Blog: Social Engineering
Social engineering in the (festival) field
Social engineering is not the sole preserve of hired hands testing corporate weakness; it’s used by lots of people a lot of the time.
While at a local festival I saw some really good techniques/approaches, used by regular people, to get what they wanted through nothing more than manipulating a situation and the people involved. It was fascinating so I wanted to share.
Scenario 1
Midnight outside a fish and chip stall after the main concert, but before the after dark dance tent. Time for a late-night snack. There is a queue of about 8 people waiting to be served, by limited staff, and the main server looks busy, making him less likely to want long interactions.
A woman in her mid-20s walks up to the stall, ignoring the queue. It’s obvious that the main server is preoccupied and in a hurry.
She states “My boyfriend has never eaten chips, he’s from New Zealand, and I was wondering if I could have just a few chips for him to try, if he likes them we will buy more and I will join the queue, but I just want to see if he will eat them first.”
This cover story covers many aspects of a social engineering approach. She has placed the “blame” on someone else, who happens to be standing nearby but not interacting; this is her convincer, someone who can be the focus of the story to convince the target it is valid.
She is also using “the befuddled foreigner” approach to appear unaware or ignorant of a common custom, and in this case she can push that ignorance to a third party and thus become the victim and place herself in the child state in relation to the target.
The server pauses for a brief moment and then says “I guess so, we only use clean oil…” He turns this into a sales pitch, so he’s clearly hooked and now likely to fall for the scam.
The woman responds with “that sounds fantastic! If he’s going to try chips for the first time it should be from a really good shop!” She is ego stroking now; the target gets his reward, in this case flattery, and is happy that he has made a sale.
The guy hands over half a portion of chips, at no charge, and the woman proceeds to salt and vinegar them, and then eat them as she smiles and walks away. She gently laughs as her “boyfriend” joins her and shakes his head. He’s not getting any chips, he was never going to get any chips. She won’t be back, she has no need, and her work here is done.
The surrounding crowd (me included) all raised an eyebrow to this little scene. The reaction of the woman at the front of the queue was not what I was expecting: “How does anyone not try chips!?!? I mean EVERYONE has had chips!”. I said it was “the best piece of SE I have seen in a while, if I give you a believable enough story can I have some free chips too?”. The vendor blushes, but then says “it’s easier to just give in and let them go, than to fight it or enter into a debate.”
I will be kind and accept his story, but it could be he was saving himself some embarrassment, a lie of self-protection.
Scenario 2
Two days later (I know this reads like a bad movie cutaway, but bear with me), at another stall, this time mid-afternoon.
I am being served and there is only one member of staff. He is a young male and he’s obviously new or is covering for his mate who has just walked away leaving him alone looking slightly confused. It could be said this would be my time to reconsider my eating options, but I went here because there was no queue and the food content was such that I hoped no matter how badly it might be cooked it wouldn’t poison me.
Who should walk up next to me but the same woman from the chip van the other night. Her “boyfriend” is nowhere in sight. “What do you sell here?” the woman asks. “We sell halloumi in wraps with salad…” (the sales pitch).
“What is halloumi? I’ve never had that before” (we’ve heard this before), as she coyly tips her head slightly to one side and plays with her hair. This is the coquettish stance, and not available to male SEs; it is highly effective on any male who is physically attracted to the other party.
The interaction continues with the strong male explaining his art of cooking and his ingredients. She nods and approves of his statements and at one point gently touches his arm. She then proceeds with her approach.
“I’ve never tried this stuff, could you make me up a little and I’ll see if I like it? Make me something you know I’d like”. Her voice has now dropped a half octave. This is laden with sexual tension and an embedded command.
While I am still waiting to be served he casually cuts part of my portion on the grill off and pushes it gently to one side (wait a minute, when did I become the inadvertent target?!). He then makes up my food and hands it over with an asymmetric smile, and then makes up a smaller portion for the woman, who says “Thanks! This is awesome” and walks away (now I’m smiling, the vendor isn’t). I just say “oh well, you win some, you lose some” and walk back into the rain (sorry, I couldn’t resist a noir movie moment).
Interesting, but so what?
All this shows me that social engineering is alive and well and being practiced in small ways by normal people to get what they want. Some might say “there wasn’t any harm”. Some might say “caveat venditor” (let the seller beware). But I would say there were easy steps to either reverse the approach or quash it outright.
How could it have been different?
In the first instance the vendor could have firmly but politely asked the woman to wait in the queue. This is the best approach in Britain anyone can ever use. The queue is a long-standing tradition and has so many social norms and constructs around it that anyone not adhering to the unwritten rules would be at minimum tutted at (a severe tutting can be a terrible thing) or at worst shouted at for being rude (I won’t dwell on the irony).
The second approach is easier to say than for some to counter. I have said “we men are simple creatures, we are reproductive organs at one end and a brain at the other, but only enough blood to run one at a time.” It’s a stereotype with a kernel of truth, but being self-aware of this can mean that realising you might be being socially engineered might go some way towards preventing you from falling for it. He could have offered her a money-back guarantee if she didn’t like it. This would have meant she paid for food, but if she really had never tried it before it gives her the option of rejection, placing the requirement to break social politeness back on the social engineer.
More tales from the field as they happen…