1

00:00:00,940 --> 00:00:02,080

<v ->In this demonstration,</v>



2

00:00:02,080 --> 00:00:03,960

I'm going to show you how pretexting works



3

00:00:03,960 --> 00:00:05,000

as part of a larger,



4

00:00:05,000 --> 00:00:06,740

social engineering campaign.



5

00:00:06,740 --> 00:00:08,480

Now, to help me with this short example,



6

00:00:08,480 --> 00:00:09,540

let's call up a company



7

00:00:09,540 --> 00:00:10,690

on my speakerphone here,



8

00:00:10,690 --> 00:00:12,560

and see if we can trick the receptionist



9

00:00:12,560 --> 00:00:13,750

into giving me some details



10

00:00:13,750 --> 00:00:15,570

about the model of printers that they have,



11

00:00:15,570 --> 00:00:16,810

and maybe I can figure out



12

00:00:16,810 --> 00:00:18,050

a good attack vector,



13

00:00:18,050 --> 00:00:20,333

to use against them as part of my pen test.



14

00:00:20,333 --> 00:00:21,460

(telephone ringing)



15

00:00:21,460 --> 00:00:23,050

<v ->Hi, Big Old Corporate Headquarters.</v>



16

00:00:23,050 --> 00:00:25,400

This is Sally, how may I help you?



17

00:00:25,400 --> 00:00:26,233

<v ->Yes, hello.</v>



18

00:00:26,233 --> 00:00:27,220

My name is Bob Smith



19

00:00:27,220 --> 00:00:28,860

with Ink and Toner Express.



20

00:00:28,860 --> 00:00:30,120

Our offices received your order



21

00:00:30,120 --> 00:00:31,170

for toner last night,



22

00:00:31,170 --> 00:00:32,270

but we're having a slight delay



23

00:00:32,270 --> 00:00:34,120

in shipping your printer's toner cartridges.



24

00:00:34,120 --> 00:00:35,370

Now, I'm pretty sure I can get you



25

00:00:35,370 --> 00:00:36,990

an alternative shipped out this afternoon,



26

00:00:36,990 --> 00:00:38,680

and to your offices by the morning,



27

00:00:38,680 --> 00:00:40,740

but I need to verify your printer model.



28

00:00:40,740 --> 00:00:42,270

I would hate to send you a couple of cases



29

00:00:42,270 --> 00:00:43,640

of the wrong toner, you know?



30

00:00:43,640 --> 00:00:45,520

Are you guys still using the HP LaserJet



31

00:00:45,520 --> 00:00:47,190

as your multi-function printer?



32

00:00:47,190 --> 00:00:50,100

Could you double-check the model number for me?



33

00:00:50,100 --> 00:00:50,933

<v ->Uh, let me check.</v>



34

00:00:50,933 --> 00:00:52,260

Hold on one second, please.



35

00:00:53,450 --> 00:00:55,730

Alright, now while she's off looking for that,



36

00:00:55,730 --> 00:00:57,190

let's talk about this pretext



37

00:00:57,190 --> 00:00:58,090

for a second.



38

00:00:58,090 --> 00:00:59,810

I have no idea what kind of printer



39

00:00:59,810 --> 00:01:00,750

they're even using,



40

00:01:00,750 --> 00:01:02,890

but I bet she has no idea either.



41

00:01:02,890 --> 00:01:04,430

So, if I just pick one of the big brands



42

00:01:04,430 --> 00:01:06,860

like Epson or HP or Lexmark,



43

00:01:06,860 --> 00:01:08,760

hopefully she's going to go check for me,



44

00:01:08,760 --> 00:01:09,700

and if I get it wrong,



45

00:01:09,700 --> 00:01:12,160

she's going to fill the details in for me.



46

00:01:12,160 --> 00:01:13,600

<v ->Mr. Smith, I just checked,</v>



47

00:01:13,600 --> 00:01:16,770

and it says it's a Konika Minolta C368,



48

00:01:16,770 --> 00:01:17,803

not an HP.



49

00:01:18,680 --> 00:01:20,510

<v ->Oh, right! I see that now.</v>



50

00:01:20,510 --> 00:01:22,040

I'm sorry, I had your order mixed up



51

00:01:22,040 --> 00:01:22,990

with somebody else's.



52

00:01:22,990 --> 00:01:24,520

They have the HPs over there.



