Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


07:15 PM
Connect Directly

Home Depot, Other Retailers Get Social Engineered

Famed annual contest reveals how many retailers lack sufficient defenses against social engineering.

In the end, it may have been a foreshadowing of sorts: The team assigned to squeeze potentially sensitive information from Home Depot employees in cold calls during this year's Social Engineering Capture the Flag (SECTF) competition at DEF CON 22 won the famed contest.

The social engineering competition held last month in Las Vegas was in no way directly related to a report yesterday that Home Depot may have suffered a massive data breach; the home improvement chain was still investigating suspicious "activity" as of this posting. However, it was among a group of major US retailers that fell to multiple social engineering tactics during the competition.

Nine teams of partners were each assigned to one of nine US retailers unknowingly targeted in the contest: Home Depot, CVS, Costco, Lowe's, Macy's, RiteAid, Staples, Walgreens, and Walmart. The teams competed to glean as many flags as they could from their targets. Their scores were then tallied along with dossiers they submitted before DEF CON that contained intel they had gathered in advance using Google searches, social networks, and other online research (a.k.a. open-source intelligence).

Not all the data from this year's contest has been crunched and analyzed yet, so it's unclear which of the retailers yielded the most "flags" -- designated checklist items that contestants try to glean from cold-calls to their target retailer's employees. These items include the type of browser or operating system the retailer runs, the badges it uses, which social networks it blocks, and duping them into visiting a specific URL.

But the team assigned to social engineer Home Depot scored the most points based on the weighted flags, followed by the team assigned to CVS, according to Christopher Hadnagy, chief human hacker with Social-Engineer Inc. and sponsor of the contest, now in its fifth year. The third-place finishers targeted Walmart, says Hadnagy, who today shared some of the findings with Dark Reading.

However, Hadnagy says this doesn't necessarily mean Home Depot was the most insecure of the retailers. The final scores depend on multiple factors, such as the skill of the contestants, the time of day they make their calls, and the employees they get on the phone.

"The theme of this year's competition was retail, based on the Target" breach revealed this year, Hadnagy says. "We wanted to see: This [Target's breach] just happened, so retailers should probably be on high alert, and maybe the contest would be more challenging. Unfortunately, there was not one company who did well. Not one, if they were my clients, would have gotten a passing grade."

The winning team, which went by the name Schmooze Operators, actually ended up with a substitute teammate during the live contest -- a volunteer from the SE CTF audience -- after a team member fell ill. The two teammates posed as Home Depot's corporate IT department, calling multiple stores in a quest for flags, such as which hardware or software the employee was running.

Hadnagy says some Home Depot employees questioned why the "IT department" wasn't calling from a corporate phone number. "That happened more than once, which is really good. There must be some training [at Home Depot] when you notice this on caller ID."

Even so, the Schmooze Operators mostly were able to explain away the phone number discrepancy and get key information out of the employees. "But one [Home Depot] caller put a stop to the call" during one of the attempts.

[Walmart performed the worst in a high-profile social engineering contest that targeted Target, AT&T, Verizon, HP, Cisco, Mobil, Shell, FedEx, and UPS. Read Retail Fail: Walmart, Target Fared Worst In Def Con Social Engineering Contest.]

Half the contestant teams' scores come from their initial reconnaissance -- what they can glean from open-source intelligence in advance of the live contest.

In a particularly alarming find during the recon phase, one team discovered that a retailer's public website contained a portal to its corporate intranet, which allowed access the internal network without internal credentials. The website provided a handy online instructional document on how to access the intranet with a sample login username and password that actually provides access to the intranet. "The sample username and password works," says Hadnagy, who would not name the errant retailer. "So they stopped" there and went no further. "And we're wondering why so many retailers are getting hacked."

(Source: Social-Engineer.org)
(Source: Social-Engineer.org)

Among the most commonly won flags were information about which websites the retailer blocks. If the retailer blocks Facebook, for example, that would alert an attacker not to bother using Facebook in a phishing email lure. Several retailers gave up the names of their third-party security firms, and they disclosed whether their employee badges were RFID or magnetic stripe, for instance.

Convincing the retailers to visit a URL was an easy flag, too, Hadnagy says.

Several of the retail employees said their company provides security awareness training. "The employees knew what it was, and they have it regularly. But the takeaway [from the contest] is they're not doing a good enough job when things seem fishy… knowing what to do to recognize phishing calls and emails," he says. "Nobody stopped and said, 'I'm gonna call corporate and verify this and then call you back.' We are still a country with retail organizations failing to educate our employees on how to be protected and recognize social engineering attacks."

Social-Engineer Inc. will release the final report on the SECTF on Oct. 27, and it will host a free webinar on Oct. 31 to discuss the findings.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
User Rank: Apprentice
9/4/2014 | 2:52:06 PM
Ease of Access
Thank you for the mention of Schmooze Operators. Stephanie and I had a lot of fun participating in the competition. Perhaps the most concerning part, was the ease at which information was acquired from all of the companies. 

Social Engineering training ought to be implemented as part of the security training at all major companies. Regardless of how many millions of dollars are spent on security devices and services, the weakest link will always be the person that speaks to the public. 
<<   <   Page 2 / 2
RDP Bug Takes New Approach to Host Compromise
Kelly Sheridan, Staff Editor, Dark Reading,  7/18/2019
The Problem with Proprietary Testing: NSS Labs vs. CrowdStrike
Brian Monkman, Executive Director at NetSecOPEN,  7/19/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-07-23
Upwork Time Tracker doesn't verify the SHA256 hash of the downloaded program update before running it, which could lead to code execution or local privilege escalation by replacing the original update.exe.
PUBLISHED: 2019-07-23
GNUBOARD5 has XSS that allows remote attackers to inject arbitrary web script or HTML via the &quot;board title contents&quot; parameter, aka the adm/board_form_update.php bo_subject parameter.
PUBLISHED: 2019-07-23
Jsish 2.4.84 2.0484 is affected by: Reachable Assertion. The impact is: denial of service. The component is: function Jsi_ValueArrayIndex (jsiValue.c:366). The attack vector is: executing crafted javascript code. The fixed version is: after commit 738ead193aff380a7e3d7ffb8e11e446f76867f3.
PUBLISHED: 2019-07-23
If hyperthreading is not disabled, a timing attack vulnerability exists, similar to previous Spectre attacks. Apple has shipped macOS 10.14.5 with an option to disable hyperthreading in applications running untrusted code in a thread through a new sysctl. Firefox now makes use of it on the main thre...
PUBLISHED: 2019-07-23
A possible vulnerability exists where type confusion can occur when manipulating JavaScript objects in object groups, allowing for the bypassing of security checks within these groups. *Note: this vulnerability has only been demonstrated with UnboxedObjects, which are disabled by default on all supp...