Site icon Easy Prey Podcast

Social Engineering and Pick-Pocketing with Chris Kirsch

Easy Prey
“Social engineering is the art of understanding how people tick and then presenting information to them in a way that gets you to a desired outcome.” - Chris Kirsch Click To Tweet

Gifted pick-pocketers can use social engineering skills to choose their victims. Many times as we travel, we may not realize that our body language makes us an easy target. 

Today’s guest is Chris Kirsch. Chris is the CRO and co-founder of Rumble. With a background in product marketing and technical mindset, he has helped formulate go-to marketing strategies at PGP, Rapid7, and Veracode. In 2017, he earned the black badge for winning the social engineering capture the flag competition at DEFCON. He has a passion for InfoSec, OSINT, and is a volunteer advisor for the National Child Protection Task Force.

“If your mind is occupied by something else, you are an easy target.” - Chris Kirsch Click To Tweet

Show Notes:

“Social engineers create a sense of urgency and pressure that is applied. They try to move you from rational thinking to emotional thinking.” - Chris Kirsch Click To Tweet

Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review. 

Links and Resources:

Transcript:

Can you give our audience a little background at who you are and what you do?

Sure. I’ve been in the security industry for a while—over two decades. I worked on some really interesting products and companies. My first gig after coming to the States from Germany was working for PGP Corporation. Some folks might remember Pretty Good Privacy. That was the first time that strong encryption was available to the average Joe, and then companies, and so on. It was in the middle of those crypto wars at the time.

Later, I worked for Rapid7. I worked on the Metasploit product. This is an open-source project that allows people to try and attack their own networks from the vantage point of a hacker, like ethical hacking, penetration testing, those kinds of things. That was really interesting because it was a completely different world. It wasn't so much the math geeks, it was more like the hacker crowd.

Less rule-bound, I would say, more in that crowd. That was super interesting. Then I worked on an incident detection and response product at Rapid7, switched to Veracode. They make software security. Basically, scan your code. If you're writing an application, scan your code and figure out what's wrong with it. Now I'm a co-founder in a company called Rumble. It's a company that takes care of asset discovery on your network.

Basically, we just tell you what's on your network, what's connected so that you can manage it, so that you can secure it. I joined forces again with HD Moore, who is the creator of Metasploit. If you're paying attention earlier on, I got to know him at Rapid7 where we worked together on the Metasploit product.

That's a nice varied background. One of the things I recently ran across is a presentation that you did for the Layer 8 Conference on pickpocketing. I thought it was really interesting that it's definitely not cybersecurity in that sense, but I can probably make the case that it is cybersecurity if people can take your company ID badge off of you without you noticing, grab your phone, or things like that.

It really started me thinking, when you're going through the presentation that there seems to be an overlap in some sense between pickpocketing skills and social engineering. Not necessarily in the physical manipulation, but in the obfuscation, the misdirection, the leading the person to do something in order for you to be able to exploit that.

Absolutely, yeah. A lot of people think that for pickpocketing, the most important thing is to have a really good tactile sense and be really quick with your fingers. It's actually not. The most important thing is that you distract people—to confuse them and direct their attention with where you touch, where you look, and what you talk about. Those are the three things how you can misdirect people, and then you pretty much have easy access to all of those areas that you want to get to.

For example, if I stand to your left, I have my hand on your shoulder, and I start also conditioning you like Pavlov's dog. If I first put my hand on your shoulder, you're probably thinking like, “Why the hell is he so touchy? What's happening? Is that safe?” Your limbic brain is reacting to that. Then you realize that, “Oh, maybe it's just overly friendly.” All of that stuff. You get used to that hand being there and you no longer observe it as a threat.

Now I've conditioned you that that hand is OK to be there. If I now reach down or reach over and say, “Oh, those are really cool shoes. Where did you get those?” I can now reach into your breast pocket and pull something out. Because my hand is on the shoulder, it's already there. If you feel a little bit of movement on the shoulder, you're probably OK with that because you expect the hand to be there, but your attention is directed elsewhere. I talk about your shoes, I point at your shoes, I look at your shoes. That directs your attention somewhere else.

There's a ton of parallels between that and social engineering. I actually skipped over something in my bio, I realize now, that is not work-related, but something that I did on the side that relates more to social engineering. Because social engineering is not something that I really did for work, but I have a personal interest in it. When I was at my first DEF CON—DEF CON 23—one of the rooms that I walked into was the Social Engineering Village. I thought that was fascinating.

I read a ton about social engineering. I was really interested in the topic. I read books by Mitnick, some other folks, and so on. But it never really clicked for me how it worked until I walked in the room and saw people calling companies live on stage and eliciting information from them. I thought that was so cool. Because I also have a personal passion for the security industry, I was looking for a way to participate more in DEF CON rather than just attending and sitting at talks.