53

00:01:24,520 --> 00:01:25,480

You've got those wonderful



54

00:01:25,480 --> 00:01:26,650

Konika Minolta's last year.



55

00:01:26,650 --> 00:01:27,580

I remember that.



56

00:01:27,580 --> 00:01:29,620

Let me double-check my system a second here.



57

00:01:29,620 --> 00:01:31,090

Ah, yes, yes, yes!



58

00:01:31,090 --> 00:01:31,923

I see it now.



59

00:01:31,923 --> 00:01:34,600

The Konika Minolta Bizhub C368.



60

00:01:34,600 --> 00:01:35,670

Perfect, perfect.



61

00:01:35,670 --> 00:01:37,850

I see your order was for two cases of black,



62

00:01:37,850 --> 00:01:40,110

one case of cyan, one case of magenta,



63

00:01:40,110 --> 00:01:41,660

and only half a case of yellow.



64

00:01:42,710 --> 00:01:44,500

Now, here is where I'm going to try to



65

00:01:44,500 --> 00:01:45,560

push my luck and get



66

00:01:45,560 --> 00:01:47,210

some additional details from her.



67

00:01:48,070 --> 00:01:49,910

So Sally, you know that normally



68

00:01:49,910 --> 00:01:51,120

the printer sends us the request



69

00:01:51,120 --> 00:01:53,240

for auto-shipment as it gets low on supplies.



70

00:01:53,240 --> 00:01:54,810

But unfortunately, I was surprised



71

00:01:54,810 --> 00:01:55,870

when Jimmy called us yesterday



72

00:01:55,870 --> 00:01:57,480

to tell us that you guys were running low.



73

00:01:57,480 --> 00:01:58,760

It seems our connection between



74

00:01:58,760 --> 00:02:00,110

your system and ours



75

00:02:00,110 --> 00:02:01,500

is not working quite right.



76

00:02:01,500 --> 00:02:02,333

I was wondering if you could



77

00:02:02,333 --> 00:02:03,600

do me a really, big favor



78

00:02:03,600 --> 00:02:04,760

so we can get this fixed?



79

00:02:04,760 --> 00:02:05,790

I just need you to double-check



80

00:02:05,790 --> 00:02:07,190

the IP address on the printer,



81

00:02:07,190 --> 00:02:08,140

and make sure that I have it



82

00:02:08,140 --> 00:02:09,210

right in our system.



83

00:02:09,210 --> 00:02:10,090

I would hate for the company



84

00:02:10,090 --> 00:02:11,240

to run out of supplies when you're



85

00:02:11,240 --> 00:02:12,600

up against a deadline.



86

00:02:12,600 --> 00:02:13,740

Do you think you have just a moment



87

00:02:13,740 --> 00:02:15,080

that you can help me out real quick?



88

00:02:15,080 --> 00:02:16,860

It'll just take a second.



89

00:02:16,860 --> 00:02:18,870

<v ->Uh, yeah, I guess so.</v>



90

00:02:18,870 --> 00:02:21,260

How do I check the IP address on a printer?



91

00:02:21,260 --> 00:02:22,640

<v ->Oh, it's really, really easy.</v>



92

00:02:22,640 --> 00:02:24,170

All you have to do is go over to the printer,



93

00:02:24,170 --> 00:02:26,050

on the touch screen, press the 'I'



94

00:02:26,050 --> 00:02:27,390

in the upper-right corner.



95

00:02:27,390 --> 00:02:28,280

When that comes up,



96

00:02:28,280 --> 00:02:30,210

just snap a picture with your cell phone,



97

00:02:30,210 --> 00:02:32,010

bring it back here, and you can read me



98

00:02:32,010 --> 00:02:33,570

the details of what I need.



99

00:02:33,570 --> 00:02:35,470

Do you think you could do that for me?



100

00:02:35,470 --> 00:02:36,303

<v ->Oh sure.</v>



101

00:02:36,303 --> 00:02:37,136

That seems easy enough.



102

00:02:37,136 --> 00:02:38,470

I'll be right back.



103

00:02:38,470 --> 00:02:40,130

<v ->Alright, so that's the basic idea</v>



104

00:02:40,130 --> 00:02:41,640

of a pretexting call.



