Social Engineering: Preloading

by Natsuya Uesugi

Think of it as a message intended to sway you to think about something before you get to it. That is preloading. The best example is the movie theatre where you see posters of movies before you get in the door, then when you get to concessions and then even before your movie starts you are assaulted by previews for other movies.

The trailers tell you “this is a comedy” or “this is scary” and get you to react before you see anything setting the stage to what you will see. This is all context before they get to the real heart of the matter the trailer. This is preloading.

In social engineering preloading can be the context before the data gathering starts in earnest. You might be at a car show and someone comes up to you using the context of the show and asks you about your car. You answer because you think the question is innocuous and this is a fellow car enthusiast. Before long he knows what type of car you have and how long you have had it. If the questioning goes well he might even find out when you are on vacation and the town you live in, all information he can use to steal your car.

Not all social engineering is this treacherous but it can be used for nefarious means. Asking a seemingly harmless question by a stranger can lead to many different avenues depending on the motive.

Preloading works by letting the target feel comfortable. It has to be believable by the target to buy into the ruse. If they sense the social engineer is not genuine they will put up their guard and divert or walk away. The context has to be right. If you are at a vegan restaurant you will not ask a question about steak, it doesn’t fit the context.

Along with buying into the context and being believable the social engineer needs to have a goal. The questions need to be directed towards that goal. If you don’t know where you are going or what information you are looking for the goal will get lost and you may lose the target’s interest in the questions. This can get very complex. Having a simple goal is easier and does not require as much planning. A complex goal may require multiple interactions with the target in order to achieve the same end.

Another important thing to do is appeal to the target’s ego. Let them know how special they are. This can help win the target to your side and trust more enabling the questioner a more easy lead.

Another way to influence the situation is by eliciting knowledge and letting the target know you share something similar. If the target assumes you know something after you present some information they may be more likely to open up to you. If for example I am a systems analyst I can talk about requirements gathering and if I sound like I know what I am talking about another systems analyst may not doubt my genuine knowledge of the field.

Preloading can take on many forms. It is subtle but can lead to elicitation, information gathering. With the right context preloading can lead the target down a particular path. It is all about what information you are trying to gather.

For example a hacker who wants to know the badge access system might ask a random employee about how they badge in. Then turn around and pose as a security tech and find the encryption settings on the badge system and what type it is. All this can get hackers access to their target location with just a little questioning. Preloading is social engineering and it can be used for ill gains. It is good to be cautious of strangers in your workplace or out in the world since you don’t know necessarily what their motive is. Think about that next time you strike up a conversation with someone at your neighborhood coffee shop. It could be a social engineer.

Leave a Reply

Your email address will not be published. Required fields are marked *