Social Media and Phishing Exploits are Going to Get More Sophisticated
As the recently released X-Force 2013 Mid-Year Trend and Risk Report points out, social networks are a relatively new construct, and yet they’ve been incorporated as an extension of our real world presence; an additional sense used to communicate our thoughts, activities, locations and even feelings. And it’s an input sense as well, one where users can vet each other out through the tapestry they spin to define their personas online.
The risk is that we don’t fully understand how to interpret the subtleties of interaction online in the same way our brains have adapted to analyzing non-verbal communication, such as body language, micro expressions and how we respond to cultural and paralinguistic elements. Despite these critical nuances in communications we grant trust to online personalities we’ve never met—and who may be deceased or completely fictitious. Users ignore their better judgment in favor of building a large network, with the status that comes with it, and the promise of gaining access to opportunities that are clearly too good to be true.
Exploiting Influence Tactics to Create Trust—and Risk
Trust is the foundation of security. Systems trust users based on their authentication credentials; users trust systems based on their legitimacy (e.g., Amazon vs BargainClownShoes.com); users trust the links in each other’s email based on friendship and familiar email domains.
Trust and influence are intertwined: we allow ourselves to be influenced by those we trust, but we can also elicit trust by wielding influence skillfully.
Case in point is the Robin Sage experiment, in which a security consultant created a fictional persona, Robin Sage, who was purportedly a cyber threat analyst for the U.S. Department of Defense. Robin had accounts on LinkedIn, Twitter, and Facebook, and those were used to create a network of professional “targets.” Most of her new connections worked for the U.S. military, government, or affiliated organizations. Despite the lack of hard evidence to corroborate Robin’s clearance, credentials, or even existence, the contacts shared information that revealed their email addresses, bank accounts, and even the location of secret military units. Robin was sent documents to review and offered speaking slots at conferences.
The Psychology Behind Sophisticated Cyber Attacks
There are a number of psychological elements that contributed to the success of the experiment, many of which have been outlined in Dr. Robert Cialdini’s book, Influence: The Psychology of Persuasion:
1. Principle of Liking
This is a simple principle with complex implications: people tend to form trust with those they’re attracted to, both physically and emotionally. Robin Sage’s picture shows the face of a pretty girl in her mid-twenties, in half profile, eyes turned directly to the camera, and with a hint of a smile. While not lewd in any sense, despite the picture having been lifted from a pornography-related site, Robin seems young and earnest in her appeal for assistance, yet one is left with the impression of a more sensual agenda and that Robin is about to walk away and encouraging you to follow her.
2. Social Proof
People are motivated more by what others do than a perceived or even quantifiable benefit. For example, hotel guests are 26% more likely to reuse towels when told that the majority of guests comply with that request, than if simply told that reusing towels protects the environment (read more on the science of getting a ‘yes’). The first few connections are the barrier; once Robin accumulated them, others in similar positions or organizations were quick to accept Robin’s connection request, particularly if they shared connection with others in Robin’s social network.
3. Rule of Reciprocation
Humans feel a sense of obligatory quid pro quo; when one person provides something to another—a gift or a favor, usually—the recipient feels indebted to return the act in kind. Cialdini noticed that Hari Krishnas used this principle by giving flowers to passers by in airports, eliciting higher donations than before they appealed to travelers’ sense of reciprocity—even though there was no social contract before the encounter. This tactic can be employed in social networking to compel a stranger to accept your connection request if you provide them with information, for example, and it can even work in reverse, by providing the expectation that you will be indebted to a potential connection if they accept your invitation. Those who joined Robin’s network may have expected a deeper relationship in return after providing help, information, and speaking opportunities.
4. Commitment & Consistency
Most people stick with their original decisions despite information that supports changing their course. This is embodied in the Monty Hall Problem, which demonstrates that subjects who choose one door would not switch when given a chance, even when they were informed that the odds were in their favor to make a different choice. In social networking, once a contact is committed to a connection, they are hard pressed to Unfriend or otherwise break that link, and will continue to interact and assist that person.
There are a couple of other principles of persuasion that may be employed in social networks, but weren’t necessarily a component of the Robin Sage experiment:
5. Principle of Authority
Authority, whether real or perceived, elicits obedience in many people. The principle of authority is widely used in social engineering, and movies take this to an extreme when an undercover cop intimidates her way into a high security area. This can be used in social networking, directly or indirectly, by invoking the name of someone important (e.g., “I was speaking with General Dempsey last week and he asked me to…”) or by fabricating personal credentials designed to impress the target. When invoking someone else’s authority, it’s important to make sure that person is difficult to contact, usually because they’re so high ranking that mere mortals don’t have access to them. Make sure they don’t have a social networking account.
6. Principle of Scarcity
Rarity increases value. People want to be included in exclusive offers and often make poor choices under pressure. Think of all the commercials on TV with the call to action, “Limited quantities! Act now!”, or appealing to your sense of urgency: “Your online banking has been blocked!”
Con men have known about psychological ploys for ages, through intuition instead of documented behavioral models, and we still fall for many of the same scams after centuries of victimization. It hasn’t gotten any better online, either: the Robin Sage experiment was successfully reincarnated under a different, but similar, persona by the co-founder of a dating and social dynamics instruction school. Three years after the original presentation, we appear to have learned not much at all.
In the X-Force 2013 Mid-Year Trend and Risk Report, we look at the current state of social networking threats and the psychological factors of trust that contribute the success of exploits. Those attacks are shockingly effective in their current manifestations. I predict that they haven’t topped out yet in terms of sophistication; there’s plenty of room for improvement using the six key principles of influence.
Before anyone accuses me of providing a primer or roadmap to optimize phishing attacks, realize that the principles have been widely known for almost 30 years. The bad guys already know about them. We, the defenders, the cavalry tasked to defend and protect the territory, property, and honor of our enterprises and compatriots, need to be armed for battles involving well honed psychological tactics.