The most dangerous social engineers are those who can invent a lie so believable that they are able to successfully impersonate a legitimate employee without ever raising suspicion.
This tactic is particularly harmful if real employees can be tricked into believing the criminal is actually a coworker or a member of upper management.
From that point, it is not very difficult for a charismatic social engineer to manipulate the employee into divulging extremely sensitive information–or even worse, granting the impersonator unfettered access to the network.
As improbable as this technique seems, it is actually a favorite weapon in the social engineer’s arsenal. And it has a frighteningly high rate of success.
The primary reasons for the technique’s popularity are:
- The information necessary to construct a credible pre-text is readily available;
- There's almost no chance of being identified or caught; and
- It's much easier to compromise a human being than it is to bypass technological countermeasures.
This type of low-tech method of attack is predicated on the social engineer’s ability to establish credibility and trust with an employee of the targeted company.
To accomplish this, he or she must devise a believable story–or a “pretext”–based on as much factual information as possible. Given that most companies and their staff members post volumes of information about the organization online, forming a detailed pretext is often the easiest part of the process.
The “fellow employee” pretext usually centers on a new employee, an off-site worker, or even a manager from a nondescript department who needs technical assistance, such as resetting credentials, creating a new account or reconnecting to the network from a different location.
In these scenarios, the social engineer must conduct a bit of research about the company and its practices. Next, they collect enough verifiable information about the persona he or she will be assuming so that the elaborate lie can withstand at least a minimal amount of scrutiny.
The con artist may begin weaving the pretext by gathering basic information, such as locations, services and corporate structure. This can be done simply by reading the targeted company’s website or downloading archived newsletters, press releases, and annual reports.
A quick visit to the company’s LinkedIn page or Jigsaw listing will help determine the corporate hierarchy along with each person’s job title.
NEXT: Finding a target