Social Engineering - Christopher Hadnagy [47]
The Principles and Planning Stages of Pretexting
As with every skill, certain principles dictate the steps to performing that task. Pretexting is no different. The following is a list of principles of pretexting that you can use. By no means are these the only principles out there; maybe others can be added, but these principles embody the essence of pretexting:
The more research you do the better the chance of success.
Involving your own personal interests will increase success.
Practice dialects or expressions.
Many times social engineering effort can be reduced if the phone is viewed as less important. But as a social engineer, using the phone should not reduce the effort put into the social engineering gig.
The simpler the pretext the better the chance of success.
The pretext should appear spontaneous.
Provide a logical conclusion or follow through for the target.
The following sections discuss each of these principles in detail.
The More Research You Do, the Better the Chance of Success
This principle is self-explanatory, but it can’t be said enough—the level of success is directly connected to the level and depth of research. As discussed in Chapter 2, it is the crux of successful social engineering. The more information a social engineer holds the more chances he or she has of developing a pretext that works. Remember the story I told in Chapter 2 about my mentor Mati Aharoni and how he convinced a high-level executive to visit his “stamp collection” site online? At first glance, the path inside that company might have seemed to be something to do with financial, banking, fund raising, or something along those lines because it was a banking facility. The more research Mati did, the clearer it became that the pretext could be a person who was selling a stamp collection. Finding out what the executive’s interests were allowed Mati to find an easy way into the company, and it worked.
Sometimes those little details that are what make the difference. Remember, no information is irrelevant. While gathering information, looking for stories, items, or aspects of a personal nature is also a good idea. Using a target’s personal or emotional attachments can enable you to get a foot in the door. If the social engineer finds out that every year the CFO donates a sizable sum to a children’s cancer research center, then a pretext that involves fund raising for this cause could very likely work, as heartless as it sounds.
The problem is that malicious social engineers use pretexts that feed on emotions without a second thought. After the attacks on the Twin Towers in New York City on September 11, 2001, many malicious hackers and social engineers used the losses of these people to raise funds for themselves via websites and emails that targeted people’s computers and fake fund raisers that obtained funds from those with a giving heart. After the earthquakes in Chile and Haiti in 2010, the same things occurred where many malicious social engineers developed websites that were positioned as giving out information on the seismic activity or the people who were lost. These sites were encoded with malicious code and hacked people’s computers.
This is even more evident directly after the death of a movie or music star. Search engine optimization (SEO) and marketing geniuses will have the search engines pulling up their stories in a matter of hours. Along with marketers, malicious social engineers will take advantage of the increased search engine attention by launching malicious sites that feed off that SEO. Drawing people to these sites, they harvest information or infect them with viruses.
That people will take advantage of others’ misfortune is a sad fact about this world, and one of those dark corners I said you would visit in this book. As a social engineering auditor, I can use an employee’s emotions to show a company that even people with seemingly good intentions can trick a company’s employees into giving access to valuable and business-ruining data.
All these