and then mirror it.
Matching Your Target’s Body Language
Matching body language is a very interesting avenue of rapport building mainly because it can work to create very strong bonds but at the same time it can kill all your rapport in a matter of seconds in the case of a mismatch.
If you notice someone standing a certain way, maybe with both arms crossed, don’t assume she is shutting you out—maybe she’s just cold. Can you cross one arm across your body to mirror her stance, or fold your hands into a steeple?
When sitting across from someone who is eating a meal you can take a few sips from your drink while he eats to mirror him. Don’t do everything he does, but make similar actions.
People like people who are like themselves. That is just human nature. It makes them feel comfortable. Bill Philips was the genius behind the Body-for-Life program that changed the way workout programs were developed. He promoted something that was heavily tied to the mirroring principle. If you are fat and you only hang out with fat people, the chance of your changing is slim to none. Why? The answer is that you are comfortable with being fat and with people who are also comfortable with it. If you want to change, then hang out with skinny people and a mental change will quickly happen.
This principle is the same in social engineering. You don’t want your targets to make a change, so you need to be like them. You want them to feel good with you.
Testing Rapport
Using these alternative rapport-building techniques as well as matching energy levels, facial expressions, and the like can build strong rapport on a subliminal level.
After trying some of these tactics you can test your rapport by making a movement, like scratching your head or rubbing your ear, and if in the next minute or two you see your target make a similar movement you probably have developed some strong rapport.
These techniques can work wonders in many parts of your life when developing, building, and starting relationships with others. Learning how to use the psychological principles included in this chapter can make a huge difference in your social engineering practice.
For years, there has been a myth that the human mind can be overwritten like a program. Is it just a myth? Can the human mind be mastered?
The next section reveals some of the most mind-blowing information in this book.
The Human Buffer Overflow
A glass can only hold so much liquid. If you have an 8-ounce glass and you try to pour 10 ounces of liquid into it, what will happen? It will overflow and spill all over the place. If you try to force the container to hold more liquid than it is meant to you can eventually break the glass due to pressure.
Computer programs work in a similar manner. Imagine you have a small program that has only one purpose and two fields: User Name and Password.
When the program opens you see a little screen where you type in admin in the User Name field and password in the Password field. A little box appears that says “OK,” signifying all is good.
The developer allocated a certain amount of memory space for the User Name field, enough to hold the word admin a couple times. What happens if you put 20 A’s in that field and click OK?
The program crashes and gives you an error message. Why? The input entered is longer than the allocated space and without proper error handling the program throws an exception and crashes.
The goal of software hackers is to find the address that the program will call upon in a crash and insert malicious code into that address. By controlling the execution flow the hacker can tell the program to “execute” any program he desires. He can inject commands of any type into the memory space of that program because he now controls it. As a penetration tester few things are more exciting than seeing a program execute commands you tell it to.
The human mind runs “software” and over the years you build instruction sets, buffers, and memory lengths into your “software package.”
Before applying this to the human mind, definitions of a few technical terms are necessary. A buffer is an area of space that is given for something to happen or to hold data. As in the simplistic glass-of-water example, the password field is given a buffer, which is the number of characters that it is allowed to have. If a larger number than the buffer is entered the programmer needs to tell the program to do something with the larger than necessary data set.
If he doesn’t, the computer crashes and your program shuts down. Often what happens in the background is the program didn’t know what to do with all the data so it overflowed the allocated space, crashed the program, and exited. Hence the term buffer overflow.
The human mind works in a similar way. Space is allocated for certain datasets. If a certain dataset does not fit the space we have for it, what happens? Unlike a computer, your brain doesn’t crash, but it does open up a momentary gap that allows for a command to be injected so the brain can be told what to do with the extra data.
A human buffer overflow is basically the same principle. The goal is to identify a running “program” and insert codes into that program that will allow you to inject commands and in essence control the movement of thought to a certain direction.
To test this concept, take a look at a very simplistic example (see Figure 5-15).
Because the picture in this book is black and white, I have put a color copy up on the website at www.social-engineer.org/resources/book/HumanBufferOverflow1.jpg.
Here is the gist. Open that URL, and then as fast as you can try to read the color of the word, not what the word spells.
Figure 5-15: Human buffer overflow experiment 1.
This game is not as easy as it looks. If you successfully get through it, then try to do the exercise faster and faster. What will happen to most, if not all, of us, is that at least once you will read the word and not the color, or find yourself struggling through it.
