Social Engineering - Christopher Hadnagy [52]
Let me tie all this together with a few examples that I have used or seen used in audits. After some excellent elicitation on the phone, a nameless social engineer had been given the name of the waste removal company. A few simple Internet searches and he had a usable and printable logo. There are dozens of local and online shops that will print shirts or hats with a logo on it.
A few minutes of aligning things on a template and he ordered a shirt and ball cap with the logo of the waste company on it. A couple days later, wearing the logo-laden clothing and carrying a clipboard, the social engineer approached the security booth of the target company.
He said, “Hi, I’m Joe with ABC Waste. We got a call from your purchasing department asking to send someone over to check out a damaged dumpster in the back. The pickup is tomorrow and if the dumpster isn’t repairable I will have them bring out a new one. But I need to run back there and inspect it.”
Without blinking, the security officer said, “OK, you will need this badge to get onsite. Just pull through here and drive around the back and you will see the dumpsters there.”
The social engineer had a free pass to perform a very long and detailed dumpster dive but wanted to maximize his potential so went in for the kill with this line. While looking at his clipboard he said, “The note says it is not the food dumpsters but one of the ones where paper or tech trash goes. Which block are those in?”
“Oh, just drive the same way I told you and they are in the third bay,” replied the security guard.
“Thanks,” said Joe.
A simple pretext, backed up by clothing and “tools” (like the clipboard), and the storylines were simple to remember and not complex. The simplicity and lack of detail actually made this pretext more believable, and it worked.
Another very widely used pretext is that of the tech support guy. This one only requires a polo shirt, pair of khakis, and small computer tool bag. Many social engineers employ this tactic to get in the front door because the “tech guy” is usually given access to everything without supervision. The same rules apply: keeping the storyline simple will help make this particular pretext very real and believable.
The Pretext Should Appear Spontaneous
Making the pretext appear spontaneous goes back to my point on using an outline versus using script. Outlines will always allow the social engineer more freedom and a script will make the social engineer sound too robotic. It also ties in to using items or stories that interest the social engineer personally. If every time someone asks you a question or makes a statement that requires you to think, and you go, “Ummmm” and start to think deeply, and you cannot come back with an intelligent answer, it will ruin your credibility. Of course many people think before they speak, so this is not about having the answer in one second, but about having an answer or a reason for not having the answer. For example, in one phone call I was asked for a piece of information I didn’t have. I simply said, “Let me get that.” I then leaned over and made it sound like I was yelling for a workmate: “Jill, can you please ask Bill to give me the order form for the XYZ account? Thanks.”
Then as “Jill” was getting the paper for me I was able to obtain the data I needed and the paper was never brought up again.
I have compiled a small list of ways that you can work on being more spontaneous:
Don’t think about how you feel. This point is a good one, because often in a pretext if you overthink you will start to add emotion into the mix, which can cause fear, nervousness, or anxiety, all of which lead to failure. On the other hand, you might not experience nervousness or fear, but over-excitement, which can also cause you to make a lot of mistakes.
Don’t take yourself too seriously. Of course, this is great advice in life, but it applies wonderfully to social engineering. As a security professional you have a serious job; this is a serious matter.