I have a little bit of a technical background. For example, with Metasploit, I can use it in a lab, but I'm not a penetration tester. I'm not a hacker, in that sense of the word. I was looking for some competition or something to get involved in. The Social Engineering Village was really that venue for me where I thought, “OK, as a person with a—actually, my background is in marketing. I'm a marketer by trade, product marketing, and so on. Now, lead sales and marketing at the new company.

In those professions, that's actually pretty close to social engineering because you're trying to influence people. Social engineering is the art of understanding how people tick and then presenting information to them in a way that gets you to the desired outcome. Same with sales and marketing; the difference is really only whether you do it one-to-many or one-to-one.

Social engineering is the art of understanding how people tick and presenting info them that gets you to the desired outcome. -Chris Kirsch Click To Tweet

I applied for the Social Engineering Capture the Flag contest. First year, I did really well on the report. There's a report and a stage part. I did really well on the report but bombed on the calls because nobody was picking up my phone calls. In the second year, I actually won the competition. I think I had the second highest score in history and that was a ton of fun. That was way better than year one.

That shows you a little bit there that there is some element of luck, especially if you get somebody to pick up the phone within those 20 minutes, but also who you get on the phone and so on. Then there’s, of course, planning, skill, and all of that involved as well. I had a lot of background in social engineering because I've really gone deep on that topic. Then I won the competition.

I was actually in Paris with my family to celebrate my birthday, and my dad got pickpocketed next to me on the Metro. I was standing there. We kind of knew who did it, but they'd thrown the wallet back on the floor minus the money. At the moment, I didn't quite know what to do because the wallet was there. We didn't have any evidence. What do you do in that situation? It's actually really hard.

I was researching a little bit about what you should do in those situations and how you can prevent pickpocketing. Then I actually realized that learning how to pickpocket is much more interesting. I started researching that. That ultimately ended up in this talk at Layer 8. There's a funny story to that as well because I was researching it. I found some resources on YouTube and so on. They were directional, but they were not instructional.

I thought, “OK, I think I've researched enough that I could give a decent theoretical talk about pickpocketing at Layer 8.” I submitted the abstract to the conference and I said, “All right, I'll try to get as far as I can until the date, but at least I'm good enough today that I'm not going to embarrass myself.” That was actually on the morning of RSA. I submitted that, got dressed, and then went to the conference.

One of my jobs at the time was competitive intelligence. I went from booth to booth, looked around, and so on. Also very useful to know social engineering for that. One of the booths had a pickpocketer, like a magician pickpocketer. I thought, “Oh, that's really cool. Let me stop here.” And then he started stealing my stuff and so on.

After he'd done his little show, I told him, “Hey, I've got this little weird obsession. I want to learn how to pickpocket and I just submitted for this talk, but I don't actually know how to do it. Can you help me out and recommend what I should read?” He was recommending a lot of the books that I'd already read as a social engineer, which I thought was really interesting.

For example, Joe Navarro is a guy who helps you read people's body language. Reading the body language. This guy said, “Oh, if you can read the body language, you see what people are paying attention to and what mindset they're in. You can pickpocket them more easily.” I said, “Yeah, that's all fine and good. I've read those books, but I still don't know how to pickpocket. Can you tell me a little bit more? Actually, can I invite you for dinner tonight or drinks? I hope this is not too forward.”

He said, “Well, I would love to, but by contract with my agent, I'm not actually allowed to give out my information at this booth.” I said, “Oh, but your name is Rory from Dallas, right?” He said, “Yes.” I said, “OK. I'll walk away now, but expect a text from me.” Another skillset I'd learned doing the SECTF was OSINT—open-source intelligence, researching people online.

This one was a super easy case because I just typed into Google: Rory magician Dallas. Of course, I found his website with a phone number. I texted him. He texted back within two minutes, and we met up that night. He gave me a lot of tips on where to find these resources. The reason that I hadn't found a lot of instructions on YouTube was that, essentially, there are two schools of thought for pickpocketing. There are the street pickpockets and then there are the stage magicians.

I was going to ask you: Is there a fundamental difference between stage pickpocketing and real-world pickpocketing?

There is. This guy pointed me to all of the online magic shops that were selling books, videos, and all of that stuff on pickpocketing with instructional videos. That helped a ton because, for some reason, this did not show up in my Google searches. Maybe I didn't do my research right or they were just too far down in the results or whatever, but I haven't come across those. Knowing what to look for, like the names and the titles of the publications, helped a ton.

