How Social Engineering Exploits Work

Man

Social engineering is used in complex pentests often, and often successfully, but by understanding the principles of psychology and writing the scenario around them you can significantly raise the percentage of successful interactions. In this article we will analyze the main tricks and the reasons why they work.
"Eternal entry point!", "So many percent of attacks start with social engineering!", "You can't underestimate the capabilities of phishing!" are all extremely hackneyed phrases in information security. But what actually matters for an effective penetration?

Opinions differ here. "The main thing is creativity, this is social!", "No, the main thing is a good payload, macros, exploits in MS Office, and someone will open the document". And someone will definitely add: "Guys, don't bother! We send out OWA, they will enter passwords, and we'll get going with accounts and mail".

Both parts are important, the "social" and the "technical"; in my opinion, that should be clear from the term itself. But while the technical side is usually fine (exploits get written, workshops get run), the "social" side has problems. Systemic ones.

Have you ever seen any other type of pentesting approached the way the social part of social engineering is? Unsystematically, and often just repeating what more experienced colleagues have already done before?

Just imagine: fuzzing a field without understanding how it works or why it responds the way it does, simply waiting for something to happen, because everyone does it.

Many hackers don't have very good social skills in everyday life, which is why they gravitate towards technology. And here you have to leave your comfort zone even more. Someone else at this point tries to brush it off and say: "Psychology is not a science!"

Disclaimer. If you think that psychology is not a science, then this article is not for you.

Everyone else is welcome!

The basis of social engineering is the psychology of influence. But although psychology is a science, there are many pseudoscientific trends around it: NLP, physiognomy, dubious techniques disguised as the psychology of sects, and much, much more. Therefore...

Disclaimer 2. The author of the article relies exclusively on theories, studies, and publications accepted and tested in the scientific community. And also analyzes his own experience of social engineering through the prism of such theories.

This foundation rests primarily on the research of social psychologists of the 20th and 21st centuries, as well as recent foreign and Russian studies on susceptibility to fraud.

Evolutionary Legacy

Imagine an application with some API that has been evolving for many, many years, but no one has ever rewritten it and only added more and more new features. Developers and tasks changed, so no one fully understands what kind of legacy code is there. No one got into the old features, no review was done, they just wrote new ones when the need arose. The hardware was also not upgraded, and in order to maintain efficiency, it was necessary to add optimization by skipping some checks. A kind of "speculative execution".

This application is our brain, developed in the process of evolution.

Often the most vulnerable are the mechanisms that our ancestors used to survive at the earliest stage of the formation of human society. We cannot completely get rid of this legacy, we can only try to control ourselves, closing access to them at a higher level of thinking, but deep down, every person is vulnerable.

Who is more vulnerable?

When you read the media, it seems that pensioners are the most vulnerable. But this is only because stories about a deceived grandmother evoke the greatest emotional response, so they are used in the media.

In fact, here are Europol statistics on victims of fraud who contacted the police:
  • 18–34 years old – 27.7%;
  • 35–54 years old – 23.4%;
  • 55–64 years old – 21.7%;
  • 65+ years old – 18.5%.

But many people don't go to the police, right? So let's look at the statistics obtained from the hard drives of the server of the former fraudulent call center in Berdyansk:
  • 20–29 years old – 23%;
  • 30–39 years old – 44%;
  • 40–49 years old – 19%;
  • 50–59 years old – 12%;
  • 60+ years old – 2%.

The numbers differ, but neither set favors the young.

Age does not increase the likelihood of being defrauded; if anything, the opposite.

Level of cognitive ability? No effect either.


A joint study of several American universities with the participation of 1,220 people did not find a correlation between the level of cognitive abilities and the likelihood of becoming a victim of fraud.

Separately, it is worth recalling the case of 68-year-old particle physicist Paul Frampton, a Nobel Prize candidate. Through a banal dating-site scam he was induced to try to carry a suitcase with two kilograms of cocaine across a border. Unsuccessfully, as far as he was concerned.

Are security specialists the most "resistant" to social engineering? Not quite.

On the one hand, those of us who are interested in social engineering pay attention to such techniques, and it is easier for us to notice them. On the other hand, we are to some extent "blinded" by the overconfidence effect: we are convinced that we will definitely see through everything and that it will not work on us. This is a well-known cognitive bias that shows up in many professions. For example, according to statistics:
  • experienced drivers are more likely to have serious accidents;
  • experienced swimmers drown more often;
  • experienced electricians are more likely to be injured by electric shock.

Conclusion: social engineering can be used to effectively attack any social groups, it is only important to create suitable scenarios.

We will talk about scenarios later.

Vulnerable optimization

Our brain capacity has not changed for several thousand years. Imagine that a farmer from Ancient Greece had exactly the same brain. But the amount of information he processed daily is nothing compared to the modern workload. And thanks to progress, it is growing much faster than our “hardware” can evolutionarily adapt.

How does our brain cope with this? It uses an optimization mechanism developed many thousands of years ago: stereotypical sequential behavior (SSB). SSB lets us make decisions without analyzing the situation, based on past experience and some provoking factor. This saves a great deal of resources, moves routine processes into "background mode" and lets us think about something else at the same time. It is the short path of information processing, while analysis is the long one. Such optimization repeatedly helped our ancestors and saved lives in situations where there was no time for analysis. Evolutionarily, it pays off!

Automatic, stereotypical behavior prevails over all other behaviors because it is energy-saving and the most effective in most cases. It allows you to save the limited resources of the brain.

It cannot be expected to analyze and think through every aspect of life, every event, situation and contact, even within a single day of any of us. It quickly classifies an event by key details (provoking factors) and reacts.

But when does this behavior fail us? In situations where our optimized brain picks the wrong behavior model based on a provoking factor. A classification error.

Example. Harvard social psychologist Ellen Langer conducted the “Xerox Queue” experiment. According to it, a person tried to get to the copy machine without waiting in line, using three types of requests:
  • Without explanation (“Can I skip the line?”) – 60% of positive responses.
  • With a logical explanation (“Can I skip the line? Because I’m in a hurry and I only have a couple of pages”) — 94% of positive responses.
  • With the illusion of explanation (“Can I skip the line? Because I need to make copies”) - 93% positive answers!

The trigger here was not the explanation itself or its validity, but merely the presence of an explanation: the word "because". We are vulnerable to such supernormal stimuli (triggers), and this vulnerability can be exploited, even to elicit behavior that contradicts common sense.

DoS of the brain

The easiest way to turn on the "energy saving mode" is to emotionally or sensorily overload the human brain.

Emotional overload relies on the strongest emotions, those that cause stress or euphoria. Frighten the victim, put them in an anxious state, and they will be much worse at resisting and thinking; they will act automatically, in line with their stereotypical reactions. You can also make them very happy, of course, but that is usually harder to achieve and to sustain.

Sensory overload works differently and can be combined with emotional overload. It is based on a flood of information from different sources that becomes too much to process. The head thinks very poorly when you are writing a document, a colleague is distracting you with questions, and Telegram notifications are going off in the background. The brain will shut some of these channels down by falling back on SSB. In this state it is easy to click a link, enter data in the wrong place, or trust the person calling you on the phone.

Street scam groups often use this method; combining emotional and sensory overload is their classic. A crowd circles the victim, children grab their hands and tug at their bags, several voices speak at once, with particular emphasis on the scary words "you're in trouble". This is popularly called "gypsy hypnosis", but in fact their task is to induce SSB and then keep the effect going. Getting out of such a state on your own can be hard, and the best defense is not to let yourself be overwhelmed in the first place.

In both cases, critical thinking, as an extremely energy-consuming process for the brain, will be significantly reduced or completely disabled.

Most Applicable Psychological Exploits

The psychology of influence describes many principles that are used everywhere: in marketing and advertising, sales, political technology, psychology and therapy, and many other areas. But for a hacker writing the text of a mailing or the script for a phishing call, only three of them are really applicable:
  • principle of authority;
  • the principle of scarcity;
  • principle of consistency.

The principle of authority

People tend to focus on experts in areas in which they themselves are not competent. We automatically trust those who, in our opinion, are more qualified, rich or successful. But how can we check authority? This is where the main vulnerability lies.

Fake authority can be propped up with external signs. People in white coats on TV pose as dentists and advertise toothpaste; "infobusiness" coaches sell "successful success" while posing in Dubai skyscrapers and expensive cars, often rented for only an hour for the photo shoot. One well-known restaurant chain used in its advertising an actor who played a chef in the popular TV series "Kitchen": for most people he is a "chef", not an actor, so surely he would not recommend a bad restaurant!

A good illustration of this principle is the Milgram experiment, conducted at Yale University in the early 1960s (published in 1963) and repeated in several variants with changed conditions. It showed clearly that, regardless of the conditions, subjects in most cases obey authority even when it means violating their own moral principles.

Evolutionarily, we developed a division of labor and grew accustomed to trusting experts.

The principle of scarcity

Here we are talking about the desire for what is unavailable, the fear of missing out or losing something. People always value more what they can’t buy. It seems that things that are quickly sold out and hard to find are more useful.

In the USSR, goods in short supply, and especially goods from abroad, seemed more valuable and useful, even if they were inferior in properties to affordable Soviet ones. “Only three left” promotions on marketplaces exploit the same effect.

When I worked as a pentester at a well-known integrator in Moscow, I left the Savelovskaya metro station every day and walked past a clothing store. And every day there were banners about "liquidation", and loudspeakers shouted that today was "the last day, the store is closing". But this "today" dragged on for a whole year, after which the store simply rebranded. Who was the advertising aimed at? At those who were seeing the sign for the first time, and judging by the steady flow of customers, the trick worked.

The "you might lose" manipulations also relate to the scarcity principle. Life taught our ancestors not to miss an opportunity to get something while it is available, and to stock up.

The principle of consistency

This is one of the least obvious and most effective principles of manipulation. Evolutionarily, we strive to be consistent more than to be right. It sounds absurd, but society strongly encourages consistency of views. A person who constantly changes their behavior or views (who "turns their coat", as people now say) is considered unreliable, two-faced, frivolous. Such behavior was condemned by society and still is. A consistent person is associated with reliability and predictability and is liked more, even if they ultimately turn out to be wrong.

Sticking to one line of behavior is extremely tempting, because it lets you avoid disappointment and self-doubt; on the contrary, it strengthens confidence. And it undoubtedly lets you think much less! That path is far more economical, so SSB itself pushes us toward consistency. Morally, it is easier to go all the way and go for broke, and, incidentally, this is the first principle poker players try to fight.

Many experiments confirm the influence of the principle of consistency. For example, social psychologist Patricia Pliner conducted an experiment in which she first asked subjects to wear a "Support the Cancer Society" badge and then make a donation to the fund of the same name. Among those who wore the badge, there were twice as many people willing to make a donation as in the group that was not asked to wear the badge.

Moreover, after negative feedback the likelihood of and desire to "go all the way" increase. For example, researchers once attended a pseudoscientific seminar where the audience was promised the fulfillment of their desires and a cure for all diseases if they bought a certain course. At the end of the seminar the researchers began actively asking questions that exposed the inconsistency of all the scammers' arguments, but this provoked a completely different reaction than they expected.

With each subsequent question the audience became more active and handed over their money! People began to feel that their dreams and illusions were collapsing, they were afraid of losing their chance, and they went all the way. Fear of disappointment produced stress, SSB kicked in, and the desire for consistency replaced critical thinking, including with respect to their own actions!

Exploitation

How can these principles, SSB and triggers be used for manipulation in the context of social engineering?

Obviously, such techniques are most effective in phishing calls, because a call allows you to fully build a sequence of actions and communicate with the victim in several stages.

In email phishing, these techniques help to compose a phishing letter more subtly. Then its conversion has a chance to exceed the indicators of standard scenarios.

Letters and the 7% Rule

During numerous projects on social engineering penetration testing, my colleagues and I have repeatedly noticed that at volumes of more than 1000 letters, at least 70 recipients will definitely open the letter and perform the target action.

The percentage could be higher, but even when a company was actively training employees against phishing, with training mailings and retraining of those who fell for them, the percentage did not fall below seven. Whatever training activities and organizational measures the company introduced, no decrease could be achieved. Why?

Because 7% of users were in a vulnerable state at the time of the mailing: in sensory or emotional overload! SSB had switched off their critical thinking, the brain never got as far as analyzing the letter, and without analysis no amount of training and education helps.

But, as you understand, the percentage could be raised higher if such states were provoked by the letter itself. Letters that provoke stress or euphoria are always the most effective.

The Dark Side of Phone Phishing

The best, albeit negative, example of effective telephone phishing is fraudulent call centers. They have existed since 2014 and have honed their scenarios and techniques for mass attacks. A certain percentage of victims who are in a vulnerable state at the moment they pick up the phone is guaranteed income. Their schemes look simple and funny to us, but they are not designed for critical thinking and analysis. They target the percentage of people in whom SSB will kick in.

Let's use their example to analyze the most effective techniques and methods for phishing calls. Here is how scammers activate SSB:
  • With stress and fear. Scenarios with a "bank employee", and especially with a "law enforcement officer", automatically cause stress.
  • They don't let you hang up, and call back immediately. They wear you out with the call itself and can keep you on the phone for hours.
  • They increase the pressure and rush you as the call progresses.

The latest scenarios trigger SSB with a message from a fake account of the victim's manager, leaving no time to double-check.

Fraudsters also actively use the principle of scarcity, for example by talking about the possibility of losing money if you do not help. Sometimes they even offer some kind of reward for "assisting the investigation".

They use the principle of authority:
  • They speak in the most convoluted formulations and terms and then ask "Do you understand everything?", underlining their expertise and loading the victim's brain. An example from a real call: "After your voice refusal, we formed a protocol that requires updating the data on security systems at the legal level and providing you with a complete replacement of your account details for safer use of funds in our bank's system. Do you understand this?"
  • They introduce themselves as employees of the most powerful agencies (FSB, Investigative Committee of the Russian Federation, Central Bank of the Russian Federation), and provide unverifiable full names and ranks.

The principle of consistency is actively used:
  • At the beginning, they ask only questions that are safe for the victim. "Have you lost your passport recently?" and others.
  • Then they move on to questions that require more than a one-word answer, but are still safe for the victim. "What other banks have you used?", "Where have you provided your passport data recently?"
  • Next to more dangerous questions and safe actions. "Look at what plastic cards you have in your hands now", "Take a pen and write down my full name, I am an investigator... Department No. 7 of the Internal Affairs Directorate of the... district".
  • The victim gets used to answering questions and acting on command, while the danger of the actions and answers grows. The victim is only ever told the next step; the whole plan is never revealed, even in seemingly obvious situations.
  • When the victim tries to resist, the sequence is reinforced with more questions and actions, on top of increased emotional pressure.
  • It is this sequence that makes it possible to lead victims to actions as dangerous as arson (more than 30 cases in 2022 and 2023).

Incidentally, such groups operate not only in Europe and the CIS; they call citizens of South Korea just as much. This is a global trend.

Trigger Bypass Techniques

Most users share a similar set of triggers that work even under SSB. These are usually the simplest instructions that cause an automatic reaction. But these triggers can be bypassed:
  1. The "don't tell anyone your password" rule is easily bypassed: a pentester can, for example, send a link to a page that generates a "secure" password (the page contains a logger). Or ask the victim to run a command-line command they will not understand but which leads to a password change.
  2. The rule to always check who is writing or calling is satisfied by a signature on the letter or an introduction at the very beginning of the call. Only a few will verify the full name themselves.
  3. A first or unexpected call always causes caution, but if you keep such a call short and as safe as possible and then promise to call back if necessary, by the second call, 10-15 minutes later, the wariness has passed. This technique is called the "double tap".
  4. Strict company rules can be circumvented by taking the victim outside the work context. For example, during a pentest my colleagues and I sent flowers to the customer's female employees in the office with a personal gift "from an admirer": a flash drive tied with a ribbon. The curiosity was so great, and the gift so unrelated to work, that 100% of the recipients plugged it into their work computer rather than taking it home. The same applies to communication in instant messengers and social networks: they are perceived as purely personal, outside the work context.

Protection

For companies, the best protection against social engineering is to apply organizational and technical measures together and supplement them with prompt incident response.

Organizational measures can reduce the share of users who fall for the trick to about 7%. Effective technical measures can prevent further actions by users who fall for a mailing or call. However, with the right "work" on the user, a social engineer can bypass many technical measures, and then prompt incident response comes into play.
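One concrete form such a "technical measure" can take, added here as an example and not code from the original article: a small checker for the signature bypass described in item 2 above (a trustworthy-looking signature or link sitting on top of headers that point somewhere else), which also scores the authority and urgency triggers in the text. Both sample messages, every name, domain and URL in them, and the keyword lists are constructed for this example; the registrable-domain helper is a deliberate simplification (no public-suffix list).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Two constructed sample messages (not from the original article). All names,
# domains and URLs are invented for this example.
LEGIT = """From: "IT Helpdesk" <helpdesk@example-corp.com>
Reply-To: helpdesk@example-corp.com
Return-Path: <helpdesk@example-corp.com>
Subject: Scheduled VPN maintenance on Saturday

Hi all,
The VPN will be unavailable 02:00-04:00 on Saturday. No action is needed.
--
IT Helpdesk, example-corp.com
"""

PHISH = """From: "Chief Security Officer, Example Corp" <cso.example-corp@mail-relay-0x.net>
Reply-To: cso.example-corp@mail-relay-0x.net
Return-Path: <bounce@bulk-sender-77.org>
Subject: URGENT: password audit - only 2 hours left

Per the Central Bank compliance order you must confirm your password
immediately at https://example-corp.login-check.net/audit or your account
will be locked today. This is the final notice.

Regards,
CSO, Example Corp (security@example-corp.com)
"""

# Scarcity/stress triggers and authority claims, as discussed in the article.
# Illustrative word lists; a production filter would use a larger, tuned list.
URGENCY_TERMS = ("urgent", "immediately", "final notice", "last chance",
                 "only", "hours left", "will be locked", "today")
AUTHORITY_TERMS = ("chief", "officer", "director", "ceo", "cso", "investigator",
                   "compliance", "central bank")


def registrable(host):
    """Naive registrable-domain reduction: keep the last two labels.
    Assumption: no public-suffix list, so 'example.co.uk' would be wrong."""
    return ".".join(host.lower().strip().split(".")[-2:])


def header_domains(msg):
    """Domains the mail headers actually carry (From, Reply-To, Return-Path)."""
    out = {}
    for h in ("From", "Reply-To", "Return-Path"):
        _, addr = parseaddr(msg.get(h, ""))
        if "@" in addr:
            out[h] = registrable(addr.split("@", 1)[1])
    return out


def claimed_domains(body):
    """Domains the body/signature *claims*: e-mail addresses and link hosts."""
    found = set()
    for m in re.finditer(r"[\w.+-]+@([\w.-]+\.\w+)", body):
        found.add(registrable(m.group(1)))
    for m in re.finditer(r"https?://([\w.-]+)", body):
        found.add(registrable(m.group(1)))
    return found


def analyze(raw):
    """Score one message and return the triggers and mismatches it exhibits."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()
    display_name = parseaddr(msg.get("From", ""))[0].lower()
    hdr = header_domains(msg)
    findings = []

    # Principle of authority: a title or agency in the display name or text.
    if any(t in display_name or t in text for t in AUTHORITY_TERMS):
        findings.append("authority")
    # Principle of scarcity / stress: two or more urgency phrases.
    if sum(t in text for t in URGENCY_TERMS) >= 2:
        findings.append("urgency")
    # Headers that disagree among themselves (From vs Reply-To vs Return-Path).
    if len(set(hdr.values())) > 1:
        findings.append("header-domain-mismatch")
    # The "signature bypass": the body/signature names a domain that none of
    # the real headers carry.
    claimed = claimed_domains(body)
    if claimed and not claimed & set(hdr.values()):
        findings.append("signature-domain-mismatch")

    return {"sender_domain": hdr.get("From"), "claimed": sorted(claimed),
            "findings": findings, "risk": len(findings)}


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("phish", PHISH)):
        print(label, analyze(raw))
```

Run stand-alone it prints one result per message: the maintenance notice scores 0, the constructed phish scores 4. The design point is that the display name and signature are what the victim reads, while From, Reply-To and Return-Path are what the mail actually carries; a gateway rule or an analyst's triage script should compare the two rather than trust the signature, which is exactly the check the bypass relies on nobody performing.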

But how can an ordinary person protect himself from something like this?
  • Don't be afraid of being awkward on the phone. It is safer to be rude and refuse.
  • Train yourself to notice when you are sliding into stress and stereotypical behavior. Stress is always noticeable; try not to make any decisions under stress, only after a break.
  • Keep to your own sequence of actions and do not get drawn into questionable conversations.
  • Pay attention to the manipulations discussed here and learn to notice them in everyday life.
  • Hang up on suspicious calls and do not try to check the caller! If you hang up, the chance of being scammed is zero; if you troll or check the caller, it is non-zero.

Conclusions

A pentester should keep the following key points in mind in any phishing project:
  • Consistency is your friend: with each action it gets harder for the victim to stop. This is the strongest form of manipulation, but it takes time and patience!
  • You do not have to pass all the victim's checks and build a perfect scenario! If they start checking you, you have already lost.
  • Putting the victim into stereotypical sequential behavior is the best way to switch off critical thinking and prevent "checks".
  • Bypassing the most common triggers makes it easier to reach your goal.
  • Use the principle of authority; it is best to appear as a professional whose exact role is not entirely clear.
  • Use the scarcity principle where it fits the scenario.
  • To provoke SSB, stress is much easier to sustain than euphoria. But the Criminal Code of the Russian Federation applies during a pentest too, and some methods (for example, blackmail) cross the line. Remember this!
  • Send mailings on the busiest days and at the busiest times; employees' sensory overload will then work in your favor.
  • Creativity matters if you understand exactly what is in your "sociopayload".

Targeted attacks, unfortunately, are beyond the scope of this article. By studying a specific person in advance you can significantly increase your chances of success. But in my experience such services are ordered quite rarely, and for mass attacks our individuality is too insignificant.

No technique or scenario guarantees success, but there is no guaranteed protection against such attacks either. We will all remain vulnerable; evolution has embedded this too deeply in us.

And I cannot help but remind you that great power comes with great responsibility! Do not use the material in the article for harm.
 