7/4/11

Pretexting Principles and Planning

One of the most crucial aspects of using pretexting as a social engineering tactic is proper planning. If proper planning is not taken, the percentage of your social engineering attempts that will succeed will be few to none.

Contents

1 Basic Principles
2 Planning and Using Pretexts
3 Character Creation
3.1 Trust Relationships
4 Conclusion
5 References

Basic Principles


There are some basic principles that should be followed when using pretexing:
The more research that is done the better chance of success
If your pretext involves activities or interests you have you increase success
Careful planning is required for success
Practicing dialects or expressions that will be familiar to your target is essential
Just because the pretext is over the phone does not minimize the research effort
The simpler the pretext the better chance of success
Your pretext should appear spontaneous
Your pretext should seem accurate or have aspects that are not susceptible to verification
You must know the intelligence and type of person you will be contacting
Provide logical conclusion or follow through for the target
Be aware of the local laws



Planning and Using Pretexts

Pretexting has been hailed as one of the quickest ways to obtain information. It is utilized by federal and local law enforcement, private detectives, reporters, interrogators and many other types of people.

While selecting your pretext it is imperative to consider a few key questions:
What problem am I trying to solve?
What questions am I trying to answer?
What information do I seek?
The nature of the person whom we will be contacting

When using a dialect it should only be attempted when the social engineer has considerable ability and practice in speaking and acting with that dialect. it is more than having the accent, but also being aware of certain phrases, terms, idioms and especially slang terms that are used in the area you will be pretexting in. When planning for a pretext it is wise to consider not just planning how you will act, what you will say, etc... but planning for what the target will say, how they MAY react. One of our goals in pretexting is to bring the target to logical conclusion, to do that we must anticipate their attitudes and statements as well as be spontaneous enough to lead them down the path we want.
Character Creation


When you're developing a pretext you are essentially creating a character. The complexity of that character is determined by the planned depth of interaction with people at the target site. A pretext can be as simple as just being friendly to someone during a conversation or as complicated as a full blown fake identity complete with ID’s, public records, and all the trappings of a normal person’s life (social networking pages, blog postings, and other things searchable via the Internet). The process of character development is well documented and practiced by the acting community and many of their techniques could translate easily into developing pretexts.

The following links provide some helpful insight about character development:
http://www.social-engineer.org/wiki/archives/Pretexting/Pretexting-CharacterDevelopment.html[1]
http://www.social-engineer.org/wiki/archives/Pretexting/Pretexting-CharacterDevelopment2.html[2]

Trust Relationships


Some pretexts may not need such thorough attention to detail if they can exploit a trust relationship instead. Mati Aharoni[3] tells a great story of how he was able to convince an employee of a target company to visit his “stamp collection” website under the pretext of having some rare stamps for sale. He had already cultivated a casual relationship with the employee based on information he’d found online about this person’s interest in stamp collecting. The site was fake and hosted malicious content but the person believed they could trust Mati’s information and didn’t require a finely crafted forgery of a “real” stamp collecting site to believe what he was looking at.

Another important aspect of pretext development is what information to use and where to find it. Information gathering and target research is key to obtaining relevant information that can be used for the pretext as well as other aspects of social engineering. Elicitation, Google mining,dumpster diving, and now social network mining (aka Maltego) are all valid techniques for information gathering and currently in use during social engineering attacks.
Conclusion


When you're communicating with someone it's more than just the words you're speaking. It's also the way you act, your tone of voice, mood, body language, even the way you dress. A pretext may be composed from information that fits the target environment but successfully implementing it relies on your ability to fully understand and control how you're communicating that information. With all this being said, planning for your pretext can not be stated enough. It is essential to properly plan or the social engineer will fail.
References
http://www.social-engineer.org/wiki/archives/Pretexting/Pretexting-CharacterDevelopment.html
http://www.social-engineer.org/wiki/archives/Pretexting/Pretexting-CharacterDevelopment2.html
http://www.offensive-security.com/about.php

Δεν υπάρχουν σχόλια:

Δημοσίευση σχολίου