Why do we have such a hard time with this exercise? It is because of injected commands. Our brains want to read the words not the colors. It is the way the human mind is wired. Our brain sees the color but it reacts to the word being spelled first. Therefore, the thought in our minds is theword not the color. This exercise shows that having “code” execute in the human brain that might be the opposite of what the person is thinking or seeing is possible.
Setting the Ground Rules
In a paper entitled “Modification of Audible and Visual Speech” (www.prometheus-inc.com/asi/multimedia1998/papers/covell.pdf) researchers Michele Covell, Malcolm Slaney, Cristoph Bregler, and Margaret Withgott state that scientists have proven that people speak 150 words per minute but think at 500–600 words per minute. This means that most people you talk to can jump around your conversations in their heads. So overflowing the brain through fast speech seems almost impossible.
You must also understand how people make decisions in life. People make most of their decisions subconsciously, including how to drive to work, get coffee, brush their teeth, and what clothes to wear without really thinking about it.
Have you ever driven all the way to work and when you get there, you can’t remember what billboards you passed, what route you took or that traffic accident on the news? You were in a state of mind where your subconscious took over and did what you always do without you consciously thinking about every turn.
Most decisions people make are like this. Some scientists even believe people make decisions up to seven seconds earlier in their subconscious before making them in the real world. When people finally do make a decision consciously they do it from more than just what they hear—sight, feelings, and emotions become involved in the decision.
Understanding how humans work and think can be the quickest way to creating a buffer overflow, or an overflow of the natural programs of the human mind so you can inject commands.
Fuzzing the Human OS
In actual software hacking, a method called fuzzing is used to find errors that can be overwritten and give control to a malicious hacker. Fuzzing is where the hacker throws random data at the program in differing lengths to see what makes it crash, because it cannot handle the data. That gives the hacker a path to inject malicious code.
Just like fuzzing a program, you must understand how the human mind reacts to certain types of data. Presenting people with different sets of decisions or different sets of data, then seeing how they react can tell us the “programs” they are running. Certain laws in the human mind seem to be inherent that everyone follows.
For example, if you approach a building with two sets of doors (one outer and one inner) and you hold the first set open for a complete stranger, what do you think he will do next? He will either hold the next set open for you or make sure that set stays open until you get inside.
If you are in a line of merging traffic and you let a complete stranger merge in front of you, most likely if you needed to merge later on he would let you in without even thinking. Why?
The reason has to do with the law of expectations, which states that people usually comply with an expectation. Decisions are usually made based on what that person feels the requestor expects him or her to do. One way you can start sending your malicious “data” to the brain program is called presupposition.
By giving the target something first, the request you make next will be “expected” to be followed. A simple example for you to test is with the doors. Hold a door for someone and most likely that person will at least make an attempt to ensure the next set of doors is open for you. A social engineer can do this by first giving the target a compliment or a piece of information they deem valuable, before the request is made. Giving that over first creates in them the need to comply with a future request as it is expected.
Presupposition can be described best via an example:
“Did you know my next door neighbor, Ralph, always drives a green Ford Escort?”
In this sentence you presuppose:
· I know my neighbor.
· His name is Ralph.
· He has a driver’s license.
· He drives a green car.
To use presupposition effectively you ask a question using words, body language, and a facial expression that indicates what you are asking is already accepted. The basic gist of this method is to bypass the “firewall” (the conscious mind) and gain access directly to the “root of the system” (the subconscious). The quickest way to inject your own “code” is through embedded commands, discussed next.
The Rules of Embedded Commands
Some basic principles of embedded commands make them work:
· Usually the commands are short: three to four words.
· Slight emphasis is needed to make them effective.
· Hiding them in normal sentences is the most effective use.
· Your facial and body language must support the commands.
Embedded commands are popular in marketing with things like:
· “Buy now!”
· “Act now!”
· “Follow me!”
In a real buffer overflow, exploit writers use padding, which is a method of adding some characters that do not interrupt the execution but allow a nice little “landing pad” that leads to the malicious code. Social engineers can utilize phrases that are like padding, to help the next command have a soft place to land when it is injected, such as:
· “When you…”
· “How do you feel when you…”
· “A person can…”
· “As you…”
All of these statements create an emotion or a thought that allows you to inject code into the subconscious.
