Prerequisites and Setup

Before launching a pretext-based social engineering campaign, ensure you have the necessary tools and configurations to execute efficiently. Begin by selecting a phishing platform like GoPhish for campaign management. Install it using:

docker run --rm -it -p 3333:3333 gophish/gophish

This command runs GoPhish on port 3333, making campaign setup seamless and centralized for management. You’ll also need access to look-alike domain names for your pretext masking. Consider registering IDN homographs, such as mícrosoft.com or variations like secure-login.microsoft.co, to lend credibility to your campaigns. Ensure your email server supports SPF, DKIM, and DMARC configurations to pass initial authenticity checks.

Next, prepare email templates that reinforce your pretext. Given the importance of seemingly legitimate cues, craft visuals and text reflecting your target’s corporate branding. Download signature-style elements from open sources to mimic real corporate email formats. Capturing the genuine look and context drastically improves the plausibility of your pretexts.

Step-by-Step Execution

Identify the Target’s Context

Understanding the target environment is essential for crafting a convincing pretext. Use LinkedIn and official websites to gather information on organizational charts, recent projects, and key decision-makers. Craft an initial email structured like this:

From: jane.doe@secure-login.microsoft.co

To: john.smith@targetcompany.com

Subject: Immediate Action Required: Password Update



Hi John,



We noticed unusual activity from your account in our system. Please update your password within the next 24 hours to maintain access. Use the secure link below:



[Secure Password Update](https://secure-login.microsoft.co/update)



Thank you,

IT Support Team

This email capitalizes on urgency and authority, making it seem like a legitimate action request from the IT department. Also, reinforcing the pretext through look-alike domains adds an extra layer of credibility.

Create the Compelling Narrative

The narrative of your pretext plays a pivotal role in its acceptance. Effective narratives align with current organizational or industry contexts, making them instantly recognisable. For example, if an organization recently underwent a merger, an email about integrating new systems could look like this:

Subject: New System Integration - Mandatory Security Update



Dear Team,



As part of the merger with TechCorp, we are migrating to the new system platform. Kindly confirm below your credentials for seamless integration:



[Update Credentials Here](https://integration-update.techcorp.sys)

This crafted narrative exploits the merge event with an imperative call-to-action, leveraging familiarity to lower defenses and drive action.

Execute and Monitor Engagement

Execute your phishing campaign through your configured platform, enabling tracking and analytics for each sent email. Monitor engagement metrics like opens, clicks, and credential submissions. A typical tracking setup in GoPhish might resemble this configuration:

{

    "name": "Phishing Engagement",

    "template": "Password Update Required",

    "url": "https://track-login-update.com",

    "smtp": {

        "host": "smtp.sendgrid.net",

        "port": 587,

        "from_address": "no-reply@track-login-update.com"

    }

}

Use this configuration to automatically adjust the campaign based on real-time results, ensuring maximum impact. Tracking engagement also helps in identifying and refining the most successful social engineering vectors.

Advanced Variations

Role-Based Tailoring

Enhance pretext believability by targeting specific roles within a company, tailoring your approach to their professional responsibilities. For instance, finance personnel can be targeted with tax filing scenarios during tax season. An example email for this might be:

Subject: Immediate Tax Document Confirmation Required



Dear Finance Team,



The recent tax reforms require immediate confirmation of all financial documentation submitted digitally. Log in to your account to ensure compliance:



[Verify Your Documents](https://tax-documents-confirmation.com/secure)

Leveraging current tax laws and reforms specific to finance responsibilities increases compliance and reduces skepticism.

Utilizing Real Occurrences

A potent pretext derives from real organizational events such as IT outages or upcoming audits. References to such events lend credibility and urgency. An IT outage pretext could look like:

Subject: Service Disruption Alert - Verify Account Access



Dear User,



Due to the recent service disruption, we require all users to verify account access settings to prevent downtime. Access the verification form here:



[Access Verification](https://accounts-disruption-check.com/validate)

This approach plays on resolving a genuine issue, making the request seem not only legitimate but also necessary to prevent further inconvenience.

Good / Better / Best

Good: Use generic pretexts that convey urgency without specific context. This approach is functional but detectable, as it lacks personalization. Example:

Subject: Password Reset Required



Dear User,



Please reset your password immediately to maintain account security.



