Social Engineering - Christopher Hadnagy [171]
“See, we decided to take a little weekend getaway trip and I am at the Hilton over here with my family,” I say, pointing to my beautiful family a few feet away. “My daughter saw the ad for your theme park and begged us to come. We told her that we would take her. We found a great deal on tickets on the website…”
“Oh, yes, our web-only deal—very popular right now. Can I have your tickets?”
“Yeah, you see this where I need your help so I don’t get the ‘Loser Dad of the Year’ award.” My nervous laughter was covered by her smile. I explained, “Tina, I saw that deal and my wife and I said, let’s save the 15% and we bought the tickets at the hotel computer. But after I got done paying, I couldn’t print them because the hotel printer was down. But I was able to save it as a PDF and I e-mailed it to myself.
I know this is an odd request but would you log into my e-mail account and print it out for me?” Now this account was a generic one filled with e-mails titled “Pictures of the kids,” “Dad and Mom’s Anniversary” and things like that.
I could tell she was really struggling with this decision and I was unsure whether the silence would be to my benefit or if I should help her to think it through. I said, “I know it is a weird request, but my little girl is just dying to go and I hate to tell her ‘no.’” I point again to my daughter who was doing a great job at being cute but impatient.
“Okay, how do I do it?”
“Go to gmail.com, log in with Paul1234@gmail.com and a password of B-E-S-M-A-R-T.” (I know, using this password is terrible in a way, but a little last-minute warning never hurt. It went unfollowed.)
Moments later Tina was double-clicking on my PDF and getting a blank screen. “Are you kidding me—did I print it out wrong? Wow, I am definitely getting the Loser Dad award now.”
“You know what, sir? I feel so bad for you, what if you just paid for the adult tickets and I will let your daughter in for free today?”
“Wow, that is so generous of you.” With a smile I forked over the $50 and thanked her for all her help and asked her to log out of my e-mail. We part ways with me having a happy daughter and the park having been compromised.
Moments later my partner text messaged me and told me that he was “in” and “gathering” data for the report. After enjoying a few hours of relaxation, we left the park to go back to work to compile the report for the Monday meeting.
Applying the SE Framework to the Theme Park Hack
Information gathering, as shown in this case study, is not always majorly Web-based; instead, it can be done in person. The juiciest information in this case was gathered during an in-person visit. Finding out what computer systems were used, feeling out the target to know how he or she would react to certain questions, and knowing how the ticketing system worked were major components of the information gathering stage.
The real takeaway from this particular hack is that a good pretext is more than just a story; it’s more than just some made-up costume and phony accent. A good pretext is something you can easily “live” without too much effort.
In this scenario I was easily able to speak, act, and talk the father, because I am one. My concern about being a “loser” dad was real, not made up, and comes across as real and then is transferred to the target as genuine. This makes everything that is said more believable.
Of course, having a cute child in the distance looking longingly at the ticket lady helped, and so did a believable storyline about a hotel printer not working. Chapter 2 touched on this, but sometimes a social engineer will promote that pretexting or social engineering in general is just basically being a good liar. I do not believe that is the case.
In a professional sense, pretexting involves creating a reality that will manipulate the target’s emotions and actions to take a path you desire him to take. People are not often motivated by a simple lie. A social engineer must “become” the character in the pretext for a gig, which is why using pretexts that are something you can closely follow,