
Governments' Guide To Social Engineering - Mario Khawam

BSides London | 11:43 | 99 views | Published 2026-03

Transcript [en]

Hello everyone. Thank you very much for attending. So my name is Mario. I'm a cyber security student and a learning bug bounty hunter. Today I'm going to be talking about social engineering on the large scale, something that isn't talked about a lot by people in the cyber security industry, at least from my experience. Essentially, what this refers to is social engineering and manipulation by the big players: not just scammers in your inbox, but the politicians on your TV, and how that relates to our digital security landscape. Of course, social engineering by government actors is not something that is new. It is something that has been around for a very long time across the political spectrum, and it is an issue that is continuously growing as well, as social media becomes their tool of choice when propagating their ideas. The formula is very simple: you employ the social engineering method, you observe the actual effects of it and how the public is receiving it, and you adjust your formula accordingly. If they are more receptive to one type of method, you employ more of it, and so on. It's a cycle. Now, I'll be basing my analysis on Dr. Robert Cialdini's seven principles of psychological influence. These are essentially the core principles that guide how we are influenced as humans, and I'll be mapping them all along.

First, we've got reciprocity. That's a classic one: essentially, give and take. Scammers know all too well that this is something we fall for quite easily, so they will offer to give you something only if you take 30 seconds of your time to complete a survey. Of course, where I'm from, this is something that governments know quite well too. So you see things like bribes happening on a large scale in many countries, and that is one way that reciprocity is used by governments. And then you have scarcity, ransomware being a perfect example of that. They will tell you that you have a specific amount of time left before the payment will be raised or your files will be lost, and that will pressure you into acting more quickly than you would if there was no time pressure. Obviously, this is something that even governments do: "4 hours left to vote. So, here's four reasons why to vote Conservative." It's essentially just pressuring you to commit an act without even thinking about the potential consequences of it.

Authority. This principle is very straightforward. Somebody calls you pretending to be an authority figure, such as somebody from your bank or tech support, and they're asking you to take specific steps. Since as humans we have this bias to trust authority figures, we will very much fall for it. I don't think there's any surprise here: the government and authority are pretty much synonymous in this case. They will present information to you, especially during war periods, where they will try to make it sound like it's just a matter of fact based off the fact that they are the ones saying it. Now, a lot of people might not have a problem with that when it's their own local government figures doing it, but what happens when it's somebody a bit less savory, or less official, let's say, that is doing the same thing and influencing audiences?

Can anybody guess what sort of scam this is? It's a pig butchering scam. Exactly. So, essentially what happens in this scam is the cyber criminal approaches the victim and fattens them up with compliments and a relationship, then makes demands of them that are usually financial in nature. At some point, once they've got enough money from them, they will, you know, butcher the pig: they get what they want and exit the relationship. Using personal relationships to influence your actions is something that governments and politicians also do quite well. For example, personal door-to-door campaigning is a great instance of that, which we see very often. People who are visited by their local politicians before an election campaign are actually more likely to vote for them than those who are not. Of course, we like to be committed and consistent to the things we say we'll do. And if you have a politician showing up at your door, chances are you're going to say, "Yeah, I'll vote for you."

Because what kind of monster doesn't like puppies, right? I don't think there are a lot of people that wouldn't actually fall for a scam like this, where they're pretending to be setting up an animal rescue organization and they start asking for donations, and since our heart is softened in the moment, we very much find ourselves donating. Same thing with politicians. They will hold up a baby and think that because we like babies, therefore we like them as well. This is a classic example, so much so that it even has its own Wikipedia entry called baby kissing.

Social proof. This is one of those psychological tactics that work quite well on social media. For example, here what you will see is a scammer posting pictures of somebody living a very lavish lifestyle, pretending to be them, and they will say this is what you will also get if you invest in this coin or that coin. Unfortunately, a lot of people fall for it because they don't want to be left out. This is the social proof aspect, and they end up doing what it takes to, you know, become like them. But of course, it's a scam. Here we see again, you know, it's us versus them. We want to be on the good side. We want to be the good citizens, whereas you don't want to be on the side of the predators. I think this is very much a classic example of how that plays out.

As humans, we relate most to people within our tribe, whether that is a religious tribe or a political tribe or even our family; it's a tribe in itself. And scammers know that all too well. You will find that grandparents who are targeted by people pretending to be their grandsons and granddaughters are very much more susceptible to scams than people who are not approached based on this principle. Again, governments employ this principle very much the same way. Here you have the epitome of the American symbol making a demand of you personally to fight for the US. Of course, not a lot of people would question that. They will think, it is my duty as part of this tribe, and essentially I am united by this principle that I want to fight for, and I will go ahead and do it. This is something that is very common, and I hope you can all see the pattern now that I'm trying to draw out: these principles that we talk about in cyber security all the time are also being employed by bigger players in society, even though they don't get as much attention.

Now, why does that matter? I believe that matters because people are being radicalized at larger scales than ever before. And if these same principles that we are seeing employed by both cyber criminals and governments are employed by, say, the Lazarus Group from North Korea, right, they will very much successfully recruit people from our nation and have them fight their cyber war for them, because war nowadays is very much fought with bytes, not just bombs. And this is something that I also fell for. Part of an organization I'm in is a cyber security team who runs very regular phishing campaigns. And one day I fell for it, and it was, ironically enough, while I was finishing up this presentation. So even though it was all fresh in my mind, I still fell for it, because it works on everybody. Social engineering works on everyone, essentially.

Now I leave you with these words, because it is more relevant than ever when it comes to cyber security. A lot of people question whether it is even something political to begin with, whether it's something that even has to do with politics, when in reality it very much does, because we have all kinds of things like APTs, nation state threat actors. All of these things intersect in such a way that they can't be divorced. And I hope you guys can see that now as well. And if you don't, if you disagree still, feel free to take it up with me on LinkedIn. You know, send me all the hate mail that you'd like. And yeah, I've been Mario. Thank you very much for listening.

>> Thank you. Thank you very much for that, Mario. Are you open to questions? Yeah. Has anyone got any questions for Mario?

>> Hi there. That was a really good talk. And yeah, those seven major points of what makes a good phishing example. Obviously, I can imagine you would see, you know, multiple of them being played at the same time. What's the ratio? Do you see just a great phishing campaign having all seven? So...

>> You mean, like, to what extent does politics and cyber security, like...

>> I was mainly focusing on the phishing aspect, or, like, you using those mental examples. Sorry, I'm losing the words on that one. But yeah, how many of those seven would you think are essential for a good phishing campaign?

>> So it could be any one of them, to be honest, because you could phish somebody pretending to be tech support, in which case it's authority. It could be liking, right? I'll phish you with free vouchers for something that you really like. It could be unity, you know, somebody pretending to be from your family, from your religious group. So there, the sky is the limit when it comes to the creativity of people when they're trying to phish you. And yeah, it really depends on who you're trying to phish and what you're trying to gain, basically.

>> Any other questions? The pillar makes it really difficult to see. So, yeah. No, no, no. Is there anyone else? Thank you.