Q. Explain the concept of social engineering Framing. Why is it a key fundamental in a social engineering plan? Provide an example of Framing in your own context of a work or social setting.
Framing is how a Social Engineering target dynamically reacts to a situation based on life experiences and their own traits and characteristics (Hadnagy 159-160). Social Engineers use a technique called frame bridging to close the gap between the scenario a Social Engineer wants the target to respond to and personal facts about the target. A pretext is a strategy the Social Engineer has prepared to bridge the frame – in other words overcome resistance to the scenario.
Today I received the following phishing email. A screenshot of the email is below, and text with the link removed follows. The links are not live because it is a graphic, and no one should click on them if they were live.
My name is Veronica.
Your website or a website that your company hosts is infringing on a copyright-protected images owned by myself.
Take a look at this document with the links to my images you used at www.chasenfratz.com and my earlier publications to obtain the evidence of my copyrights.
Download it now and check this out for yourself:
(url probably leading to something bad was here)
I believe you have willfully infringed my rights under 17 U.S.C. Section 101 et seq. and could be liable for statutory damages as high as $150,000 as set forth in Section 504(c)(2) of the Digital Millennium Copyright Act (”DMCA”) therein.
This letter is official notification. I seek the removal of the infringing material referenced above. Please take note as a service provider, the Digital Millennium Copyright Act requires you, to remove or disable access to the infringing materials upon receipt of this notice. If you do not cease the use of the aforementioned copyrighted material a lawsuit will be commenced against you.
I have a good faith belief that use of the copyrighted materials described above as allegedly infringing is not authorized by the copyright owner, its agent, or the law.
I swear, under penalty of perjury, that the information in the notification is accurate and that I am the copyright owner or am authorized to act on behalf of the owner of an exclusive right that is allegedly infringed.
It’s possible that whoever sent this message, whether a person or a bot, distributed them to anyone they could get to who has a blog. Social Engineers deliberately choose words that evoke emotions in the receiver (Hadnagy 163). Clearly fear is what I’m supposed to feel while reading a message like this. There are a lot of scary-sounding legal terms and phrases thrown around, and the dollar amount of possible damages that supposedly could result if I don’t act is high.
The purpose of invoking strong emotions in a target is to get the amygdala in the brain to compel the target to act and click the link before the logical part of the brain says “wait that might be a phishing email” (Hadnagy 184-185). The basic human emotions of anger, surprise, fear, disgust, contempt, sadness or happiness are tools that Social Engineers exploit for different purposes (Hadnagy 163).
If I wasn’t sure about the authenticity of the above email, I could look up the law that has been cited and the name of the artist or designer claiming infringement to see if there is any possibility it might be real. I’m not even bothering to do that, because there are several things about my particular framing that this pretext did not succeed in bridging even that far.
- I’m currently enrolled in a Social Engineering class and the kind of activity represented in this email is foremost in my mind and has been for weeks.
- I’ve actually received a genuine email recently regarding trademark infringement. The allegation of trademark infringement was about an adhesive dots product I had been selling in my Etsy shop. I had used the phrase “glue dots” as a tag to help describe the product when another company claims the phrase “glue dots” as a registered trademark. In my opinion “glue dots” is way too generic a phrase to legitimately claim a trademark on, but my opinion means nothing. For one thing I’m not even an attorney. Etsy informed me that they had removed my listing for that product. Just to make sure the issue was real, I contacted the law firm mentioned in the email and the manufacturer of the product in question. The law firm did not answer my inquiry but I did confirm it actually exists and specializes in that type of law. Today’s phishing email is extra suspicious because there is no law firm mentioned. The manufacturer of the adhesive dots product responded to me and confirmed it was a real issue that they were trying to resolve. In short, I have some idea what a real email of this nature looks like and this is NOT it.
- I’ve been involved with business blogging as part of my work for nearly 20 years, possibly since before the term “blogs” was even in wide use, and I have a pretty good idea about what copyright violation and fair use are. If I was actually guilty of this I would know! At least I think I would. Humility is important, because while people like us are busy working at something legitimate, malicious Social Engineers are planning new schemes instead. We can never let our guard down or assume that we know everything and will easily catch every scam.
Additional Framing Techniques
The Social Engineer who created this phishing example could have used the technique of reinforcing the frame, that is causing me to think about it and therefore strengthen it, if they had done even a little bit of OSINT (Open Source Intelligence) on me (Hadnagy 166). But it’s clear they did none, other than to use my web site url which may have been scraped by a bot.
For example the phrase “Your website or a website that your company hosts” is kind of a giveaway. I would have done a little more digging if they had said “the Fiber Arts section” or something like that indicating it might not be a generic scam email. Creating an email with a more personal and specific pretext via the knowledge gained by OSINT is called spear phishing.
Negating the frame is a way of inadvertently undermining the operation by reminding the target of what they should be suspicious about (Hadnagy 165). The phishers in this case avoided that blunder – they didn’t say anything like “Beware, this is not a scam email!”
Another way of leveraging the framing of a target is hinting at or insinuating something without directly coming out and saying it. This is called evoking the frame (Hadnagy 164). I would have known what the implied threat was if the phishers had said something like “if you don’t stop using our copyrighted material we will be forced to take serious action“. Kind of like a gangster in a movie or TV show saying “this is a nice place you got here, it would be a shame if something happened to it!“
Hadnagy, Christopher. Social Engineering: The Science of Human Hacking. John Wiley & Sons, Inc. 2018.