Social Engineering - Pretexting Primer Leading Into Correcting the Record
In this article we show how you can combine two techniques seamlessly for an ingenious, evil plan, using a classic priming setup - some would call it pretexting - to trigger a response the victim probably would otherwise have thought about twice.
Disclaimer
Note that people in general tend towards anticipatory obedience, trying to match the expectation of the group they belong to.
That’s the reason why we remain sceptical towards a setup like the following. The result might differ quite a bit from an uninfluenced, honest answer, where the victim had time to carefully weigh good vs. evil against one another. We all decide emotionally, and such deception tactics highly influence the emotion of the victim.
At this point we also need to emphasize: “Any similarities with real events, companies or persons, living or dead, are purely coincidental and not intended by the author.” We actually mean it.
Let’s Start
Either way, it’s first and foremost a very cool and exciting setup, which can teach a lot about Social Engineering.
Negative Expectation - Emotional Manipulation
This technique involves engaging the target’s deep-seated beliefs or emotions to provoke a specific reaction or response. It is designed to set a negative expectation, while subtly introducing a scenario that conflicts with the target’s personal values or beliefs, thereby creating emotional confusion.
This conflict primes the target to be more susceptible and reactive to subsequent stimuli that align with their beliefs, also making them more likely to act or express themselves in a manner that reveals their intentions - yet this should be taken with a grain of salt, as manipulated emotions don’t truly reflect the uninfluenced opinion.
Correcting the Record, Indirect Edition
Based on our inner drive for justice, order and correctness (what the internet thinks OCD is), people naturally will try to correct false assumptions.
You could use this along with the timeline technique: why not add a few waypoints that are intentionally wrong, and leave out another few? The other person might want to correct them and fill in the blanks for you.
Or you combine it with a well thought through plan. “Correcting the Record” is a form of indirect interrogation (not to be confused with the accusation audit). By presenting information or narratives that indirectly relate to the subject’s recent experiences or dilemmas, the orchestrators encourage the target to voluntarily express their views or intentions. This is done under the guise of an unrelated discussion, making it harder for the target to recognize the manipulation.
Scenario: The Marketing Loyalty Test
Bob, a recent addition to the marketing department of a multinational corporation, finds himself in the middle of an internal assessment he’s unaware of.
(see also: Negative Manipulation 01 - tests unknown to the person being tested)
The group orchestrating this assessment is concerned about potential leaks of sensitive marketing strategies to competitors. They decide to employ a two-step social engineering tactic to evaluate Bob’s disposition without direct confrontation.
Step 1: Emotional Manipulation
The group knows Bob has a strong attachment to honest advertising practices, stemming from a college project where he exposed deceptive marketing tactics. They decide to leverage this by introducing him to a scenario that would emotionally engage him. At a department meeting, a consultant (an insider playing a role) discusses the possibility of using exaggerated claims in the next campaign to boost sales, citing it as a common industry practice that’s technically not illegal but ethically grey.
Step 2: Correcting the Record
Shortly after the meeting, Bob comes across an article shared on the company’s internal social network. The article discusses the importance of honesty in advertising and how some companies have faced public backlash and legal consequences for misleading practices. It ends with a call to action for employees in the marketing field to uphold ethical standards, even when faced with pressure to do otherwise.
To give Bob an additional push, the group had sent him an internal newsletter stating that the company wished for more engagement of the employees with their Intranet Services.
Moved by the article and still disturbed by the previous discussion in the meeting, Bob posts a comment on the social network. He states his strong belief in honest marketing and expresses that, if faced with unethical practices, he would feel compelled to take action, even if it means reporting internally or consulting external auditing bodies.
Analysis
In this scenario, the group successfully assesses Bob’s loyalty and integrity without direct confrontation, using sophisticated Social Engineering techniques.
The group orchestrates a situation where exaggerated claims in advertising are suggested as a viable strategy. This suggestion directly clashes with Bob’s ethical stance, generating an emotional conflict and ensuring he is mentally and emotionally primed to respond to related cues or discussions. Bob’s dedication to honest advertising practices is exploited. Bob’s reaction to the consultant’s suggestion and his subsequent public stance on ethical marketing provide the group with the insights they needed, all while Bob remains mostly unaware of the true nature of the assessment - we said mostly, because if Bob is not a complete idiot, he’ll surely find out after a while, and he will then know not only about unethical marketing practices, but also about unethical treatment of employees.
Author’s Comment
Although these tactics surely have a high success rate, they have the same potential for false confessions. On top of that, experiencing such manipulation over a longer period of time, or with stark consequences (Bob losing his new position), can result in deep trauma, lead to long-term mental health problems, severe trust issues, loss of self-worth or even suicide. While we admire the genius hacking aspect of such tactics, we generally advise against using them outside a well-defined test setup, such as a Red Team engagement.
Social Engineering should never cross the ethical border into personal areas and never leave a victim without resolution, explaining the setup and taking full responsibility.
General Disclaimer on Social Engineering
With all our articles about Psychological Manipulation we aim to help victims of such tactics. These days, bad actors use these techniques and tactics, outside of a legal context like red teaming or pentesting, for their own purposes. In doing so, attackers often cross ethical borders, for reasons like fraud, blackmail or just to put people under pressure, leaving their victims without resolution.
We provide detailed analysis of these techniques in the hope of creating awareness, to help people understand what may have happened to them and to protect them against Social Engineering attacks.