The big difference between theatrical pickpocketing and street pickpocketing is basically if you're pickpocketing on the street, you try to steal something from somebody and they're often not even aware of you. You're trying to get in and out without them noticing. You don't want any interaction with them. Whereas if you're a stage pickpocket, they are up on stage, they know you're about to pickpocket them.

In a crowded area, you may not realize you were bumped into intentionally.

You have to distract them in a way where they're paying attention to something else while you're pickpocketing them. It's a very, very different situation. You're also on stage, of course, you're doing it for the audience. You steal something and you flash it behind their back to show it to them—very different techniques.

Some of those are a little bit the same, some are different, and also some pickpockets steal without interacting with a person. They might be behind you on escalators or something, as you're exiting or whatever, or getting on or whatever they're trying to pull it out. They don't want you to remember their face, so they try to do it that way.

There are other techniques where a group of two people or something comes up to you, maybe with a clipboard. They try to engage you and say like, “Oh, can I have your signature for the Humane Society?” or something like that. They have some pretext of why they're talking to you. Then, for example, with a clipboard, they can cover up maybe your handbag and under the cover of the clipboard, they steal out of the handbag, they steal something out of your wallet, and those kinds of things.

In that sense, it's more like interaction on stage where they're actually interacting with you. They're directing your attention, covering up, and so on. There are so many different styles. It's actually really interesting to get into that because people do it in different ways.

That's the neat thing. As I'm watching the presentation, you're talking with your target. I don't call them a victim. You're talking with your target. It's like, “Let me just nudge the attention this way. Let me nudge the attention that way just to get a little closer to your goal.” I was wondering, you talked about your dad being pickpocketed on the train and the guy took the money and dropped the wallet. For one, what did you see about the person who made you think it was that particular individual? What was the outcome of, “What do you do?”

It was really interesting. We were in a car that was actually relatively empty, which is unusual. You'd think that they would target crowded cars. That was interesting. We went in. We were in a bigger group with my sister, one kid with a stroller, her husband, my mom and so on, my husband, and so on. We were a bigger group. We were moving a little more slowly than one or two people would.

We got on the train. There was one lady in front of us and then there were four kids, maybe 10 or 12, or something like that. They're 12 years old, something like that, behind us. They were just fooling around, fighting or whatever. We got on the train, then the doors closed, and the car started moving. Then I asked my dad, “Oh, do you still have your wallet?” Because he's not always paying good attention. He always thinks like, “Oh, if it's in my front pocket, it'll be fine.” But they'd actually taken it out of his front pocket.

He had slacks on. The jeans have a straight cut. Slacks usually have a vertical cut or diagonal cut. Those are a little bit easier to get into. They’re looser pants and so on. They just dipped in, took the wallet out, which was quite big, and took some money out. I asked him, “Do you have your wallet?” He tapped his pocket. He said, “Oh, it's no longer there.”

 

Some pockets are easier to take items from…

This was in France. My family is German. We were talking in German. As we were having this conversation, this older lady started engaging us in conversation in German. She wasn't from Germany—like you could tell from the accent—and she wasn't French either, but you could tell she spoke German fairly fluently.

She said, like, “Oh, what's going on and so on?” My dad, directing attention. My dad's like, “Oh, yeah, my wallet got stolen.” Then she said, “Oh, is it maybe this on the floor?” Behind him. What I think happened is the kids took it out. When he noticed, she distracted us to direct attention to her. We weren't paying attention anymore because the wallet was already gone.

That gave the kids enough time to take the money out, throw the thing on the floor, and there was no evidence. When you have street pickpockets, different people do different ways. Some people work completely alone, but oftentimes, they work in teams. There are often three positions that you have in a pickpocketing team.

One person is there to block the person in. On a subway, they might be holding on to the handrail at the top and kind of boxing you in so that you can't move around so much. Because if you can't move around so much, it has two advantages. First of all, if somebody is trying to get into your pocket, you're not moving around, so it's easier to reach that, and they're less likely to take a sudden step in a direction. Also, if they get caught, the person blocking can be a little bit clumsy and delay the person getting out and running after the guy.

The second person is the person actually stealing the wallet, phone, or whatever they're stealing. Then they immediately hand it off to a third person who walks away with the wallet. That's what makes it really hard to actually catch people in action and accuse somebody. Because even if you spot the guy taking out the phone, because he hands it off so quickly to somebody else, it might be like he takes it out, drops it in the bag of the other guy, and the other guy walks away. It's sometimes not even like a physical hand-off, hand-to-hand. Often it's done undercover. It's like he drops it into the bag under the coat on his arm, something like that.

