The Importance of the Pretext
More and more often, hackers rely on exploiting the human aspect of security to gain access to their targets through social engineering attacks (e.g., phone, phishing, in-person, etc.). With strong firewalls, intrusion detection/prevention systems, and tools like security incident and event management (SIEM) in place, you are seeing an increase in attacks that target the human aspect of security. In order for these attacks to work, the attacker must come up with a strong pretext that appears legitimate. A proper pretext will give an attacker the keys to the kingdom.
So what is pretexting? The Merriam-Webster dictionary describes pretext as "a purpose or motive alleged or an appearance assumed in order to cloak the real intention or state of affairs." In simple terms, a pretext is a reason that you give to hide your real reason for doing something. Social-engineer.org defines pretexting as the practice of presenting oneself as someone else in order to obtain private information.
Pretexting is central to an attacker's ability to complete a successful social engineering (SE) attack, and it is a process that includes more than just picking up the phone and dialing the target, or walking through the front doors of the organization and asking for access to the server room. The more an attacker knows about the target, the better the chances are that the attacker will be successful. More goes into pretexting than just creating a lie and hoping that the target falls for it.
In some situations, pretexting will involve a whole new identity and using that identity to manipulate the target into giving up valuable information. This could include the use of an accent, impersonating people in certain jobs, or even spoofing a phone number to make it seem like the attacker is at the location they claim to be. All of these techniques serve the main goal of gaining the target's trust, which will ultimately allow the attacker to gain the information that they are after.
As an attacker, if you cannot build trust / rapport and build it quickly, then you are more than likely going to fail. That is why a solid pretext is so essential to building solid rapport. If the story you are telling the target has holes and lacks credibility, then you can be pretty positive that the target will catch on. Your attempt to gain information impersonating an employee from a shredding company that handles the shredding responsibilities for a financial institution will be sure to come up short if you failed to find out that the financial institution actually handles the shredding themselves.
There are many avenues that an attacker will use to figure out what pretext they want to use. One is social media sites such as Facebook, Twitter, and LinkedIn. A ton of information can be gained from social media sites. An attacker could use these sites to find out job titles and descriptions, employee information, events that are happening, and much more. All of this could be gold for an attacker.
An attacker is also going to check out the website of their target and can gain very valuable information from doing so. If they can find out personnel names, titles, emails, phone numbers, etc., they can use these to exploit the target. For example, an attacker finds out that Joe Green is in charge of IT at a financial institution by looking at the financial institution’s website. Next, the attacker calls the financial institution impersonating a salesman from XYZ Printer company and asks to speak with Joe Green, but the receptionist tells the attacker that Joe Green is out of the office for the day for a meeting. The attacker then calls a different branch of the financial institution impersonating a technician and tells the receptionist that Joe Green is having the attacker perform network tests and needs some specific information. The receptionist ends up giving the attacker the information, which leads to the attacker gaining access to the financial institution. This is a possible scenario that could very well lead to a successful attack because the attacker used a solid pretext.
Here are some basic principles of pretexting from social-engineer.org:
· The more research that is done, the better chance of success.
· Careful planning is required for success.
· The simpler the pretext the better chance of success.
· Your pretext should appear spontaneous.
· Your pretext should be accurate.
· Provide logical conclusion or follow through for the target.
Article written by: Chad Gutschenritter