Many examples of embedded commands exist, but here are a few to ponder:
· Using quotes or stories: The brain tends to process stories differently than other information. Some of the greatest teachers who have ever lived—Aristotle, Plato, Gamaliel, Jesus—all used stories and illustrations to teach those listening to them. Why?
The unconscious mind processes stories as direct instructions. Bandler, one of the fathers of NLP, taught that NLP practioners need to learn to use quotes. He knew the power of stories or quotes would give the speaker power over the thinking of his listeners. Reading quotes, using quotes, and then embedding commands into quotes can be a powerful use of this technique.
For example, in one situation I needed to manipulate a target to give me an old password so I could “change” it to a more secure password. My pretext was a support rep and they automatically questioned why there was a need to change old passwords. I used something like, “A recent study by Xavier Research Inc. stated that 74% of the people use weak passwords in corporate America. That is the reason we launched a program to change the passwords corporate-wide. I will perform that password change for you; I need for you to give me your old Windows password and then I will make that change now.” By quoting a research facility it added weight to my words about why this change had to occur.
·Using negation: Negation is much like reverse psychology. By telling the target to not do something too much, you can embed a command into the sentence. For example, if I tell you “Don’t spend too much time practicing the use of embedded commands,” I can slip the command “practice the use of embedded commands” into my sentence. I also can presuppose that you will practice it to some extent, and if you are stubborn you might say, “You can’t tell me what to do, I will practice all I want.”
Telling a person that something is not important or relevant makes his unconscious pay extra attention so he can determine whether it is relevant or not. You can embed commands in negative sentences like the earlier example that will leave the listener no option but to take action.
·Forcing the listener to use his imagination: This method works when you ask the listener a question, using phrases such as “What happens…” or “How do you feel when…,” for which he must imagine something to answer it. If you ask, “What happens when you become rich and famous?” The listener has to internally imagine the time he might be rich and famous to answer that question. If I ask you, “What happens when you master the use of embedded commands?” I am forcing you to imagine becoming a master and how you will feel when that happens. Think of it this way: If I tell you, “Do not imagine a red cow,” you have to picture a red cow first to tell yourself to not think about it. Your unconscious mind is responsible for interpreting each word in a set of commands into something it can represent and then give meaning to.
By the time your brain has understood the sentence, your unconscious has imagined it. The unconscious mind processes statements directly, with no regard to the context. The other great part is that the unconscious can track body language, facial expressions, voice tones, and gestures, and then connect each of them to the message being spoken. While it is connecting the dots, so to speak, the unconscious mind has little option but to comply if an embedded command exists.
What’s important when using embedded commands is to not mess up your tones. If you overemphasize the words then you will sound odd and scare the person off instead of embed commands. As with a software buffer overflow, the information must match the command you are trying to overflow.
Summary
As you probably have already imagined, embedding commands is a vast field with a lot of room for error. You must practice to be very successful at it. Although I do not promote using this information for seduction some decent videos exist about seduction that show how embedded commands can work.
Using these principles can create an environment where the target is very receptive to your suggestions.
Just because you tell the person, “You will purchase from me” does not mean he always will. So why use these commands?
It creates a platform to make social engineering easier. Using these types of commands is also a good lesson for companies you work with to educate them about what to look for and how to spot someone who may be trying to use this type of social engineering tactic against them.
If you were to write out this principle of embedded commands as an equation, you could write it this way:
Human Buffer Overflow = Law of Expectations + Mental Padding + Embedded Codes.
Start a conversation with a target using phrases, body language, and assumptive speech. Presume the things you ask for are already as good as accomplished.
Next, pad the human mind with some statements that make embedding commands easier, while at the same time embedding the command. In essence this is the equation for the human buffer overflow. Use this equation sparingly, but practice a lot before you attempt it. Try it at work or home. Pick a target at work that might not normally comply with simple requests and try to see whether you can get him to serve you coffee: “Tom, I see you are heading to the kitchen, will you get me a cup of coffee with two creams please?”
Escalate your commands to larger tasks to see how far you can get. Try to use this equation to get commitment from people. Eventually use this equation to see how much information you can get and how many commands you can inject.
This chapter covered some of the deepest and most amazing psychology principles in social engineering. This chapter alone can change your life, as well as your ability as a social engineer. Understanding how people think, why they think a certain way, and how to change their thoughts is a powerful aspect to being a social engineer. Next on the docket: how to influence your target.