Subliminal Hacking
The Art and Science of Social Engineering




March 30, 2010

Misdirection... Now you see it, now you don't

Misdirection: is the hand quicker than the eye? I am sure we are all familiar with misdirection. I focus your attention on my left hand whilst I do the old switcheroo with my right hand, and what do you know, I made a coin disappear.

Wikipedia Definition – Misdirection takes advantage of the limits of the human mind in order to give the wrong picture and memory. The mind can concentrate on only one thing at a time. The magician uses this to manipulate the “victim’s” idea of how the world is supposed to be.

The art of misdirection is a useful skill to have and master as a social engineer, and can be used in a variety of situations. Misdirection is all about focusing the attention in a defined area, to allow something else to happen outside of that area, and proceed unnoticed.

A simple example of misdirection when working in a pair could be of either a physical or a verbal nature. You could get your colleague to call ahead to the location you are looking to penetrate and impersonate either an employee or a made-up one altogether. The conversation will focus on the employee running late and expecting a visitor, so could reception just see him through, and they can find their own way. We have now set up misdirection. The focus is on the would-be employee who is running late, so when our other social engineer enters the building they will be let through, as all thoughts are elsewhere. (This may sound simple, but I have done this many times with success; remember people want to be helpful, and influence is a key factor also.)

From a physical perspective, I am sure this is a scenario you could all have some familiarity with. A colleague creates something attention-grabbing at one side of the building, focusing all the attention and resources on them. Your colleague then slips past, or goes in via another entrance undetected. Something as simple as setting off a fire alarm is ideal misdirection. You may look suspicious entering a building with everyone leaving, so you simply return inside with the hordes of people re-entering.

As an individual when social engineering, you may use misdirection to gain access to confidential paperwork or access to a terminal. You may simply ask someone for a drink; as they go off to get the drink as requested, the focus on you is off, and you are left to your own devices. We all use misdirection unknowingly day to day, and this is the key. When carrying out an assessment you have to be natural, fit in, be confident and sure of your skills on the outside, even if on the inside you're crapping yourself.

I encourage you to think about examples day to day where we see or hear misdirection, and consider how you may use this to your advantage as a social engineer. We use misdirection in sports, we use it in war, and we use it as a child and as an adult to hide things we do that perhaps we shouldn't.

Like all of these skills we look to understand and master, the more we realise the concepts, the better chance we have at being successful, and also having the awareness for when these tactics are being applied to us.


    About the Author

    Dale Pearson
    has worked in IT since 1998, Infosec since 2004, and studied and performed hypnosis, mentalism etc. since 2009. Dale is a full-time Red Teamer with a love of social engineering and a qualified hypnotherapist. He spends a great deal of time researching the various skills and techniques that make up the art and science of Social Engineering.




    One Comment


    1. […] This post was mentioned on Twitter by ChrisJohnRiley, Dale Pearson. Dale Pearson said: Misdirection.. Now you see it, now you dont – http://www.headhacker.net/2010/03/30/misdirection-now-you-see-it-now-you-dont/ […]