Now, if you say like, “Hey, you just took my wallet.” He can say, “What? What are you talking about? Feel free to search me, I don't have it, right?” It's very, very hard to actually—after something's been stolen—to figure out what to do and to accuse somebody.

Yeah. I guess the good thing is like with ID cards and credit cards, you at least were able to retain those things as opposed to, “I'm in a foreign country and now I've lost my ID, my credit cards, and my money.”

Yeah, that's true. Also even phones, you can lock them down to a point where they're good for parts, but no longer able to activate the phone fully. That helps a little bit, but there's still plenty of pickpocketing, especially in the big cities. Barcelona is really famous for that because if somebody gets caught pickpocketing and the value is under €400, then they actually don't even get charged. They just walk.

They have some weird laws on the books there. That makes it rampant, where people actually come from all over Europe to go pickpocketing there because the law is like that.

That's horrible. You probably can't entirely eliminate being pickpocketed other than by not having anything on you that can be taken. As in, like, you don't have a wallet, you don't have a phone, you don't have a watch. What can you do to mitigate—to at least reduce the likelihood—that someone might get something from you?

There are a few things. You can only keep a small amount of actual money in your wallet that you take in and out in the shops. Put the rest somewhere elsewhere it's a little bit better hidden. Pickpockets will look where you put your wallet back after buying something. They might stand by an ice cream stand, you pay for something, you put it back, now they know where the wallet is.

There's also a little bit of a joke, but it's also true. A pickpocket waits by the sign that says watch out for pickpockets because everybody touches the place where they have their wallets.

That makes perfect sense.

It's a little counterintuitive. The second thing is to put your wallet in places where it's a little harder to reach. Back pockets, I think, are bad. Front pockets are also bad. Inside jacket pockets are better but still not entirely safe. If you have a zipper on something, zip that up. Don't have it in your backpack where it's easily unzipped or cut open and so on. Put it somewhere where it's a little bit harder to get to.

Also, when you are in a situation, be aware of how people are physically to you. That sounds a little bit weird, but I'll run this by you. There are some tricks, like if you want to get into somebody's personal space. If we're standing across from each other—this is a virtual situation and it's also an audio podcast, so it's a little bit harder to portray, but I'll try to paint the picture a little bit.

Let's say we're standing across from each other and talking—COVID times, six feet apart. This is a safe distance. This is what's called public space. There's actually a science of proximity between people, people and animals, animals and animals, and that kind of stuff. I read a whole book on this topic. It's interesting.

If I stand six feet apart from you, that's public space. If we didn't know each other and I asked you for the way, a perfectly acceptable distance to stand. Then let's say you're standing in a bar with a friend, you're both having a drink, and you're chatting. You're probably closer than six feet apart. That's a more personal space. Then if we got even closer, that's a more intimate space. That might be with your life partner. You might get this close, but if it's somebody else, it's already uncomfortable.

If a stranger approaches you, anything below the public space is a little bit uncomfortable, or you should already watch out. But there are also ways that people use to bypass that perception. For example, if we're standing opposite each other, super close, it's very uncomfortable. But if I move to your side and we stand parallel to each other, looking in the same direction, and maybe looking at each other and having a chat, it's less uncomfortable.

Now, if I pull out my phone, a clipboard, or a map—if we're thinking of a tourist in a city—I’m looking at the map, you're looking at the map, and we were literally standing shoulder to shoulder, the other person can easily reach into your pocket and you're actually standing very, very close to each other. There are these ways how people get into your personal space without you having the perception that they're that close.

Is that when you're standing side by side that's more of a communal, collaborative stance, as opposed to maybe a little more adversarial if you're face to face?

Exactly, you're both looking in the same direction. It feels like you're allies rather than opponents. That's really interesting. Another thing is when you're on an escalator. People can get really close to your back without you noticing, especially in a crowded place. It gets even worse. Let's say you have what's called a bottleneck. A broad space going into a small door or an interruption of the flow.

Let's say a pickpocketing team—there’s somebody in front of you, somebody behind you. The guy in front of you drops a few coins at the end of the escalator and tries to pick them up. You need to scoot around them and so on. Now if somebody touches your back, your pocket, or whatever, you're probably just thinking, “Oh, it's crowded and I'm trying to get through.” It's a little bit of a stressful situation.

You're paying attention to the guy because you don't want to run them over. Maybe trying to get out of the way so that the people behind you don't fall over you as they get off the escalator. Be careful with those bottlenecks because that's a really good time for people to get in. If we think back to the situation where my dad got pickpocketed on the Metro, I think it happened when we were getting on the train.

