Thursday, July 8, 2010

Learn about the psychology that phishers use to try and fool us


Last week, a good friend of mine and marketing director for a local ISP called. Before I had a chance to say hello, I heard some excited talk about my needing to read Dr. Robert Cialdini's book, Influence: The Psychology of Persuasion. More than somewhat baffled, I asked why.

She suggested that the professor's "Six Weapons of Influence" would be invaluable to phishers. Smelling an article, I downloaded the book to my iPhone. It was perfect timing, as my trip to the TechRepublic conference began the next day and I could read it during the flight.

Entranced by the book, I began to understand what my friend meant. I have fallen prey to one or more of Dr. Cialdini's Weapons of Influence. Once I got back home, I started checking to see if there were any existing research correlating social-engineering techniques with the professor's principles.

Social engineering and influence

I came across a post titled, "Social Engineering and Influence by Dr. Cialdini." It was written by K.K. Mookhey, founder of Network Intelligence, a company specializing in penetration testing and security audits. What makes the post appropriate is how Mr. Mookhey applies Dr. Cialdini's Six Weapons of Influence to specific pen-test/exploit techniques. I realized there and then that I needed to pass this information along. Here are Dr. Cialdini's rules and how Network Intelligence applied them:

Rule of Reciprocation: This rule says we all will try to repay, in kind, what another person has provided us. Dr. Cialdini uses the example of greeting cards. It's a pretty good bet, if you send a holiday card to someone, you will receive one back.

  • Exploit: Network Intelligence mentions that reciprocation is one of their most successful tools. They are able to obtain sensitive information about systems and the network by providing the targeted person with something they want, especially if it's considered a gift.

Commitment and Consistency: Dr. Cialdini mentions: Once we make a choice or take a stand, we will encounter personal and inter-personal pressures to behave consistently with that commitment. For example, a person betting at a race track will be much more confident about their choice after placing the bet.

  • Exploit: Network Intelligence counts on this tendency when they pose as auditors. The first step is to gain the confidence of employees they are interviewing. Once that happens, the employees will likely provide more information than they should.

The Principle of Social Proof: Dr. Cialdini states: We view a behavior to be more correct in a given situation to the degree that we see others performing it. I do this all the time. When I was in Sweden recently, I ordered the same meal that everyone else did at the restaurant.

  • Exploit: How are social-networking invites from an unknown person to be handled, especially if that person has links to people I know? Do I allow the link, even though I do not know anything about the individual? According to Dr. Cialdini, it is highly likely that I will, and that's what Network Intelligence and the bad guys are counting on.

The Principle of Liking: Not a difficult principle to understand: we prefer to say yes to requests from someone we know and like. Dr. Cialdini mentions in the book that a Tupperware party makes use of all six principles, but best exemplifies the Liking Principle. People attending the party aren't buying from Tupperware. They are buying from the host of the party, because they are friends.

  • Exploit: When trying to leverage information out of people, Network Intelligence will send their most charming and personable team members because of this principle.

The Principle of Authority: Dr. Cialdini bases this rule on the Milgram experiments. Experimenters found that people were willing to inflict pain on others if given the authority. Dr. Cialdini feels this principle works because: Once we realize that obedience to authority is mostly rewarding, it is easy to allow ourselves the convenience of automatic obedience.

  • Exploit: Network Intelligence uses fake letters of authority and team members that present themselves as having every right to be there.

The Principle of Scarcity: We all understand this principle. Dr. Cialdini uses collecting as an example: Collectors of everything from baseball cards to antiques are keenly aware of the influence of the Scarcity Principle in determining the worth of an item. As a rule, if it is rare or becoming rare, it is more valuable.

  • Exploit: This is probably the most popular exploit, because time is used as the scarce commodity. Social engineers at Network Intelligence have found emphasizing that time is running out will get people to comply, even though it violates company policies or their own sensibilities.

The Real Hustle

During my research, I came across a U.K. television show called The Real Hustle. It caught my attention because I recognized that many of the principles in this article were being used. For example, one episode titled, "Extreme Social Compliance" employs several Weapons of Influence. Let me know if you recognize them.

Final thoughts

The Six Weapons of Influence are somewhat obvious, but it doesn't hurt to reinforce how effective they are. Then, when you get that suspicious email, look and see which principle they are trying to fool you with.

