Social Engineering Psychological Tactics
This material was developed with funding
from the National Science Foundation
This work is licensed with a
Creative Commons Attribution 4.0 International License
Reciprocity
Receiving a gift triggers a neurological response in the areas of the brain associated with decision-making. Humans hate to feel indebted to others, so it is a natural response to want to repay a favor.
Simon frequently purchases products at Amazon. When he receives an email offering him a gift card, he is excited because now he can purchase a new video doorbell to safeguard his house. Little does he know that Boris has orchestrated the whole thing.
Congratulations! You have qualified.
Please log in to your Amazon account.
One of the reasons that social engineering is so effective is that it takes advantage of the social nature of people. Hackers know that our decision making is highly influenced by others. They also know that we are bombarded with a lot of information and that we look for shortcuts to save time. The Science of Persuasion describes six strategies that make people say “Yes”. Hackers use these tactics to their advantage when trying to persuade others to provide information or to take a specific action.
Hello Simon,
In order to increase productivity, there is a tool attached that you need to download and install on your system to enable you to work remotely.
Regards,
Sam Snell
General Manager
ABC Industries
I will take care of this right away.
Authority
We tend to follow the lead of credible experts such as teachers, bosses, doctors, and political leaders. When Simon receives the email from his boss, he wants to take the initiative and complete his boss’ request. Unfortunately, Simon does not realize that in the background, malware is downloading that will enable Boris to steal the company’s data.
This email is from Sam, my boss.
Hi Simon. Thank you for helping the group stay on task. You are doing a great job.
I am stuck at home cuz I am sick. I accidentally locked myself out of my account.
We are influenced by those that we like. We also like positive reinforcement. If you receive a compliment from someone, you tend to stay engaged so that you receive more positive reinforcement.
Simon is working on a group project that has a firm deadline. He thinks he is receiving a text message from one of the group members, Nora.
Liking
Thanks, Nora
Dear valued customer,
Trusted Bank has recently merged with First National Bank. To ensure that your account information is correct, click on the link below within the next 24 hours to prevent your account from being deactivated.
http://www.trustedbank.com/gen/custverify.asp
I better take care of this right away.
Scarcity
Scarcity is a belief that something is in short supply or almost gone. It is human nature to place a higher value on something that is in limited supply or that has a time constraint attached to it.
When Simon receives the email from his bank, he becomes very concerned that his bank account will be deactivated. Is it a common practice for a bank to contact customers by email to ask for login credentials?
Social Proof
When people are unable to determine the appropriate behavior on their own, social influence can lead large groups to conform in the choices they make. People will do things that they see other people doing. Since we are social by nature, we feel that it is important to conform to the norms of a social group. We will often look around us to see what others are doing before making up our mind. The key here is that Boris establishes a false frame of reference.
Glad I caught up with you. Last time I was here, Jose and William in Sales let me in.
Meet Boris. He is a member of a hacking team charged with gathering information from potential targets.
Click to continue
Meet Simon. He is starting his new job today at ABC Industries.
Simon is the unknowing target of an intelligence collection operation that Boris is conducting against ABC Industries.
Oh no.
I don’t know Nora. We’re not supposed to share our credentials.
Can I use your user name and password so I don’t miss this next deadline?
I am desperate—I promise to delete this text so no one will know.
You have done such a great job on this project. I would hate to miss a deadline.
OK, as long as you delete the text. My user name is Simon.Jones and my password is 51M0n67!
We want to be consistent in our behavior, and we value consistency in others. If you make an initial, small commitment, you will have a strong desire to stand by that commitment.
Boris' goal is to try to get Simon to divulge information.
Hello. This is William Cass at Cass Industries. I am having an issue navigating your new web site. Would you be able to assist me?
Consistency
He is very confused.
Boris also needs to remain consistent in what he asks for. By starting off small, he hopes that Simon does not notice how his information gathering is escalating.
Three days later...
Hello. This is William Cass at Cass Industries again. Sorry to bother you, but I need help to reset my user name and password at your web site.
Because Simon made the initial commitment to help his customer, he has a strong desire to stand by that commitment to provide continued customer service.
This is exactly what Boris hoped for.
One week later...
This is William Cass. Your web site is #%*#* &!%^@&!! Your company collected payment and didn’t even deliver. I want to verify my account information NOW!
All right, Mr. Cass. I am not supposed to do this over the phone, but since you have had continued issues...