Episode 16: Pretexting – What You Need to Know
Social engineering starts with research: you have to understand your target and gather some information before you can move on to phase 2. Phase 2 is pretexting, and that’s the topic of Episode 16.
Pretexting is similar to building rapport with someone. An attacker tries to build a relationship with the victim using information uncovered during research. The difference is that the attacker has no intention of maintaining the relationship; in most cases they are trying to gain access in order to steal and/or cause damage.
In this episode, we define pretexting, share a few examples of pretexting in action, and explain how to avoid becoming a victim of it.
People are the weakest link in any cybersecurity plan. We’re distracted, exhausted and often unmotivated. It’s time to change the approach used to protect our businesses, technology, identity and data: the human element has to be front and center in the war against data breaches and ransomware attacks. It’s time to educate.
Recently, I was on site replacing some networking equipment for a client. During this process, I needed some configuration information from the ISP. The owner of the business was not available, and I had no information about the account other than the static IP and the name of the ISP. I found a phone not in use in the business and determined that the phone service was also through the ISP. Knowing that most telecommunications companies use 611 to call from their provider phones into the ISP, I gave it a shot. Sure enough, I got into the ISP’s queue and was verified right away because I was calling from the phone system they provided. Great. When I got a rep on the phone, I asked for the information I was looking for, and I was asked for additional account information in the form of an account PIN. This is common procedure now for a lot of telecommunications providers. I was also advised that they would need this information from the account holder. Fortunately, I had not given them a name yet, but I was not sure whose name the account was under, so I played dumb: “Oh, I’m not sure if the account is under my operations manager or myself. Let me see if I can find the recent bill.” The rep came back with “Mr. Smith”; I still hadn’t given my name yet. “It looks like you haven’t set up a PIN on your account yet. We can do that now. I just need some information from your modem.” Fortunately, the modem was right in front of me, so I provided the MAC address to the rep and then asked that they verify the networking information I needed. They obliged. I said I would call back to set up the PIN, disconnected the call and went about my day. I’ve done this numerous times with a number of telecommunication companies for various reasons. While the account verification requirements have gotten stricter, it can still be done given the right person on the other end of the phone and a little bit of honey.
This is what you call pretexting. Welcome to the Human Element podcast. Visit our website at TheHumanElement.net for more content to help you strengthen your awareness of the people problem in cybersecurity. I am Scott Gombar, owner of Washtech, a client-focused, security-minded, proactive IT service provider. All right, this is Episode 16, and we’re going to call this “Pretexting: What You Need to Know.” It’s a working title for now, but I may change the title on the social media stuff and the website. Anyway. You hear a lot about social engineering. Why is it so successful? Why are people falling for these tricks all the time? Often it starts with, it almost always starts with, pretexting. The definition of pretexting is a social engineering technique in which an attacker creates a false or fabricated scenario to deceive and manipulate their target into divulging sensitive information, granting access to restricted resources or performing actions that benefit the attacker. Pretexting often involves the attacker impersonating a trustworthy individual or authority figure, such as a company executive, IT support personnel or a law enforcement officer. The attacker crafts a convincing narrative, or pretext, leveraging the target’s trust and willingness to comply, ultimately leading to the compromise of information or systems. Now, you’ve probably seen TV shows where pretexting is done: somebody dresses up as, let’s say, a UPS driver and pretends to deliver a package, gets through the front doors and into the office, and then does whatever they’re there to do. While that is a form of pretexting, it’s also sometimes called piggybacking; they get through by following somebody else in while carrying a bunch of boxes. So that’s a form of it. It happens more now
Virtually, so in other words, through a phone call or email, they’ll pretend to be someone they’re not, or set up a pretext using a method that would gain your trust. So it’s sort of a form of rapport building, I guess. They’ll gain your trust. You’ll hear this a lot with the Microsoft scam: somebody calls up, pretends to be from Microsoft, says they’ve noticed that your computer’s spreading malware throughout the internet, and they want to gain access to your computer to help troubleshoot the problem. And so you let them onto your computer, thinking this is actually a Microsoft employee. They may even spoof their number; this is part of pretexting a lot of the time, they’ll spoof their number, and that in itself is not that hard to do. But they’ll spoof their number, get onto your system, and then they’re likely going to steal some information, install a way to get back onto your computer, or install a keylogger. Any number of things could happen. And ultimately, this is what they’re trying to do: they’re trying to gain something, gain information, gain access to something, and usually the end result can be very damaging. So what are some examples of pretexting? I’ve got one story from 2021, and then I created another sort of narrative of what a pretext would look like, and we’re going to get to both of those. So the story from 2021 is “Hackers impersonate HR employees to hit Israeli targets.” Ultimately, what they do is, these are Iranian hackers, associated with the Iranian government, a group called Lyceum, also known as Hexane and Siamese Kitten. They created a LinkedIn profile for the former HR manager of a technology company called ChipPC, to create a profile on LinkedIn of someone who’s looking to recruit employees. Now, the pretext that they used is that they found the identity of a former HR person.
So we often wonder why people create clones of our Facebook accounts, or of our LinkedIn or Instagram accounts. This is why: they’re trying to trick someone into doing something. They’re trying to create a pretext. So what they found was that this person, or this group, I should say, created a fake LinkedIn profile using the name of an ex-HR manager at ChipPC. And when they did this, they were able to use the pretext of a job offer and ultimately deliver malware to potential victims. How did they do this? First, they identified potential victims; that would be employees or potential employees. They identified Human Resources department employees to impersonate. They created a phishing website that impersonates the target organization, and again, it’s not hard to duplicate a website; it’s actually gotten even easier thanks to artificial intelligence. They created lure files compatible with the impersonated organization. When you think of lures, you think of, you know, fishing bait. They set up fake profiles on LinkedIn in the name of the HR employee, contacted potential victims with an alluring job offer detailing a position in the impersonated organization, and sent the victim to a phishing website with the lure file. And then that person, going in and downloading the file, downloaded a backdoor that infected the system and connected to a command and control server over DNS and HTTPS. These are protocols that are used to connect to other resources over the internet. Then something called the DanBot Remote Access Trojan is downloaded to the infected system, and a remote access Trojan is something that allows the bad guys to maintain access to your device or your computer whenever they want. The hackers also got data for espionage purposes and tried to spread on the network. So this is what they did. This was reported in 2021, but it goes back as far as 2018, when they started this campaign.
So they used the pretext of an HR manager to attract their potential victims; the potential victims would be job seekers. In doing so, they were able to gain access to systems, maintain that access, steal data, eventually drop other malicious content remotely, probably, and then spread throughout the network, which is probably what they’re most interested in: gaining access into the business, any number of businesses really. So they gain access: somebody’s looking to change jobs, so it might be an internal job board, they might have cloned an internal job board or an external job board, depending on how the company works, and in doing so, gotten current employees to download this malware onto the system, which then probably helped them get a foothold into the network and spread throughout the network. All this was successful because they used the pretext of an HR manager for an IT company. And in the image shared in the article, the article’s on BleepingComputer, the LinkedIn profile didn’t even have a profile image. Now, I don’t know if that’s an accurate depiction of what really happened, but that is what they shared. So no profile image, and people still fell for it, if that is the case.
Now, the reason something like that would be so successful is that there are people looking for jobs all the time. They want, you know, a better job, a better-paying job, something they’d rather do than what they’re currently doing. For all of these reasons people are always looking. You know, I own a company and I still look at the jobs that are available sometimes, partly because some of those jobs could actually be potential clients, but also partly because you never know what you might stumble on. And I definitely looked way more often when I was employed by someone else; I looked for jobs all the time, because you always have to keep your options open. Pretexting is often the very first step, or one of the very first; research is probably the first step, but once you have that research and information, then pretexting is next. You’ve got to create that relationship, you’ve got to build that rapport, and that’s what pretexting is really all about. All right, so now here’s my fictional story, which may or may not be loosely based on actual events. I’m going to call the story “The Unseen Intruder.” Chapter One: The Mastermind’s Plan. John Kellerman, a highly skilled social engineer, had meticulously crafted his plan to infiltrate Exo Corp, a multinational technology firm known for its advanced cybersecurity measures. He had spent months researching the company and its employees, studying their habits and gathering as much information as possible. His goal was to gain access to Exo Corp’s cutting-edge artificial intelligence technology. John’s plan was to use pretexting, a social engineering technique in which an attacker creates a believable scenario to manipulate the target into revealing sensitive information. He decided to pose as a high-ranking executive from Exo Corp’s headquarters, contacting employees through carefully crafted emails and phone calls.
Now, I’m going to stop there for a second and say, a lot of these companies, especially certain types of companies, and I’m not going to list those types of companies, but a lot of these companies like to display their high-ranking officials on their websites, and some companies list their entire team. This could be used against you. Chapter Two: The Deception Begins. John initiated his plan by sending a well-written email to the company’s IT department, to Sarah Thompson. The email appeared to come from Exo Corp’s CEO and informed Sarah that an urgent security audit would be conducted by an external team led by John Kellerman, a seasoned cybersecurity expert. To make the email more convincing, John added details that he had gleaned from his research, such as references to a recent company event and the CEO’s personal interests. Sarah, convinced by the authenticity of the email, responded with her cooperation and provided John with her direct phone number. Because it’s human nature to be cooperative, to be nice, to be helpful. And so Sarah says, I’m going to help out, this sounds important. This is Chapter Three now: The Phone Call. John called Sarah posing as the cybersecurity expert tasked with leading the security audit. He skillfully used his knowledge of industry jargon and Exo Corp’s internal procedures to establish trust. He told Sarah that a series of tests would be conducted to ensure that the company’s security protocols were up to date, and that he needed remote access to the company’s servers. That should be a red flag right there. To make the request appear legitimate, John mentioned specific details about Exo Corp’s security protocols and emphasized the need for confidentiality. Sarah, eager to assist in the security audit and believing John to be a trusted expert, provided him with the necessary login credentials. Chapter Four: The Breach. With Sarah’s help, John successfully gained remote access to Exo Corp’s servers.
Unbeknownst to Sarah, he began searching for the coveted AI technology. He seamlessly navigated the company’s complex network, bypassing firewalls and other security measures. John found the files he was looking for and swiftly downloaded them onto his encrypted laptop. With the prized technology in his possession, he covered his tracks and disconnected from the company’s network. And then Chapter Five: The Aftermath. In the following days, Exo Corp discovered the breach and launched a full-scale investigation. Sarah was devastated to learn that she had unwittingly aided in the theft of the company’s most valuable asset. The experience served as a harsh lesson in the importance of vigilance and skepticism, even when dealing with seemingly trustworthy individuals. As for John, he vanished without a trace, leaving Exo Corp to grapple with the consequences of the attack. This unseen intruder had successfully exploited the power of pretexting, demonstrating the chilling effectiveness of social engineering in the digital age. So now the question is, how do you protect yourself from this? I’m going to give you a couple of common techniques and another story, and we’ll wrap it up with how to protect yourself. One of the more common pretexting methods is phishing emails; we talk about phishing on this podcast a lot. Phishing emails, a lot of the time, are sent with false intentions. Some of the more common ones: you receive a receipt for your purchase from Best Buy for $500. That’s meant to do two things. One is to start a pretext, because you’re then going to place a phone call, and two, to scare you a little bit, because you just spent $500 and you’re not aware of it. Another common phishing scenario that I’m starting to see more and more of in my own inboxes is that my Facebook account is going to be suspended or deleted. Facebook doesn’t just randomly send these emails out.
And often you can tell that it’s fake because of the email sender, but, you know, that’s a different topic; just know that phishing is a common form of pretexting, along with its variations: vishing, which is voice phone calls, which is probably more common because it does have a higher level of trust when it’s done over the phone, and smishing, which is texting. When they’re combined, text message and phone call, or email and phone call, they have a much higher success rate. So look out for that. Tailgating attacks: we talked a little bit about that. The UPS driver comes in with a bunch of packages in hand and you are more apt to hold the door for them because they can’t get the door for themselves. You should just advise them. One suggestion is to advise them to wait for whoever the delivery is for; another suggestion is to hold the packages so that they can do what they need to do to get into the building, because if that’s the case and they are tailgating, then they’re more likely to just leave. But it’s not just UPS drivers: pizza deliveries, HVAC employees, electrical employees, they should be allowed in by the person they’re claiming to be there for. Now, here’s one that’s a little more complex that uses both phone and text. You suddenly receive a phone call stating that they detected fraudulent activity on your bank account, and the person on the other end says that they need to verify who they’re talking to. So before they can verify that, they will send you a text message, and you just give them the code that’s in the text message. This is your two-factor authentication that they’re setting off by trying to log into your account. So you provide the code, and now they have access to your bank account. And this is starting to increase more and more. The important thing here is never provide your two-factor authentication code to anybody.
The banks, or any other organization, do not need it to access whatever information they’re trying to access. Never provide the two-factor authentication code to anybody. Now here’s a scenario that occurred in real life: Ubiquiti Networks. They make networking equipment; we’re actually partnered with them, they’re one of the networking equipment vendors that we use. They lost almost $40 million due to an impersonation scam. The pretexter sent messages to Ubiquiti employees, pretended to be corporate executives, and requested millions of dollars to be sent to various bank accounts. One of the techniques used was a lookalike URL. This is when you buy a domain. So let’s say there is their domain. I don’t know if they own ubiquity.com, but that’s not the domain that I’m familiar with. So let’s say they do own ubiquity.com; they change one of the i’s to a one. And so when the email goes out with that domain name, the URL, it looks like ubiquity.com because of the way the i’s and the ones look alike, or an L, or anything like that. So that’s a common
scenario where they use lookalike URLs. There’s some law around pretexting. Pretexting, generally speaking, is illegal in the United States, but especially for financial institutions that fall under the Gramm-Leach-Bliley Act, GLBA, of 1999. There is an update to that act, the FTC Safeguards Rule, that’s going into effect on June 9, and that broadens the scope of the FTC and also broadens who is covered under the rules. There are more institutions now, not just banks, but lots of other “financial institutions,” and I’m using air quotes because it’s a little bit gray for some, but there are a lot of businesses that fall into that now. So now it will be illegal for pretexting to be used against any of these organizations. Now, there are scenarios where it is legal; you require a sign-off by the company itself, and this is for pen testing purposes. So how do you prevent pretexting? It’s mostly education; there’s really not much else you could do. There’s not a software out there that’s going to prevent pretexting. Now there are methods to prevent what comes after pretexting, you know, the launching of malware or the installation of remote access Trojans and things like that; those can be prevented. However, the actual pretexting itself cannot be stopped; there will always be attempts. And so the best ways to do that are, one, education; two, processes. So have processes in place that say, you know, if we’re going to wire money, these are the steps we need to take; we do not accept communications via X, Y and Z; if you need to change instructions, this is what you need to do to change those instructions. So have very strict processes that cannot be changed for anything.
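One process-level control that can be automated is checking sender domains and links against the lookalike trick from the Ubiquiti story above (an i swapped for a 1 or an l). The following is an added example, not code from the podcast or from Ubiquiti; its confusable table and trusted-domain list (the speaker’s hypothetical ubiquity.com plus thehumanelement.net) are constructed assumptions.

```python
"""Lookalike-domain check for sender addresses and links.

Added illustration for the lookalike-URL scenario; not code from the podcast.
The confusable table and the trusted-domain list are constructed assumptions
(a production version would use Unicode TR39 confusables and a public-suffix list).
"""
import unicodedata
from urllib.parse import urlsplit

# Characters that read as another letter at a glance (the "i to 1" trick).
SINGLE_CONFUSABLES = {"1": "i", "l": "i", "|": "i", "!": "i",
                      "0": "o", "3": "e", "5": "s", "$": "s"}
# Two-character sequences that look like one letter; applied first.
MULTI_CONFUSABLES = {"rn": "m", "vv": "w"}

# Constructed allow-list: the speaker's hypothetical ubiquity.com and the podcast's site.
TRUSTED = {"ubiquity.com", "thehumanelement.net"}


def skeleton(domain: str) -> str:
    """Collapse a domain to a form in which visually similar spellings collide."""
    s = unicodedata.normalize("NFKD", domain.lower())
    s = "".join(ch for ch in s if not unicodedata.combining(ch))  # drop accents
    for seq, letter in MULTI_CONFUSABLES.items():
        s = s.replace(seq, letter)
    return "".join(SINGLE_CONFUSABLES.get(ch, ch) for ch in s)


def extract_host(text: str) -> str:
    """Return the host of a URL, or the domain part of an e-mail address."""
    if "@" in text:
        return text.rsplit("@", 1)[1].strip("<> ").lower()
    url = text if "://" in text else "http://" + text
    return (urlsplit(url).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Assumption: no public-suffix list, so
    'ubiquity.com.evil.example' yields 'evil.example', never 'ubiquity.com'."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def classify(text: str, trusted=TRUSTED):
    """Return ('trusted', d), ('lookalike', d) or ('unknown', None), where d is
    the trusted domain the input is, or is imitating."""
    domain = registrable_domain(extract_host(text))
    if domain in trusted:
        return "trusted", domain
    sk = skeleton(domain)
    for good in trusted:
        if skeleton(good) == sk:
            return "lookalike", good
    return "unknown", None


if __name__ == "__main__":
    # Constructed samples: a genuine sender, three lookalikes, an unrelated host.
    for sample in ["ceo@ubiquity.com", "cfo@ub1quity.com",
                   "https://ubiquity.corn/wire-instructions",
                   "thehurnanelernent.net",
                   "https://ubiquity.com.evil.example/login"]:
        print(f"{sample:45} -> {classify(sample)}")
```

A "lookalike" verdict on a wire-transfer request is exactly the point at which the strict process above should force an out-of-band callback.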
And then the education. You know, this podcast is a form of education. Having training within your organization to teach all employees, and it’s from the top down, all employees, how to recognize social engineering scams and what to do in the event that you do recognize a social engineering scam. So there are going to be different responses for different things. Phishing emails: you’re going to report it to IT and have them investigate. If it’s somebody trying to piggyback their way into the building, that’s a different set of rules. If it’s somebody calling on the phone pretending to be the CFO, that’s going to have a different set of rules. So there are going to be the processes, and then there’s going to be the education. And that’s really all you can do to prevent any type of social engineering, but especially pretexting, because if you recognize it in the early stages of the attack, you’re more likely to prevent it from occurring at all. And that’s going to do it for Episode 16, “Pretexting: What You Need to Know.” I do apologize for the basically four-month layoff; Washtech has blown up and I’ve been super busy. I’m going to try to get back to at least twice a month on this podcast. So look for future episodes. Until next time, stay safe, stay secure.
Transcribed by https://otter.ai