Unsolicited Approaches

Consider possible ulterior motives when approached by a stranger

In keeping with the themes of social engineering and elicitation its a good point to discuss the need to be wary of unsolicited approaches.  We also need to be mindful that these approaches are not necessarily made in person although they can be. In today’s technological world they are frequently also made via email or through social media.

These types of unsolicited approaches are made by criminals and other dangerous people for a variety of reasons.  Their objective is often fraud or theft of proprietary or classified information or other sensitive data.  Sometimes – as we saw in the case of the Colombian Facebook kidnapping gang it can be to facilitate more violent crimes such as kidnapping, armed robbery or rape.  Anytime people you don’t know seek you out – whether in person or online – you should look at the situation with a critical eye and question their motivation.

I once attended a counterintelligence presentation that addressed this issue.  The instructor – a short, overweight middle-aged man with a beard and glasses wearing suspenders and a bowtie – stepped to the podium.  He began by saying how when he was at home in the US he couldn’t get an attractive women to give him the time or to even spit on his shoes.  But when he goes overseas its another story.  He turns into Brad Pitt and beautiful women at the bar flock around him.  He gets phone calls from women and has them knocking on his hotel room door at all hours of the night.

The point is well made.  If these types of things don’t happen to you regularly at home why are they suddenly happening when you arrive in country X?  His presentation was focused on counterintelligence but the motivation may be different and probably related to separating you from your money in some way.  The broader concept is that you should be cautious of someone’s potential ulterior motives if you are approached unexpectedly.

Sometimes these are “cold approaches” that come largely out of the blue and some are “warm approaches” where the person may have gathered some basic information on you (often through social media or other Internet resources) and has – or purports to have – something either professional or personal in common with you.  This is one of the risks of posting too much on social media sites, especially concerning hobbies, interests and other things that can be used as a vehicle to get in contact with you, establish rapport and so forth.

These warm approaches can take places over time and may be very effective in getting you to gradually lower you guard.  It appears that was the case in the Colombia Facebook case.  The kidnap gang was apparently successful in convincing their wealthy male victims via Facebook that they were attractive women and by cultivating an online discussion and ultimately enticing them to come to a physical meeting where they were subsequently drugged and kidnapped.

There can also be “cold approaches” where you are approached by a stranger who initiates conversation without any prior connection of any sort.

Be wary – but not paranoid – if you are approached by a stranger.  Always look at the situation with a critical mind and ask yourself what ulterior motives or hidden agendas might exist.  You do not need to be rude but be cautious, especially if the situation seems unusual or outside your usual frame of reference.

Social Engineering: Implications for Your Security

Social engineering – the calculated manipulation and exploitation of people has historically been associated with cyber security issues.  Computer hackers found they could best get access to secure networks by targeting the weakest link – the human factor.

The same techniques used to get an employee to give up their password or provide other information to facilitate entry into a network can be used to gather information to compromise a person’s personal security as well.

Social engineering can use any one of a combination of several vectors to approach the target – telephone, email and in person being the three primary ones.

The example of the Colombian kidnapping gang that use Facebook to target their victims that we discussed in the last post is applicable here.  While there is limited information currently available on that incident it appears the the victims were cultivated over a period of weeks or months via the use of social engineering techniques on Facebook. The information available on Facebook gave the kidnap gang a foundation with which to build their approach.  Knowing something about their victim – his lifestyle, interests and hobbies would help them develop an online relationship and build rapport that would put him at ease.

Understanding and recognizing the techniques employed in social engineering is the best defense against them.  Here are some of the primary ones you may encounter:

Elicitation: Elicitation is a method of extracting information from an unwitting person by framing questions and statements in such a way that the person gives more information than they normally would or would intend to.

Pretexting:  The social engineer presents himself as someone other than who he really is in order to get information or drive a certain course of action.  In some cases this may mean the social engineer portrays himself as an authority figure.  In the case of the Facebook Kidnap Gang the kidnappers presented themselves as beautiful, available young women.  The anonymity of the Internet facilitates this immensely.

Influence and Persuasion Techniques:  By artfully exploiting human desires to be liked, reciprocity and obligation and the introduction of fear social engineers can compel people to reveal sensitive information or perform a certain action on their behalf.

