Social Engineering - Christopher Hadnagy [45]
Other key factors include making sure that your communication style, the questions used, and the manner in which you speak all match your pretext. Knowing how to ask questions that force a response is a key to successful elicitation, but if all that skill and all those questions do not match your pretext then the elicitation attempt will most surely fail.
Summary
This chapter covered some of the most powerful points in this whole book—powerful in the sense that applying them can change not only your social engineering abilities but also your abilities as a communicator. Knowing how to ask the right questions in the right tense and the right manner can open so many opportunities. As a social engineer, this is what separates success from failure. First impressions are based initially on sight, but what comes out of your mouth first can make or break the deal. Mastering elicitation can almost guarantee success as a social engineer and can add serious weight to any pretext you decide to use.
Throughout this chapter I mentioned the power of pretexting. This is another topic that every social engineer, both malicious and professional, must master. But how can you ensure you accomplish this goal? To answer this you must learn about pretexting and understand exactly what it is, as discussed in Chapter 4.
Chapter 4
Pretexting: How to Become Anyone
Honesty is the key to a relationship. If you can fake that, you’re in.
—Richard Jeni
At times we probably all wish we could be someone else. Heck, I would love to be a little skinnier and better looking. Even though medical science hasn’t come up with a pill that can make that possible, a solution to this dilemma does exist—it’s called pretexting.
What is pretexting? Some people say it is just a story or lie that you will act out during a social engineering engagement, but that definition is very limiting. Pretexting is better defined as the background story, dress, grooming, personality, and attitude that make up the character you will be for the social engineering audit. Pretexting encompasses everything you would imagine that person to be. The more solid the pretext, the more believable you will be as a social engineer. Often, the simpler your pretext, the better off you are.
Pretexting, especially since the advent of the Internet, has seen an increase in malicious uses. I once saw a t-shirt that read, “The Internet: Where men are men, women are men, and children are FBI agents waiting to get you.” As slightly humorous as that saying is, it has a lot of truth in it. On the Internet you can be anyone you want to be. Malicious hackers have been using this ability to their advantage for years and not just with the Internet.
In social engineering playing a role or being a different person to successfully accomplish the goal is often imperative. Chris Hadnagy might not have as much pull as the tech support guy or the CEO of a major importing organization. When a social engineering situation arises, having the skills needed to become the pretext is important. In a discussion I was having with world-renowned social engineer, Chris Nickerson, on this topic he said something I think really hits home.
Nickerson stated that pretexting is not about acting out a role or playing a part. He said it is not about living a lie, but actually becoming that person. You are, in every fiber of your being, the person you are portraying. The way he walks, the way he talks, body language—you become that person. I agree with this philosophy on pretexting. Often when people watch a movie the ones we feel are the “best we have ever seen” are where the actors get us so enthralled with their parts we can’t separate them from their portrayed characters.
This was proven true to me when many years ago my wife and I watched a great movie with Brad Pitt, Legends of the Fall. He was a selfish jerk in this movie, a tormented soul who made a lot of bad decisions. He was so good at playing this part my wife literally hated him as an actor for a few years. That is a good pretexter.