Endpoint
11/7/2017
10:30 AM
Joe Gray
Joe Gray
Commentary
Connect Directly
Twitter
Facebook
LinkedIn
RSS
E-Mail vvv
100%
0%

How I Infiltrated a Fortune 500 Company with Social Engineering

Getting into the company proved surprisingly easy during a contest. Find out how to make your company better prepared for real-world attacks.

I infiltrated a Fortune 500 company with social engineering techniques (with authorization). Want to know how?

Here's the background: This fall during a security exercise at DerbyCon VII, I won the Social Engineering Capture the Flag (SECTF) contest, in which we all utilized social engineering techniques to collect information that could be used to compromise a company. It was a challenging competition against five top-notch competitors, and I am pleased to say I emerged victorious.

Before the convention, we were each assigned a Fortune 500 company in the Louisville, Kentucky, area and given three weeks to compile a report about them using open source intelligence, or OSINT, which is a means of collecting information from public sources such as search engines, company websites, and social media. At DerbyCon, we made live phone calls from a soundproof box in front of an audience to collect more information. The informational "flags" captured in the report and phone calls were then scored. (A detailed report from Defcon 24 that contains all flags available to capture is available here.)

How I Did It
For the sake of the security of my target company, I will not mention it by name, because I will discuss tactics, techniques, and descriptions of the findings.

To begin, I searched for the company name on both LinkedIn and Facebook. This provided me names to associate with the company, which provided some flags.

Using recon-ng (a software tool used to collect and analyze OSINT) to parse the metadata of publicly hosted files yielded a key piece of information: the phone number syntax on official documents. I used the following search term on Google and found a gold mine: "<REDACTED COMPANY NAME>+(123) 456-." This provided me several names, email addresses, and phone numbers.

One former employee had even emailed a mailing list for help troubleshooting the backup system about a year prior. This allowed me to move to his GitHub account and ascertain data about technologies used internally based on his comments in the code and the code itself.

Other notable findings:

1. From résumés on Indeed.com:

a. Which VoIP system was previously used, and to which system it was upgraded
b. Which type of badge reader (and thus badges) were used
c. Which security company manned the gates

2. From social media:

a. The PR team had uneventful accounts, but they followed all the C-suite executives and most of the VPs
b. An employee posted pictures of his old and new badges on Facebook

3. From Google Street View:

a. Shipping companies used
b. Dumpster company used

I submitted my report and waited for DerbyCon and my time to sit in the booth. In this phase of the competition, I called a few numbers but only reached voicemail. I kept trying. Finally, a nice woman answered, and I explained that I was from "IT security" and that we were preparing for an external audit and needed to validate some information.

I built rapport with her using the topic of craft beer, which was a common theme I observed in researching people around Louisville. I started asking basic questions from my approved pretext (that is, the ruse or scheme used), and she willingly answered. I finally told her that I had deployed a security policy and instructed her to go to a specific website, and she obliged. I thanked her and terminated the call.

I dialed more numbers. All voicemail. Then a woman in the receiving department picked up. I gave the same story, and I was forwarded to a gentleman who later revealed that he worked in IT. Note: I was spoofing an internal IT number for Microsoft Office 365 email migration issues. I explained the pretext to him, this time without mentioning craft beer. I began to ask questions similar to the previous call, and he answered. When I mentioned Bitlocker, he informed me that it was installed because he was using Windows, but a different product was used for encryption and malware protection. When I asked him to go to the website, he grew suspicious and asked for an internal ID number. I made one up and when he put me on hold to validate it, my 20 minutes expired and I terminated the call. 

How Could This Have Been Prevented?
The easiest way to for this company to have prevented this infiltration is through training and simulation. A company's personnel should be wary of unsolicited phone calls and emails asking for network access or credentials. The training should be administered more frequently than once a year. I recommend quarterly training to address new threats and trends as well as to keep it fresh in team members' minds. Some technical security controls may have slowed the process down, but the administrators for those systems could also be targeted and the systems circumvented.

For the phone calls themselves, simply responding to requests by saying, "I am about to step into a quick meeting; could I call you back in X minutes?" would have stopped me in my tracks. Instead, I leveraged Dr. Robert Cialdini's 6 Principles of Persuasion and was able to convey urgency/scarcity and likeability to get the data.

People are going to fall victim to social engineering efforts. I have found that a nonpunitive company policy in response to self-reporting is a great step toward fostering a culture for preventing such attacks. People need to be empowered to report in order to allow incident response to activate early instead of after all systems have been encrypted with ransomware. Additionally, rewarding employees for reporting and helping to thwart attacks will encourage security awareness. A simple example would be a monthly drawing for the most unique phishing email forwarded to the security team.

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry's most knowledgeable IT security experts. Check out the INsecurity agenda here.

Joe Gray joined the US Navy directly out of high school and served for seven years as a submarine navigation electronics technician. Joe is an enterprise security consultant at Sword & Shield Enterprise Security in Knoxville, Tennessee. Joe also maintains his own blog and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Companies Blindly Believe They've Locked Down Users' Mobile Use
Dawn Kawamoto, Associate Editor, Dark Reading,  11/14/2017
Microsoft Word Vuln Went Unnoticed for 17 Years: Report
Kelly Sheridan, Associate Editor, Dark Reading,  11/14/2017
121 Pieces of Malware Flagged on NSA Employee's Home Computer
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/16/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Managing Cyber-Risk
An online breach could have a huge impact on your organization. Here are some strategies for measuring and managing that risk.
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.