Social Engineering: Elicitation

by Natsuya Uesugi

Elicitation is the extraction of information in a subtle manner during the course of a normal seemingly ordinary conversation.

As you can see this can be something simple or a loaded method of information gathering to extract information to be used in an attack against a target. These conversations can occur in a grocery store, a cafe or any other ordinary place.

To give you an example from grydscaen: tribute in the story “Simulatrix” an application developer gathers information about a specific iNAX engineer who is working on the iNAX Simulation game. The developer scours the system and learns the engineer’s schedule and comes to find the engineer goes to the cafeteria at a certain time each day. Needing to get information from the engineer’s badge to be able to get into the secure lab the app developer finds himself in the cafeteria at the same time as the engineer and bumps into him pulling his badge off his lapel. With a hidden device the developer picks the badge up off the floor and hands it back to the engineer after reading the electronics through a ring with technology hidden inside. The developer makes small talk with the engineer after bumping into him as he hands back his badge. This information gathering is just the outcome of some social engineering research.

Elicitation can be as harmless as a conversation in a coffee shop or going to a receptionist with a little bit of information. For example you might run into someone reading an article in the newspaper on a new technology. Sit down next to them and ask to borrow the paper after they are done with a section. Glance over their shoulder and see them reading the technology article and then engage them about it. Now if you have already identified this person as a target you might know that they are interested in this technology and steer the questions. If they take the bait and answer, social engineering and some directed questions can get them to follow the path to where the information lies.

Elicitation works well because most people want to be polite to strangers, people want to appear knowledgeable and if you strike up a good rapport and the person warms up to you a simple bit of congratulations can get people to open up more. Take someone who is wearing a jersey for a specific team. You could engage the person about that team guessing they like that team because they are wearing their jersey. With some pre knowledge of the season it would be easy to engage the person in talking more about the team. They might even tell you they are going to a game.

The goal of elicitation is to get information. You need to be careful to not come across as over eager or creepy. Reading body language can better gauge if the target is easing into the direction. The key thing about elicitation which is noted in the grydscaen series is that it has to be subtle. Acolyte the hacker is seen in grydscaen: beginnings to have a set of IDs that he had to have received from somewhere. These IDs get him into various systems including the Elite Military Network where he searches for Faid’s information and his file.

In grydscaen: tribute we see George who is Faid’s lead guide the activities of Faid while he is getting the iNAX Simulation game and stealing it out of the lab. George controls the guards, their rounds on that particular day and even gains access to the guard desk so he can erase the video of Faid’s entry. The employees don’t question George as he goes about these tasks due to his position on the corporate board of the SenseNet and he can easily move in and out of the SenseNet at his leisure setting up the situation to ease Faid’s entry to infiltrate and take the iNAX code.

The goal of elicitation is to gather information then use that information to motivate a target to take specific actions that the person engaged in social engineering wants them to take. Call it sneaky, call it being a librarian or doing the basic legwork of being a hacker. It is all in how you look at it and what you do with the information.

grydscaen looks into the world of hackers and the things that drive them. Black hat, white hat it is all a matter of your motivation. Are you an ethical hacker or not. grydscaen begs the question, who’s side are you on?