I infiltrated a Fortune 500 company with social engineering techniques (with authorization). Want to know how?
Here's the background: This fall during a security exercise at DerbyCon VII, I won the Social Engineering Capture the Flag (SECTF) contest, in which we all utilized social engineering techniques to collect information that could be used to compromise a company. It was a challenging competition against five top-notch competitors, and I am pleased to say I emerged victorious.
Before the convention, we were each assigned a Fortune 500 company in the Louisville, Kentucky, area and given three weeks to compile a report about them using open source intelligence, or OSINT, which is a means of collecting information from public sources such as search engines, company websites, and social media. At DerbyCon, we made live phone calls from a soundproof box in front of an audience to collect more information. The informational "flags" captured in the report and phone calls were then scored. (A detailed report from Defcon 24 that contains all flags available to capture is available here.)
How I Did It
For the sake of the security of my target company, I will not mention it by name, because I will discuss tactics, techniques, and descriptions of the findings.
To begin, I searched for the company name on both LinkedIn and Facebook. This provided me names to associate with the company, which provided some flags.
Using recon-ng (a software tool used to collect and analyze OSINT) to parse the metadata of publicly hosted files yielded a key piece of information: the phone number syntax on official documents. I used the following search term on Google and found a gold mine: "<REDACTED COMPANY NAME>+(123) 456-." This provided me several names, email addresses, and phone numbers.
One former employee had even emailed a mailing list for help troubleshooting the backup system about a year prior. This allowed me to move to his GitHub account and ascertain data about technologies used internally based on his comments in the code and the code itself.
Other notable findings:
1. From résumés on Indeed.com:
a. Which VoIP system was previously used, and to which system it was upgraded
b. Which type of badge reader (and thus which badges) was used
c. Which security company manned the gates
2. From social media:
a. The PR team had uneventful accounts, but they followed all the C-suite executives and most of the VPs
b. An employee posted pictures of his old and new badges on Facebook
3. From Google Street View:
a. Shipping companies used
b. Dumpster company used
I submitted my report and waited for DerbyCon and my time to sit in the booth. In this phase of the competition, I called a few numbers but only reached voicemail. I kept trying. Finally, a nice woman answered, and I explained that I was from "IT security" and that we were preparing for an external audit and needed to validate some information.
I built rapport with her using the topic of craft beer, which was a common theme I observed in researching people around Louisville. I started asking basic questions from my approved pretext (that is, the ruse or scheme used), and she willingly answered. I finally told her that I had deployed a security policy and instructed her to go to a specific website, and she obliged. I thanked her and terminated the call.
I dialed more numbers. All voicemail. Then a woman in the receiving department picked up. I gave the same story, and I was forwarded to a gentleman who later revealed that he worked in IT. Note: I was spoofing an internal IT number for Microsoft Office 365 email migration issues. I explained the pretext to him, this time without mentioning craft beer. I began to ask questions similar to the previous call, and he answered. When I mentioned BitLocker, he informed me that it was installed because he was using Windows, but a different product was used for encryption and malware protection. When I asked him to go to the website, he grew suspicious and asked for an internal ID number. I made one up, and when he put me on hold to validate it, my 20 minutes expired and I terminated the call.
How Could This Have Been Prevented?
The easiest way for this company to have prevented this infiltration is through training and simulation. A company's personnel should be wary of unsolicited phone calls and emails asking for network access or credentials. The training should be administered more frequently than once a year. I recommend quarterly training to address new threats and trends as well as to keep it fresh in team members' minds. Some technical security controls may have slowed the process down, but the administrators for those systems could also be targeted and the systems circumvented.
For the phone calls themselves, simply responding to requests by saying, "I am about to step into a quick meeting; could I call you back in X minutes?" would have stopped me in my tracks. Instead, I leveraged Dr. Robert Cialdini's 6 Principles of Persuasion and was able to convey urgency/scarcity and likeability to get the data.
People are going to fall victim to social engineering efforts. I have found that a nonpunitive company policy in response to self-reporting is a great step toward fostering a culture for preventing such attacks. People need to be empowered to report in order to allow incident response to activate early instead of after all systems have been encrypted with ransomware. Additionally, rewarding employees for reporting and helping to thwart attacks will encourage security awareness. A simple example would be a monthly drawing for the most unique phishing email forwarded to the security team.