The train arrives, our attention, our focus, is on the train, getting on the train, making sure that all of our family is on the same train. That's where our attention was. The kids behind us that were horsing around, we didn't perceive as a threat because they're kids and they're like, “Who cares?”

They were doing what kids do: goofing around.

Exactly. I think at that moment when we were trying to get through that bottleneck of the door, coordinating, people getting off the train, us getting on the train, and so on, that was the perfect time where they could bump into my dad. My dad would just see it as, “Oh, other people are trying to get on the train, the kids are playing.” Those kinds of things. You don't even register it because your attention is somewhere.

Recently, I traveled internationally, much less than I'd like to. I always try to be very aware, at least in large crowds where there is a lot of bumping and jostling, realizing that any contact could mean something has disappeared off of my person. It's probably way noticeable. Maybe it makes me a good target for pickpocketing. When I'm in one of those crowds, shoulder-to-shoulder jostling, I almost always have my hand in my pocket on my wallet.

I do too—wallet and phone.

I have them both in the same pocket with my hand resting on them. Yes, if someone knocks me over, it's going to hurt because I'm going to go straight to the ground. In my mind, it's like, “Well, I know back pockets are really easy. I hear front pockets are pretty easy. The only way I can make sure that it's still there is actually by having my hands in my pocket.” I wonder if that makes it even more noticeable, like, “He definitely has something in there that he's concerned about.” I don't know if that makes you more of a target or less of a target.

It's actually pretty easy to figure out where people’s stuff is. You see the bulge of the phone on the front of the pants. You can probably see a bulge of the wallet and those kinds of things. You can even lightly tap and see if it is jingling. Is there a set of keys or is it something else? That's called fanning, by the way. If you touch somebody lightly, especially the back of the hand or something, and just see where the items are.

If you're already broadcasting that you've got a tight hold on your things and you're aware that there is a potential threat, I think people might move on to somebody else. If I were a pickpocket, I’d target the people that are walking around with their phones and texting. They're completely absorbed in their world. They're not paying attention to what's happening around them.

If I were a pickpocket, I’d target people walking around with their phones texting. They’re absorbed in their world. -Chris Kirsch Click To Tweet

Even, let's say you steal something, they notice something, it'll take them a moment to switch context from what they were texting about or reading to what's happening around them and where the person went. I think this is what Rory—the pickpocket that I met at RSA—meant by study people's body language. Because if somebody is not paying attention—I met him for dinner. I gave him a free pick of places. He picked the food court in a mall. I was very happy because it was very cheap for me. It was also great because there were so many people walking around.

He said, “Look at this lady. She doesn't notice anything that's happening around her. Her bag is open in the back. She’s got stuff sticking out. This would be a really easy target. If their mind is occupied with something else, then they become really easy targets.” When you're thinking about maybe you're out and you're shopping for something, maybe you're standing in line, and suddenly you're up. It's maybe a foreign country and you're trying to struggle with the language of the other person trying to make yourself understood to buy an ice cream or something. At that point, your mind is not on your wallet.

The attention on your mind is actually that's the critical thing. It's really hard to control because if you always focus on your wallet, you can never do anything else because we're so single task-minded. It's impossible to pay attention to your wallet all the time. You just can't.

I suppose some of it is just a matter of risk mitigation. Don't carry all the money you're going to use on a vacation with you all the time. That way, if your wallet does get stolen, you haven't lost all of your cash. I know people who put different amounts of money in different pockets. When they're buying the ice cream, they never pull out their wallet, but they know that, “Oh, in my right-hand pocket, I have a $5, €5 bill. I'm going to buy something under €5, I pull a single bill out of that pocket.”

It looks like there's little or no change. They're not pulling out a big wad of money and flipping through trying to find the right bill broadcasting to everybody, “Look how much money I have.”

It's not a bad strategy. Also, it doesn't show as much in terms of the bulge on your pants. It doesn't show as much what you have in there if you just have a few bills in there versus a complete wallet.

I think sometimes even when I travel, depending on where I'm at, I don't actually even take my wallet with me. I might take an ID card in my pocket, a credit card, and a little bit of cash. ID card goes in one pocket, cash goes in one pocket, plastic goes in another pocket, just to spread the risk around hoping that they're not going to get all of it in one swoop.

Yeah, absolutely. I usually travel with a couple of credit cards. I leave one of them in the safe in the hotel. I leave all the IDs I don't need in the hotel in the safe, those kinds of things.

I think as we've been talking about this, there are parallels to the misdirection, maybe even the blocking a little bit in terms of social engineering. What do you think are the most common practices if someone is trying to social engineer us that we should be watching out for?

