Posted 7 years ago
Introduction
Hello! As many of you are aware, the modern age has brought with it endless opportunities to exchange information in all its forms...as well as exploit one another's psychological scripts (also known as fixed action patterns - explained later) to influence that information exchange to one's advantage. Practitioners of this skill are known as social engineers, as opposed to con artists, as they once were. The format of this post will have two parts in each technique description. First, the act of executing the attack - black hat, to put you in the mind of a social engineer and help you think as they do. This is NOT to help you carry out your own attacks! XD
Second, the act of defending - white hat. This is the critical thinking mindset you should erect to prevent being manipulated. If you want to be very cautious, it is recommended you engage this mode of thought any time you meet someone you suddenly really like. There is nothing wrong with a best friend, but skilled social engineers know how to become your best friend almost immediately, and that is when the trouble begins. Indeed, when this new best friend happens to coincide with a recent spot of trouble or happens to need a favour is a time to do some critical thinking about them. So, without further ado, let us examine the flaws that an engineer might exploit and how they might exploit them!
Techniques
1.) Mimicry
Black Hat Approach
First, and foremost, we establish rapport! This one is a bit harder on IMVU, as it primarily involves body language. However, there are other ways to mimic someone (do not be too obvious). What the attacker does on IMVU, then, is mimic typing style. Look at the phrasing they use, the way they type. How long their sentences are, even. Look at what emojis they use frequently. You, as the attacker, would subtly incorporate this into your typing style. Again, do not be too obvious, as it might be noticed. If you can execute this properly, you will build greater rapport without them being the wiser. They will like you and not know why.
In real life, this is accomplished with monitoring the target's body posture, his breathing, his tone. This is also known as mirroring. You are mirroring them to convince them you are like them.
White Hat Approach
This one is easy to counter now that you know it can be used against you. Again, if you find yourself liking someone too quickly, check if their typing matches yours shortly after meeting them. Do they use the same words you do in the same manner? Psychological studies reveal that this happens naturally over time as people grow to like each other. They mimic one another. It is when this happens too fast that something is wrong. The social engineer works fast. They generally want you to like them, take your resources, and get out.
2.) The Theory of Names
Black Hat Approach
To continue our discussion about similarity and convincing your target that you are like them, we come to the name. In real life, having the same first name as someone automatically earns you subconscious bonus points with them. You hear your first name all the time and pay special notice to it. Familiarity breeds contempt sometimes, but it breeds liking in the social engineering realm almost always. On IMVU, if you have someone specific in mind, look at their screen name, and make an alternate account (more on their use later) with similar characters/words. Use their name frequently in conversation. Not too often, but slightly more often than you use the names of others. As a quick example of similarity, VampireWolf666 and Guest_xXDragonWolf666Xx would likely get on quite well. One of them is a victim.
White Hat Approach
It is likely that a smart attacker would choose a name only similar and not the same as yours. He would introduce himself as John, knowing your name is Johnny. Anyone who claims to have the same name as you (or if their account name is similar to yours) might be out to get your credits, your time, or your services.
3.) Interests and Hobbies
Black Hat Approach
Our last technique discussed for making your target like you is to describe yourself similarly in the interests section. If he likes IT, you do, too. With practise, you can fake your way through talking about any hobby. Improvisation and strip phrases such as "yeah" are key here. Also, people rarely probe you too much if you just blindly agree with them (this CAN backfire, so be careful). Mirror your target. Like what they like, or at least pretend to. If you find you cannot, there is always the idea of being an information sponge. Actively listen and ask specific questions about their passions. "I cannot go a day without listening to [some band]" "Oh, what song is your favourite?"
White Hat Approach
You may assume a pattern that just knowing about these techniques is usually a "good enough" blanket approach to combat them. Well, awareness does help in the main, certainly, but remember that there are very sophisticated ways of executing these not discussed here, so keep that guard up if you suspect you are being played. That said, this one is not hard to combat. In real life, salesmen will focus on your interests very nearly always. They will try to connect to them in various ways and enjoy listening to you talk about them. Someone who does this too much or seems very interested in what you have to say about a topic could genuinely like you or have that in common, but be sure to take that liking in context.
4.) The Reciprocity Norm
Black Hat Approach
Quid pro quo. A favour for a favour, as it were. Do something for the target. Something small and easy for you. He will feel obligated to repay you in some way. Often what you want can be a much bigger favour than what you gave. This is called the reciprocity norm. Do you want a gift? It is often good practise to give a small gift (600Cr) to the target and wait. Be sure to fill your gift list with only more expensive gifts beforehand, so you are guaranteed to profit when they obey the reciprocity norm.
White Hat Approach
Something of course suspicious here is if someone gives you a service or gift randomly, then asks for a return considerably larger. It is almost certain they are using the reciprocity norm to leverage gains from you. It is also unlikely someone would be that blatant about it, unless they are an amateur engineer. Be careful of the overgifter. These people are not necessarily using con artist tactics on you, but may have poor self-esteem or perceived social standing and feel the need to compensate for this. Evolutionarily, in the long run, this overgifting is a disadvantage. In the short-term, it COULD indicate a ploy is being used. The key thing here is if they want larger returns on your part.
5.) Exploiting F.L.A.G.S or Fear, Lust, Anger, Greed, and Sympathy
Black Hat Approach
Your emotions. You have seen them, I am sure. Emotional people on IMVU. They often boot with no provocation, may harbour egotistical/delusional thoughts about themselves, or make themselves known in other ways. Well, they are not the only ones vulnerable to attacks on the emotional state. Everyone is. The attacker thus learns what his subject is most prone to.
