"One of them said the questions [asked of her] sounded 'fishy'" and that she couldn't answer the questions for security reasons, says Chris Hadnagy, founder of social-engineer.org, which sponsored the Social Engineering Capture The Flag contest in Las Vegas last week. "We all clapped -- we thought that [reaction] was great. Unfortunately, the contestant [then] got a different lady at a different location of the company and was successful."
Success was the overwhelmingly disturbing trend in the contest, in which around 17 contestants each had 25 minutes to social-engineer information by phone out of the specific company they had been assigned. Each contestant had been given a "target" company in advance of the contest and was allowed to gather as much information as possible passively (no phone calls, email, or direct contact) before the big showdown in Vegas.
They scored points based on the predesignated "flags" they were able to capture -- everything from finding out who supplies the company's in-house café food to the type and version of browser employees use, their antivirus program, and who handles the trash dumpsters. The flag worth the highest number of points was getting the employee to visit a URL, and every target-company employee who was given the URL visited it.
All of the contestants were able to social-engineer information out of their targeted companies, posing, for instance, as journalists, IT survey-takers, and businessmen. The list of companies targeted in the contest included Google, BP, McAfee, Symantec, Shell, Microsoft, Oracle, Cisco, Apple, and Walmart. The contest organizers won't reveal which company's employees gave up what information, but the bottom line is that it worked better than the organizers had anticipated.
"I didn't expect it to go as well as it did. In this day and age, I thought more companies would be a lot more security-conscious and not give out such detailed information," says Hadnagy, who is also operations manager for Offensive-Security.com. "From a security professional's standpoint, it was discouraging that this is a massive subset of corporate America -- oil, retail, manufacturing, phone, and security companies. It's a little scary."
Hadnagy says that in all cases but one, where the contestant was unable to get a person on the phone at all, the social engineering exploits worked. The contestants each came up with their own pretext for the call, using their own styles and personas. "Every company where we were able to contact a human, they were successful at social-engineering them," he says.
He says the fact that some of the employees visited a URL at the urging of the social-engineering caller raises a red flag. "The fact that we can make them go to a URL after we asked them what type of browser they had" is worrisome, according to Hadnagy. The outcome would have been severe if an attacker were able to do the same with a malicious page, he says.
Meanwhile, the contestants were limited in what they could gather from the target firm: They weren't allowed to do anything illegal, including obtaining credit card or Social Security numbers or passwords, or to make the target feel "at risk" in any way, and they weren't allowed to pose as any government agency, law enforcement, or legal entity as a ruse to get information.
The winner of the contest, "Scott," used the pretext of a businessman. "Believing he was who he said he was" was a winning recipe, Hadnagy says. Another pretext that worked for contestants was asking for help. "The magic words, 'Can you please help me?' trigger a sort of automatic response in the human psyche," he says.
Dave Marcus, research and communications director for McAfee Labs, says the contest should serve as a teaching moment for companies. But it's not all about training employees, he says. "This is exceptionally difficult. You can social-engineer anybody provided that you know enough about them and are persistent enough," he says. "I think rather than having some generic walk-through course on this, you should put employees into scenario-based training ... have them sit through getting socially engineered and have them go through what it's like to get phished on the phone versus some slide deck saying, 'This is social engineering.'"
Marcus, who spoke at Defcon about a social engineering project of his own using social networks, says it's not difficult to build a profile of a person based on their tweets, blogs, and other online activity in order to social-engineer them.