[00:00:00] Motivation factors. So the backbone of social engineering is being able to trick a user into doing something for you. Well, what motivates the user to fall for those things? That's what this lesson is going to talk about, because you need to know these for the exam.

[00:00:14] Now, the first one is authority. People are much more willing to comply and do what you tell them to if they think it's coming from somebody who's in authority. So pretending to be a boss or the boss's boss or the CEO or some high-level manager can get some lower-level employee to do what is needed. You might also pretend to be an important client: hey, I need you to do this because I'm the client, you need to do what I say, right? You can pretend to be a government agency. I get voicemails all the time from somebody pretending to be the IRS saying, if you don't call us in the next 24 hours, we're going to come arrest you, right? They're using that government authority and that government agency, trying to scare me into making that phone call, when really, the IRS never calls you and leaves a voicemail that way, right? This is just a scam attempt that somebody is using. The other thing is financial institutions, right? You saw the phishing example from Bank of America: your account has been hacked, click here to reset your password. I saw a lot of PayPal scams like that as well. These are very common. They're using that authority, something you really just trust, like your bank, your police department, your government, your CEO, your managers, your important clients. All of those things fall into authority.

[00:01:24] Now, the next one that we have is what's called urgency. And urgency is all about the fact that people know that we're in a rush a lot of the time; we're busy these days, right? And people want to help others by nature. It's just in our human nature. You ever walk up and you hold the door open for somebody, right? That's just being nice, right? And if somebody is really busy, you might, you know, help them get through really quickly. Well, that's the whole idea with urgency. Maybe you say, hey, I've got a couple of minutes and I really need this printout. I've got to be in the conference room in five minutes. Here's my thumb drive, can you print out this PowerPoint for me? And on that thumb drive is a bunch of malware, right? All of these types of things. It's trying to push somebody to go and bypass the processes because this has to be done right now. You call up and you say, hey, this is John and my account's locked down, I really need you to reset my password. And the IT guy on the other end says, no, no, you've got to come down and show me ID. Well, no, no, no, I've got to make this next meeting, I've got to get this email, please, please, you've just got to reset this right now. And they try to force them into doing it by the sense of urgency, that there's this approaching deadline, right? And that's the way that you can start using that motivation as part of your attacks in social engineering.

[00:02:30] The next one we have is social proof. Let's say that I put up a website out there that was fake and scammy, right? And I was trying to phish people to get them to go there. Well, if I can get some social engineering done through Facebook or Twitter where I get people to like that site or share that site for me, that starts showing social proof, and people are more likely to click on it, right? People are much more likely to click on things that have a lot of likes, a lot of shares, and a lot of their friends doing it. So if I can trick one friend, that friend might turn it to the second friend and the third friend or the fourth friend, and maybe I'm not going after the organization directly, but I'm going after a friend who works in that organization, right? People have this craving to be part of a social group. They want to have social interaction and they have this need to be included. And so sometimes you can use that social need against them as well. Hey, join this Facebook group and be a part of this thing, right? And then you can start building trust with that person, right? Sometimes we don't really understand what is being asked of us as part of this inclusion, or even why we're performing an action. I mean, how many of those different scams have gone on and then been passed around through Facebook and Twitter and all these other things that attackers are using, because we all just feel like we have to share it, right? Some of these are good, some of these are bad, but you have the social proof that gets built up because so many people like it. I mean, when you decided to buy this course, you probably looked at the statistics, and you said, well, if there were zero people enrolled in this course, you might've thought it was horrible, but if there were 100,000 people who bought this course, you might go, wow, this must be a great course. That's social proof, right? We can use the same thing, trying to make it so that, well, everybody else is doing it, so it must be okay for me to do it too. So that's the idea here.

[00:04:14] The next one we have is scarcity. Now, scarcity is when you use a technique to get people to act quick, much like urgency, but the difference here is that usually you're going to do it through, like, an email campaign or phishing, right? You go, sign up now, supplies are limited. We only have five spots left, you've got to sign up right now if you want to be part of this, right? And so you'll get this email and you'll be like, wow, this is a really good deal on a new MacBook computer. Instead of $2,000, they are just selling for 999. Well, I better click now 'cause there's only three left, right? That kind of a thing. And then you click it and you're putting in your information, and now I've got your credit card information and your email and everything else. And maybe you never even get your Mac computer, right? So that's the idea here, is scaring somebody into acting really quickly because there's very limited quantities. And again, this is very common inside phishing, spear phishing, and vishing scams.

[00:05:01] The next one we have is likability. People want to be with and interact with people they like. Social engineers are some of the most friendly and likable people you will ever meet. You don't have these crusty, angry people as good social engineers. It just doesn't happen. You have friendly people, you have pretty people. One of the things that a lot of my pen testing teams like to do is they will take a very pretty woman and put her on the team, because a lot of the people who work in IT are men. And so she can get her way and get them to do all sorts of things that they would never do for a guy who looks like me. And so likability is important, right? Sometimes it's about finding common interests. Sometimes it's about sexuality. Sometimes it's about shared interest and common ground, right? Maybe you and I start talking and we start talking about football, and, you know, my favorite team is X, Y, Z, because I know that's your favorite team. Now that would never happen with me 'cause I don't like sports, but, you know, maybe we're going to talk about my favorite video game. And if I find someone else who likes that video game, I can say, oh, well, I've got some great content for that. Let me send you this file, it'll give you this great new skin for your character. And now I've got a way in, because I embedded some malware in that, right? It's all about likability. It's all about making that friendship, right? And some of these become long cons, some of them become short cons; it just depends, again, on the scope and scale of your pen test.

[00:06:17] Now, the last one we have here is fear, and fear is a great motivator if used properly. In fact, ransomware and antivirus scams, they live off fear, right? It's, if you don't do this, then this other bad thing is going to happen. It's a threat or a demand. So here's an example on the screen, right? You see the pop-up and it comes up and says, your computer has been locked. You've been found guilty by the FBI of piracy. Click here to pay your fine of $200, right? And you'll go and click there, and that way they don't come and arrest you. This isn't really the FBI, right? It's a scam, they're using fear. If you don't do this, you're going to get arrested. That's the whole idea here. And you can see how some of these get combined, right? Because this also has that authority tinge to it, because the FBI is a government organization, but we're now using them in a fearful way. And so a lot of these motivations start overlapping and working together to make an effective social engineering campaign.

[00:07:11] (upbeat music)