Believe it or not, people want to be told what to do. Imagine if you went to a
doctor and he walked in, checked you over, wrote some things on his chart, and
said, “Okay; see you in a month.” That would be unacceptable. Even in the event
of bad news, people want to be told the next step and what to do.

As a social engineer, when you leave the target, you may need him to take or
not take an action, or you may have gotten what you came for and just need to
leave. Whatever the circumstance, giving the target a conclusion or
follow-through fills in the expected gaps for the target.

Just as if a doctor checked you over and sent you home with no directions, if
you engineer your way into a facility as a tech support guy and just walk out
without saying anything to anyone after cloning the database, you leave everyone
wondering what happened. Someone may even call the “tech support company” and
ask whether he needed to do anything, or at worst you just leave the workers
wondering. Either way, leaving everyone hanging is not the way to leave.

Even a simple, “I checked over the servers and repaired the file system; you
should see a 22% increase in speed over the next couple days,” leaves the
targets feeling as if they “got their money’s worth.”

The tricky part for a social engineer is getting the target to take an action
after he or she is gone. If the action is vital for completion of the social
engineer audit, then you may want to take that role upon yourself.

The requests you make should match the pretext, too. If your pretext is being a
tech support guy, you won’t “order” people around with what they must and must
not do; you work for them. If you are a UPS delivery person, you don’t demand
access to the server room.

As mentioned earlier, more steps may exist for perfecting a pretext, but the
ones listed in this chapter can give a social engineer a solid foundation to
build a perfectly believable pretext.

You might be asking, “Okay, so you listed all these principles, but now what?”
How can a social engineer build a well-researched, believable,
spontaneous-sounding, simple pretext that can work either on the phone or in
person and get the desired results?