Social Engineering with Pretexting

Posted by: Rea Maor In: Security and Prevention - Sunday, October 7th, 2007

In an early scene in the movie “Sneakers”, a security guard is roused by an alarm and rushes to the phone. The voice on the phone reassures the guard that this is a false alarm and that it should stop in a minute. It does. The guard is visibly relieved and thanks the officer. Then we cut to a scene outside the office, where one of the “sneakers” is hanging up the phone – having intercepted the call and pretended to be an officer – and radios the partner cutting wires under the building that they’re all clear.

This is called “pretexting”: pretending to be somebody you’re not over the phone for the purpose of violating your target’s security. It is relatively easy to do, requires no technical skills, and is used all the time by industrial espionage experts, system crackers, and private detectives alike. Let’s take a hypothetical example:

Widget, Incorporated, has a site called “widget.com” that we’d like to break into. The phone number and address of the headquarters office are given on the site itself. Dialing into their phone system will eventually reach our penetration point: a human being who is going to give us the site password. But first, we need to prepare ourselves so that we’ll sound official.

Our first stop will be Netcraft, where we type “www.widget.com” into the search box to find out “what’s that site running?” From the report, we learn their domain registrar (e.g. GoDaddy.com), the location of the server, and the name and address of the registered owner of the domain.

Next, we visit builtwith.com to find out what technology the site is built with. We note whether it uses PHP, SQL, JavaScript, Google ads, WordPress, and so on. To further our pretense, we can check the site through the W3C validation service to find an error. The majority of websites out there will have some minor flaw.

We’re all set to write our phone script, which might go like this:

“Hello, I’m with WebMage development and your boss – is it John Smith? – contracted me to fix some errors with your website at widget.com. Is your boss in?”

(Of course the boss isn’t in – you called at 4:45 PM on a Friday before a 3-day weekend! The receptionist is on her own!)

“Ah, I see. OK, if you go to http://validator.w3.org/ and enter www.widget.com, you’ll see the problem there that I’m trying to fix. (Either the receptionist will take your word for it or will go do that and be ‘convinced’.) I believe it’s a problem with the MySQL retrieval function in the PHP. Your site uses an older version, but GoDaddy.com is famous for hosting older servers without updating them. (Any random techno-babble or ruse using names the receptionist will be familiar with will work here.) The problem is, Mr. Smith needs this fixed by Monday, and I was logged into the site and then got logged out, and I had the login and password right here on my laptop, but the battery just died. Could you go look it up for me?”

The receptionist probably won’t know it herself, but the webmaster’s cubicle is right over there, so she can go find it. If the receptionist is reluctant, you can remark that the site’s problem represents a critical security flaw, so the matter is urgent.

This is just an example of how a little information and a little sweet-talking are all you need! Not much in the way of 1337 hacker skills going on here, but you’d be surprised how often a ploy just like this works.