[Reset Password](https://generic-password-reset.com)

Better: Integrate specific events or roles into your pretexts, building context that resonates more deeply with recipients. Example:

Subject: Quarterly System Audit - Action Required



Hello,



Due to the upcoming audit, please confirm your access settings.



[Confirm Access](https://quarterly-audit-secure.com)

Best: Personalize pretexts using specific, recent events directly tied to organizational roles or known departmental processes, fully integrating contextuality and relevance, thus enhancing believability. Example:

Subject: Annual Financial Review - Immediate Action



Dear John,



Following the merger, we're conducting an annual financial review. Complete the attached questionnaire:



[Complete Review](https://post-merger-review.com)

Related Concepts

Pretexting is only one aspect of social engineering. It often works in tandem with phishing, leveraging authority cues to collect credentials swiftly. Understanding the manipulation principles, like those explored in this Horizon3 whitepaper, can significantly bolster campaign efficacy. Phishing relies heavily on crafted trust and enticing scenarios more than raw urgency alone, requiring thoughtful composition and planning.

References

• Horizon3 ITSM Cyber Risk Guide
• GoPhish Official Documentation
• Wikipedia: Pretexting

Related Reading

• Crafting Phishing Emails: Techniques and Tactics
• Credential Harvesting Made Easy
• Where Do Email Lists Come From?
• Crash-course in SE

Educational Purpose: This content is provided for awareness and defensive purposes only. Understanding attacker methodologies helps individuals and organizations protect themselves.

At the end of the day, everything we discuss here at P&C is around the attack of the system through the user. We aren’t trying to “hack” computers- an adequately secure system is impossible/improbable to penetrate with our resources (and trust me, we have very few resources).
Instead, it’s better to simply go through the front door and not by busting it down, rather, by being invited in.

Social engineering is a manipulative technique intended to exploit human psychology, trust, and emotions to perform specific actions or to make specific decisions, often to the detriment of the target.

Here are some good ones…

“Trusty Caller”

• Jane, a senior manager at a reputable company, receives a call from “David,” who claims to be the IT department. David explains there’s an urgent security update and asks Jane for her login credentials to ensure her account’s safety. Concerned, Jane shares her details without verifying David’s identity. In reality, it’s a social engineer exploiting trust to gain unauthorized access.

“Friendly Face”

• John, an enthusiastic intern, joins a company. On his first day, Sarah, a seasoned employee, befriends him and offers to show him around. As they chat, Sarah casually asks about the company’s upcoming projects. John, eager to fit in, inadvertently shares confidential information, not realizing that Sarah actually works at a competitor firm.

“Tech Support Scam”

• Mark receives a pop-up message on his computer, warning of a virus and providing a phone number for tech support. Panicked, Mark dials the number and connects with “Lisa,” who claims to be from a reputable tech support company. To resolve the issue, Mark grants Lisa remote access to his computer.

“Emergency Impersonator” Tactic

• Emily receives an urgent email from her boss, “Michael,” requesting a wire transfer for a critical business deal. The email claims that Michael is in a remote location and unable to make the transfer himself. Trusting her boss’s email, Emily quickly initiates the transfer, not realizing that the email came from an imposter.

“Bait and Switch” Tactic

• Alex, an online shopper, receives an email offering a limited-time 90% discount on a popular gadget. Excited, Alex clicks the provided link, which redirects to a convincing e-commerce website. Alex places an order using their credit card information, only to find out later that it was a fake site set up by cybercriminals to steal personal and financial data.

About P&C

Phish & Chips.io is a labor of love from seasoned information security and privacy enthusiasts. Although we provide some resources around engineering technical exploits and navigating computer systems, our true passion is for educating people and the study of human social behavior.

To this end, we have created a Phishing Attack Framework which is a great way to navigate this site and learn more about how to utilize social engineering techniques for your next cyber campaign.

Enjoy!

Related Reading

• Email Crafting: Designing Deceptive Messages That Mimic Trusted Sources
• Social Engineering
• Why we care about phishing?
• Looks Can Be Deceptive: Unmasking the Art of Mimicry