105

00:02:41,640 --> 00:02:43,460

I didn't know anything about the organization,



106

00:02:43,460 --> 00:02:44,810

but giving this receptionist



107

00:02:44,810 --> 00:02:46,540

some kind of likely facts,



108

00:02:46,540 --> 00:02:47,520

like the fact that she's running



109

00:02:47,520 --> 00:02:50,520

an HP system or a large printer in the copy room,



110

00:02:50,520 --> 00:02:52,060

which most businesses have,



111

00:02:52,060 --> 00:02:53,240

that I can trick her into giving me



112

00:02:53,240 --> 00:02:54,810

some kind of information.



113

00:02:54,810 --> 00:02:56,380

Now if you've ever gotten one of those calls,



114

00:02:56,380 --> 00:02:58,500

that says, "Hey, this is John from Microsoft,



115

00:02:58,500 --> 00:03:00,340

and your Windows machine has been reporting



116

00:03:00,340 --> 00:03:01,820

that it's been infected with malware.



117

00:03:01,820 --> 00:03:03,100

I'm calling you to help clean it up.



118

00:03:03,100 --> 00:03:05,500

I just need you to do step one two and three,"



119

00:03:05,500 --> 00:03:07,490

this is a pretexting call.



120

00:03:07,490 --> 00:03:08,670

In fact, this is one of the more common



121

00:03:08,670 --> 00:03:10,350

pretexts out there.



122

00:03:10,350 --> 00:03:11,840

The reason why I even use this example



123

00:03:11,840 --> 00:03:13,940

of a Windows machine calling out with Malware,



124

00:03:13,940 --> 00:03:15,230

is because I had the conversation



125

00:03:15,230 --> 00:03:16,950

with my mom earlier this week.



126

00:03:16,950 --> 00:03:18,220

She had gotten one of these calls



127

00:03:18,220 --> 00:03:19,270

a couple of days ago,



128

00:03:19,270 --> 00:03:20,760

and they were telling her that her computer



129

00:03:20,760 --> 00:03:22,150

was infected with malware



130

00:03:22,150 --> 00:03:24,330

and that her Windows machine was calling out.



131

00:03:24,330 --> 00:03:26,040

And so she started playing along with them



132

00:03:26,040 --> 00:03:28,010

for about 20 minutes, eating up their time



133

00:03:28,010 --> 00:03:29,560

because she knew it was false.



134

00:03:29,560 --> 00:03:31,070

She knew it was a pretext and they were trying



135

00:03:31,070 --> 00:03:32,070

to get to a scam.



136

00:03:32,070 --> 00:03:33,530

And try to coerce her for money,



137

00:03:33,530 --> 00:03:35,440

or to get remote control of her computer.



138

00:03:35,440 --> 00:03:36,870

Now how'd she know this?



139

00:03:36,870 --> 00:03:37,920

Because she's one of those people



140

00:03:37,920 --> 00:03:39,930

in the 10 percent that doesn't run Windows.



141

00:03:39,930 --> 00:03:41,020

She has an iMac.



142

00:03:41,020 --> 00:03:42,720

And so for her, it wasn't something



143

00:03:42,720 --> 00:03:43,680

that she was going to fall for



144

00:03:43,680 --> 00:03:46,020

because she knew she didn't have a Windows machine.



145

00:03:46,020 --> 00:03:47,390

You want to make sure that you do



146

00:03:47,390 --> 00:03:48,980

good user training with your staff



147

00:03:48,980 --> 00:03:51,280

so they understand never to give information out



148

00:03:51,280 --> 00:03:52,113

over the phone.



149

00:03:52,113 --> 00:03:53,810

Even information that seems innocent,



150

00:03:53,810 --> 00:03:55,430

like a model number for a printer



151

00:03:55,430 --> 00:03:56,950

or an IP address of a printer,



152

00:03:56,950 --> 00:03:59,440

can be used as part of a further attack.



153

00:03:59,440 --> 00:04:00,400

And so we want to make sure



154

00:04:00,400 --> 00:04:03,130

we train our employees to not fall for pretext



155

00:04:03,130 --> 00:04:05,040

and don't fill in the gaps for other people



156

00:04:05,040 --> 00:04:06,050

when they're calling you



157

00:04:06,050 --> 00:04:07,460

or even if they're doing it in person,



158

00:04:07,460 --> 00:04:09,590

because pretexting is a way that we give



159

00:04:09,590 --> 00:04:11,880

some amount of information that seems true



160

00:04:11,880 --> 00:04:13,640

so that you'll give us more information



161

00:04:13,640 --> 00:04:14,943

to fill in the gaps.