Endpoint

11/7/2017
10:30 AM
Joe Gray
Joe Gray
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

How I Infiltrated a Fortune 500 Company with Social Engineering

Getting into the company proved surprisingly easy during a contest. Find out how to make your company better prepared for real-world attacks.

I infiltrated a Fortune 500 company with social engineering techniques (with authorization). Want to know how?

Here's the background: This fall during a security exercise at DerbyCon VII, I won the Social Engineering Capture the Flag (SECTF) contest, in which we all utilized social engineering techniques to collect information that could be used to compromise a company. It was a challenging competition against five top-notch competitors, and I am pleased to say I emerged victorious.

Before the convention, we were each assigned a Fortune 500 company in the Louisville, Kentucky, area and given three weeks to compile a report about them using open source intelligence, or OSINT, which is a means of collecting information from public sources such as search engines, company websites, and social media. At DerbyCon, we made live phone calls from a soundproof box in front of an audience to collect more information. The informational "flags" captured in the report and phone calls were then scored. (A detailed report from Defcon 24 that contains all flags available to capture is available here.)

How I Did It
For the sake of the security of my target company, I will not mention it by name, because I will discuss tactics, techniques, and descriptions of the findings.

To begin, I searched for the company name on both LinkedIn and Facebook. This provided me names to associate with the company, which provided some flags.

Using recon-ng (a software tool used to collect and analyze OSINT) to parse the metadata of publicly hosted files yielded a key piece of information: the phone number syntax on official documents. I used the following search term on Google and found a gold mine: "<REDACTED COMPANY NAME>+(123) 456-." This provided me several names, email addresses, and phone numbers.

One former employee had even emailed a mailing list for help troubleshooting the backup system about a year prior. This allowed me to move to his GitHub account and ascertain data about technologies used internally based on his comments in the code and the code itself.

Other notable findings:

1. From résumés on Indeed.com:

a. Which VoIP system was previously used, and to which system it was upgraded
b. Which type of badge reader (and thus badges) were used
c. Which security company manned the gates

2. From social media:

a. The PR team had uneventful accounts, but they followed all the C-suite executives and most of the VPs
b. An employee posted pictures of his old and new badges on Facebook

3. From Google Street View:

a. Shipping companies used
b. Dumpster company used

I submitted my report and waited for DerbyCon and my time to sit in the booth. In this phase of the competition, I called a few numbers but only reached voicemail. I kept trying. Finally, a nice woman answered, and I explained that I was from "IT security" and that we were preparing for an external audit and needed to validate some information.

I built rapport with her using the topic of craft beer, which was a common theme I observed in researching people around Louisville. I started asking basic questions from my approved pretext (that is, the ruse or scheme used), and she willingly answered. I finally told her that I had deployed a security policy and instructed her to go to a specific website, and she obliged. I thanked her and terminated the call.

I dialed more numbers. All voicemail. Then a woman in the receiving department picked up. I gave the same story, and I was forwarded to a gentleman who later revealed that he worked in IT. Note: I was spoofing an internal IT number for Microsoft Office 365 email migration issues. I explained the pretext to him, this time without mentioning craft beer. I began to ask questions similar to the previous call, and he answered. When I mentioned Bitlocker, he informed me that it was installed because he was using Windows, but a different product was used for encryption and malware protection. When I asked him to go to the website, he grew suspicious and asked for an internal ID number. I made one up and when he put me on hold to validate it, my 20 minutes expired and I terminated the call. 

How Could This Have Been Prevented?
The easiest way to for this company to have prevented this infiltration is through training and simulation. A company's personnel should be wary of unsolicited phone calls and emails asking for network access or credentials. The training should be administered more frequently than once a year. I recommend quarterly training to address new threats and trends as well as to keep it fresh in team members' minds. Some technical security controls may have slowed the process down, but the administrators for those systems could also be targeted and the systems circumvented.

For the phone calls themselves, simply responding to requests by saying, "I am about to step into a quick meeting; could I call you back in X minutes?" would have stopped me in my tracks. Instead, I leveraged Dr. Robert Cialdini's 6 Principles of Persuasion and was able to convey urgency/scarcity and likeability to get the data.

People are going to fall victim to social engineering efforts. I have found that a nonpunitive company policy in response to self-reporting is a great step toward fostering a culture for preventing such attacks. People need to be empowered to report in order to allow incident response to activate early instead of after all systems have been encrypted with ransomware. Additionally, rewarding employees for reporting and helping to thwart attacks will encourage security awareness. A simple example would be a monthly drawing for the most unique phishing email forwarded to the security team.

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry's most knowledgeable IT security experts. Check out the INsecurity agenda here.

Joe Gray joined the US Navy directly out of high school and served for seven years as a submarine navigation electronics technician. Joe is an enterprise security consultant at Sword & Shield Enterprise Security in Knoxville, Tennessee. Joe also maintains his own blog and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
2019 Attacker Playbook
Ericka Chickowski, Contributing Writer, Dark Reading,  12/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
[Sponsored Content] The State of Encryption and How to Improve It
[Sponsored Content] The State of Encryption and How to Improve It
Encryption and access controls are considered to be the ultimate safeguards to ensure the security and confidentiality of data, which is why they're mandated in so many compliance and regulatory standards. While the cybersecurity market boasts a wide variety of encryption technologies, many data breaches reveal that sensitive and personal data has often been left unencrypted and, therefore, vulnerable.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-19790
PUBLISHED: 2018-12-18
An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9 and 4.2.x before 4.2.1. By using backslashes in the `_failure_path` input field of login forms, an attacker can work around the redirection target restricti...
CVE-2018-19829
PUBLISHED: 2018-12-18
Artica Integria IMS 5.0.83 has CSRF in godmode/usuarios/lista_usuarios, resulting in the ability to delete an arbitrary user when the ID number is known.
CVE-2018-16884
PUBLISHED: 2018-12-18
A flaw was found in the Linux kernel in the NFS41+ subsystem. NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process() use wrong back-channel id and cause a use-after-free. Thus a malicious container user can cause a host kernel memory corruption and a system ...
CVE-2018-17777
PUBLISHED: 2018-12-18
An issue was discovered on D-Link DVA-5592 A1_WI_20180823 devices. If the PIN of the page &quot;/ui/cbpc/login&quot; is the default Parental Control PIN (0000), it is possible to bypass the login form by editing the path of the cookie &quot;sid&quot; generated by the page. The attacker will have acc...
CVE-2018-18921
PUBLISHED: 2018-12-18
PHP Server Monitor before 3.3.2 has CSRF, as demonstrated by a Delete action.