Thursday, October 27, 2016

A $17 Social Engineering Lesson From a Blind Man


Today I fell for a scam.

I often walk around the Texas Capitol complex during lunch, or when I need to mull over something. Today as I was walking, a blind man stopped me and asked if I could direct him to Lamar Street. I stopped to talk with him for a moment, and he explained he was trying to get to the Texas School for the Blind. 

Texas School for the Blind is a solid 4 miles from downtown, so I offered to get my car and give him a lift. He appeared grateful - and then said he wanted to call ahead and make sure it wouldn't be a wasted trip. See, he was living in a halfway house and his rent was due; if he couldn't come up with seventeen dollars to make rent, he would be out on the street tonight. He thought Texas School for the Blind offered emergency assistance.

I let him borrow my phone to make a call. From his side of the supposed conversation, it was obvious he did not get the answer he was hoping for. I gladly gave him what I had in my wallet, shook his hand, and wished him well.

Being the skeptical soul that my profession makes me though, when I got back to my office I redialed the number he had called. Surprise, surprise - the number was not in service.

Working downtown I frequently encounter people asking for a handout. I have my own ideas that influence my decisions to give or not to give, but it is not my intent to turn this into a philosophical or political discussion. What makes this event stand out in my mind though is how his pitch was so polished, rehearsed - and phish-like.

It was a veritable lesson in social engineering.

A few years back, I wrote a piece on social engineering, after reading several eye-opening blog posts Robin Dreeke wrote for social-engineer.org. In the series, Dreeke called attention to several common tactics used by a good con artist or social engineer.

1. Non-threatening behavior - the social engineer goes out of his or her way to appear non-threatening. In this case, the man did not have to try very hard. I mean this in a respectful way, but a blind person poses little physical threat. In our conversation, he never asked for anything except directions - he kept the conversation safe.

2. Gifts or a reward. Many common scams rely on a tangible reward - the classic example is the so-called Nigerian Prince scam, in which the victim is promised a windfall in exchange for an upfront investment. In this case however, there was no tangible gift offered or expected. No reciprocation was even mentioned. Rather, the reward was implicit in the feeling of having helped a fellow human out of a bind.

3. Confidence. A good penetration tester might pretend to be a UPS delivery driver, or a cable repair technician, or an EMC hardware engineer. By acting as though they are supposed to be there, they engender a perception that yes, they do in fact belong. In this man's case, he was not pretending to be someone, but he was confident in his story. It was well rehearsed, well practiced. He knew his goal, he knew how his story played, and he very smoothly guided the implicit ask from directions to cash.

Two more characteristics in this man's story are not mentioned in the Social-Engineer blog series, but mimic traits used in ransomware and business email compromise.

The first is a sense of urgency: many scams come with a "limited time" trait. An offer may only be good for a short duration, or a request "from the boss" may demand immediate action. A scam email circulating this week threatens legal action if not complied with in 48 hours. This man's pitch indicated he would be out on the street if he didn't come up with rent today.

Lastly, the price was right. Ransomware has become lucrative to criminals because the ransom is low enough to be manageable for many victims, while still enough that the adversaries profit handsomely off a large population. Using "rent" and "seventeen dollars" in the same sentence creates a cognitive dissonance in which $17 seems a tiny amount to meet the need.


What does this mean to you or to me?


I don't feel too bad about being scammed out of a few dollars. I'm sure this man genuinely was in a hard place, and perhaps "can you spare a dollar for a cup of coffee" fell on many deaf ears. The same principles though are used by professional criminals and social engineers to far more damaging and costly ends. 

The best defense against social engineering is a healthy level of skepticism.

  • Be suspicious of an unexpected email or phone call making an unusual request.
  • Familiarize yourself with common scams and social engineering techniques.
  • Recognize that any ask of you may be entirely sincere - or it may be a step toward malicious gain. Stop long enough to ask yourself, is what is being asked appropriate?
  • Train your staff to say "no" politely. Instead of holding the door for a delivery person, escort them to the security desk, or to the person they wish to meet.
  • Ensure there is a clear, two-person, non-email process for handling high-value transactions or high-value data (Leslie Carhart's excellent post on business email compromise suggests this).