When conducting a social engineering engagement, be it in person or remote, your pretext can mean life or death for your engagement. First off, let’s define what a pretext is. A pretext is your story: who you are, the company you work for, your purpose, even down to how many kids you have, their names, the car you drive, etc. Depending on how far you need to go, having details down to your dog’s name can help you make your way into the target building.
Dissecting the Pretext
Ultimately, the goal is to convince your target to perform some action to help you advance towards your goal of compromise. This can be done by developing a believable background for yourself. Think of it as writing a short story. The first step is to consider a few hypothetical things:
- Who you are: What’s your name? What company do you work for? What’s your position at the company? Are you new or a seasoned employee? Who’s your boss? How old are you? Going into a breach attempt with answers to these questions will ensure you’re at least minimally prepared for the inevitable challenges. In an effort to save time, make sure your level of depth matches what the engagement actually requires. For example, if you use email phishing rather than an in-person attack, you probably don’t need to develop an entire life story for the character you are playing.
- What you want: You have to have a goal. Otherwise, there’s no point. For phishing or vishing, you may be trying to get credentials, gather information, or compromise a system. For a physical assessment, you may just want to enter a facility. Either way, document the end goal. Have it memorized because you’re going to do everything you can to achieve that goal.
- Timing is everything: You’re conducting an assessment, and you don’t have an infinite amount of time. More often than not, you’re going for your goal at the same time as you’re conducting your social engineering attack, but there are times when you could let it seep in and return later. For example, through King Phisher, you can phish through calendar invites. Having users forget that they received a random invite a week after the fact, only to have a reminder pop up and a corresponding “Uh-oh!” moment, might be to your advantage. Plan your time so that it fits nicely into your chosen pretext.
- Location, Location, Location: Obviously, remote assessments don’t really apply here, but for assessments that involve a physical component, where you choose to initiate your attack is one of the most important factors in a successful social engineering engagement. If you just want information, visiting the corporate headquarters may not be the best option. Hit up a local bar in close proximity right after working hours. Chances are, your target will be more willing to talk to a random stranger who seems interested in what they do. After all, people love talking about themselves, and questions placed at the right points in a conversation will allow you to steer it as organically as possible.
- Why: Short and simple. Why are you doing this? Why do you need access to the building? The server room? Why do you need fifty people to execute that macro in your Excel document? What I’m getting at here is that conveying, in a believable way, why you need your target to perform some action is crucial to the success of the attack. For example, in a phishing assessment that includes a malicious attachment, don’t claim the attachment is internal accounting information that needs verification and then send it straight to the sales team. Couch your attack in as much realism as possible.
One of the most widely used pretexts involves emulating a legitimate user. For phishing this is no problem. It’s fairly trivial to send emails as legitimate users, so long as you can bypass (or avoid) SPF; the biggest challenge then becomes making your signature look authentic and wording the email just right. The former is solved with a quick email to your target’s recruiting office asking for an application and then reusing the signature from the reply. For an engagement which requires interaction in person, however, this can be tricky.
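The SPF caveat above is also where defenders have a lever: a domain that publishes only a softfail SPF record and no enforcing DMARC policy lets mail spoofed from its own users through. This is an added example, not code from the original post; it evaluates constructed SPF and DMARC TXT records for hypothetical domains to show which policy combinations cause a receiving server that honors them to reject impersonated mail.

```python
import re

# Constructed sample TXT records for hypothetical domains (not real DNS data),
# keyed by the DNS name that would be queried.
SAMPLE_TXT = {
    "weak.example": ["v=spf1 include:_spf.mailhost.example ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "strict.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_dmarc.strict.example": ["v=DMARC1; p=reject; adkim=s; aspf=s"],
    "nospf.example": [],
}


def spf_all_qualifier(records):
    """Return the qualifier of the SPF 'all' mechanism ('-', '~', '?', '+'),
    '?' when the record has no 'all' term, or None when no SPF record exists."""
    for txt in records:
        if not txt.lower().startswith("v=spf1"):
            continue
        for term in txt.split()[1:]:
            m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
            if m:
                return m.group(1) or "+"
        return "?"  # record present but ends without 'all': neutral by default
    return None


def dmarc_policy(records):
    """Return the DMARC p= value (none/quarantine/reject) or None when unpublished."""
    for txt in records:
        if txt.lower().startswith("v=dmarc1"):
            tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
            return tags.get("p", "none").lower()
    return None


def assess_domain(domain, lookup=SAMPLE_TXT.get):
    """Classify how a receiver enforcing SPF/DMARC treats mail spoofing this domain."""
    spf = spf_all_qualifier(lookup(domain, []))
    dmarc = dmarc_policy(lookup(f"_dmarc.{domain}", []))
    if dmarc == "reject":
        verdict = "rejected"
    elif dmarc == "quarantine":
        verdict = "quarantined"
    elif spf == "-":
        verdict = "spf hard fail, but no DMARC enforcement"
    else:
        verdict = "likely delivered"
    return {"domain": domain, "spf_all": spf, "dmarc_p": dmarc, "spoofed_mail": verdict}
```

Swap `lookup` for a real DNS TXT resolver to audit your own domain; the verdict only covers exact-domain spoofing, not lookalike domains that avoid SPF entirely.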
On a recent vishing engagement, we placed a call to a company posing as a Risk Manager for a credit union trying to get information from a vendor in vulnerability management. As we didn’t know what sort of questions were going to be asked of us, we had to do extensive research on both the individual we were posing as and the two organizations. We looked at current events for the organizations, the specifics of their service offerings, and the individuals at the target to whom we might end up speaking. The point here is to do your research. If you’re going to pose as someone, become that person. Know as much as you possibly can about your persona and the company they work for, because you will more than likely be challenged at some point and you need to make the other person believe you are who you say you are.
So What Does a Good Pretext Look Like?
There’s no reliable way to tell what makes a good pretext. In one of our most consistently successful phishing engagements, we include Excel documents with very suspicious-looking coupons for Target and Kmart claiming it’s Employee Appreciation Week. Never mind the fact that we’ve never actually sent this type of email on Employee Appreciation Day (it’s the first Friday in March, FYI); the coupons themselves are all clearly labeled as expired and “not valid for any goods or services.” As baffled as I am about how successful this pretext is, people still open the document and enable macros. A good pretext will easily convince the target to perform the task you request with little-to-no opposition, and if you are questioned, being able to continue on with your story will make your mark a believer.