Having a legitimate reason for approaching someone to ask for sensitive information is called what?

Privilege Escalation

Thomas Wilhelm, in Professional Penetration Testing (Second Edition), 2013

Pretexting

Pretexting is a method of inventing a scenario to convince victims to divulge information they should not divulge. Pretexting is often used against corporations that retain client data, such as banks, credit card companies, utilities, and the transportation industry. Pretexters will request information from the companies by impersonating the client, usually over the phone.

Pretexting takes advantage of a weakness in identification techniques used in voice transactions. Because physical identification is impossible, companies must use alternate methods of identifying their clients. Often, these alternate methods involve requesting verification of personal information, such as residence, date of birth, mother’s maiden name, or account number. All this information can be obtained by the pretexter, either through social Web sites or through dumpster diving.


URL: https://www.sciencedirect.com/science/article/pii/B9781597499934000100

The Techniques of Manipulation

Gavin Watson, in Social Engineering Penetration Testing, 2014

Pretexting

Pretexting is often at the heart of every good social engineering attack, yet has numerous definitions, each adding to the confusion of what it actually is. For example, the Webster’s dictionary defines it as:

The practice of presenting oneself as someone else in order to obtain private information.

This is close but is really only describing impersonation. Furthermore, the objective may not necessarily be private information. Various online sources define pretexting in exactly the same way as social engineering is often defined:

The art of manipulating individuals into revealing sensitive information.

It is true that most pretexts are designed to manipulate individuals or elicit information, but this isn’t a clear enough definition.

The closest explanation of a pretexting attack was discovered in the Iowa State University’s 2009 paper [1]:

Pretexting is an attack in which the attacker creates a scenario to try and convince the victim to give up valuable information, such as a password. The most common example of a pretexting attack is when someone calls an employee and pretends to be someone in power, such as the CEO or on the information technology team. The attacker convinces the victim that the scenario is true and collects information that is sought.

The key part of the above definition is the reference to the creation of a scenario, which is the pretext used to engage the victim. The pretext sets the scene for the attack along with the characters and the plot. It is the foundation on which many other techniques are performed to achieve the overall objectives. A pretext is composed of the following two main elements:

1. Plausible situation

This is the situation that could potentially lead to the objective being achieved. It is a sequence of believable events, designed and guided by the social engineer to extract information or manipulate the target. The chosen pretext is based on the initial reconnaissance. It is this reconnaissance that not only points to a viable pretext but also provides the necessary information to support it.

2. Character

The plausible situation involves the social engineer playing a “role” much like an actor. This does not necessarily mean impersonating someone real; in fact, it is more often a fictitious character. However, it is important to remember that there are many aspects to consider when creating a character. The social engineer must consider how they would dress, how they would speak and what kind of skill set they would have.

For example, suppose the social engineer would like to elicit bank account information from a member of the public. They have searched through the victim’s garbage and found a letter from their Internet service provider (ISP). They decide to use this information to their advantage and build a pretext around it. This attack would likely involve many different aspects but here we just concentrate on the basic pretext that could be used.

For instance, the plausible situation could be:

The victim receives a telephone call from an attacker posing as their ISP. Unfortunately the previous attempt to retrieve the necessary funds via direct debit has failed. If the customer is confident they have sufficient funds, then the ISP would like to check it isn’t a mistake at their end. They would like to confirm the bank account number used by the victim and retry the transaction while they are on the phone. If the transaction is successful they will amend their records accordingly.

The character could be:

The caller would be a typical help desk employee, pleasant, polite, helpful and eager to solve problems.

Suppose a social engineer wanted to gain access to a particular business’s building. Unfortunately online research had not revealed anything that could be used to aid an attack. However, the social engineer still needs to build a pretext, one that doesn’t require any prior knowledge of the business or its processes.

The plausible situation could be:

The business is apparently due a fire extinguisher maintenance check. An attacker, posing as the engineer, has turned up on site and needs access to the building to check each fire extinguisher and replace them where necessary. This is not entirely uncommon as these checks are often performed unannounced. The engineer does not need to be escorted.

The character could be:

The engineer would be appropriately dressed in uniform, possibly with various tools. They would only be interested in performing the job quickly and may not react well to delays.

The above two pretexts seem fairly simple but remember that they are only a foundation on which to build the attack. The other techniques described in this chapter can be added to the pretext to make it more likely to succeed. For example, the social engineer may use impersonation, persuasion and credibility gaining techniques to support the pretext to name just a few.


URL: https://www.sciencedirect.com/science/article/pii/B978012420124800003X

Human Element Security

Jason Andress, in The Basics of Information Security (Second Edition), 2014

Pretexting

In pretexting, we often assume the guise of a manager, customer, reporter, or even a co-worker’s family member. Using a fake identity, we create a believable scenario that leads the target to give us sensitive information or perform some action that they would not normally do for a stranger.

While we can use pretexting in face-to-face encounters or over some communication medium, each has its own challenges. Direct, face-to-face encounters require a heightened level of attention to detail about our body language, while indirect encounters, such as over the phone or through e-mail, require us to focus more on verbal mannerisms. However, both types of encounters require strong communication and psychological skills, specialized knowledge, and a quick mind in order to be successful.

Walking up to a security guard without any detailed knowledge of the target organization and convincing the guard that they need to allow us access to their facility is quite a challenge, and one that probably won’t succeed, unless the guard is incompetent or the social engineer is very skilled. Pretexting gives us an edge when trying to social engineer a victim; if we can drop names, provide details on the organization, and give the victim sufficient cause to believe we deserve access to the information or access for which we are asking, or for that matter already have it, our chances of success increase substantially.


URL: https://www.sciencedirect.com/science/article/pii/B9780128007440000087

Impersonation

Thomas Wilhelm, Jason Andress, in Ninja Hacking, 2011

The Sender

Similar to pretexting, we need to impersonate someone that the victim will believe; however, with spear phishing, we need to impersonate someone within the victim's company or someone they know personally, in order to get them to read our e-mail and follow our instructions within. The target we intend to impersonate can be a friend, a colleague, a human resources representative, a boss, or a person of higher authority. The trick is to be able to do so with enough credibility.

Although it would be nice to say that we should try to impersonate the person with the greatest authority over our target victim, our efforts to gather information may be insufficient to be successful. Sometimes we will have to simply accept a lesser figure in order to completely convince the target as to our fake identity. Since we are focusing on e-mail attacks, we must make sure that all identifying information in any sent e-mail is accurate and believable; it may be possible that the intended victim is cynical and untrusting by default and will examine any communication with suspicion. Because we lose the initiative if we are caught sending fake e-mails, we cannot afford to make a mistake. This means we have to obtain an e-mail from the person we intend to impersonate, so we know how they address and sign their e-mails, as well as understand how they write – everything must be exact to assure the highest chance of success.

The closer the target victim is to the person we intend to impersonate, the more work is required to successfully perform our impersonation. There are two considerations that we need to be aware of – the first being how well the two individuals know each other's writing mannerisms. The second consideration is what type of knowledge the person we intend to impersonate has.

When trying to imitate someone's writing mannerisms, we need to be aware of what types of words they use and how they address the target victim (first name, last name, and/or nickname). We also need to be familiar with how they indent paragraphs, their use of emoticons, and when they typically send e-mails (mornings or afternoons). All these things add up to build a person's identity, and when closely imitated, it will reduce the potential for suspicion.

The second consideration of what type of knowledge the person we intend to impersonate possesses is intended to prevent us from overreaching in our attempt to pull our victim into the trap. If the person who we are trying to impersonate is not very familiar with technical details about a system that we want to access, we should not be using vernacular used by system administrators. We should also be careful about asking for information that the person we intend to impersonate should not have access to – it would seem odd for HR to want information regarding system configuration, for example.

It is possible to successfully use spear phishing without going to the extent of deception outlined in this section, but the better we craft our understanding of our intended targets and the interrelationship between them, the greater chance of success we enjoy.


URL: https://www.sciencedirect.com/science/article/pii/B9781597495882000068

Cybercrime

John Sammons, Michael Cross, in The Basics of Cyber Safety, 2017

Social Engineering

One of the easiest ways to gather information about you involves trickery. Social engineering is the practice of using various techniques to get people to reveal sensitive or personal information. By understanding how people act and react, a person influences others into performing actions or revealing confidential details. Using manipulation, technological means, or documents you’ve made accessible, the person is able to gather facts about you or another target. If done right, you won’t realize you’ve given away information to the wrong person until it’s too late, if at all.

There are many techniques that can be used to coax or convince a person to willingly give up information. A common method is called pretexting, in which you create a scenario that will persuade a person to perform some action or reveal the information you want. To give you an idea of how this might work, consider these situations:

You might receive a call at work from someone claiming to be in the IT department, who says there’s a problem with your network account. After some discussion, they ask for your username and password.

Someone claiming to be with the police, FBI, or other law enforcement calls you, a family member, friend, or neighbor, and says that your name came up in an investigation. They wonder if it’s an identity confusion, and want some personal information to clear things up.

Someone saying they’re from the bank, a credit card company, or Internal Revenue Service (IRS) calls you and asks you to confirm some information to prove they’re talking to the right person. They ask for bank account numbers, Social Security number, access codes, or other financial details.

The reason people are easily manipulated into giving away information is because they’re convinced it’s in their best interest to do so, or because they believe they’re helping in some way. If the person claims to be in some position of authority, the target believes they have the right to know this information. After all, we’re trained to answer and work with authority figures, and not question them.

Another way social engineering is used to gather sensitive details is through the use of surveys. Perhaps there’s an enticement of some reward, the person conducting the survey is personable, or you want to help the person out by answering a few questions. Regardless of the reason, the results can often be surprising.

When InfoSecurity Europe (www.infosecurityeurope.com) conducted their second annual survey, they asked office workers at Waterloo Station in London, England, a series of questions with the reward of receiving a cheap pen. The questions included asking people to reveal their password, which 90% of those questioned did. Of those questioned, 75% disclosed their password when asked “What is your password?” and 15% gave their password after some additional questions, such as asking the category their password fell into. Applying some social engineering tricks, a CEO of a company initially refused to compromise security and give up his password, but later said it was his daughter’s name. When asked what his daughter’s name was, he replied without thinking, thereby giving up his password.

While most people in this survey gave their password when asked, a social engineer will often structure the questions so it doesn’t seem like you’re revealing anything important. You may be in a chat room or conversation, and asked seemingly innocuous questions or drawn into a conversation where you reveal more as your trust in the person builds. The information can also be drawn out of you in ways you wouldn’t consider. For example, you may have seen questions posted on Facebook notes or in email, where you’re asked to share things that wouldn’t normally come up in conversation so others can learn more about you. They may seem funny or silly, but if you searched Google for “Facebook notes questions,” some of the types of questions include:

What is your favorite color?

What is your real name?

What city were you born in?

What is the name of your favorite pet?

While these may not seem important, especially when mixed in with fifty or a hundred other questions, you’ll notice that these are also common security questions used if you need to reset a password. Even if a social engineer didn’t send you the questions, they may be able to read ones you’ve answered previously by looking at your previous posts or Notes section.

Protecting yourself from social engineering requires being aware of the potential security risks, and taking steps to minimize them. In addition to the various tips we’ve discussed in relation to specific kinds of interactions (e.g., chat rooms and email) here are some additional tips:

Be mindful of the information you post on the Internet, and realize it could be visible to strangers. If you’re talking with someone you don’t know in real life (i.e., Facebook friends, people in chat, those who call you), be wary of them. After all, they’re still a stranger, even though they may have built up some trust.

Question (and ask yourself) why someone is asking for the information. If you don’t feel comfortable answering, then don’t.

Never reveal personal, financial, or other sensitive information over the phone or Internet. If it’s in person, make sure it’s in a secure location, such as the offices of your bank.

Realize that anyone in an IT department won’t request information like usernames and passwords over the phone or in an email.

If a caller asks for confidential information, ask for their contact information, and then verify that it’s real. Don’t trust the phone number they give you, as it may be false. Use the phone book, dial information, or use the company’s website (if you’re familiar with it) to get the correct phone number, and have them redirect you to that person’s extension. If they claim to be from a financial institution, you could call the number on your monthly statement.

Technology and Social Engineering

Different communication methods are used by social engineers to find and target a victim, including the mail, phone, email, instant messaging, and other Web-based technologies. Since the early days of the Internet, various ploys have been used to get credit card numbers and other personal details. Some would use it to set up fake accounts with Internet Service Providers, so that they could exchange pirated software, while others used the information to access other people’s accounts, commit fraud, or other crimes. As the years progressed, using the Web has become a mainstay for cybercriminals to find and interact with potential targets.

Phishing is a common process in which cybercriminals try and fool you into revealing login credentials, financial details, and/or other sensitive information that can be later used to commit fraud or access accounts. The attacker will send messages that appear to come from an official source, such as a bank, credit card company, auction site, social media site, or another popular site that can be used to lure victims. Because it appears to come from a trusted source, and may include the logo of the company it’s posing as, you’re more likely to believe it’s legitimate. If the site contains a link, clicking it may download malware or take you to a bogus website where you’ll be asked to enter personal, financial, and other sensitive information.

The term phish is a homonym for “fish,” as in you have to cast a big net to catch a few fish, which also describes how it works. A scammer will send out unsolicited email (SPAM), text messages, or other forms of communication in bulk. While many people will dismiss the message, a few will respond to it. There are some variations of phishing, including:

Spear phishing, where an individual or group of people in the same company or department are the focus of an attack. Because it addresses a specific person or group, it may have information related to them, and even appear to be coming from another area of the organization (such as Accounting or the IT department); there is a great likelihood for recipients to open and respond to it.

Clone phishing, where a previously sent email that’s legitimate is copied and resent, with alterations made (such as a link to a bogus site and a malware attachment). Because the original email is known to be real, and the cloned one has the same content but perhaps claims to be an updated or resent version of the original, people will believe it to be real and are likely to open it.

Whaling, where management and senior executives are targeted in an attack. An email may appear to be a customer complaint, legal document, subpoena, or other message that is likely to be opened by the recipient.

Many of the things mentioned above are sent in emails with either links to other sites or attachments that they want you to open. The sites that may be included in links within the message can be quite elaborate in mimicking a legitimate site. A copycat site may have a similar URL to the real company’s site, and the person running it may have even used website tools to promote the site in search engine results, so it appears to be the real company when you do a search. Even government sites have been copied, asking fees for services that are free to citizens, and requesting payment for licenses, passports, and other items at an excessive price. Another indication that it’s a copycat site may be that they request you provide information on an insecure site (i.e., not using HTTPS).

Even though the copycat site appears the same at face value, you should try and pay attention to any errors or odd things about the site. If you’re visiting a site that’s familiar to you, it may be obvious that there have been changes. Perhaps the logo is outdated, the URL is different, or the quality of the site doesn’t seem to match the company’s professional image. Even if it’s your first visit, you may notice spelling and grammar mistakes, even to the point that it seems created by someone who speaks English as a second language or used Google Translate to generate the text. If it seems wrong, don’t trust the site.
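The two indicators described above, a URL that is merely similar to the real company's and a page served without HTTPS, can be checked mechanically before a link is followed. The following is an added example, not part of the original chapter; the trusted host names, the function names, and the distance threshold are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list of sites the user really deals with (assumption).
TRUSTED_HOSTS = {"examplebank.com", "example-isp.net"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def check_link(url: str, trusted=TRUSTED_HOSTS, max_distance: int = 2) -> list[str]:
    """Return a list of warning labels for a link; an empty list means no warning.

    Labels:
      not-https         the page would be fetched without HTTPS
      lookalike:<host>  the host resembles, but is not, a trusted host
      unknown-host      the host is neither trusted nor similar to a trusted one
    """
    findings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if host.startswith("www."):
        host = host[4:]

    if parts.scheme != "https":
        findings.append("not-https")

    # Exact match, or a genuine subdomain of a trusted host, is accepted.
    if host in trusted or any(host.endswith("." + t) for t in trusted):
        return findings

    # Otherwise look for resemblance: the trusted name embedded in a longer
    # host name, or a host only a few character edits away from a trusted one.
    for t in sorted(trusted):
        if t in host or edit_distance(host, t) <= max_distance:
            findings.append("lookalike:" + t)
            return findings

    findings.append("unknown-host")
    return findings


if __name__ == "__main__":
    # Constructed sample links, not taken from any real campaign.
    samples = [
        "https://www.examplebank.com/login",
        "http://examplebank.com/login",
        "https://examp1ebank.com/login",
        "http://examplebank.com.account-verify.example/",
        "https://unrelated.example/",
    ]
    for link in samples:
        print(link, "->", check_link(link) or "ok")
```

A clean result only means the address and scheme match expectations; the visual and language cues described above still apply to the page itself.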

Suspicious Emails and SPAM

As we mentioned, SPAM is a term used to describe unsolicited email or messages that are sent to groups of people. The person sending the message is referred to as a spammer. The email may contain advertising, and simply be an annoying marketing tactic, or could be used by scammers and hackers to find potential victims.

A spammer may also post on various sites, or implement software known as a spambot. The spambot may be designed to gather email addresses from sources on the Internet so that email can be sent to those people, or create new accounts to send email or post messages on a site. A spambot could also be used to search the Internet for comment sections, guestbooks, wikis, or other forums so it can post a message. You may have seen these and thought it was an actual person claiming they made huge amounts of money working from home, or providing a link to a video sharing, dating, or pornography site.

SPAM is used for a variety of purposes. It’s often used to promote substandard or fraudulent products and services, such as those making outlandish claims that appeal to human desires. It might promise sure-fire ways of seducing women or losing weight. In purchasing the offer, you’ll generally find it doesn’t work as promised. As we’ve discussed, it’s also used as a communication method for social engineering ploys. The message may contain links to bogus sites that automatically download malware, a site where you’re fooled into providing login credentials or personal and financial information, or contain attachments that are virus infected or install malware.

To get a potential victim to a bogus site, malware may be used to modify your computer. Pharming is the process of being redirected from a legitimate site to one that may be used for phishing information. As we explained in Chapter 1, What is cyber safety?, when you type a URL into the address bar of your browser, it’s translated by a DNS server into an IP address. This information may be saved on your computer in a DNS cache, so the next time you go to the site your computer can resolve the name from previously stored information, rather than having to contact the DNS server again. Unfortunately, if this information is poisoned in some way, such as by a virus or other malware, you could be redirected to a different IP address, where you’ll be presented with a site that looks like the one you meant to visit, but is designed to fool you into providing sensitive information.

To avoid the problems of SPAM, it’s important not to open unexpected or suspicious emails, and not to click any links within them. As we discussed in Chapter 4, Email safety and security, using the SPAM filters on an email client or site will help detect and remove any known or suspected SPAM messages, so they’re sent to a Junk folder rather than appearing in your Inbox.

Baiting

Baiting is a tactic in which a social engineer will entice you with something that’s difficult to resist or intrigues you, so you ultimately perform an action that the cybercriminal wants you to take. Visiting a site, you might be offered free music and movie downloads on the condition you provide your login credentials for a certain site. Even if you’re not required to give any information, clicking the link may download a file containing a Trojan virus, or pop open another browser to a site that automatically downloads malware.

Baiting isn’t always done online. A common way to bait someone is to leave a USB flash drive where someone is likely to find it, such as at a bus stop, restaurant, or parking lot. If targeting a particular company, it might be left by an employee entrance or the smoking area where they take breaks. When a person finds the USB, they may be curious about what it contains, especially if it’s labeled as “Employee salaries” or some other intriguing topic. The person may go back to their desk and plug it into their computer, only to find they’ve installed a hacking tool or some other form of malware. Even if the employee turns the USB in to the IT department, it still poses a risk because security may try and open it to find who it belongs to. If the IT department does this, the user may have administrative privileges, meaning the hacker’s tool or malware has full permissions and wider access to the network. By trying to be helpful, the person may have compromised his or her own account, or infected the network.


URL: https://www.sciencedirect.com/science/article/pii/B978012416650900005X

Security and Compliance

Bill Holtsnider, Brian D. Jaffe, in IT Manager's Handbook (Third Edition), 2012

Gramm–Leach–Bliley

The Financial Modernization Act of 1999, also known as the Gramm–Leach–Bliley Act (named for its Republican Party sponsors Phil Gramm, Jim Leach, and Thomas Bliley), or GLB Act, has provisions to protect consumers’ personal financial information held by financial institutions. The act is enforced by multiple federal agencies as well as states. It affects not only banks, insurance companies, and security firms, but also brokers, lenders, tax preparers, and real estate settlement companies, among others.

The GLB Act consists of three sections:

The Financial Privacy Rule, which regulates the collection and disclosure of private financial information.

The Safeguards Rule, which stipulates that financial institutions must implement security programs to protect such information.

The Pretexting provisions, which prohibit the practice of pretexting (accessing private information using false pretenses).

For IT, it's important to note that the act provides for each agency or authority described in Section 6805(a) of this act to establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards:

1. To ensure the security and confidentiality of customer records and information.

2. To protect against any anticipated threats or hazards to the security or integrity of such records.

3. To protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer.

GLB also requires the safeguarding of “nonpublic personal information,” which includes nonpublic “personally identifiable financial information,” such as any information (1) a consumer provides to obtain a financial product or service and (2) about a consumer resulting from any transaction involving a financial product or service otherwise obtained about a consumer in connection with providing a financial product or service (www.ftc.gov/privacy/glbact/glboutline.pdf).

The act also requires financial institutions to give customers written privacy notices that explain their information-sharing practices. In 2008 and 2009, GLB received criticism as a contributing factor in the subprime mortgage crisis, as GLB repealed the Glass–Steagall Act of 1933, thereby allowing banks, securities companies, and insurance companies to compete with one another directly and leading to the creation of financial conglomerates such as Citigroup.


URL: https://www.sciencedirect.com/science/article/pii/B9780124159495000089

Psychological Weapons

Jason Andress, Steve Winterfeld, in Cyber Warfare (Second Edition), 2014

Types of SE Approaches

Once the attacker has gathered the background information necessary to understand some options to approach the target, they must decide how aggressive they want to be. From least to most aggressive, the approaches are: observation, conversation, interview, interrogation, and torture. They can start by digital or physical observation. Next comes a conversation (electronic, telephonic, or in person). This is often the phase where the attacker will determine who they want to recruit or attack. Typically this is known as elicitation, which is generally the extraction of information through what seems to be a casual conversation. To phrase this another way, it is “where the con is based on the social engineer’s” ability to spin a lie. This ability comes from pretexting, which is developing a scenario where the SE gains the trust of the person who owns or has access to the information in order to get them to break their policies or violate common sense and give the information to the attacker. One method that is used in every type of attack but is especially useful here is mirroring. For example, by adopting the target’s speech mannerism (or email style) it will be much easier to get them to engage in a conversation.

Warning

The Financial Modernization Act of 1999 more commonly known as the Gramm-Leach-Bliley Act makes pretexting a crime. Under federal law it’s illegal for anyone to [3]:

Use false, fictitious, or fraudulent statements or documents to get customer information from a financial institution or directly from a customer of a financial institution.

Use forged, counterfeit, lost, or stolen documents to get customer information from a financial institution or directly from a customer of a financial institution.

Ask another person to get someone else’s customer information using false, fictitious, or fraudulent statements or using false, fictitious, or fraudulent documents or forged, counterfeit, lost, or stolen documents.

The Federal Trade Commission Act also generally prohibits pretexting for sensitive consumer information.

The next technique is to conduct an interview or outright interrogation. Both of these require the victim to submit to the attacker’s authority. This can be done by posing as a customer who needs the information to make a decision, pretending to be someone from the government who has the right to the information, or through intimidation. These attacks can be done cold or after a relationship has been developed. The attacker can perform them in person using props like badges or over the phone/email using spoofing to make it appear like the contact is from a legitimate source. An example would be to call someone as the Tech Department or Help Desk and tell them they have to reset their account because of a mistake made during a recent update. Most people want to be helpful and automatically trust their computer. That desire to help or trust in their system is the key to compromising them. Both of these techniques are not by their nature antagonistic. Often the most effective techniques are based on establishing common bonds. All of these techniques require building a relationship based on trust. Finally, after interrogation comes torture, but that is beyond SE practices. Figure 8.1 shows the flow of these techniques.


Figure 8.1. Approach techniques from least to most aggressive.


URL: https://www.sciencedirect.com/science/article/pii/B9780124166721000088

The State of the Art in Identity Theft

Amit Grover, ... Dennis Cobb, in Advances in Computers, 2011

1 Introduction

Technically, the term “identity theft” refers to two distinct, but interrelated, crimes: the act of stealing another's identity and the use of that stolen identity in committing a fraudulent act. In the first case, identity theft is similar in function to “pretexting”—or the attempt to take on the persona of another individual for social engineering purposes. In the second case, identity theft falls into the category of digital crime, along with copyright infringement, espionage, phishing, financial crimes, money laundering, and so forth. In many if not most cases, the first type of identity theft is used as a means to the commission of the second type of identity theft. In the fullest sense, identity theft is a strong candidate for the major crime of the new millennium. Identity theft usually begins with a fraudulent document such as that shown in Fig. 1.


Fig. 1. Example of Identity Theft.

Source: The Identity Theft and Financial Fraud Research and Operations Center. www.itffroc.org.


URL: https://www.sciencedirect.com/science/article/pii/B9780123855107000011

What is persuading someone to reveal confidential information called?

Social engineering is the art of convincing people to reveal confidential information. By taking advantage of basic human nature, such as trust or a lack of knowledge, the attacker deceives people into revealing sensitive information.

What are the 4 types of social engineering?

Social engineering attack techniques:
Baiting. As its name implies, baiting attacks use a false promise to pique a victim's greed or curiosity.
Scareware. Scareware involves victims being bombarded with false alarms and fictitious threats.
Pretexting.
Phishing.
Spear phishing.

What is the term used to describe when someone seeks to elicit information from a genuine user so as to gain access to a system?

Pretexting is an attack in which the attacker creates a scenario to try and convince the victim to give up valuable information, such as a password.

What is the term for when an attacker searches the Internet for information on their victim?

Phishing is a form of fraud in which an attacker masquerades as a reputable entity or person in email or other forms of communication. Attackers will commonly use phishing emails to distribute malicious links or attachments that can perform a variety of functions.