Social Engineering: Captain Hindsight

"Do you have any idea what a curse it is to have perfect 20/20 hindsight? As soon as something bad happens, I immediately know how it could have been avoided. I can't take it anymore!" ~ Captain Hindsight, South Park.

To me, humans fall into two categories: Those who want to help and those who don't want to be bothered. Now, when I use the words "want to help," that doesn't mean they are good people. No, in fact, that could indicate the exact opposite.

Think of it in the context of a Zelda video game. In the game, Link, the protagonist, wants to save Zelda from the clutches of Ganon, the antagonist. Now, the perspective is forced in the game; we only view things from one side - that's how we can identify who the protagonist is and who the antagonist is. It's just one narrative.

Now, picture the game from the opposite viewpoint: Ganon, the protagonist, is trying to keep Zelda away from Link, the antagonist. Here, the labels (protagonist and antagonist) have switched; the story, and therefore the perspective, has as well.

Where does Zelda stand in all of this? She's the one that doesn't want to be bothered. From either perspective (Ganon's or Link's), Zelda is the one who is ultimately inconvenienced by the whole thing. She was trying to rule a kingdom and didn't want to deal with any of this.

Why Social Engineering Works

So why is this important? It's important because to be good at social engineering, you need to be able to identify not only what type of person the target is, but also their motivation.

Social engineering works because people allow it to work. If everyone fell into the category of "doesn't want to be bothered," then all social engineering attempts would drop into (in the context of email) the spam folder. We'd inevitably tune it out and never think twice about it.

Let me give you a real-world example. I'll be honest: at the time, this didn't even occur to me, and I wasn't trying to scam anyone.

One day I was driving in Tyson's Corner, Virginia, and was making a left off Route 7 onto Gallows Road. The traffic (which is always horrible in that area) started to back up, and there wasn't much space between the cars on Gallows Road.

To my right was the Capital Grille, and I could see someone desperately trying to make a right turn from the parking lot onto Gallows Road. Me, being a person who falls into the category of "wanting to help," waved them in. The car started to make the right turn onto Gallows Road… and the person behind me ran into me.

I have to admit I was a little stunned and shaken up. The person who ran into me got out of their car and started to yell at me about how I shouldn't have let that person in, and how the accident was somehow my fault.

Now, in most cases when someone runs into you, it's not your fault, it's theirs. As this person continued to berate me, the driver I allowed in got out of their car and admitted to seeing the whole thing. He gave me his card and told me to contact him should I need a witness. Also, the driver of the car to my left (it was a two-lane road) got out of their car and gave me their contact information as well since they also saw I was trying to help someone out, and told me they could also be a witness should I need one, and then called the police.

The person who rear-ended me continued to yell at me until the police showed up, ticketed them and collected their information for me. Because I had all the witnesses' contact information, I did not receive a ticket, and my insurance covered the repairs.

The Gift of Hindsight

What's the point of this story? Well, given the gift of hindsight, I could (metaphorically speaking) use this chain of events to my favor should I need to in the future. Assume for a second that I want to get someone's information. How could I do that? I could replace any of the people in this chain of events with my target. That individual could be the person I waved in, the witness to my left or the driver who rear-ended me. All options are viable in this scenario.

Another thing to consider is the mindset of the target: if I choose option A, the person I wave in, they would probably be in a more positive mindset and be friendlier should I reach out in the future (because I was being polite and waving them in and in return, they would "want to help" me in the future).

Then there is option B, the witness to my left - that individual would probably be more or less neutral to me - I could follow back up with them for more information because this person falls into the category of "wants to help."

Finally, option C, the person who rear-ended me, would probably be the least kind to me if I followed up with them (because this person falls into the category of "wanting to help," even though the only person they want to help is themselves).

If my target is option A or B, I risk them not providing me with their information because they could be the type of person who doesn't want to be bothered and could drive off. Hell, even if my target is option C, they could drive off leaving me with a dent in the back of my vehicle.

Bottom line, there are always variables, so this is something to take into account when performing any form of social engineering.

Setup and Payoff

So, what do I do with that information? Well, that's up to the engineer. Say I want to follow up on this chain of events by physically going to that person's office (person A or B from the scenario previously listed). I can bring a basket of cookies to thank them for being so kind as to stop and help me. During the visit I can get the lay of the land (casing the joint), assuming my goal is to ultimately get something or learn something from that office visit. I also could email them with some malicious payload, provided I collected their email address during the incident.

Another option is to text them some form of link asking them to verify something from the accident. Anything is possible with the bare minimum of information.

What about the option C person? That one is a little tougher, but I could probably still leverage the last two referenced areas (email and text).

Ultimately, it's the experiences of the engineer that help drive possible outcomes of a scenario. Social engineers are not static in their behaviors: their tendencies and tactics change over time based on what they learned from previous events.