A lot of times when you're getting social engineered, there is a sense of urgency and pressure that people apply. They try to move you from rational thinking into emotional thinking. What's a good example? For example, there is one phishing scam that I think is particularly evil. Let me explain what you see in the email and then let me explain how the attackers got that information.

A lot of times when you're getting social engineered, there is a sense of urgency and pressure that people apply. -Chris Kirsch Click To Tweet

The phishing email will say, “Hey, we hacked your computer. We have control over your video camera and all of your browsing history. If you don't pay us $1000 in Bitcoin, we're going to send this to all of your friends because we have your contact info as well. As proof, we've got your password here that we included in this email.” This is clearly a pretty big threat for a lot of people.

It puts them into an emotional panicking mindset. They're more likely to react also because it's something that they don't want to talk about. They don't want to ask for help because it's an embarrassing situation, potentially. That's how these scammers try to extract a lot of money. It's actually hard to know how many people got hit because a lot of people just don't admit to it afterward. What's really happening is, there are often—as everybody knows—breaches of different websites. It might be your totally unimportant social media sites somewhere.

Your old MySpace account.

Your old MySpace account. Those websites get breached. Typically, on those websites, you log in with your email and password. If the database gets breached, the attacker has both your email and your password. Now, it doesn't even have to be the attacker who owns the website that's now sending you this phishing email because a lot of times, these databases get sold or just dumped on the internet and then are publicly accessible for download. It could be anybody.

There are actually websites where you can enter an email address and get a list of passwords back that were associated with email addresses in the past. I've actually used those websites for online investigations and those kinds of things. It's super interesting. When you have access to this information, now you can craft a generic email, and you can match up the email address in the to line of the email and you put in the password. Bingo, you've got a really compelling pretext.

This is an example of how a social engineer gets somebody to drop from the rational to the emotional level—panic a little bit. There's a sense of urgency to do this because otherwise, they'll get extremely embarrassed in front of all of their friends and family.

I received an email from a woman once. She says, “I've been targeted with this extortion email.” She didn't phrase it that way. “They claim that I've been watching porn on my computer and they're trying to blackmail me. I've never watched porn on my computer.” She's definitely falling for the emotional because she's being blackmailed with something that she didn't do. Her big concern was, “Why are they specifically targeting me?”

Every kind of phishing scam that she gets, she took it as a personal attack on her, as opposed to, “No, you're just an email address, a password, and a database that got sent out to 100 million email addresses, hoping that you'd be the one person who would try to figure out how to buy cryptocurrency in order to send them money.”

If we're thinking back to marketing, of course, as a marketer, we try to target people with exactly the message that they need to hear. It's called segmentation. If I know exactly that you're into Fortnite and I send you a marketing message for—I don't know Fortnite that well, so a bad example. For something that you can buy in Fortnite, some Fortnite branded gear, or something like that. The assumption is that you will be more likely to buy this than the average person.

There are also marketers that just spray and pray. They sent the Fortnite gear email to 10 million people and for some of them, it'll hit. For this person, the email happened to fit, maybe, maybe not, because she was actually not watching porn, supposedly. Maybe it didn't hit so well, but it still resonated with her.

To her, the key thing that proved that it was real was the password.

Sometimes old passwords are purchased with the hope of getting you to do what the scammers are asking.

There's actually a really interesting magician in the UK. He's called Derren Brown. He runs all sorts of weird social experiments and does documentaries about them. There is one that I loved where basically, from the point of view of this woman that was in the documentary, she received a text message, or maybe it was a letter. It said, “Hey, here's £5. I want you to go and bet it on this horse in this race. I'll be in touch.”

She went, she put the money in, and the horse won. Then she got a second letter with £10. Again, instructions to bet it on a certain horse, and the horse won. The third one with £20 and the horse won. Then he met her at the end and he said, “All right, bring £5000 and we're going to bet it on something and you're going to get a lot of money.”

She went there, she bet it on the horse that he told her, and she lost. How did he do it? He provided value. He built trust over time with this one person, but how did you know which horse has won? Because it was public horse races. What he did is he sent this letter to 1000 people, one for each horse in each race. Then he said, “All right, now for the second round of letters, I reduced it to only the people that won. For the third round, I reduced it to the people that won.”

He selected out, but for the people that he was targeting, they all won all three races. In the end, she bet on the horse, she lost, and he gave her the money back because he said, “Hey, this was an experiment and it's for a documentary. This shows you that just because you're seeing something anecdotal from one perspective, doesn't mean you understand the entire scheme.”

If you look for Derren Brown on YouTube, he's got a ton of these kinds of shows on. He's got three shows on Netflix as well on manipulating people, social engineering people. It's super, super interesting from a psychology perspective. He's got one show—I think it's on Netflix. I think it's called Push—where he gets somebody within 90 minutes of manipulation to push somebody else off a building. It's super interesting.

