Pretexting is a form of social engineering used to manipulate people into giving attackers sensitive information. They do this by making up a story, and not in the fun Hollywood kind of way starring the likes of Vin Diesel or Emily Blunt. The type of stories that hackers like to spin involve making you believe they are someone they aren't so that they can condition you into feeling safe. In a previous post, we introduced the concept of pretexting, and we went through some common scenarios related to it. To familiarize yourself with pretexting, check out our previous post on this issue: What is a pretext phishing attack?
It is never a good idea to give any personal information to a stranger. You might think that the only thing an attacker can possibly do with your phone number is to call you, but what you're actually doing is giving the attacker... plus whomever they feel like sharing the phone number with... a near infinite number of chances to get ahold of you. You're now their captive audience, as answering any call can escalate into a complex scheme where the attacker uses various tactics to elicit even more sensitive data from you. Additionally, phone numbers are used in authentication methods to identify a person — think of your Gmail account, which gives you the option to have a brief phone call to verify that you're you: with your phone number, an attacker can target that verification method. This is another reason not to give out your phone number to anyone asking for it.
We are frequently seeing attackers use WhatsApp, as these types of messaging apps (like WhatsApp, Telegram, and so forth) provide a good platform for an attacker to both mask their true identity and contact you. In this example, the attacker claims to be busy and therefore unable to talk on the phone, so the attacker wants to continue the contact through messages. Every reply you send the attacker gives them more information to work with.
Don't believe us? Here's a real-life message that we've intercepted and edited for posting on this blog. As you can see, this particular attack preys upon the target's politeness in order for them to do what the hacker wants.
Companies are constantly asking for feedback on their services and products. Most of these surveys are done anonymously, but some ask for the respondent's email address, for example. The email provided may be used to send survey results, advertisements, or follow-up questions. Some attackers take advantage of such surveys to gather information about respondents, which allows them to craft even more convincing attacks.
In this pretext example, the attacker wants to ask the victim for an interview because they were pleased with the responses to an earlier survey. This survey may never have been conducted, but it is used as the story behind this interview request. What makes this more credible is that the attacker intends to contact the victim again. Thus, no action is yet required of the victim.
We have seen various attacks involving Zoom. Sounds weird, right? In some cases, the invitation to join a Zoom call contains a malicious link that delivers malware or steals your credentials with a fake login page. An even more complex way of scamming via Zoom is for the end user to join the call (thinking nothing is wrong) and start a conversation with the attacker. A Zoom call can create a false impression of a safe environment when the attacker is talking to you in real time with their camera on.
This scenario is one of the most used by attackers. You might receive an email stating that there is a serious vulnerability in your account or system. Such messages arouse fear and prompt quick action. If the message also offers a solution to the problem, it is no wonder someone would fall for it.
Another variation of this scenario is that some problem with your account has been detected. The message may claim that your account requires a login or a new password. Usually, these emails appear to come from well-known organizations. If you are in a hurry (or feeling a tad lazy - hey, we've all been there), you might click on the link provided by the hacker instead of going to the organization's website by typing its domain address yourself. In most cases the links are spoofed or faked and lead to a look-alike website that harvests your credentials.
In the pretext below, an attacker claims to have found a serious vulnerability in the company's website. The attacker promises to report the problem if compensation is offered. It is very common that in cases like this, the email does not tell you which problem has been detected. For the company or person to learn anything about this vulnerability, they need to contact the attacker and thus set up direct communication with them, putting the target exactly where the hacker wants them: fearful, vulnerable, and eager to make a perceived threat go away. Hackers use this kind of manipulation all the time.
In our everyday working lives, we meet a lot of people. Sometimes it is hard to remember who we met even just the day before, or with whom we talked on the phone last week. The phrase “It was nice to see you!” from an attacker can be very effective if they know who you have met or where you have been recently. This is collected, for example, from your social media accounts or in some cases outward facing calendars — the type that salespeople use to book calls. Be wary of what you put out there on the internet. Attackers can easily discover what is going on in your life and use that information to make detailed attacks against you.
In this pretext example, the attacker thanks the victim for an interview they allegedly had an hour ago. Next, the attacker secures a time for another meeting. Now, the victim may think that an appointment has already been arranged and the victim has just forgotten to put it on the calendar.
It's not an impossible scenario that an attacker, using a persona and approach like this, could land a (perceived) second interview, which could lead to them spying on the company and passing sensitive information to third parties, or using the information gathered to perform an internal attack later. The real attack below — edited by us to remove identifying information and to show the lengths a hacker will go to mask themselves — is perceived as credible and does not immediately raise doubts, which makes it all the more challenging to detect. Fortunately, the victim remembered that he or she had not recently had an interview with the person contacting them and reported this email to Hoxhunt.