Social Engineering: Framing

Develop a scenario to get information that uses framing. Incorporate at least two of the four frame-alignment types (see the Framing entry in the reading section for the four types). Make sure you adhere to the four rules of framing listed in the social engineering text. You are welcome to try this out in real life, but, again, do not harm any targets or end up on the 11pm news. Tell the class your scenario and any reflections you have on the process.

Per “The Social Engineering Framework” from www.social-engineer.org, the four types of frame alignment are frame amplification, frame extension, frame transformation, and frame bridging (Social-Engineer, n.d.).

In frame bridging, one attempts to answer a question by not actually solving it. The “bridge” is the hidden relation between two statements, which allows a pretext to be effective either in not raising suspicion or in gathering more information on a subject.

Frame Bridging

For example, say you were attempting to bypass security at a local marketing company whose bitter rivalry with another marketing business had recently been made public. The two owners, who were childhood friends, worked with one another at company A, and due to a falling out, one of the owners left and formed company B. At company A’s reception desk (the first real layer of security), you strike up a conversation with the receptionist using a well-researched pretext consisting of his/her name, a fake ID badge with the company logo, and some data retrieved from the contents of his/her office (photo of kids, college diploma, etc.). Just as you believe you are making progress with your cover story and gaining access to “upgrade their web server for enhanced performance,” the receptionist asks, “Under whose authority is this task?”

Right now, you find yourself in a problematic situation; however, with a little frame bridging, you can attempt not to answer the question, yet provide the necessary motivation for the receptionist to feel at ease. You might say something like, “Well, Mr. Smith (business A’s owner) got word (during his vacation) that Mr. John (business B’s owner) had recently upgraded their web server and, per Mr. Smith, ‘he (Mr. John) made sure to rub it in to highlight the new clients he just landed.’ So, Mr. Smith has me coming in to do this task, quite immediately, so I wouldn’t be surprised if he didn’t let you know of my presence today, especially due to him being out of town for his vacation. I think we both know that if this doesn’t get done, Mr. Smith will undoubtedly be angered.”

The receptionist will (hopefully) know of both the vacation and the rivalry between the two companies/owners, and will not want to thwart Mr. Smith’s ability to match company B’s newly added hardware capabilities (and bragging rights).

If this frame bridging is successful, the original question will be answered; however, it was bridged with another train of thought, which motivated the receptionist to allow entry.

Frame Extension

Frame extensions, on the other hand, are attempts to extend the boundaries of a current frame (a topic of discussion, for example) to another frame, hoping to pivot the conversation to another topic. This is useful in many social engineering attacks but can be risky because it may significantly change the pretext.

Seeing as I wrote too much for frame bridging, I will try to give a shorter example for frame extension. Let’s say that you are in the lunchroom at work, surrounded by your peers. The topics of global warming and green initiatives are flowing around to each table. Some employees are undoubtedly on each side of the fence regarding the issue. At your specific table, a young woman whom you’ve wanted to ask out on a date for many years starts to describe the dangers that global warming poses to our planet, and what our company, specifically, can do about it. You desire to be a part of this discussion to try to impress her. Currently, the frame is limited to supporting green initiatives, and using this information, you wish to extend the frame to a topic she may also be interested in. You say to the woman, “I admire your passion for this subject; since you are involved in it, I would assume you would also be interested in combating the use of pesticides on our company’s lawns.” This frame extension has the risk of weakening the stance of the original frame; however, if it is successful, you now have a targeted topic to discuss with the woman, knowing she will be interested in your discussion.

References

Social-Engineer. (n.d.). Framing. Retrieved April 28, 2020, from https://www.social-engineer.org/framework/influencing-others/framing/

Hadnagy, C., & Wozniak, S. (2018). Social Engineering: The Science of Human Hacking (2nd ed.). Newark: John Wiley & Sons, Incorporated.