There is one where he gets somebody through influence and manipulation to take a bullet for another person. The third one is basically about these preachers and healers and how they do things. He does a live show where he does it, then explains how they do it, and that you shouldn't believe in it. He's a super interesting guy exposing all of these scams. Maybe he's somebody you should have on the show.

I will definitely link to him in the show notes. He'll definitely be someone I will look up as a potential guest.

He's definitely well known in the UK because he had a lot of shows on probably BBC or something like that. He's less known in the US, but most of his shows are on YouTube and then also three shows on Netflix. There's also another one—this is a two-part series where he basically makes somebody believe that the world has ended and is overrun by zombies. It's insane. It's really insane.

I think about when you're talking about the one who got the money. To the receiver, it looks like, “Oh, he got it right three times in a row.” Well, he didn't get it right. It's hard when you receive an email to flip it and like, “OK, could this exact email have been sent out to 100 million people? If so, how would they do it?” We don't try to deconstruct when we receive stuff. It's just, “Oh, my gosh, it's about me. It's got my name. It's got my password. They must know something that I don't know.”

There's another one, which is much simpler to explain, where he basically recorded a video and he said, “I can control how a coin lands with my mind.” He shows the coin and he says like, “It's got heads and tails. I'm going to let it land on head 10 or 20 times,” or something like that. This video is unedited, it's uncut. They can see the whole procedure. The coin is never out of the frame. He does it and he hits it 20 times.

In a row—like, heads 20 times?

In a row. Heads 20 times in a row. The likelihood of that is super small. What he did is, he was standing there all day recording videos until he hit it 20 times. He only showed you the one where he hit it 20 times.

I was about to say, “Well, he could have recorded the video a whole bunch of times.”

Yeah.

That's important. The sample that you're seeing is not necessarily the true sample size. You're only seeing the one sample that the person wants you to see. How do we protect ourselves against social engineering? How do we know when people are trying to manipulate us, push us, or nudge us just to give up just that little next piece, which they can use to leverage somewhere else?

It's a hard question to answer because it's so varied. When you are put under pressure, especially by somebody that you don't know, always take a moment to pause and say, “Hey,” first of all, tell yourself, “OK, I'm in a situation where I'm emotionally stressed, I'm under time pressure. Do I really have the right information, and am I in the right frame of mind to make this decision right here right now?”

There are rarely situations where you can’t say, “Hey, I'm sorry, I'm not comfortable making that decision right now; let me call you back.” You can take a moment, reflect on it, maybe ask somebody else for their opinion, and then proceed. When you get a call over the phone, you don't know the person personally, and they're asking you for information that you may not want to give out. Also say, “Hey, can I take down your number?” Then go verify who they are and then call them back.

If I look at the Social Engineering CTF—and a lot of the calls that I've seen in my own call—if people had done that, I would have been dead in the water. Basically, in my situation where we're targeting companies, in that year where we're targeting toy and gaming companies, I targeted the retail outlet of a toy company. I phoned in and I claimed to be Mike from IT, basically. I said, “Hey, are you guys open right now? Because I'm not getting any booking data from your POS systems.” He was trying to help me.

Through that, I built rapport. I asked very easy questions. “Hey, just a quick question, are you guys open right now?” That's not a question where you'd say like, “Oh, I'm not really comfortable answering that.” You would tell that to any customer who phoned up.

Then I said, “Hey, I don't have a lot of time right now because I need to pick up my kids.” I don't have any kids. I was lying—shocker. I wanted to tell them, “Hey, I'm not going to keep you on the phone for ages. I need to go. Don’t worry about it.” That's actually a really good tactic also when you're in sales doing cold calling, for example.

It's your own urgency. You're not putting the urgency on them.

Exactly. Because when somebody phones you up, your first thought is like, “Oh my God, I don't want to talk to this person. Are they going to hold me up forever?” If you tell them, “Oh, I need to go in a second, but can I just ask you real quick XYZ?” It also puts a little bit of time pressure on but not too bad. I increased my asks incrementally.

Basically, “Are you open right now? Would you be willing to help me troubleshoot this? Do you have internet access right now? Can you get to Facebook?” He's probably gone to Facebook a million times. That seems safe. “All right. Now, can you go to this internal server? Can you reach that one? Can you reach this external website?”

I'm increasing my ask every time. Then at the end, I had him where I told him like, “Oh, I'm going to send you a new router, can you unplug the old one, plug the new one in, and just throw the old one away or whatever?” At that point, if I manipulated the router, I would have been in their network. There were a lot of other ways I could have gotten in. I got him to go to a website of my choice where I could have exploited his browser, all of that stuff.

