Prestidigitation: the Heart of Social Engineering

July 8, 2021
Michael Solomon

Michael G. Solomon, PhD, CISSP, PMP, CISM, PenTest+, is a security, privacy, blockchain, and data science author, consultant, educator and speaker who specializes in leading organizations toward achieving and maintaining compliant and secure IT environments.
Prestidigitation: Social Engineering

Magicians use misdirection, smooth patter, and a knowledge of human attention and motivation to pull off illusions. When successful, the illusion results in a seemingly normal series of actions that have an unexpected result.

Prestidigitation is a term that describes how magicians carry out illusions. The Free Dictionary defines prestidigitation as:

1. Performance of or skill in performing magic or conjuring tricks with the hands; sleight of hand

2. Skill or cleverness, especially in deceiving others

Notice the second definition. Although good magicians are skilled in several areas, their main skill is in deceiving others.

Social engineers use many of the same techniques to create an illusion in order to gain a victim’s trust and trick the person into doing their dirty work. They are essentially magicians, with the intent to derive some direct value by deceiving victims.

Let’s explore how prestidigitation is a core skill of cybercriminals, and how understanding that can help users to avoid being tricked by the tricksters.

Falling for the illusion

Magic is more than just the mechanics of handling cards, coins or other props well. A smooth sleight-of-hand demonstration may be cool to watch, but it is not very effective without captivating patter. A magician tells a story around the illusion that is crafted to lure the observer in and set the stage for the unexpected outcome. Effective patter focuses attention on what the magician wants. Falling for any illusion is essentially falling for the patter.

Of course, some choose to use their prestidigitation abilities for unscrupulous personal gain. Tricking someone into unknowingly giving up items of value is not a new scam, but it has evolved to become just as prevalent in the online world as it is in person.

A key part of any magician’s patter is misdirection. If the magician is doing something with the left hand, you will likely be asked to watch the right hand as it moves away and upward from the body. Or perhaps you will be asked to direct your attention to the right side of the stage. Either way, getting the audience to “look the other way” is key to tricking them into believing that an illusion is real. Magicians practice their illusions over and over to perfect the process because they want you to direct your attention where they want and to ignore what is really going on.

While most people enjoy the entertainment value of a good magic show, everyone grows tired of basic illusions at some point. This is where the creativity of the magician’s patter can make or break an illusion. An effective magician builds a captivating story with elements to keep their audience tuned in and attentive. Once a magician loses the attention of the audience, the illusion will unravel. People will start examining their surrounding environment and doubt what the magician is telling them. The key to falling for any illusion is to believe the magician and hang on each turn of the storyline.

Spoiling the trick

Since social engineers use prestidigitation as a core skill, a key to not becoming a victim of a social engineering attack is to learn how to recognize and spoil the trick.

The first technique for spoiling any trick is to stop expecting the expected. That may sound easy, but it is not very easy to put into practice. The human brain does a great job (most of the time) of collecting pieces of information and filling in the rest of the details quickly. Sometimes it fills in the wrong details. If you have ever seen something you expected and then looked again to see something completely different, you have had your brain trick you.

The reason getting tricked by your own brain is possible is that most of the time, normal things happen the same way they have in the past. Instead of taking the time to process all the current input from your eyes, ears, nose and skin, a small sample (often just a visual image and sound) gives your brain enough information to assume the most likely situation and fill in the rest of the information for you. Social engineers know this and use it to their benefit. They lead you through a script designed to make you think everything is normal while misdirecting you away from their true activities.

The best way to spoil the trick and avoid being a victim is to stop expecting the expected when anything seems off or unusual. As much as social engineers try to put their victims at ease, there are generally signs that something is not right. If you ever get that feeling, pay careful attention to what comes next.

Most social engineering attacks share a few basic features. If you learn to recognize them, you will be less likely to become a victim.

Claim of legitimacy: Social engineering attackers will try to convince their victims that they have a legitimate reason for initiating contact. They will often drop names or affiliations to establish rapport. If someone is trying to convince you that they are legitimate, be wary.

Immediate action required: The next step after legitimacy is the call to immediate action. Social engineering attackers do not want their victims to think about things for too long. Most attacks require action that is urgent and not generally a normal response. If you are ever asked to click on a link to resolve something now or take some other immediate action, pause and think it through first.

Substantial consequences of inaction: To reinforce the sense of urgency, the attacker will warn the victim of the risks of inaction. The threatened consequences could include losing out on a lucrative deal, incurring some penalty, or feeling guilty for refusing to help another person. If you encounter a situation that involves a risk of inaction, terminate the conversation and check out the information on your own.

As you read the list of common features of social engineering, you may notice that you can often find these same features in advertisements. Many ads use emotion to elicit a response. But there are a couple of differences between legitimate ads and a social engineering attack. First, ads generally come directly from an authentic source, and claims of legitimacy can be verified. Second, ads are generally a form of broadcast communication and do not rely on one-on-one communication. It is a lot easier to ignore a plea for action from an ad on TV than it is to ignore a person on the telephone.

The takeaway is always to be on the lookout for social engineers and, when you encounter an attack, to spoil their ability to make you a victim. Avoid believing everything any stranger says and you will be able to spoil the trick.

Avoiding the magic show

While jousting with social engineers can be fun, remember that they are likely better at it than you may expect. They only have to win once for you to become a victim. Spoiling the trick is a great strategy, but it’s one you should only exercise if you find yourself on the receiving end of an attack. A better approach is to simply avoid the magic show. Social engineering attackers will evaluate their potential victims early in an encounter to determine the likelihood of success. If you appear to be a difficult target, most attackers will move on to someone else.

The best way to avoid the show is to decline or resist initial attempts to draw you in. Learn how social engineers succeed and use that knowledge to avoid contributing to that success.

Recall that the first feature of most social engineering attacks is legitimacy. Whenever you are contacted by someone whom you do not know personally, make the effort to authenticate their identity. A favorite tactic of social engineers is to contact a potential victim and claim to be a member of that person’s organization. The social engineer will often drop names to reduce suspicion. Their goal is to develop immediate trust so they can ask the potential victim to carry out actions on behalf of the social engineer.

Whenever someone unknown to you contacts you unsolicited and asks you to take action, terminate the conversation and make the call yourself. If the person who called you is legitimate, you will be able to continue the conversation after verifying their identity. Requiring proof of legitimacy is the first step in avoiding the magic show. Once you trust the attacker, breaking out of the later stages of an attack is more difficult.

If you do find yourself well into a social engineering attack, slow down the pace and find ways to get out of the conversation. It may be harder once you have decided to trust the attacker, but if you even remotely suspect that you are about to become a victim, get out. Reach out to another person to discuss what is happening and do some fact-checking on your own. Chances are, if you feel like something is not quite right, you are probably right.

Magicians can be very entertaining, but social engineering attackers use the skill of prestidigitation for bad purposes. Enjoy the magic, but spoil the social engineers.