Endpoint

11/7/2017
10:30 AM
Joe Gray
Joe Gray
Commentary
Connect Directly
LinkedIn
Twitter
Facebook
RSS
E-Mail vvv
100%
0%

How I Infiltrated a Fortune 500 Company with Social Engineering

Getting into the company proved surprisingly easy during a contest. Find out how to make your company better prepared for real-world attacks.

I infiltrated a Fortune 500 company with social engineering techniques (with authorization). Want to know how?

Here's the background: This fall during a security exercise at DerbyCon VII, I won the Social Engineering Capture the Flag (SECTF) contest, in which we all utilized social engineering techniques to collect information that could be used to compromise a company. It was a challenging competition against five top-notch competitors, and I am pleased to say I emerged victorious.

Before the convention, we were each assigned a Fortune 500 company in the Louisville, Kentucky, area and given three weeks to compile a report about them using open source intelligence, or OSINT, which is a means of collecting information from public sources such as search engines, company websites, and social media. At DerbyCon, we made live phone calls from a soundproof box in front of an audience to collect more information. The informational "flags" captured in the report and phone calls were then scored. (A detailed report from Defcon 24 that contains all flags available to capture is available here.)

How I Did It
For the sake of the security of my target company, I will not mention it by name, because I will discuss tactics, techniques, and descriptions of the findings.

To begin, I searched for the company name on both LinkedIn and Facebook. This provided me names to associate with the company, which provided some flags.

Using recon-ng (a software tool used to collect and analyze OSINT) to parse the metadata of publicly hosted files yielded a key piece of information: the phone number syntax on official documents. I used the following search term on Google and found a gold mine: "<REDACTED COMPANY NAME>+(123) 456-." This provided me several names, email addresses, and phone numbers.

One former employee had even emailed a mailing list for help troubleshooting the backup system about a year prior. This allowed me to move to his GitHub account and ascertain data about technologies used internally based on his comments in the code and the code itself.

Other notable findings:

1. From résumés on Indeed.com:

a. Which VoIP system was previously used, and to which system it was upgraded
b. Which type of badge reader (and thus badges) were used
c. Which security company manned the gates

2. From social media:

a. The PR team had uneventful accounts, but they followed all the C-suite executives and most of the VPs
b. An employee posted pictures of his old and new badges on Facebook

3. From Google Street View:

a. Shipping companies used
b. Dumpster company used

I submitted my report and waited for DerbyCon and my time to sit in the booth. In this phase of the competition, I called a few numbers but only reached voicemail. I kept trying. Finally, a nice woman answered, and I explained that I was from "IT security" and that we were preparing for an external audit and needed to validate some information.

I built rapport with her using the topic of craft beer, which was a common theme I observed in researching people around Louisville. I started asking basic questions from my approved pretext (that is, the ruse or scheme used), and she willingly answered. I finally told her that I had deployed a security policy and instructed her to go to a specific website, and she obliged. I thanked her and terminated the call.

I dialed more numbers. All voicemail. Then a woman in the receiving department picked up. I gave the same story, and I was forwarded to a gentleman who later revealed that he worked in IT. Note: I was spoofing an internal IT number for Microsoft Office 365 email migration issues. I explained the pretext to him, this time without mentioning craft beer. I began to ask questions similar to the previous call, and he answered. When I mentioned Bitlocker, he informed me that it was installed because he was using Windows, but a different product was used for encryption and malware protection. When I asked him to go to the website, he grew suspicious and asked for an internal ID number. I made one up and when he put me on hold to validate it, my 20 minutes expired and I terminated the call. 

How Could This Have Been Prevented?
The easiest way to for this company to have prevented this infiltration is through training and simulation. A company's personnel should be wary of unsolicited phone calls and emails asking for network access or credentials. The training should be administered more frequently than once a year. I recommend quarterly training to address new threats and trends as well as to keep it fresh in team members' minds. Some technical security controls may have slowed the process down, but the administrators for those systems could also be targeted and the systems circumvented.

For the phone calls themselves, simply responding to requests by saying, "I am about to step into a quick meeting; could I call you back in X minutes?" would have stopped me in my tracks. Instead, I leveraged Dr. Robert Cialdini's 6 Principles of Persuasion and was able to convey urgency/scarcity and likeability to get the data.

People are going to fall victim to social engineering efforts. I have found that a nonpunitive company policy in response to self-reporting is a great step toward fostering a culture for preventing such attacks. People need to be empowered to report in order to allow incident response to activate early instead of after all systems have been encrypted with ransomware. Additionally, rewarding employees for reporting and helping to thwart attacks will encourage security awareness. A simple example would be a monthly drawing for the most unique phishing email forwarded to the security team.

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry's most knowledgeable IT security experts. Check out the INsecurity agenda here.

Joe Gray joined the US Navy directly out of high school and served for seven years as a submarine navigation electronics technician. Joe is an enterprise security consultant at Sword & Shield Enterprise Security in Knoxville, Tennessee. Joe also maintains his own blog and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Is Threat Intelligence Garbage?
Chris McDaniels, Chief Information Security Officer of Mosaic451,  5/23/2018
New Mexico Man Sentenced on DDoS, Gun Charges
Dark Reading Staff 5/18/2018
What Israel's Elite Defense Force Unit 8200 Can Teach Security about Diversity
Lital Asher-Dotan, Senior Director, Security Research and Content, Cybereason,  5/21/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Shhh!  They're watching... And you have a laptop?  
Current Issue
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-3018
PUBLISHED: 2018-05-24
The AXIS webapp in deploy-tomcat/axis in IBM Tivoli Application Dependency Discovery Manager (TADDM) 7.1.2 and 7.2.0 through 7.2.1.4 allows remote attackers to obtain sensitive configuration information via a direct request, as demonstrated by happyaxis.jsp. IBM X-Force ID: 84354.
CVE-2013-3023
PUBLISHED: 2018-05-24
IBM Tivoli Application Dependency Discovery Manager (TADDM) 7.1.2 and 7.2.0 through 7.2.1.4 might allow remote attackers to obtain sensitive information about Tomcat credentials by sniffing the network for a session in which HTTP is used. IBM X-Force ID: 84361.
CVE-2013-3024
PUBLISHED: 2018-05-24
IBM WebSphere Application Server (WAS) 8.5 through 8.5.0.2 on UNIX allows local users to gain privileges by leveraging improper process initialization. IBM X-Force ID: 84362.
CVE-2018-5674
PUBLISHED: 2018-05-24
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader before 9.1 and PhantomPDF before 9.1. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw...
CVE-2018-5675
PUBLISHED: 2018-05-24
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader before 9.1 and PhantomPDF before 9.1. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw...