Pretexting 假借借口
What is Pretexting? 什么是假借借口?
● Pretexting is the process of creating a false pretext or scenario to gain the trust of targets and extract sensitive information. This may involve impersonating authority figures, colleagues, or service providers to manipulate victims into divulging confidential data.
● Simply put, it is putting someone or an employee in a familiar situation to get them to divulge information.
● Unlike other forms of social engineering that rely on deception or coercion, pretexting involves the creation of a false narrative or context to establish credibility and gain the trust of the target.
● 假借借口是创建虚假前提或情景以获得目标的信任并提取敏感信息的过程。这可能涉及冒充权威人物、同事或服务提供者,以操纵受害者泄露机密数据。
● 简单地说,就是把某人或员工置于一个熟悉的情境中,以获取他们的信息。
● 与依赖欺骗或胁迫的其他社会工程形式不同,假借借口涉及创建虚假叙述或上下文以建立可信度并赢得目标的信任。
Characteristics of Pretexting 假借借口的特征
● False Pretense: The attacker creates a fictional story or pretext to deceive the target into believing that the interaction is legitimate and trustworthy. This pretext often involves impersonating someone with authority, expertise, or a legitimate reason for requesting information or assistance.
● Establishing Trust: The attacker uses the pretext to establish rapport and build trust with the target. This may involve leveraging social engineering techniques, such as mirroring the target’s language, tone, and behavior, to create a sense of familiarity and connection.
● 虚假借口:攻击者创建一个虚构的故事或借口,以欺骗目标相信交互是合法且可信的。这种借口通常涉及冒充某个有权威、专业知识或有正当理由请求信息或帮助的人。
● 建立信任:攻击者使用这个借口建立与目标的关系并建立信任。这可能涉及利用社会工程技术,如模仿目标的语言、语调和行为,以创造一种熟悉感和联系。
● Manipulating Emotions: Pretexting often exploits human emotions, such as curiosity, fear, urgency, or sympathy, to manipulate the target’s behavior. By appealing to these emotions, the attacker can influence the target’s decision-making process and increase compliance with their requests.
● Information Gathering: Once trust is established, the attacker seeks to extract sensitive information or access privileges from the target. This may involve posing as a trusted entity (e.g., colleague, vendor, service provider) and requesting information under the pretext of a legitimate need or emergency.
● 操纵情感:假借借口常常利用人类的情感,如好奇心、恐惧、紧迫感或同情心,来操纵目标的行为。通过诉诸这些情感,攻击者可以影响目标的决策过程并增加其对请求的服从。
● 收集信息:一旦建立了信任,攻击者便寻求从目标那里提取敏感信息或获取访问权限。这可能涉及冒充受信任的实体(例如同事、供应商、服务提供者)并在合法需求或紧急情况的借口下请求信息。
● Maintaining Consistency: To maintain the illusion of legitimacy, the attacker ensures that the pretext remains consistent and plausible throughout the interaction.
● This may require careful planning, research, and improvisation to adapt to the target’s responses and maintain credibility.
● 保持一致性:为了维持合法性的幻象,攻击者确保在整个互动过程中借口保持一致性和合理性。
● 这可能需要仔细的计划、研究和即兴发挥,以适应目标的反应并保持可信度。
Pretexting Examples 假借借口的例子
● Tech Support Scam: An attacker poses as a technical support representative from a legitimate company and contacts individuals, claiming that their computer is infected with malware. The attacker convinces the target to provide remote access to their computer or install malicious software under the pretext of fixing the issue.
● Job Interview Scam: An attacker pretends to be a recruiter or hiring manager from a reputable company and contacts job seekers, offering them fake job opportunities or conducting fraudulent job interviews. The attacker may request sensitive personal information or payment under the pretext of processing the job application.
● 技术支持诈骗:攻击者冒充来自合法公司的技术支持代表,联系个人,声称他们的电脑感染了恶意软件。攻击者以解决问题的借口,说服目标提供电脑的远程访问权限或安装恶意软件。
● 工作面试诈骗:攻击者假装是来自知名公司的招聘人员或招聘经理,联系求职者,提供虚假的工作机会或进行欺诈性的工作面试。攻击者可能会以处理工作申请的借口,请求敏感的个人信息或付款。
● Emergency Situation: An attacker fabricates an emergency situation, such as a security breach, data leak, or system outage, and contacts employees, requesting immediate assistance or information. The attacker exploits the target’s sense of urgency and concern to extract sensitive information or gain access to systems under the pretext of resolving the emergency.
