Social Engineering - Christopher Hadnagy [57]
The danger with malicious pretexting is the threat of identity theft, which makes it a very valid part of a social engineering pentest. Testing, checking, and verifying that your client’s employees will not fall for the methods used by malicious social engineers can go a long way toward safeguarding them from a successful pretexter.
Staying Legal
In 2005 Private Investigator Magazine was granted an interview with Joel Winston, Associate Director of the Federal Trade Commission (FTC), Division of Financial Practices. His office is in charge of regulating and monitoring the use of pretexting (see a copy of this valuable article at www.social-engineer.org/resources/book/ftc_article.htm).
Here are some of the key points from this interview:
Pretexting, according to the FTC, is the obtaining of any information, not just financial information, from a bank or consumer by using fraud, deception, or misleading questions.
Using already-obtained information to verify that a target is a target, even while using false pretenses, is legal under the FTC’s definition of pretexting, unless the social engineer is using this information to obtain information from a financial institution.
Acquiring toll phone or cellular records through deceptive business practices is considered illegal pretexting.
The FTC website provides some clarity and additional information to this interview:
It is illegal for anyone to use false, fictitious, or fraudulent statements or documents to get customer information from a financial institution or directly from a customer of a financial institution.
It is illegal for anyone to use forged, counterfeit, lost, or stolen documents to get customer information from a financial institution or directly from a customer of a financial institution.
It is illegal for anyone to ask another person to get someone else’s customer information using false, fictitious, or fraudulent statements or using false, fictitious, or fraudulent documents, or forged, counterfeit, lost, or stolen documents.
Although the FTC’s focus is on financial institutions, the guidelines outlined are a reminder of what is considered illegal in the United States. Professional social engineers should look into their local laws and make sure they are not breaking them. In 2006, the Federal Trade Commission moved to expand Section 5 of the FTC Act to specifically include a law banning the use of pretexting to retrieve telephone records.
HP’s pretexting situation ended in one of the private investigators being charged with conspiracy and federal identity theft—very serious charges.
Keeping pretexting legal will entail some research on the part of the professional social engineer as well as a clearly defined and signed-off plan of what pretexts, if any, will be used.
Despite the legal matters mentioned earlier, using a solid pretext is one of the quickest ways into a company. Pretexting is a talent all its own and, as you can see from this chapter, is not simply putting on a wig or a pair of fake glasses and pretending you are someone you are not.
Additional Pretexting Tools
Other tools exist that can enhance a pretext.
Props can go a long way in convincing a target of the reality of your pretext; for example, magnetic signs for your vehicle, matching uniforms or outfits, tools or other carry-ons, and the most important—a business card.
The power of the business card hit me when I was recently flying to Las Vegas on business. My laptop bag usually gets scanned, rescanned, then swabbed for bomb dust or whatever. I am one of those guys who doesn’t really mind the extra security precautions because they keep me from blowing up in the air, and I am happy with that.
Yet I realize that 90 percent of the time I am going to get extra attention from the Transportation Security Administration (TSA). On this particular trip I had forgotten