What is pretexting?

From a social engineer’s perspective, pretexting is creating a cover story for their mission – who they are, where they work, where they came from, what their agenda is and every other fact about themselves that fits the narrative of the exercise. Basically, it is a lie that justifies, for example, why they are trying to get into a building.

According to Christopher Hadnagy, though, defining a pretext as a “lie” is an oversimplification because there is more to it. The social engineer should believe the pretext themselves in order to be effective at the task. Method acting is helpful when preparing for and immersing oneself in the pretext for an exercise.


Main Ideas

  • Align your pretext to your end goal. For example, if you have two different targets to penetrate, the pretext that works for an elementary school may not suit a multinational corporate center.
  • Mix a touch of reality into the pretext so it is more believable. Under the Reciprocity Principle, people feel the urge to return a favor or a disclosure when you give them something first. For example, you can share a non-sensitive piece of real personal information, such as the actual high school you went to.
  • Understand how far you should go – you do not need to build a whole fake life for a pretext. As a baseline, always go back to the basic questions anyone silently asks when approached by a stranger:
    • Who are you?
    • What do you want?
    • Are you a threat?
    • How long will this take?
  • To avoid forgetting details during the engagement (short-term memory loss), employ some of the techniques mentioned in the book:
    • Exchange business cards with the target so you can gather as many details as possible;
    • If possible and properly authorized, record the live engagement so you can capture all the details;
    • A partner in crime will also be helpful in remembering things during the exercise;
    • Practice as much as you can.
    • Read books because they help exercise your mind and memory.
  • To support the pretext, a social engineer should also look the part, carry the tools that fit the cover story, and have the specialist knowledge of the person they are pretending to be.
  • Always be prepared for the unexpected during the execution of the exercise – both the social engineer and the pretext itself must be flexible if the situation demands it.

Pretext Executions from History

  • William John Vassall (UK, 1950s–1960s) – The KGB lured Vassall, a British civil servant posted to the embassy in Moscow, into a homosexual encounter at a party—a criminal offense in the UK at the time—then used photographs of it as blackmail to coerce him into spying. MI5-related reports and historical analyses of the Vassall case describe how this personal entrapment served as a classic pretext to force him to spy for the Soviet Union.
  • Clayton J. Lonetree (USA, 1980s) – A woman working for the KGB, under the guise of romance, seduced U.S. Marine Clayton Lonetree while he was serving as an embassy guard at the U.S. Embassy in Moscow. Once he was emotionally involved, he was pressured into handing over highly sensitive material such as embassy floor plans and the identities of covert agents.
  • Hewlett-Packard (HP) Pretexting Scandal (2006) – Private investigators hired on behalf of HP impersonated HP board members and journalists in calls to telephone companies in order to obtain those individuals’ phone records. HP management used this deceptive tactic to find the source of internal board leaks, making it a corporate example of pretexting with a counterfeit identity.

The first two examples combined a pretext with the exploitation of human emotions, while the last used administrative impersonation to exploit a procedural weakness: the telephone companies released records to anyone who could answer a few identity questions over the phone.


Movie Time