Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


07:15 PM
Connect Directly

Home Depot, Other Retailers Get Social Engineered

Famed annual contest reveals how many retailers lack sufficient defenses against social engineering.

In the end, it may have been a foreshadowing of sorts: The team assigned to squeeze potentially sensitive information from Home Depot employees in cold calls during this year's Social Engineering Capture the Flag (SECTF) competition at DEF CON 22 won the famed contest.

The social engineering competition held last month in Las Vegas was in no way directly related to a report yesterday that Home Depot may have suffered a massive data breach; the home improvement chain was still investigating suspicious "activity" as of this posting. However, it was among a group of major US retailers that fell to multiple social engineering tactics during the competition.

Nine teams of partners were each assigned to one of nine US retailers unknowingly targeted in the contest: Home Depot, CVS, Costco, Lowe's, Macy's, RiteAid, Staples, Walgreens, and Walmart. The teams competed to glean as many flags as they could from their targets. Their scores were then tallied along with dossiers they submitted before DEF CON that contained intel they had gathered in advance using Google searches, social networks, and other online research (a.k.a. open-source intelligence).

Not all the data from this year's contest has been crunched and analyzed yet, so it's unclear which of the retailers yielded the most "flags" -- designated checklist items that contestants try to glean from cold-calls to their target retailer's employees. These items include the type of browser or operating system the retailer runs, the badges it uses, which social networks it blocks, and duping them into visiting a specific URL.

But the team assigned to social engineer Home Depot scored the most points based on the weighted flags, followed by the team assigned to CVS, according to Christopher Hadnagy, chief human hacker with Social-Engineer Inc. and sponsor of the contest, now in its fifth year. The third-place finishers targeted Walmart, says Hadnagy, who today shared some of the findings with Dark Reading.

However, Hadnagy says this doesn't necessarily mean Home Depot was the most insecure of the retailers. The final scores depend on multiple factors, such as the skill of the contestants, the time of day they make their calls, and the employees they get on the phone.

"The theme of this year's competition was retail, based on the Target" breach revealed this year, Hadnagy says. "We wanted to see: This [Target's breach] just happened, so retailers should probably be on high alert, and maybe the contest would be more challenging. Unfortunately, there was not one company who did well. Not one, if they were my clients, would have gotten a passing grade."

The winning team, which went by the name Schmooze Operators, actually ended up with a substitute teammate during the live contest -- a volunteer from the SE CTF audience -- after a team member fell ill. The two teammates posed as Home Depot's corporate IT department, calling multiple stores in a quest for flags, such as which hardware or software the employee was running.

Hadnagy says some Home Depot employees questioned why the "IT department" wasn't calling from a corporate phone number. "That happened more than once, which is really good. There must be some training [at Home Depot] when you notice this on caller ID."

Even so, the Schmooze Operators mostly were able to explain away the phone number discrepancy and get key information out of the employees. "But one [Home Depot] caller put a stop to the call" during one of the attempts.

[Walmart performed the worst in a high-profile social engineering contest that targeted Target, AT&T, Verizon, HP, Cisco, Mobil, Shell, FedEx, and UPS. Read Retail Fail: Walmart, Target Fared Worst In Def Con Social Engineering Contest.]

Half the contestant teams' scores come from their initial reconnaissance -- what they can glean from open-source intelligence in advance of the live contest.

In a particularly alarming find during the recon phase, one team discovered that a retailer's public website contained a portal to its corporate intranet, which allowed access the internal network without internal credentials. The website provided a handy online instructional document on how to access the intranet with a sample login username and password that actually provides access to the intranet. "The sample username and password works," says Hadnagy, who would not name the errant retailer. "So they stopped" there and went no further. "And we're wondering why so many retailers are getting hacked."

Among the most commonly won flags were information about which websites the retailer blocks. If the retailer blocks Facebook, for example, that would alert an attacker not to bother using Facebook in a phishing email lure. Several retailers gave up the names of their third-party security firms, and they disclosed whether their employee badges were RFID or magnetic stripe, for instance.

Convincing the retailers to visit a URL was an easy flag, too, Hadnagy says.

Several of the retail employees said their company provides security awareness training. "The employees knew what it was, and they have it regularly. But the takeaway [from the contest] is they're not doing a good enough job when things seem fishy… knowing what to do to recognize phishing calls and emails," he says. "Nobody stopped and said, 'I'm gonna call corporate and verify this and then call you back.' We are still a country with retail organizations failing to educate our employees on how to be protected and recognize social engineering attacks."

Social-Engineer Inc. will release the final report on the SECTF on Oct. 27, and it will host a free webinar on Oct. 31 to discuss the findings.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
<<   <   Page 2 / 2
Sara Peters
Sara Peters,
User Rank: Author
9/5/2014 | 11:47:32 AM
first line of defense...
At RSA I spoke to some people at Akamai who do security awareness for their insiders, and they did something that I found kind of awesome and hilarious. They gave out an award for whoever was doing the best job at securing the organization -- which was often all about preventing social engineering. Whoever won that month had the honor of having a stuffed penguin on their desk until someone else was awarded it. 

And the person who kept winning it was not somebody in IT or some executive. 
<<   <   Page 2 / 2
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM &amp;amp; Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.