Privilege Escalation

Pretexting is the practice of inventing a scenario to convince victims to disclose information they should not disclose. Pretexting is often used against companies that hold customer data, such as banks, credit card companies, utilities, and the transportation industry. Pretexters request information from these organizations by impersonating the customer, usually over the phone.

Pretexting takes advantage of a weakness in the identification methods used in voice transactions. Because physical identification is not possible, companies must use alternative ways of identifying their customers. Often, these alternative methods involve asking for verification of personal information, such as home address, date of birth, mother's maiden name, or account number. All of this information can be obtained by the pretexter, either through social Web sites or through dumpster diving.

The Techniques of Manipulation
Gavin Watson, in Social Engineering Penetration Testing, 2014

Pretexting is often at the heart of every good social engineering attack, yet it has numerous definitions, each adding to the confusion about what it actually is. For example, Webster's dictionary defines it as:

The practice of presenting oneself as someone else in order to obtain private information.

This is close but is really only describing impersonation. Furthermore, the objective won't always be private information. Various online resources define pretexting in exactly the same way as social engineering is often described:

The art of manipulating individuals into revealing sensitive information.

It is true that most pretexts are designed to manipulate individuals or elicit information, but this isn't a clear enough definition.

The closest explanation of a pretexting attack was found in Iowa State University's 2009 paper1:

Pretexting is an attack in which the attacker creates a scenario to try to convince the victim to give up valuable information, such as a password. The most common example of a pretexting attack is when someone calls an employee and pretends to be someone in power, such as the CEO or someone on the information technology team. The attacker convinces the victim that the scenario is genuine and collects the information that is sought.

The key part of the above definition is the reference to the creation of a scenario, which is the pretext used to engage the victim. The pretext sets the scene for the attack along with the characters and the plot. It is the foundation on which many other techniques are performed to achieve the overall goals. A pretext is composed of the following fundamental elements:

Plausible scenario

This is the scenario that would potentially result in the goal being achieved. It is a series of believable events, designed and guided by the social engineer to extract information or manipulate the target. The chosen pretext is based on the initial reconnaissance. It is this reconnaissance that not only points to a possible pretext but also provides the necessary information to support it.

Character

The plausible scenario involves the social engineer playing a "role", much like an actor. This does not always mean impersonating a real person; in fact, it is more often a fictitious character. However, it is important to remember that there are many factors to consider when creating a character. The social engineer must consider how they would dress, how they would speak and what kind of skill set they would have.

For instance, suppose the social engineer would like to elicit bank account details from a member of the public. They have searched through the victim's garbage and found a letter from their Internet service provider (ISP). They decide to use this information to their advantage and build a pretext around it. This attack would probably involve many different aspects, but here we just focus on the basic pretext that would be used.

The plausible scenario could be:

The victim receives a phone call from an attacker posing as their ISP. Unfortunately, the previous attempt to collect the necessary funds via direct debit has failed. If the customer is confident they have sufficient funds, then the ISP would like to check that it isn't a mistake at their end. They would like to confirm the bank account number used by the victim and retry the transaction while they are on the phone. If the transaction is successful they will amend their records accordingly.

The character would be:

The caller would be a typical help desk employee: friendly, polite, helpful and eager to resolve problems.

Suppose a social engineer wanted to gain access to a particular business's building. Unfortunately, online research had not revealed anything that could be used to aid an attack. However, the social engineer still needs to construct a pretext, one that doesn't require any prior knowledge of the business or its processes.

The plausible scenario could be:

The business is apparently due a fire extinguisher maintenance check. An attacker, posing as the engineer, has turned up on site and needs access to the building to check each fire extinguisher and replace them where necessary. This isn't entirely uncommon, as these checks are often performed unannounced. The engineer does not need to be escorted.

The character could be:

The engineer would be appropriately dressed in uniform, possibly carrying various tools. They would only be interested in performing the job quickly and would not react well to delays.

The above two pretexts seem quite simple, but remember that they are only a foundation on which to build the attack. The other techniques described in this chapter can be added to the pretext to make it more likely to succeed. For example, the social engineer may use impersonation, persuasion and credibility-gaining techniques to support the pretext, to name just a few.
