the actions that the target of the engineering takes
may not be in their best interest.
Going back to the idea of what I said earlier,
the human voice is the original social engineering tool.
Maybe there were some cavemen wandering around looking for food, and one convinces the other one, Why don't you go in the cave and see if there's
any food left over from that bear that just dragged in, you know, its kill from the day before?
The first person doesn't want to go there. Afraid, perhaps,
but they tricked the other person into doing it. Well, if you go in there and you find some deer meat, I'll give you, you know, you can have most of it. I just want a little bit.
getting something for nothing, right? These were some of the techniques
that this social engineer might try
in the modern day and age. It could be that if you help me out, I'll tell your boss you did a great job
or could be, if you don't help me out, I'm gonna complain to your boss and get you in trouble, right? That can go both ways,
so it's important to think about all the different aspects of our communication.
If we think about the psychological manipulation aspect, this is especially important
if you think about a skilled sales person or a skilled politician, for that matter.
They're trying to get information across which may not match their body language and may not match their physical,
uh, expressions on their face.
The words may not seem to match with what they're doing,
and typically a person who's paying attention notices these things.
So someone is, for instance, telling you something, which is bad news. But at the same time they're smiling,
right? That seems strange. That shouldn't be happening
unless that person is enjoying the fact that they're giving you bad news, which could be the case.
Or perhaps someone is communicating with you and they're telling you something, and they are fidgeting. They're tapping, hopping from foot to foot, and their eyes are darting around.
That tells you that they're nervous. Maybe what they're talking about isn't something that should make them nervous, but they might be nervous anyway because perhaps they're lying. Perhaps they're trying to trick you and they can't stop their body from reacting to that stress,
so they might have sweaty palms. They might be fidgeting with their clothing, touching their lapel, playing with their ear. These are all what are called tells, when a person might be
They're not guarantees to detect a lie, but most people will notice that and think that something is not quite adding up.
Body language, facial expressions. These could be used to also help the engineer. If you're smiling when you're talking,
it kind of comes across in your tone. You sound like you're a genuinely happy person.
It helps when you smile when you talk on the phone. Most
phone telemarketers will tell you that
it helps when you're smiling. When you're talking to your target, they look at you and think, Well, that person's pretty friendly. They must like me, they're smiling at me.
They might lower their guard. It might help the engineer get there, get closer to the information that they're trying to elicit from that target.
But we can also do things like misdirection.
You say one thing, you do another.
An example might be,
you know, telling someone something instead of asking them
or another common technique is
you ask someone a question
and they say, No, I don't think that's true. Right, they're nodding their head yes, but they're saying no. That's a mild form or minor form of misdirection.
Or maybe you're shaking your head no while you're answering something yes. That tells the other person,
in their mind, they're thinking the answer is no, but their words convey the answer yes.
that misdirection might be noticed. It might not be. It depends on how skilled
the social engineer is.
You can practice in front of the mirror.
Facial expressions, especially might require some practice, you know, knowing how to show the difference between boredom
right? All these things have their own roots deep in our human psychology.
If you can't portray the facial expression correctly to match your words and your actions,
most likely the target will detect this and become uncomfortable, become a little bit suspicious.
So it's an important
consideration to take.
We also have the concept of emotional hijacking.
This means that you are trying to manipulate
the target into an emotional space or an emotional corner, if you will,
and then try to find a way to give them a lifeline to pull them back out.
And usually that lifeline is information that the social engineer wants.
You could first try the authority approach.
You know, you call your target up. You say,
I am, you know, Jim Smith. I'm the assistant to the vice president of the bank. I need this report
completed today, but I can't do it because I can't get into my computer. I need you to help me reset the password.
Oh, I'm sorry. We can't reset the password until you prove your identity. No, you do understand. This has to be done right now. If you don't help me, I'm gonna have to call my boss. He's gonna call your boss. You're gonna get in a lot of trouble. You're probably gonna end up with, you know, a meeting with your boss where he's gonna be very upset because I didn't get this done on time.
So there's a subtle bit of intimidation there. You're trying to force the person into a corner,
and then they say, Well, you know, okay. Well, what if I help you? You know, what is that gonna do for me? Well, if you help me, I'll tell your boss, or I'll tell my boss to tell your boss, that you did a fantastic job helping me out in my time of need.
He's gonna give you a great recommendation that's gonna go in your file. You're gonna look good to your boss. Maybe that'll help you get a raise. Someday you could see how that could play out. I'm giving a very short example.
But the skilled social engineer might come up with a much more elaborate story to make that person feel like they've got no choice but to help.
