Social Engineering: Pretexting

Pretexting is another attack vector social engineers use. If you're unfamiliar with social engineers read my article on social engineering about another attack vector, social networks. Like all social engineering attacks, the main use for pretexting is to manipulate a person into giving away something valuable, or invaluable, that could lead to something valuable. Pretexting isn't just about stealing information for hackers to use; in some cases pretexting is used to steal physical valuables such as credit cards, debit cards, checks, computers, even cold hard cash!

Like any security measure, if you want to protect yourself, you need to know what you're protecting yourself from. Pretexting was around even before the Internet. Pretexting is the act of creating a scenario to trick a person into giving up something, whether information or an asset. Historically pretexting was done over the phone, but as times have changed, the attack vectors have evolved. Social engineers can now fabricate scenarios over the phone, using the Internet, pinging through social networks, or even making fake costumes.

The targets of social engineers who use pretexting aren't just individuals like you or me. They can extend to even large corporations.

There are tons of movies out there where a hero or a villain uses disguises to infiltrate their enemies. They're caught in the end eventually and you go on to watch the rest of the story progress. In real life, however, not all infiltrators are caught, and they are most definitely never ad hoc. There's meticulous planning involved and with the help of the Internet, it's only become easier.

Creating a fake scenario is much simpler now than ever before. The Internet has so many sources of information that it's hard to determine what's real and what's a scam. Social engineers know this and use it to their advantage. They can set up fake websites, advertise on real websites with fake announcements, and use e-mail to fool people into believing their stories.

 Most recently, in Boston, a social engineer used pretexting tactics by creating a fraudulent web site advertising a bridal expo. The web site invited not only attendees but vendors as well. They advertised by e-mail, posting on Twitter, advertised through Facebook, all actions a true expo would perform. They even went so far as to create a fake phone number for people to call and set up their payments through PayPal. Attendees paid $10 to $15 dollars for tickets, and vendors ranged from $30 to $4000! An estimated 6000 individuals and vendors were reported to have been tricked. This is only one case out of hundreds, and even almost a year later, the culprits have yet to be found.

Corporations use security consulting companies to measure their security against social engineering. There are third party firms out there that are paid to use pretexting tactics to enter a large corporate and steal whatever information they can. The third party firm randomly picks a time before they call and e-mail ahead of time and use pretexting to trick the front desk employees there is a maintenance team headed their way. They create a fake website and buy fake uniforms to continue their facade.

Working in the consulting sector, I have heard stories of CEO's leaving their offices open, the security teams left alone in the building after hours, and confidential paperwork lying in the open. Servers, full of confidential information, were available for access by thumb drives . At the end of the day the security team brings back all the information and reports on the status of the corporation's security against social engineering, and pretexting in general. What the company does afterwards is up to them; there's no guarantee that they'll fix their mistakes.

There's not a lot that can be done regarding your information hosted on corporate servers that are susceptible to social engineers. The liability is on the corporation. That doesn't mean that an individual will not be targeted in a similar fashion.

In the same way that a social engineer can create a false pretense that they're a maintenance worker for a corporation, they can create a persona to enter into an individual's home or office. If you live in an apartment, an e-mail can be spoofed notifying you that a worker will visit to check for some wiring issues. You might stumble on a website, created under false pretense by a social engineer, advertising low priced computer repair, and they're available where you live.

With this knowledge of what pretexting is and how it's used, it's time to discuss how to protect yourself. How do you protect yourself from social engineers who create elaborate scenarios, plan each detail, and are driven to steal? What protective measures must you take to keep your information and your valuables?

Like any other defense to social engineering, you must be proactive and not reactive.  If you receive an e-mail from someone saying that a maintenance worker will be swinging by, contact the sender's company, not the sender. Give them a ring and verify that they are sending someone. If you're home when they arrive, ask to speak to their supervisor, but don't take their word for it, ask for the company's corporate number and their supervisor's name, so that you can call from your own personal phone. It may seem rude, but if they are a social engineer, your best defense is to punch holes into their fantasy world.

The same applies to websites advertising events and expos. Call the event center and ask about the event; go straight to the source. It should raise red flags in your head when you notice that only cash and PayPal are accepted.

In any event, your best measure of protection is to hit the source of the pretense. If the social engineer is using pretexting, their weakest point is the fact that their source doesn't exist, it's all fabricated.