CAPEC-407 - Social Information Gathering via Pretexting

An attacker engages in pretexting behavior to solicit information from target persons, or manipulate the target into performing some action that serves the attackers' interests. During a pretexting attack the attacker creates an invented scenario, assuming an identity or role to persuade a targeted victim to release information or perform some action. It is more than just creating a lie, in some cases it can be creating a whole new identity and then using that identity to manipulate the receipt of information. Pretexting can also be used to impersonate people in certain jobs and roles that they never themselves have done. Basic pretexting attacks may simply seek to learn information about a target, but more complicated pretexting attacks seek to solicit a target to perform some action that assists the attacker in exploiting organizational weaknesses or obtaining access to secure facilities or systems. One example of a pretexting attack could be to dress up like a jogger and run in place by the entrance of a building, pretending to look for your access card. Because the hood obscures you face, it may be possible to solicit someone inside the building to let you inside. Pretexting is also not a one-size fits all solution. A social engineering attacker will have to develop many different pretexts over their career. All of them will have one thing in common, research. Good information gather techniques can make or break a good pretext. Being able to mimic the perfect tech support rep is useless if the target does not use outside support. Pretexting is also used in other areas of life other than social engineering. Sales, public speaking, so-called fortune tellers, NLP experts and even doctors, lawyers, therapists and the like all have to use a form of pretexting. They all have to create a scenario where a person is comfortable with releasing information they normally would not. One of the most important aspects of social engineering is trust. If the attacker cannot build trust they will most likely fail. A solid pretext is an essential part of building trust. If an attacker's alias, story, or identity has holes or lacks credibility or even the perception of credibility the target will most likely catch on. Similar to inserting the proper key in a lock, the right pretext provides the proper cues to those around the attacker and can disarm their suspicions or doubts and open up the doors, so to speak. .