If we consider social engineering attacks, we look at the news, we follow these kinds of stories. We know that very many people in different organizations are victims of these kinds of attacks.
Look at Edward Snowden, for instance.
He was able to socially engineer his fellow employees at the NSA, of all places.
Those people should have known better.
He tricked them into giving him access to information that was classified that he didn't have access to
by his own admission. That's what he said he did.
I don't know what happened to those employees that gave up the information. They probably got
into some sort of trouble,
but he was obviously very skilled at creating a level of trust.
And he probably used appropriate language and body language and facial expressions to make them think it was no big deal. Hey, you know, I used to have access to this, but it went away. Can you help me out? Can I get this document from you? Whatever the scenario might have been. If you were to ask random people for information, you know, on the street,
sometimes people will tell you things that they probably shouldn't.
Or if you perform a function where you're asking people to take a survey,
you might be able to get them to give you their first name, their last name, maybe their birth date.
Perhaps you could even trick someone into giving you their social security number, their driver's license number.
All these are little clues, little pieces of info, which could be useful for not only something like identity theft. Obviously, hackers do this,
but for social engineering. You're getting clues to help build up a profile of this individual or their organization that they work for
in order to perpetrate your social engineering pen test
or a social engineering audit.
Pen testing, or social engineering pen testing, can bypass physical security in many cases. As I mentioned, I used the example of a dumpster dive,
but it doesn't have to be that you're physically there. You could
penetrate physical barriers because they're not stopping you from using the phone or from talking to somebody outside the building.
So some of those things might be useful for certain scenarios.
If you look at some categories for social engineers, we have things like your average citizen, right? Mom and Dad have to talk to their kids,
trying to convince your children to do something and make them feel like it's their idea. That's the ultimate goal of any parent, right? That way the child does the required behavior without feeling like they're being bossed around by Mom and Dad.
But average people talk to their friends, their family. They might be social engineering someone without even realizing it, because it's just a natural part of how humans communicate.
What about governments?
Recruiters, in the sense of a job recruiter? Sure, but what about someone trying to recruit you to do something that you don't necessarily want to do?
Join a club, join the military, maybe.
Governments social engineer their citizens. They try to sell them on a certain idea, and then really, something else happens. But their body language, their facial expressions, they're smiling when they say these things. People believe it.
And then later they find out, Well, that wasn't quite true, the way it worked out.
It's just a reality of life in this country and many other countries.
Social engineering happens at the highest levels. We have scam artists and posers. These are obvious people that will try to trick you out of giving them money or doing something for them. Usually you meet these kinds of people in bars or on the street, or it's some other place where you don't expect to be scammed like the grocery store
There's legions of these people operating all over the world, and they have been for thousands of years. There's nothing new about this.
These molds most likely would be the victims of social engineering rather than the people performing it. But they could be performing it as well.
Maybe they're upset that their boss passed them over for a promotion. So they try to learn enough information to embarrass that person.
That could be a form of social engineering.
You're gonna quit the company anyway, they might think. Well, I'm not gonna get in trouble. I'll uncover some information about my boss that I don't like,
uh, put that information out into the public and then I'll quit my job. Right? That happens. Sometimes people do these things. It might be a petty form of revenge, but it does provide the social engineer with some gratification. Why did they do it, right?
Identity thieves. This is their bread and butter. Social engineering is how they find victims, how they trick the victims and otherwise get information in order to steal their identity, to open up
credit cards or whatever the case might be.
Spies: this is also their bread and butter. Every day, they have to think about maintaining a persona, maintaining
their profile, their facts, keeping their stories straight.
It's a very stressful job, obviously, so they have to become very practiced at many of the techniques that we'll talk about in this course.
We also have pen testers and hackers.
This course is designed obviously, for pen testers.
You could use this information to do bad things as well. That's the case with any kind of pen testing technology,
but what we're focusing on is
social engineering from a pen testing perspective.
If you use these techniques for bad purposes, eventually that may catch up with you. If you break the law, you'll have to pay the price. So be careful how you use these tools. With great power comes great responsibility.
All right, So who are natural Social engineers?
Children? Top of the list, right?
Mommy, can I go out and play? Why don't you go ask your father?
All right, that's a typical response. The child goes and asks, Dad, Mom said it's okay if I go out and play, if you say it's okay.
Now Dad has an incentive to want to agree, doesn't want to appear to be disagreeable with Mom,
so he might agree and give the child what they want.
And, of course, children at a very, very young age will figure out which parent is more likely to say yes,
and then they'll try to use that parent's yes to get a yes out of the parent that's most likely to say no.