● 紧急情况:攻击者捏造一个紧急情况,如安全漏洞、数据泄露或系统中断,并联系员工,请求立即的帮助或信息。攻击者利用目标的紧迫感和担忧,在解决紧急情况的借口下,提取敏感信息或获得系统访问权限。
Importance and Impact 重要性及影响
● Pretexting can be highly effective in bypassing technical controls and exploiting human vulnerabilities within organizations. It relies on psychological manipulation and social engineering tactics to deceive targets and achieve malicious objectives.
● Pretexting attacks can lead to data breaches, financial losses, reputational damage, and regulatory penalties for organizations. Therefore, it is essential for organizations to raise awareness about pretexting techniques, implement robust security policies and procedures, and provide training to employees to recognize and mitigate social engineering attacks.
● 假借借口在绕过技术控制和利用组织内部的人类弱点方面可以非常有效。它依赖于心理操纵和社会工程技巧来欺骗目标并实现恶意目的。
● 假借借口攻击可能导致数据泄露、经济损失、声誉损害和组织的监管处罚。因此,组织有必要提高对假借借口技术的认识,实施健全的安全政策和程序,并为员工提供培训,以识别和缓解社会工程攻击。
Pretexting Templates/Samples 假借借口模板/样本
Corporate IT Department Upgrade:
● Pretext: The attacker impersonates a member of the company’s IT department and sends an email to employees, claiming that the company’s email system is being upgraded. The email instructs recipients to click on a link to update their email settings to avoid service disruptions.
● Objective: To trick employees into clicking on the malicious link, which leads to a phishing website where they are prompted to enter their email credentials, allowing the attacker to steal their login information.
公司 IT 部门升级:
● 借口:攻击者冒充公司 IT 部门的成员,向员工发送电子邮件,声称公司的电子邮件系统正在升级。邮件指示收件人点击链接以更新他们的电子邮件设置,以避免服务中断。
● 目标:诱使员工点击恶意链接,该链接将引导至一个钓鱼网站,在该网站上,员工被要求输入他们的电子邮件凭据,从而允许攻击者窃取他们的登录信息。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
<!-- PRETEXT OVERVIEW:
Credential capture.
$organization: Target organization.
$evilurl: URL to cloned Office 365 portal.
$evildomain: Spoofed domain.
Can be sent as helpdesk@domain.com.
Don't forget to setup the mailbox for user replies!
-->
<b>Subject: New Webmail - Office 365 Rollout</b>
<br>
<br>
Dear colleagues,
<br>
<br>
In an effort to continue to bring you the best available technology, $organization has implemented the newest version of Microsoft's Office 365 Webmail.
Your existing emails, contacts, and calendar events will be seamlessly transferred to your new account.
<br>
<br>
Visit the [new webmail website]($evilurl) and login with your current username and password to confirm your upgraded account.
<br>
<br>
If you have additional questions or need clarification, please contact the Help Desk at helpdesk@$evildomain.
<br>
<br>
Thank you,
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
<!-- 假借概述:
凭证捕获。
$organization:目标组织。
$evilurl:克隆的 Office 365 门户网站的 URL。
$evildomain:伪造的域名。
可作为 helpdesk@domain.com 发送。
别忘了设置邮箱以接收用户回复!
-->
<b>主题:新网邮 - Office 365 推出</b>
<br>
<br>
亲爱的同事们,
<br>
<br>
为了持续为您提供最佳的可用技术,$organization 已实施了 Microsoft Office 365 Webmail 的最新版本。
您现有的电子邮件、联系人和日历事件将无缝转移到您的新账户。
<br>
<br>
请访问[新网邮网站]($evilurl),并使用您当前的用户名和密码登录,以确认您的账户已升级。
<br>
<br>
如果您有其他问题或需要澄清,请联系帮助台,邮箱为 helpdesk@$evildomain。
<br>
<br>
谢谢您,
References & Resources 参考资料与资源
A library of pretexts to use on offensive phishing engagements: https://github.com/L4bF0x/PhishingPretexts/tree/master
用于攻击性钓鱼行动的借口库:https://github.com/L4bF0x/PhishingPretexts/tree/master