March 05, 2014

Pretexting Like a Boss

Written by TrustedSec
Penetration Testing Security Testing & Analysis
Social engineering is by far the easiest way to gain malicious access to a company. A company can spend hundreds of thousands, perhaps even millions, of dollars on perimeter defenses, firewalls, IDS/IPS, etc., but the human element is, and always will be, the weakest link. It is no surprise that more and more companies are choosing to include social engineering in their penetration tests. Looking at the various ways penetration-testing companies perform social-engineering testing, it is clear that not everyone is doing it properly. With social engineering, there is definitely no "one-size-fits-all" template. Yes, you can reuse pretexts and methods on companies of similar size and nature, but when it boils down to it, each company needs to be analyzed individually, and a unique pretext and attack plan needs to be developed specifically for each engagement.

Pretexting:

Behind any successful social-engineering attack is a good pretext. A pretext can be defined as the act of creating an invented scenario to persuade a targeted victim to release information or perform some action. The biggest mistake penetration testers make is not spending enough time developing a believable pretext. We have all, at one time or another, received an email claiming to be from a Nigerian prince who needs you to transfer some amount of money, which will lead to great personal riches. We pretty much all know these are ridiculous and would hope that no one is actually falling for them. Then there are the slightly less obvious but still ridiculous emails claiming to be from FedEx, UPS or some other shipping company, stating that you have a package they are unable to deliver. These unfortunately do work sometimes, but they really shouldn't. The list goes on: fake PayPal, Bank of America, etc. phishing emails are abundant. So what really works in the real world?
During a proper penetration test it is our job to simulate a targeted attack against an organization, not some passive "dragnet" phishing attack. Why? If a company can properly withstand a targeted social-engineering attack, it is far more likely to withstand the lame dragnet phishing attempts. The pure and simple fact is that if an attacker or malicious entity specifically targets your company, or you as an individual, they will not use "conventional" tactics.

So what is involved in a proper pretext? Research: proper and thorough information gathering about the target. The information we look for includes, but is not limited to, the specific company type, size, locations, number of employees, and specific employee information such as email addresses and job titles. In addition, what externally facing websites does the company have? Things like extranet portals, HR sites, VPN gateways, and web mail. News searches and public-relations sites can be a gold mine of information as well. Putting these elements together gives us a general idea of how the company operates and aids in the creation of a pretext and attack plan with the greatest likelihood of success.

Defining pretexts and goals based on the information gathered allows us to compare different attacks and estimate the likelihood of success for each. For instance, if the target company is small, posing as an internal department has a low probability of success, because everyone knows everyone. However, if the company is large and employees do not have much face-to-face interaction with departments such as Human Resources, posing as an internal entity may have a much higher probability of success.

As an example, let's say we have targeted a company with 1000 employees spread out over 5 locations. During information gathering we have discovered that the company deals with insurance claims for the healthcare industry.
As most know, healthcare companies, or companies that handle protected health information, must comply with government regulations such as HIPAA. A proper pretext and attack plan for the organization described above would be to pose as a compliance department within the company, then require employees to follow a link to a "company" website, log on with their domain credentials, and accept an amendment to a government compliance standard. The request is routine, it comes from a department most employees never meet in person, and the regulation it cites is one they have all been trained on.

Putting it together:

Although the purpose of this post is to focus on creating a proper pretext through information gathering, we will touch briefly on some of the technical aspects of the attack. Believe it or not, it's easier than you think. We require very little to do this:
  1. A cloned website resembling one of the company's external websites (the web mail or VPN portal discovered during information gathering works well, since employees already expect to type their domain credentials into it).
  2. A domain that resembles the target domain, for example www.compliance-abc.com . In reality very few people, if any, notice the difference between a dash and a dot in a web address, as long as the visible name still ends in the company's main domain name. Note that compliance-abc.com is a separate registrable domain and not a subdomain of abc.com at all; that is exactly why it is available to register, and why the browser and the certificate treat it as unrelated to the real site.
  3. A valid SSL certificate for our fake domain. This can be purchased for as little as $20 (and domain-validated certificates are issued for free today). It adds to the believability and a sense of security, because if it has SSL it has to be legit, right? In reality a domain-validated certificate only proves control of the lookalike domain, which the attacker already has; the padlock says nothing about who is behind the site.
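The dash-for-dot trick in item 2 cuts both ways, so here is an added example (not TrustedSec's code and not part of SET) that works it from both sides: the attacker-side enumeration of host names that visibly end in the target's name but are really separate registrable domains, and the defender-side check that classifies a host name from a proxy log as a genuine subdomain, a lookalike, or unrelated. The target domain abc.com, the department name "compliance", and the proxy-log lines are constructed for the example, and the public-suffix list is a short inline stand-in so the script runs offline.

```python
"""Lookalike domains from both sides (added example; assumptions: the
target "abc.com", the department "compliance", the log lines and the
inline public-suffix list are all constructed for this illustration)."""
import re

# Constructed stand-in for the Public Suffix List; longest match wins.
# Use the real list (publicsuffix.org) in anything production-grade.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.au"}


def registrable_domain(host):
    """Return the registrable part (eTLD+1) of a host name.

    compliance.abc.com -> abc.com             (a real subdomain)
    compliance-abc.com -> compliance-abc.com  (a completely separate domain)
    """
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # try two-label suffixes such as "co.uk" first
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels)


def lookalike_candidates(department, target_domain):
    """Attacker side: domains that visibly end in the target's name.

    Each one is its own registrable domain, which is why it is available
    to register and why a DV certificate for it is trivial to obtain.
    """
    base, suffix = registrable_domain(target_domain).split(".", 1)
    return [
        f"{department}-{base}.{suffix}",  # compliance-abc.com  (dash for dot)
        f"{base}-{department}.{suffix}",  # abc-compliance.com
        f"{department}{base}.{suffix}",   # complianceabc.com   (dot dropped)
    ]


def classify_host(host, company_domain):
    """Defender side: how does this host relate to the company domain?

    Returns "legit-subdomain", "dash-lookalike", "suffix-swap",
    "embedded-lookalike" or "unrelated". The decision is made on the
    registrable domain, which is what the certificate and the browser
    actually bind to, not on what the string looks like to a human.
    """
    company_domain = company_domain.lower()
    reg = registrable_domain(host)
    if reg == company_domain:
        return "legit-subdomain"
    base = company_domain.split(".", 1)[0]
    label = reg.split(".", 1)[0]  # "compliance-abc" for compliance-abc.com
    tokens = label.split("-")
    if len(tokens) > 1 and base in tokens:
        return "dash-lookalike"
    if label == base:
        return "suffix-swap"  # abc.net instead of abc.com
    # Short company names (three or four characters) make this test noisy;
    # tune it, or require a minimum base length, for your own organization.
    if label.startswith(base) or label.endswith(base):
        return "embedded-lookalike"
    return "unrelated"


# Constructed proxy-log lines: timestamp, client, method, URL.
SAMPLE_PROXY_LOG = """\
2014-03-05T09:12:01 10.1.2.3 GET https://webmail.abc.com/owa/
2014-03-05T09:14:37 10.1.2.3 GET https://www.compliance-abc.com/hipaa/amendment
2014-03-05T09:15:02 10.1.2.9 GET https://www.example.org/
2014-03-05T09:16:44 10.1.2.7 POST https://complianceabc.com/login
"""

URL_HOST_RE = re.compile(r"https?://([^/\s:]+)")


def suspicious_hosts(log_text, company_domain):
    """Return (host, verdict) for every URL whose host mimics the company domain."""
    hits = []
    for line in log_text.splitlines():
        m = URL_HOST_RE.search(line)
        if not m:
            continue
        verdict = classify_host(m.group(1), company_domain)
        if verdict not in ("legit-subdomain", "unrelated"):
            hits.append((m.group(1), verdict))
    return hits


if __name__ == "__main__":
    for cand in lookalike_candidates("compliance", "abc.com"):
        print(f"{cand:22} -> {classify_host(cand, 'abc.com')}")
    for host, verdict in suspicious_hosts(SAMPLE_PROXY_LOG, "abc.com"):
        print(f"flag {host}: {verdict}")
```

Run stand-alone it prints the three candidate domains with their verdicts and then flags the two log entries that point at lookalikes while leaving webmail.abc.com alone. The point of `classify_host` is the one made in item 2: a human compares the visible string, but everything that matters technically (what you can register, what a certificate is issued for, what the browser considers the same site) is decided by the registrable domain, so a defender's check must be made on that and not on a substring match.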
SET (Social Engineering Toolkit):

SET is a very robust tool that we can use for cloning a website. It also gives us options to embed malicious payloads as well as harvest credentials. Techniques like these have been discussed in depth in previous blog posts, and several walkthroughs are available online. SET is available for download from the "downloads" section of TrustedSec's website.

Conclusion:

Spending the time to profile your target and properly research a believable pretext really is the key to a successful social-engineering test, whether it's a phishing attack, over the phone, or in person. Some great resources for learning more about pretexting and all aspects of social engineering are available from our good friend Chris Hadnagy at http://www.social-engineer.org . He has written two books on the subject, and they are available on Amazon. I highly recommend you read them. http://www.amazon.com/s/ref=ntt_athr_dp_sr_1?_encoding=UTF8&field-author=Christopher%20Hadnagy&search-alias=digital-text&sort=relevancerank