I'm sure I did this when I was a child. You want ice cream? You want cookies, you want to go out and play. You want a new toy.
You find a way to maneuver around your parents' different personalities in order to make that happen. It's very common, and it's natural. It's normal.
People that are looking for jobs.
They might have to do some social engineering
in order to get the right information out of the potential employer or recruiter
or their fellow coworkers,
trying to learn, What skills do you think are most valuable? What is it that you've been learning
to make yourself more marketable?
Those are elicitation methods, perhaps.
Then we have people that are hanging around in bars. Uh, this is a good category of social engineer because there's lots of parlor games, if you will. People that will make bets knowing that the game is fixed. You know, doing three-card monte, any number of those kinds of activities
are forms of social engineering because you're trying to trick somebody into doing something that they wouldn't do
by making it look fun, making it look like they might win some money. And really, what you want is the money that they're willing to bet, which goes in the scam artist's pocket.
It doesn't necessarily go to the victim. People that are in sales and marketing: they were born to social engineer. This is what they're made to do. If they're good at it, they could become very successful salespeople
because they can look at a target,
read their body language, read their attitudes, listen to their words, read their facial expression,
and they figure out how to adapt and how to modify their technique in order to enhance their chances of making that sale.
If you're an interrogator or someone running a polygraph machine,
maybe you've got some techniques that you need to use in order to get information out of the person that's being interrogated or who's going through a lie detector test.
The questions that are asked, the way they're asked, the way they're framed,
the elicitation techniques: all these have their impact on the eventual result of the pen test or audit.
Or, in the case of some of these people, has the end result on how they do their job.
People that are good at this could be very successful.
So in a general sense, why is social engineering performed? I've been talking about pen testing reasons.
So if you're trying to find vulnerabilities in an organization, maybe their physical security is a vulnerability, maybe their security awareness program is not very good.
And a social engineer can find those holes, find those gaps
get information that they shouldn't be able to access in order to prove that there's a need for improvement.
If you're defending against
social engineering, your organization in general, you've got many people defending against many
hackers or social engineers.
If you're performing it, if they're on the offense, then it's one-to-many: one engineer potentially interacting with many different individuals in order to get the information that's desired.
As a human nature aspect, we'll always try to look for
the path of least resistance to get something. They're looking for shortcuts, looking for an easy way out.
impetus, if you will, to do social engineering. You might not think to yourself, Well, I'm gonna socially engineer myself into a better
But it might work out that way. You're maneuvering. You're saying certain things to certain people, doing certain favors for other people, trying to build a reputation, trying to build up a rapport, and that could be later exploited in order to get what that person wants.
And, of course, if you're practicing
social engineering techniques because you're doing a fantastic about two, you need to work with your family and friends and just
don't tell them that you're practicing. But just do the practicing.
Talk to your mother, talk to your brother, talk to your best friend, whatever it is,
and just practice a few techniques. It's harmless because maybe you already know that you trust this person. They trust you. You're not using the information for a bad purpose, but it gives you the advantage of having more experience before you attempt it on a live target.
What are the goals of social engineering? What is it you're trying to achieve? It could just be entertainment,
right? The person that's doing this, maybe they have a large ego. They want to satisfy or gratify that ego
so they do it just because it's fun for them to trick someone into doing something that they didn't want to do. They stand back and watch their target
make a fool of themselves, perhaps because the social engineer made them think it was a good idea.
Some people get their kicks that way. Those are not very nice people, in my opinion. But that happens.
It could also be that you're trying to
do what's known as social climbing, right? People that are
maybe they come from a blue collar background, but they want the lifestyle of the rich and famous
so they might socially engineer their way into a group that contains some wealthy people, hoping to find targets within that group that they can use to leverage access to other people that have money and
a lifestyle of leisure. That might be what they're after, and they can find a way to trick
people into letting them into that inner circle.
That's a form of a scam artist type activity, but it makes sense if we think about it in a social engineering context.
Some people just want the knowledge and power that comes from being able to size up a situation and say the right thing or do the right thing to get something for your effort.
And that could feed back into the ego gratification that I mentioned earlier.
But it could just be that you want this knowledge and power because it advances your agenda to do something else. Maybe you've got a social cause that you're trying to promote
and social engineering techniques can help that
or it could just be they're trying to make money, the good old-fashioned motivator of dollars and cents. That goes a long way to get people to do something that they know is wrong and know is illegal. But it's easy for them, so they do it anyway because they can make money.
It's a good motivator