Monday, March 22nd, 2010

Social Engineering Techniques/Terms
All social engineering techniques are based on flaws in human judgement known as cognitive biases. These biases are used in various combinations to create attack techniques, some of which are listed here:

Pretexting

Pretexting is the act of creating and using an invented scenario (the pretext) to persuade a target to release information or perform an action, and is usually done over the telephone. It is more than a simple lie: it most often involves some prior research or setup and the use of pieces of already-known information (e.g., for impersonation: birthday, Social Security number, last bill amount) to establish legitimacy in the mind of the target. This technique is often used to trick a business into disclosing customer information, and is used by private investigators to obtain telephone records, utility records, banking records and other information directly from junior customer-service representatives. The information obtained can then be used to establish even greater legitimacy under tougher questioning by a manager (e.g., to make account changes, get specific balances, etc.).

As most U.S. companies still authenticate a client by asking only for a Social Security number, birthday or mother's maiden name (all of which are easily obtained from public records), the method is extremely effective and will likely continue to work until a more stringent identification method is adopted. The underlying weakness is that "something you know" only authenticates when the attacker cannot also know it.

Pretexting can also be used to impersonate co-workers, police, bank, IRS or insurance investigators, or any other individual who could have perceived authority or a right to know in the mind of the target. The pretexter must simply prepare answers to the questions the target might ask. In some cases all that is needed is a voice of the right gender, an earnest tone and an ability to think on one's feet. An example of pretexting can be seen in this episode of The Broken at 8:55.
Phishing

Phishing applies to email appearing to come from a legitimate business (a bank or credit card company) requesting "verification" of information and warning of some dire consequence if it is not done. The message usually contains a link to a fraudulent web page that looks legitimate, with company logos and content, and carries a form requesting everything from a home address to an ATM card's PIN. The link's visible text typically names the real company while the underlying address points somewhere else.

Trojan Horse / Gimmes

Gimmes take advantage of curiosity or greed to deliver malware. Also known as a Trojan horse, a gimme can arrive as an email attachment promising anything from a cool or sexy screen saver, an important anti-virus or system upgrade, or even the latest dirt on an employee. The recipient is expected to give in to the urge to see the program and open the attachment. In addition, many users will blindly click on any attachment they receive that seems even mildly legitimate. See Trojan horse (computing) for more examples.

Another variation uses physical media and relies on the curiosity of the victim: the attacker leaves a malware-infected floppy disk, CD-ROM or USB key in a location sure to be found (bathroom, elevator, sidewalk), gives it a legitimate-looking and curiosity-piquing label, and simply waits. Example: get the corporate logo off the target's web site, make a disk label using the logo and write "Executive Salary Summary 1Q 2006" on the front.

Quid pro Quo

Something for something:

* An attacker calls random numbers at a company claiming to be calling back from technical support. Eventually they will hit someone with a legitimate problem, grateful that someone is calling back to help them. The attacker will "help" solve the problem and in the process have the user type commands that give the attacker access and/or launch malware.
* In a 2003 Infosecurity survey, 90% of office workers outside their building gave away their password in answer to a survey question in exchange for a cheap pen.

Copyright 2008 - France BtoB, from Wikipedia
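The phishing section above describes the core trick: a message whose visible link text names the real company while the href leads to a look-alike or attacker-controlled host. The following is an added example (not code from the original page) of the kind of check a mail gateway or analyst script can run over an HTML message body: it extracts every anchor, compares the domain shown in the link text against the domain the href actually resolves to, and flags raw-IP hosts, user-info tricks (`http://bank.example@evil/`), and hosts that embed the trusted brand name inside an unrelated domain. The sample message, the brand `examplebank.com`, and the look-alike hosts are all constructed for illustration; the two-label `registered_domain` helper is a deliberate simplification of the Public Suffix List.

```python
"""Flag phishing indicators in an HTML email body (added example, stdlib only)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of the "verify your account" lure described above.
# Links 1-3 are suspicious in different ways; link 4 is a genuine one.
SAMPLE_EMAIL = """
<p>Dear customer, your account will be suspended in 24 hours unless you
<a href="http://secure-examplebank.com.login-check.net/verify">verify your details at
https://www.examplebank.com/login</a> immediately.</p>
<p>Or use <a href="http://203.0.113.5/update">this link</a>.</p>
<p>Mobile users: <a href="http://www.examplebank.com@203.0.113.9/">www.examplebank.com</a></p>
<p>Questions? <a href="https://www.examplebank.com/help">Help center</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # normalise whitespace
            self.links.append((self._href, text))
            self._href = None


def registered_domain(host):
    """Crude registrable domain: the last two labels.  Production code should
    use the Public Suffix List (e.g. the tldextract package); this suffices
    for the constructed sample."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


# Something that looks like a URL or bare domain inside visible link text.
_URLISH = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def analyze_links(html, trusted_domain):
    """Return [(href, [reasons...])] for every link that looks like phishing."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        reasons = []
        parts = urlparse(href)
        host = parts.hostname or ""
        if _IPV4.match(host):
            reasons.append("raw IP address as host")
        if parts.username is not None:
            # http://www.examplebank.com@203.0.113.9/ : the brand is userinfo,
            # the real host is whatever follows the '@'.
            reasons.append("userinfo before host")
        shown = _URLISH.search(text)
        if shown and registered_domain(shown.group(1)) != registered_domain(host):
            reasons.append(f"text shows {shown.group(1)} but href goes to {host}")
        if trusted_domain in host and registered_domain(host) != trusted_domain:
            reasons.append(f"brand name embedded in unrelated domain {registered_domain(host)}")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in analyze_links(SAMPLE_EMAIL, "examplebank.com"):
        print(href)
        for r in reasons:
            print("   -", r)
```

Run against the sample, the first three links are reported (domain mismatch plus embedded brand; raw IP; raw IP plus user-info plus mismatch) and the genuine help-center link is not. The check is deliberately conservative: a link whose text is plain words ("this link") is only flagged for properties of the href itself, since there is no displayed domain to compare against.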