SBN

The Visher and the Magician

As a child, I was obsessed with card tricks, sleight of hand, you name it. I enjoyed watching street magicians and how they could captivate an audience; how they could fool someone right under their noses with the simplest of gimmicks, yet leaving their spectator with only the imagination to figure out how they pulled it off. You could tell they had been doing this their entire life. I would spend hours practicing tricks and watching tutorials late into the night. I’d study the techniques and then proceed to present them in front of family and friends. Always carrying a deck of cards in my pocket…I was very popular as you can imagine.

Of course, as a lot of childhood passions do, that hobby of mine faded away as I got older. I have since moved on to much nerdier things. But very recently, I’ve found myself going back to some of those old techniques I’d spend sleepless nights learning. Believe it or not, in my time working as a social engineer, I’ve come to find a lot of similarities between my job now, and my childhood obsession! Hopefully this article can also shed some light on the work we carry out in this field.

The Visher and the Magician

Setting the Stage

As a human risk analyst, part of our job is to perform vishing simulations for our clients and test their internal security. We put on the best performance possible to try and get their staff to give us sensitive information they shouldn’t. Often, this involves us masquerading as someone internal, that can hopefully get our target to drop their defenses. Essentially, we present the illusion of being Doug from IT or Kaylee from HR, perhaps calling them about an outstanding ticket in their name, or a brief company survey.

Whatever the case, careful planning goes into setting the stage for whatever engagement we’re working on. Concocting the perfect alias and pretext to “fool” our target takes a lot of work! It also requires us to be familiar with techniques that can be used to obtain information from them. Here are some of the tricks up my sleeve that I personally like to use.

The Magician’s Force

In an engagement, our goal is to capture the “flags” that a client has approved we can pursue. These flags correlate to sensitive data that ranges from ID numbers to manager names…even social security numbers!

There are different approaches we can take to obtain these kinds of flags. Often the success we have hinges on the questions we use. It can be very off-putting if we don’t phrase ourselves correctly or if our request appears unnatural. I personally like to give my target a sense of control in the conversation, essentially having them pick which flag they want to give me. How is this possible? By utilizing what is known as The Magician’s Force. This is a verbal technique that gives the illusion of free choice. The idea is to set up multiple paths that all lead to the same endpoint.

In Performance

The simplest way for a magician to use this force is by dealing two cards in front of his spectator and requesting them to “Choose one card.” If they choose the card he wants to force, he simply says “Okay that will be yours.” However, if the spectator chooses the other card, he eliminates it by saying “Okay we’ll put this one off to the side.” The magician uses ambiguity in the word “choose” so that either way, the spectator winds up with the same pre-determined card.

On the Job

In a similar fashion, a version of this force can also be applied to speaking to our target. Here is an example:

  • (Not Using the Magician’s Force) “So to close out the ticket, can you confirm your SSN?”
  • (Using the Magician’s Force) “So to close out the ticket, it’s asking you to confirm either SSN or DOB, whichever you prefer of course!”

In our second scenario, either flag is valuable data that can help us compromise our target. Presenting them with “options” however, gives the target a sense of control and choice in the situation. This technique may seem very transparent or elementary but, in the right hands, it can be incredibly deceptive. For a split second, we shift their mindset from a “Yes or No” decision, to an “Option A or Option B” choice. We use this brief mental lapse to our advantage and raise the odds of our target divulging sensitive information.

The Art of Misdirection

Being able to control someone’s attention is a powerful skill that opens the doors to many possibilities. A magician uses misdirection to pull his spectator’s focus away just enough to distract from what’s really happening outside their focus. Of course, in vishing engagements we cannot physically see our target, nor can they see us. However, there are still subtle ways to misdirect them internally as opposed to externally. How so?

For me, I like to use misdirection to split my target’s attention and constantly keep their mind moving and occupied. This buys me time and prevents my target from becoming suspicious of me. I’ve found the use of questions to be a great way to distract. Here are some ways this can be done on the job.

  • Access Memories – Keeping your target busy by having them access a “memory” is a great distraction while on the phone. The memory doesn’t even have to be real. For example, if I was pretending to call from HR about conducting a survey, I could say, “This is similar to the survey we conducted this time last year; do you remember that one?”Of course, there may not actually be a survey for them to recall. But chances are this can distract them just enough to get past their initial “suspicion defenses” at the start of a call. I usually follow this up with, “Ahh no problem, I know we send out a lot of those; this one only takes 2 minutes.”
  • False Statements – Many people like to correct inaccurate information, which is why using false statements can be a very powerful form of misdirection. For example, I could say to my target, “So I just wanted to confirm your ID number is XXXXXX right?” This is a deliberately false statement, but it prompts my target to correct me. For a split second, they become distracted in correcting me with accurate information, and they may just forget about their security protocols. This can be more effective and less suspicious than outright asking for their ID number

Closing the Curtain

So, when it comes to the work of a social engineer/human risk analyst, there are many more techniques we can use. There are different cards up our sleeves that we save for the right occasion and circumstance. Just as a magician adapts to the audience he’s performing for, so we must adapt to the people we speak to on the phone. However, simply compromising our target is not our ultimate end goal. We do not seek to deceive our targets with malicious intent.

Rather, our goal is to assess the security posture of the company and provide remediation through education. All the while following our motto, “Leaving others feeling better for having met you.” In that same vein, when a magician fools his audience, he still leaves them feeling entertained for having been part of the show. Though we cannot speak for our targets being “entertained” by our engagements, it is still our goal to leave them feeling better for having met us. We would never want to treat them unethically or make them feel foolish if they were to be compromised. Only through proper training can a company strengthen its defenses for when a real attack occurs.

Hopefully this has given some insight into the work we do at Social-Engineer, and even the techniques we use while in an engagement. If you’re anything like me, you may find the psychological principles behind influence tactics, elicitation, and even pretexting to be fascinating. You can find references, research, and concepts about several of these in our Social-Engineering Framework.

Written by: Josten Pena

Sources:
https://www.social-engineer.org/framework/attack-vectors/vishing/
https://www.social-engineer.org/framework/influencing-others/pretexting/
https://www.discovermagazine.com/mind/use-the-force-how-magicians-can-control-your-decisions

Image:
https://images.unsplash.com/photo-1571235479512-36bb46e1c587?ixlib=rb-1.2.1&ixid=MnwxMjA3fDB8MHxwaG90by1wYWdlfHx8fGVufDB8fHx8&auto=format&fit=crop&w=2070&q=80

*** This is a Security Bloggers Network syndicated blog from Security Through Education authored by Social-Engineer. Read the original post at: https://www.social-engineer.org/social-engineering/the-visher-and-the-magician/