This is a broad overview of social engineering – in particular how it relates to personal security.  Using clever techniques criminals can not only commit fraud and information theft, they can also facilitate violent crimes like kidnapping.  These tactics may be directed at the victim himself/ herself or at unwitting third parties like coworkers and domestic staff.  The first step to countering these techniques is being able to recognize them.

Social Networks and the Threat to Personal Security

 

Recent open source reporting indicates that the Colombian National Police just arrested a group of criminals that were using Facebook to identify, profile and target victims for kidnapping.  Initial reports the gang were using false Facebook profiles with pictures of beautiful women to target wealthy men as victims.  They would use information in the victim’s profile to assist them is selecting potential targets.  They would then engage the target in online discussions to build report and elicit additional information.  After a period of time, usually a few weeks they would arrange to meet the victim.  When the victim arrived at the pre-arranged meeting location he would be drugged – most likely with scopolamine – and moved to another location where they would be tortured and held for ransom.

This incident not only illustrates the vulnerability of revealing to much information about yourself in social network websites and to unknown persons online – which is the point of the post – but also touches on the use of drugs (probably Scopolamine in this case) in facilitating kidnaps which we discussed in “Devil’s Breath and the Ativan Gang” and also the process of victim selection, use of honey traps and utilizing technology to do a valuation of potential targets which have all been discussed to a degree previously.

The Facebook kidnapping gang is a clear example of what can go wrong if too much information is available in the public domain.  Even information that is can only be viewed by friends or contacts can compromise you if you “friend” or “link” to people you don’t know or don’t know well.

Social networking is a key part of most of our lives now and most people use if for personal or professional reasons or both.  The issue is not whether or not to use social networking but how to understand the vulnerabilities that exist and manage the type and amount of information available.

Social networks and the easy availability of online personal information is a huge force multiplier for stalkers, burglars, fraudsters, identity thieves,  social engineers of all types, terrorists and kidnappers make it much quicker, easier and safer to compile detailed dossiers on potential victims and exploit that information to their advantage.  Social networks also provide a vehicle to do a “cold approach” to a potential victim, establish rapport, gain additional information and arrange a physical meeting in person if desired.  That appears to be what occurred in this case in Colombia.

It also significantly reduces the need for physical surveillance of the target and the vulnerability to exposure that exists with that activity.  If the victim can be induced to voluntarily present themselves at a place and time of the criminal’s choosing it makes it much easier to carry out the kidnapping with limited risk.

The lesson here is not to eliminate the use of social networks which would be unrealistic given the role they now play in society.  The objective should be to understand the vulnerabilities that exist – especially in the context of your personal situation and risk profile.  Arguably a soccer mom from Annapolis, Maryland and a wealthy Colombian businessman have very different risks profiles and would need to manage their personal information differently.   While the soccer mom still has some level of risk, barring exceptional conditions (such as a stalking situation) her risk profile is much lower than the Colombian businessman.

Some things to consider regarding personal security when using social networks:

  • Security settings: most social networking platforms provide security settings that allow you to limit who is able to see what information about you and your personal network. Consider using these rather than the default settings.
  • Posting Potentially Compromising Information:  Not only can posting information about your drunken weekend put you in a precarious position with your employer, clients, etc. it also provides insight into your personal lifestyle that can be exploited.
  • The risk of using applications like TripIt when linked to social networks that share your travel itinerary.  This allows others to see where and when you are traveling.
  • The risk of using Foursquare and other GPS related applications that use your smartphone to identify and post your location to people in your social network.
  • Posting Photos:  Posting a portrait photo of yourself gives a potential assailant who has never seen you before the ability to recognize you.  Additionally many smartphone cameras also automatically geotag photos without the user being aware of it.  When the photo is posted it is possible to retrieve the geotag to determine where the photo was taken.

Social networking is here to stay and its role in our personal and professional lives will only grow. There are numerous positive aspects of social media and it can be leveraged to your benefit in many ways.

It’s important to look at the potential impact to your personal security based on an honest assessment of your personal risk profile.  You should consider limiting what you post, who you allowed into your social network or in some cases both depending on your situation.