Post by modeski on Dec 14, 2004 12:09:53 GMT
Greetings!
As I promised in my last post, I'd like to share some more information regarding phone techniques for social engineering. I have a background in sales and customer service, and received extensive training on how to use the phone as a tool, as a means to an end (i.e. getting a sale). Many of the methods used in sales can be equally applied to social engineering, and this is why I'm posting here. What you do with this info, which is posted purely for educational purposes, is up to you.
So to recap, I discussed the basic structure of a call, covering the Introduction, the "hook", and what are known as "trial closes". If you recall Ted and Bob's phone conversation, for the sake of brevity Ted was shown to be successful [sp] in his pursuit of the boss' phone number. Whether or not the call would have gone so smoothly in real life is debatable. If you use the techniques described, though, chances of success are greatly increased.
Good social engineering is essentially good salesmanship. Trying to "sell" yourself is arguably what social engineering is all about.
I'd like to discuss something well known to any salesman worth his (or her) salt, and will be essential to any social engineer, aspiring or otherwise: Objection Handling.
Objection handling is, as the name suggests, a way to overcome objections. In sales, when a customer says "I'm not interested in your product", that is what's known as an objection. Some people would give up at this point and try elsewhere. Not good, they won't be in sales for long. A salesman will not take "I'm not interested" as a final answer. S/he will simply use the objection as a platform from which to make their next pitch, or spring the "hook" to try and gain the customer's attention and keep them on the phone. This is a primary goal, especially in telesales - the longer the customer is on the phone, the higher the chances of making a sale. Simply railroading customers often works out for the best.
So how can this work in a social engineering context?
Objection handling is a skill, one which is easy to master, especially when you face the same objections more often. The key to success is to always have an answer. As before, your phone manner must be strong, confident and knowledgeable. When Bob at reception says that, for example, he's been instructed not to give any information out, you must have an answer ready. Any experienced social engineers amongst you will no doubt have faced the same problems over again, on the phone to various receptionists/security etc. Think about the most common obstacle you come across:
- What is the one objection that prevents you reaching your goal more often than any others?
- How do you overcome that objection (if you do)?
I'm sure many of you use objection handling without realising that there was a name for it. The best examples of objection handling in use can be seen, of course, in sales. To show how this works in a sales context, let's have a look at Joe Bloggs, who's buying a minidisc player from his local consumer electronics store...
Joe: I'd like to buy the silver Sony behind you.
Teller: Okay, that'll be $250, would you like insurance for that?
Joe: No, just the player is fine.
A bad salesman will let Joe go his merry way, sans insurance. A good salesman will try to overcome Joe's objection, thus:
Teller: Are you sure? It costs a heck of a lot to get the minidisc looked at if it breaks down, though if you have insurance we can repair your unit or even replace it!
Joe: Well I've paid so much for the player itself, how much are we talking for insurance?
Teller: Well, you have 3 options - 2 years, 3 years, and 5 years. It'll cost you only $200 for 5 years, and that covers accidents.
Joe: I can't afford that.
Teller: Well how about 2 years? Only $100, and if you drop your minidisc player we'll replace it for free!
Joe: No thanks, I don't want any insurance, it'd cost too much after spending $250 already.
Teller: Okay, well you can pay it up in monthly installments, it'll only be a few dollars out of your bank account and you'll have the peace of mind that you're protected.
Joe: It'll still be more money coming out of my pocket for something that will never happen, I'm careful with what I buy.
Teller: Yes, but say the unit is damaged accidentally, it'll cost you $50 just to put it in for repair.
Joe: I think it's covered on my house insurance already, so...just the machine please.
Teller: I can tell you with 95% surety that your own insurance won't give you the same cover as the protection plan we're offering you.
Joe: I'm going elsewhere, give me my credit card back...
Okay, so you get the idea - basically the teller has an answer to all Joe's objections. To use this during social engineering, you should emulate the teller. If you can convince Bob at security through sounding knowledgeable and overcoming his objections, that phone number or whatever will be given with the greatest of ease. A good exercise to do is to compile a list of the most common objections you've encountered, and list them. Share the list among your peers: what answers/lines have worked best in the past?
Okay, so that's a basic outline of Objection Handling. This method, used in conjunction with those described in my last post, should be of at least some help, both in sales and social engineering.