Taking Advantage of Our Tendency to Simplify
There's an old joke floating around the Internet that claims NASA, upon discovering that standard ballpoint pens would not work in space, invested millions of dollars and years of R&D. The resulting pen was supposedly capable of writing in zero-G, on any surface, and in temperatures that would surely kill any astronaut. When confronted with the same problem, the Soviets simply handed their cosmonauts pencils.
While this story is a myth,[1] it resonates with us because, as humans, we have a deep-seated desire to keep things simple. Deep within our brains, we like to find patterns that help us take complex tasks and simplify them. This is what I call the Simple Nature of humanity. Today, we're going to discuss why we need to simplify, how we simplify things every day, and how attackers can take advantage of it.
The Simple Nature is at the core of what makes social engineering so effective and scary, because it bypasses our ability to reason. Attackers don't have to come up with elaborate backstories that can stand up to scrutiny. Instead, their goal is to keep us from looking too closely.
Thinking is hard
Think about a time when you were studying for a difficult test, solving a difficult problem, or some other time where you were really focused and using your brain. Do you remember how, when you were finished, you felt tired or hungry? Mental exertion, just like physical exercise, takes energy, and we don't run our conscious minds at full tilt every day because that would be exhausting. In fact, our brain naturally looks for opportunities to take pressure off of our conscious mind and offload it to our subconscious or unconscious as a habit through a process called conditioning.
This is an extremely useful mechanism because it allows us to direct our attention away from the routine and mundane and towards topics we find more interesting, useful, or urgent. Can you imagine having to consciously perform a simple task, like opening a door, every time you did it?
But, there's a catch. First, conditioning can occur without us being aware of it. As a result, we can form habits that we never intended to, and in some cases, we never realize that a habit has formed until someone else calls us out on it.
This leads us to the second problem: because habits happen at the subconscious or unconscious level, when a habit is triggered it can cause us to ignore other information associated with it. This is because our subconscious perceives it as unimportant. This reflex is what social engineers take advantage of. While there are a variety of security fields in which the Simple Nature is exploited, let's focus on phishing and look at two types of exploits.
Timing is everything
It's 4:45 on Friday afternoon. Bob has had a heck of a week and is counting down the minutes until 5 PM hits so he can clock out for some well-deserved R&R. Suddenly, an email hits his inbox. “URGENT!” the message from the CEO says. “I need you to complete this wire transfer for me. It's very important!” He was so close! A stream of curses flows through Bob's mind as he decides to just get this out of the way. After all, it's the only thing standing between him and the weekend. Bob is so focused on getting out the door that he doesn't notice that the from address on the email is unusual. This won't be discovered until Monday morning, when the CFO calls Bob into his office to ask why he wired $25,000 to an organization that doesn't exist.[2]
Humans vary in how attentive they are over time. This is due to a combination of biological factors (ex: tiredness, hunger, stress) and mental/environmental factors (ex: distraction, information overload, boredom). Because of this, there will be times when the Simple Nature is easier to exploit than others, because your brain is more likely to be on autopilot. It's common for smart attackers to target the times of day when people are most likely to be distracted in an attempt to exploit this phenomenon.
These aren't the droids you're looking for
In the context of phishing, a social engineer is usually going to combine exploiting the Simple Nature with other tactics (which we'll discuss in future articles); they want to trigger a habitual reflex so that your conscious mind doesn't become fully engaged and you react without thinking. One of our recent blog posts provides a great illustration of how attackers will attempt to use a conditioned response to elicit desired behavior.
In this case, the attacker wants you to click on the link. Many end users are taught to only click on links from people that they trust. That's a problem for the attacker: he doesn't have a trustworthy email address. So, he takes a different tactic and fakes the ‘Trusted Sender’ banner that a number of email applications display when receiving emails from people you know. The attacker's hope is that your eye will catch that banner and it will trigger an automatic feeling of comfort. The green banner signifies safety to you, and that automatic reaction can be enough to make you look past the myriad other problems with that email.[3]
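Because the Simple Nature makes people skip the checks a mail filter never tires of, the red flags from both scenarios above (the late-Friday "URGENT" wire transfer from an unusual address, and the faked 'Trusted Sender' banner pasted into the message body) can be turned into a simple triage rule. The script below is an added example, not code from the original post; the organization domain, executive name and sample message are constructed.

```python
"""Flag inbound mail showing the patterns described in the post: urgency language,
an executive's display name on an external address, a 'Trusted Sender' banner
inside the body (real banners live in the client UI, never in the message), and
late-Friday timing. Domain, names and the sample are constructed assumptions."""
import email
from email import policy
from email.utils import parseaddr, parsedate_to_datetime

ORG_DOMAIN = "example.com"                      # assumed internal mail domain
EXEC_NAMES = {"pat chief"}                      # constructed executive display names
URGENCY_TERMS = ("urgent", "wire transfer", "very important")
BANNER_TERMS = ("trusted sender",)              # client UI text that should never be in a body


def triage(raw: bytes) -> list[str]:
    """Return the red flags found in one RFC 5322 message; empty list means none."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    # Display name looks like the boss, but the address is not on our domain
    if name.strip().lower() in EXEC_NAMES and not addr.lower().endswith("@" + ORG_DOMAIN):
        flags.append("exec-name-external-domain")
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(t in text for t in URGENCY_TERMS):
        flags.append("urgency-language")
    if any(t in body.lower() for t in BANNER_TERMS):
        flags.append("fake-trusted-banner")
    if msg.get("Date"):
        sent = parsedate_to_datetime(str(msg["Date"]))
        if sent.weekday() == 4 and sent.hour >= 16:  # Friday, 4 PM or later, sender's zone
            flags.append("late-friday-timing")
    return flags


# Constructed sample modelled on the post's wire-transfer story (14 Jun 2019 is a Friday)
SAMPLE = b"""From: "Pat Chief" <pat.chief@mail-example.net>
To: bob@example.com
Subject: URGENT!
Date: Fri, 14 Jun 2019 16:45:00 -0500
Content-Type: text/html; charset=utf-8

<div style="background:green">Trusted Sender</div>
<p>I need you to complete this wire transfer for me. It's very important!</p>
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Any one flag on its own is weak evidence; the value is in routing a message that trips several of them to a human who is not in a hurry.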
Our ability to conserve our mental energy by developing habits is a powerful force that enables us to be more productive. But, if you're not careful which habits you develop, they can be used against you. In our next article, we'll explore the Assistive Nature, and how attackers leverage humanity's desire to help others.
[1] https://www.snopes.com/fact-check/the-write-stuff/
[2] Sadly, this is a true story. Names, dollar amounts, etc. have been changed to protect the guilty.
[3] I stopped counting at 12. C-minus work on the phisher's part, at best.