In that case, if he'd asked me, “Hey, I'm sorry, I don't know you. Could you give me your name and number and I'll call you back?” If he trusts my number, maybe I still win and he calls me back. Never trust the number that you're given. Always research. Is it the right number range for that company? Or can you go through the switchboard, ask for the person, and those kinds of things.

I suppose COVID makes this worse because, “Oh, I'm working from home. I can't answer my desk phone. Can you call me on my cell phone?”

Yeah, absolutely. Another way to spot a scammer—and this is more for the longer cons when you really have somebody who's trying to scam you out of money. They show you trust first so that you reciprocate with trust. The interesting thing is when people think about trust, they always think it's bidirectional. We trust each other. If you've ever studied IT security, trust actually goes in one direction. “I trust you, therefore, I'm doing what you say.” But that doesn't necessarily mean that you trust me and you do what I say.

Most people think that if they show that they trust me, I should trust them back. That's oftentimes a model that scammers and con men use to get rapport and trust with the other person. They might lend the money. They might ask them, “Hey, can you look after my laptop while I go to the bathroom?” Those kinds of things. After they built the trust, now they're asking you for something in return.

Now they could then turn around and exploit that trust.

Yeah, exactly.

“Well, you trusted me and I should trust you.” Now, they think and ask, “Oh, well, I have to reciprocate.”

Absolutely.

It can be hard to know whom to trust.

The law of reciprocity is exploited.

Yeah. Especially with trust, it's even more. Reciprocity can also be a simple act of the cult member handing you a flower and saying, “Hi, this is a gift from us,” and then they ask you for a donation in return. It doesn't have to just trust, it can be other things. But with trust, I think it works really, really well.

We're wired to rely on trust, if that makes sense. How can I sleep at night if I don't trust the person in the room next to me, that the door is going to be locked, or those sorts of things? We're very much wired for that.

Let's wrap up here. We're about an hour in so far and this has been really an incredible conversation. Any parting words before we talk about where people can find you?

If you're listening to this as a private individual, I actually have a page on the medium.com site if you just search for “Kirsch medium identity fraud.” If you find a 13-part plan of how you can protect yourself against scammers, online scammers, and so on, most of those resources are entirely free or at a very low cost. I don't participate in any of these in a financial way.

I wrote that up because I realized that I was giving advice to a lot of my friends and family about those things. I thought, “OK, why don't I just write them up and I can spread the word a little bit more efficiently?” If you're listening to this as an IT or IT security person and you're in that role, I would appreciate it if you came to rumble.run and check out our asset inventory solution.

If you're working for a small company with less than 256 assets, then you can actually use the solution completely for free. A lot of people use it at home to figure out what they have connected to the network. They often figure out weird and wonderful things that they didn't know they had or didn't remember they had. That takes all of 10, 15 minutes to set up.

Or you find out there are way more things on your network than you thought you had on your network. Even though they are purely legitimate things on your network. I ran one of those, unfortunately, not with your product but with a different product.

Shame on you.

I didn't know about your product at that time. I was just amazed. I was like, “Oh, but that's right. Oh, that is connected. Oh gosh, that is connected.” I started thinking through—I really need to update everything that needs a firmware update monthly or at least a check. I'm like, “Oh my gosh, there are way too many devices that are connected.”

On your home network, yes, you might get owned at home and so on. It's more for the interested parties that do that for a job that are also geeking out at home. That's perfectly fine. But if you're running a corporate network, there is this old story of the casino that got hacked because they had a vulnerable thermostat in the fish tank that was internet-connected. It's the weird things that can get you owned, but it's also sometimes your unmanaged devices, all of that stuff on the network.

Even when I'm talking about my house, there are so many things that we forget that are connected. It’s one thing if you were the IT person the entire time with the organization. But I don't know any IT person who was the original IT guy, so you don't know what you've inherited.

Exactly. There's so much legacy stuff out there. It's ridiculous. Everybody's afraid of unplugging it.

There's that Windows XP box in the storage room that no one knows what it does, but no one's going to unplug it or reboot it.

Yeah, absolutely.

If people want to find you online, where can they find you?

My Twitter is @chris_kirsch. On Medium, I'm @chris.kirsch. On LinkedIn, I'm just Chris Kirsch. It's pretty straightforward.

That's awesome. We'll make sure to link to your Medium resources, link to Rumble, the notes as well, as well as your social media accounts. Chris, thank you so much for coming on the Easy Prey Podcast today.

Thank you. It's a lot of fun.

Exit mobile version