Social Engineering: Pretexting

by Natsuya Uesugi

Pretexting is a social engineering practice that is akin to cosplay or, we might say, getting into character. Hackers do this, for example, by posing as a security guard or a software tech to gain access to a building or area in order to gain information. You have to be careful to ensure the ruse is correct for the environment. If you pose as an outsourced software technician but the small company doesn’t outsource its tech department, then you have a problem.

We describe it here as cosplay because I guess San Diego ComicCon is going on right now and many people are dressed up as their favorite superhero, living out their fantasies and playing someone they might wish they could be in their dreams. Pretexting is similar because some otaku take their cosplay very seriously and will talk, walk, have mannerisms and stay in character the entire time they are in the costume at con.

Pretexting requires homework, though. You have to know your character and actually be them for it to be believable. It is better if it is something simple and not overly complicated, and the closer it is to your actual personality, the easier it is.

The more research you do the better your chance of success. In order to get into character you need to know the setting, the dress, the mannerisms, the environment that the character interacts in. A member of the kitchen staff will have a very different character from an IT helpdesk tech but may have similar traits to a waiter. It is best to scope out the locale for the character and actually learn. Some of the better movie actors do spend significant amounts of time and research learning their character for their next movie. The more believable they are in a scene the better the audience will relate to them or even hate them depending on their character. Bad acting can always be felt by the audience. This is the same with pretexting. The target will see through the ruse if it is not believable.

Another way to make the pretext believable is to bring some of your own likes and dislikes into the character, so that the two of you have similar traits. This will give it a more personal feel. If you like cars, you might be able to play a believable car salesman since you are familiar with the subject. Something that is foreign to you will take more research.

The simpler the character the better; if he is similar to you, then it will not be as much of a leap to make it believable. In the short story “Simulatrix” in grydscaen: tribute, which is coming out in August 2014, Faid has to access the secure labs floor at the SenseNet to gain access to the code base for iNAX Simulation to steal it. He has an ID that gets him into the area and a lab coat. When he gets in the lab, he initiates a conversation with a tech who needs to believe him enough to show him where he can get access to the code base. The tech never suspects him because Faid is able to play the part accurately. Given the time prior to the mission, Faid was able to learn from some of his Packrat team about the security, the room and the activities of the scientists and techs so that he could have a believable pretext for the infiltration.

Another example of pretexting in grydscaen is when Anj plays a data messenger in the short story “Rogue” from grydscaen: tribute and infiltrates the palace to get to Mr. Stuart. He has to have a fake cit card and be wearing the right data messenger dress to get him past the Imperial Guard to even get to Mr. Stuart and show him the video file.

Grydscaen shows various hacking and social engineering techniques throughout the story. Pretexting is just one of the many forms of diversion that lead to access and information gathering that hackers rely on.