Do they empathise with others? Do they have a need to be complimented? Do they become enraged easily? Are they very dissatisfied with their standing and want something that you can proffer (or claim to proffer)? The attacker here watches his target for a bit and learns their weakness. It is often one if not more of the above. He uses anger to turn friends against each other. He uses a sympathy ploy to extract a gift (NEVER ask for a gift directly - this is a common mistake). For fear, he uses subtle intimidation. Perhaps he implies or lays a false trail of evidence that he holds power or influence. Perhaps he drops a name. These are subtle intimidation ploys...or greed ploys if you seek such influence.
White Hat Approach
The best approach here is to take a break. Walk away from the computer. Type a "BRB" and think. Let the emotion leave you, then you have a clear mind to approach the problem. A social engineer wants you to be emotional so your decisions are quick and, thus, poor. Said decision will often be to their favour, as well. Keep yourself level-headed and give yourself a breather if you find yourself being flattered, angered, or if your new friend is very flirty. Throw up some red F.L.A.G.S.
6.) Creating a Problem and Creating Its Solution to Extract a Favour
Black Hat Approach
This attack is one of the most common you might encounter from a social engineer. You start by gaining rapport, of course. This can be done in a few ways, detailed above. Making a problem is easy. Once you have gained your target's trust, you can simply invent a problem that sounds reasonable enough to exist, although this is risky, as they might know you are lying. IMVU frequently changes things for the worse, though, making this a valid attack. A more sophisticated attack vector is to be aware of a problem that will actually occur (or you cause) and be ready with a solution. Example: Room darkeners are pretty annoying, but not everyone knows about them. I ran across a moderator who believed a blackened room was due to server maintenance (it was me - I feel bad). One could exploit such an instance by having the victim enter a certain "command" to reset their room and turn the blackening effect off. Creativity is key here.
Once the problem is solved, trust is earned, and it sets you up for future attacks. Now they owe you a favour, too. ;D
White Hat Approach
If you know someone who frequently has answers at conveniently proper moments, you might be dealing with a social engineer. Again, though, they rarely stick around. The only reason one might in this case is the setup. You might trust them for their "expertise". Funny how they often seem to show when you need them, though, eh? This user who has been hassling you, but has been h4c|<7d by your new friend who came to your rescue...maybe they are one and the same person on two different accounts.
7.) Door-in-the-Face
Black Hat Approach
Asking for something ridiculous, or high-balling, is a fast route to what you really want. In terms of money, asking for a million Euros when you would really only need 100,000 is the name of the game here. It is another technique so subtle, you would really need to be told about it. At least, it was for me before I knew about it. Never saw it coming, and neither will your target. They just assume you are greedy, a trick which could be used to feign a weakness to greed ploys, if done right. That is advanced counter-social engineering, though. Ask for more than you expect to receive, then reduce your demand, which will seem like a favour and invoke the reciprocity norm.
White Hat Approach
In negotiations, most people know not to low-ball, but they are less knowledgeable of the high-ball technique. Your con artist will likely start off ridiculously high when they make a request, then immediately reduce their needs through clever wordcraft. When that happens, you know you have a trick being pulled on you and chances are that others have at least been attempted. I would back away immediately and not let them know how they failed, lest they refine their approach next time.
8.) Foot-in-the-Door
Black Hat Approach
So, you have your target liking you, he has already done a favour, but you do not have what you truly want. Say a full furry outfit, or room bundle, or whathaveyou. Well, here we talk about building commitments. This is for the long-term con, which is risky, and rare. You can do this in the short-term, though, if you play your cards right. Start by using the above techniques to get a target to do something for you. Or, simply ask a small favour/invent your own technique. That one act, once done, engenders a fixed-action-pattern (remember those?) of doing things for you in the future. Example: A signature on a form. Making someone sign an official-looking petition can lead to them taking action for whatever cause is detailed on the petition. You just need to keep escalating the requests gradually. The more yeses to small favours, the likelier you will get a yes to a big one.
It is common in this regard to ask leading questions that are simple. Modern law enforcement in interrogation is sometimes careful to avoid these as they can be complained about later in court proceedings. With leading questions, too, your wording is important. Be sure to be partially assumptive when phrasing the question. Example: "Did the blue car hit the red one," should instead be, "How fast was the blue car going when it hit the red one?" Again, just an example. Altering a target's memory of an event is a bit advanced and is beyond the scope of this post.
White Hat Approach
Someone might ask you for a head, then a skin, then a few more accessories toward an outfit. Soon, they are asking for 20,000 credits! Just think of a multi-tiered pyramid. Are their requests slowly increasing in size, moving up the pyramid levels? If so, you have a con artist on your hands...or someone with a very poor understanding of social etiquette. Guess which is more likely! Maybe unfriend and block. To defend against leading questions, practise making them in your mind. Be sure you are not saying anything that can be used against you later.
Conclusion
While this post, in the main, does not take a position on the use of such techniques, I would like to end it by inserting a few statements to help guide you. Of course, no one can control what your hands do when you are given a hammer. You hold it and you choose how to swing it. The tool in this case is the trust of your fellow humans. You have the choice as to what to do with it. The purpose of this was to highlight how to defend yourself against the sometimes malicious denizens of the digital world.
The Internet breeds an attitude of perceived-invulnerability and IMVU is no exception. Someone you might wrong cannot punch you in the face if you are discovered, and because of this, it is more tempting to plunder their psyche for your own satisfaction. I am hoping that you are all more savvy practitioners of mental ninjitsu and know now how to avoid its many, many traps. The warriors of old Japan were masters of stealth and in today's age, the social engineer is, as well. You will find use of these tips not only online, but in sales, and negotiations, as well. The best minds of those fields also know perfectly how to bring you, entrance you, and get your pocketbook, all without you being the wiser. At least, they did. Research and be vigilant. Please use this information responsibly and have fun online.