According to the definition by the FBI, elicitation is a technique used to discreetly gather information. That is to say, elicitation is the strategic use of casual conversation to extract information from people (targets) without giving them the feeling that they are being interrogated or pressed for the information. Elicitation attacks can be simple or involve complex cover stories, planning, and even co-conspirators. Social engineers use elicitation techniques to gather valuable information, and in turn, use the intel during the development of a larger Social Engineering campaign.
The purpose of this article is to aid the reader during a Social Engineering campaign when it comes to eliciting information from targets. Enjoy and please contact us regarding your next Social Engineering campaign.
Guidance used in the development of this article has been grafted from a book written by our team titled, The Social Engineer’s Playbook: A Practical Guide to Pretexting.
This Is By No Means A Full And Complete List!
The use of flattery goes a long way in sweet-talking a target into giving up additional information. Statements such as, “You seem like a top-notch guy. I’ll bet you were the brains behind that project” is sometimes all that is needed to kick start valuable elicitation. Flattery seems like too obvious a tactic, but it is proven to be very effective when done skillfully.
Bragging is something that is frowned up in the West. People are often proud of their achievements but find little opportunity to share them due to the stigma. When we compliment a person, it generally opens the door for bragging. For example, after we compliment a tar-get they will likely feel compelled to elaborate on his or her involvement on a project. Even if he or she is downplaying the compliment, the target is talking about the subject and possibly giving up information. A good social engineer should exploit that opportunity by digging deeper.
An important note to mention is that exaggerated flattery about a target’s accomplishments rarely backfires. Because of the stigma attached to bragging, this usually compels the target to normalize their accomplishments to the attacker. This is good because it gets the target to open up. A chatty target can be a gold mine of information to a social engineer. On the other hand, exaggerated flattery when referring to a target’s clothes or persona, for example, can be disastrous. This approach must be handled with tact. Sexual harassment or borderline sexual harassment statements should never be a part of a social engineering plan. Therefore, it should be avoided at all costs. Instead, compliments should be directed away from personal features and appearance and toward more material things. For example, shoes, watches, briefcases, glasses, purses, automobiles, etc.
Want to find out which of these threats your organization is most susceptible to? Set up a call with us and we’ll help you understand where your most likely risks lie.
2. False Statements
This tactic involves stating a deliberately false statement in the hopes that the target will correct you with the accurate information. A useful statement might be, “I heard they have seventeen cameras, twelve guards and a fingerprint scanner in their lobby. They say that place is like Fort Knox! Nobody can get in.”
The key to this tactic is to include details and greatly exaggerate the scenario. For example, if the objective is to learn about the number of cameras in the lobby, be sure to grossly exaggerate the number. Do not simply say that there are several cameras in the lobby. The goal is to get the target to correct you by stating the correct number. If someone is spouting off incorrect information, such as the number of cameras, when all the while we know the undeniable truth, it’s part of human nature to want to educate that person. It is that human behavioral characteristic that sits at the core of this tactic and is exactly what we want to tease out.
It’s worth mentioning that if the false statements are too close to reality, the target may not feel obligated to correct you. Again, the key is to overstate with detail so that the target feels compelled to correct you with detail.
3. Artificial Ignorance
As described in the previous technique, false and grandiose statements play on human behavior triggering a reaction to correct incorrect statements. Much in the same manner, humans have an intrinsic desire to teach and educate others. Social engineers use artificial ignorance to pretend to be inexperienced on a topic in order to instigate a reaction by the target to educate them. A useful statement might be, “I don’t know anything about motion detectors, but I’ll bet the cops are here often. I heard they go off all the time due to shadows from the trees.” The intrinsic desire to teach is especially notable where the “teacher” has an affinity toward the subject matter or works in the industry. Leveraging subject matter the target has an affinity toward will increase the chances he or she will feel compelled to educate you.
Blending elicitation tactics increases the opportunity for success. From our own experiences, conjoining flattery tactics with artificial ignorance has been proven to be very effective. The two accompany each other extremely well as elicitation strategies. For example, playing dumb about the function of motion cameras while responding to the target with flattering comments. Boosting egos tends to open people up to conversation much easier. A chatty target is a good target. It also creates a likeness between the social engineer and the target — and a likeness is a powerful tool for influencing others.
4. The Sounding Board
The sounding board takes advantage of human behavior to brag or grumble about their feelings. An immediate kinship is created transparently when a person confides their feelings in another individual, even perfect strangers. He or she will likely give up more information as a result. The key to successfully leveraging the sounding board tactic is to listen intently, patiently and validate his or her feelings.
Social engineers frequently play on the instinct to brag or share exploitable information with complete strangers. A good social engineer can create a “safe” environment for the victim to brag or complain. One way to do this is by validating all of the target’s feelings, positive or negative. This creates a connection between the engineer and the victim. By the social engineer depicting himself as a person, they will never ever meet again also creates a safe environment. As a result, it lessens the potential for negative judgment from the stranger and in turn, increases the chances for additional disclosure by the target. In essence, it sends a signal that no negative sharing is off the table and opens up the floodgates for information.
At the root of the sounding board, the tactic is being a good listener. This is easier said than done. The social engineer must make frequent eye contact with body language that says, I’m interested in what you’re saying. Secondly, agreeing with what the target’s thoughts and validating them by sharing some of your own similar experiences or fabricating them.
This technique is used by social engineers to elicit more precise information from a target. To accomplish this, a very high or very low approximation is given in an effort to entice the victim to respond with a more specific number. For example, if the goal is to learn about the number of motion detectors in the lobby. The social engineer might say to the target, “I’d guess their security is pretty tight. I would assume they have fifteen motion detectors in their lobby.”
From a personal angle, we make heavy use of bracketing tactics specifically when trying to learn about the physical security makeup of a building or room. Most security guards we’ve encountered rather enjoy opportunities to either complain or brag about the environments they protect. I will say that most of them have a tendency to have pride in the environments they protect. As a result, they like to talk about how secure they are. If the objective is to learn about the number of motion detectors from security guards, be sure to pump their egos a bit. However, intentionally lowball the number of motion detectors. This will likely trigger them to correct you with a glimmer of pride in their eye when they reveal there are actually ten motion detectors! Now that you’ve pumped up their ego, they are primed for other elicitation techniques.
Thank you for taking the time to read or share this article with your network of peers. This is by no means a full and complete list, but we hope you find at least one valuable nugget in here somewhere!
Guidance used in the development of this article has been grafted from a book written by our team titled, The Social Engineer’s Playbook: A Practical Guide to Pretexting. More information about the book’s contents can be found on Amazon and Hexcode Publishing.
As always, we welcome you to schedule a time to chat with us directly using the link below.
10-Point Offensive Security Checklist
Get A Bird's Eye View Of Your Organization's Security Readiness