AbleToTrain by Willing & Able

Pretexting

A pretext is a made-up scenario developed by threat actors for the purpose of stealing a victim's personal data.

During pretexting attacks, attackers ask victims for personal information, supposedly to confirm the victim's identity. In reality, the attackers steal this information and then use it for illicit gain and to commit identity-related crimes.

Sophisticated pretexting attacks may attempt to trick victims into performing an action that exploits the physical and/or digital weaknesses of an organization. For example, a threat actor can pretend to be an external IT service auditor and use this alias to persuade the organization's physical security team to let the threat actor into the building.

Many attackers who use this type of attack pretend to be Treasury employees or HR managers. These impersonations can target C-level executives and other employees with broader privileges, who are more valuable to attackers. While phishing attacks typically use urgency and fear to prey on victims, pretexting attacks create false confidence in targeted victims. This requires the threat actor to build a credible story so that the victim does not suspect foul play.

Pretexting Attack Techniques

Pretexters use sophisticated tactics to make victims trust them and then hand over personal information.

Types of pretexting attacks:

  1. Impersonation

An impersonator pretends to be a trusted person, for example a colleague or friend. This involves maintaining a sense of credibility, often by spoofing the phone numbers or email addresses of the impersonated institutions or individuals.

An example of impersonation is the SIM swap scam, which exploits weaknesses in two-step verification processes that rely on SMS or phone verification to take over target accounts. The pretexter impersonates the victim, claims to have lost their phone, and persuades the mobile operator to switch the phone number to the attacker's SIM. One-time passwords are then delivered to the attacker, not the victim. A successful example of this kind of spoofing social engineering attack was the 2015 attack on Ubiquiti Networks. An employee received a message from a fraudster posing as a corporate executive requesting payment to the attacker's bank account. This cost the company $46.7 million.

  2. Tailgating

Tailgating is a social engineering technique that gives an attacker physical access to a facility. Tailgating means following an authorized person into the facility unnoticed. Upon reaching the entrance, an attacker can quickly insert a foot or other object into the door before it is fully closed and latched.

  3. Piggybacking

Piggybacking is very similar to tailgating, except that the authorized person is aware of the actor and allows them to piggyback on their credentials. For example, an authorized person arrives at the entrance to the facility. Another person claims to have forgotten their access badge, approaches, and asks for help. It may be a woman holding a heavy box. In either case, the authorized person may decide to help these people get into the building.

  4. Baiting

A baiting attack is an attempt to make a fascinating promise to lure victims into a trap. Attackers typically aim to distribute malware or steal sensitive information.

Baiting attacks often rely on malware-infected hardware such as flash drives, frequently with a label or branding added to make them look genuine.

The bait is placed in frequently visited places such as lobbies, bus stops and toilets. The attacker positions it so that the victim notices it and has an incentive to insert it into a personal or business device. The baiting hardware then installs the malicious software on the device. Baiting can also be carried out online. For example, attractive ads can direct victims to malicious websites or urge them to download malware-infected applications.

  5. Phishing

Phishing impersonates a trusted entity in communications such as email and text messages to obtain sensitive information such as payment card details and passwords. Phishing is a separate category from pretexting, but the two can be combined, and phishing attempts often use pretext scenarios. The pretext increases the chances of a successful phishing attempt, for example if the targeted employee believes he or she is talking to a contractor or employer. A compromised employee account can also be used for further pretexting attacks that target individuals via spear phishing.

For example, MacEwan University in Canada fell victim to a phishing scam that cost the university about US$9 million in 2017. The targeted employee changed the payment details, believing that the fraudster was a contractor.

  6. Voice phishing and smishing

Voice phishing (or vishing) is a social engineering technique. This type of attack uses the phone to trick the victim into revealing sensitive information or granting the attacker remote access to the victim's computing device.

For example, in a typical vishing scheme, an attacker impersonates an IRS employee and calls the victim. Attackers often intimidate or threaten victims into making a payment or disclosing personal information. The IRS vishing scheme is usually aimed at the elderly. However, without proper training, anyone can be fooled by a voice phishing scam.

SMS phishing (or smishing) is a type of social engineering similar to voice phishing or phishing. It uses the same techniques but is carried out via SMS or text message.

  7. Scareware

Scareware attacks bombard victims with fictitious threats and false alarms. Victims are fooled into believing that their system is infected with malware. They are then asked to install malware or software that benefits the attacker in some way. Scareware is also known as deception software, rogue scanner software, and fraudware.