Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

9/3/2014
07:15 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Home Depot, Other Retailers Get Social Engineered

Famed annual contest reveals how many retailers lack sufficient defenses against social engineering.

In the end, it may have been a foreshadowing of sorts: The team assigned to squeeze potentially sensitive information from Home Depot employees in cold calls during this year's Social Engineering Capture the Flag (SECTF) competition at DEF CON 22 won the famed contest.

The social engineering competition held last month in Las Vegas was in no way directly related to a report yesterday that Home Depot may have suffered a massive data breach; the home improvement chain was still investigating suspicious "activity" as of this posting. However, it was among a group of major US retailers that fell to multiple social engineering tactics during the competition.

Nine teams of partners were each assigned to one of nine US retailers unknowingly targeted in the contest: Home Depot, CVS, Costco, Lowe's, Macy's, RiteAid, Staples, Walgreens, and Walmart. The teams competed to glean as many flags as they could from their targets. Their scores were then tallied along with dossiers they submitted before DEF CON that contained intel they had gathered in advance using Google searches, social networks, and other online research (a.k.a. open-source intelligence).

Not all the data from this year's contest has been crunched and analyzed yet, so it's unclear which of the retailers yielded the most "flags" -- designated checklist items that contestants try to glean from cold-calls to their target retailer's employees. These items include the type of browser or operating system the retailer runs, the badges it uses, which social networks it blocks, and duping them into visiting a specific URL.

But the team assigned to social engineer Home Depot scored the most points based on the weighted flags, followed by the team assigned to CVS, according to Christopher Hadnagy, chief human hacker with Social-Engineer Inc. and sponsor of the contest, now in its fifth year. The third-place finishers targeted Walmart, says Hadnagy, who today shared some of the findings with Dark Reading.

However, Hadnagy says this doesn't necessarily mean Home Depot was the most insecure of the retailers. The final scores depend on multiple factors, such as the skill of the contestants, the time of day they make their calls, and the employees they get on the phone.

"The theme of this year's competition was retail, based on the Target" breach revealed this year, Hadnagy says. "We wanted to see: This [Target's breach] just happened, so retailers should probably be on high alert, and maybe the contest would be more challenging. Unfortunately, there was not one company who did well. Not one, if they were my clients, would have gotten a passing grade."

The winning team, which went by the name Schmooze Operators, actually ended up with a substitute teammate during the live contest -- a volunteer from the SE CTF audience -- after a team member fell ill. The two teammates posed as Home Depot's corporate IT department, calling multiple stores in a quest for flags, such as which hardware or software the employee was running.

Hadnagy says some Home Depot employees questioned why the "IT department" wasn't calling from a corporate phone number. "That happened more than once, which is really good. There must be some training [at Home Depot] when you notice this on caller ID."

Even so, the Schmooze Operators mostly were able to explain away the phone number discrepancy and get key information out of the employees. "But one [Home Depot] caller put a stop to the call" during one of the attempts.

[Walmart performed the worst in a high-profile social engineering contest that targeted Target, AT&T, Verizon, HP, Cisco, Mobil, Shell, FedEx, and UPS. Read Retail Fail: Walmart, Target Fared Worst In Def Con Social Engineering Contest.]

Half the contestant teams' scores come from their initial reconnaissance -- what they can glean from open-source intelligence in advance of the live contest.

In a particularly alarming find during the recon phase, one team discovered that a retailer's public website contained a portal to its corporate intranet, which allowed access the internal network without internal credentials. The website provided a handy online instructional document on how to access the intranet with a sample login username and password that actually provides access to the intranet. "The sample username and password works," says Hadnagy, who would not name the errant retailer. "So they stopped" there and went no further. "And we're wondering why so many retailers are getting hacked."

(Source: Social-Engineer.org)
(Source: Social-Engineer.org)

Among the most commonly won flags were information about which websites the retailer blocks. If the retailer blocks Facebook, for example, that would alert an attacker not to bother using Facebook in a phishing email lure. Several retailers gave up the names of their third-party security firms, and they disclosed whether their employee badges were RFID or magnetic stripe, for instance.

Convincing the retailers to visit a URL was an easy flag, too, Hadnagy says.

Several of the retail employees said their company provides security awareness training. "The employees knew what it was, and they have it regularly. But the takeaway [from the contest] is they're not doing a good enough job when things seem fishy… knowing what to do to recognize phishing calls and emails," he says. "Nobody stopped and said, 'I'm gonna call corporate and verify this and then call you back.' We are still a country with retail organizations failing to educate our employees on how to be protected and recognize social engineering attacks."

Social-Engineer Inc. will release the final report on the SECTF on Oct. 27, and it will host a free webinar on Oct. 31 to discuss the findings.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
SteveMorlan
100%
0%
SteveMorlan,
User Rank: Apprentice
9/4/2014 | 2:52:06 PM
Ease of Access
Thank you for the mention of Schmooze Operators. Stephanie and I had a lot of fun participating in the competition. Perhaps the most concerning part, was the ease at which information was acquired from all of the companies. 

Social Engineering training ought to be implemented as part of the security training at all major companies. Regardless of how many millions of dollars are spent on security devices and services, the weakest link will always be the person that speaks to the public. 
<<   <   Page 2 / 2
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19642
PUBLISHED: 2019-12-08
On SuperMicro X8STi-F motherboards with IPMI firmware 2.06 and BIOS 02.68, the Virtual Media feature allows OS Command Injection by authenticated attackers who can send HTTP requests to the IPMI IP address. This requires a POST to /rpc/setvmdrive.asp with shell metacharacters in ShareHost or ShareNa...
CVE-2019-19637
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is an integer overflow in the function sixel_decode_raw_impl at fromsixel.c.
CVE-2019-19638
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is a heap-based buffer overflow in the function load_pnm at frompnm.c, due to an integer overflow.
CVE-2019-19635
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is a heap-based buffer overflow in the function sixel_decode_raw_impl at fromsixel.c.
CVE-2019-19636
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is an integer overflow in the function sixel_encode_body at tosixel.c.