Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


07:15 PM
Connect Directly

Home Depot, Other Retailers Get Social Engineered

Famed annual contest reveals how many retailers lack sufficient defenses against social engineering.

In the end, it may have been a foreshadowing of sorts: The team assigned to squeeze potentially sensitive information from Home Depot employees in cold calls during this year's Social Engineering Capture the Flag (SECTF) competition at DEF CON 22 won the famed contest.

The social engineering competition held last month in Las Vegas was in no way directly related to a report yesterday that Home Depot may have suffered a massive data breach; the home improvement chain was still investigating suspicious "activity" as of this posting. However, it was among a group of major US retailers that fell to multiple social engineering tactics during the competition.

Nine teams of partners were each assigned to one of nine US retailers unknowingly targeted in the contest: Home Depot, CVS, Costco, Lowe's, Macy's, RiteAid, Staples, Walgreens, and Walmart. The teams competed to glean as many flags as they could from their targets. Their scores were then tallied along with dossiers they submitted before DEF CON that contained intel they had gathered in advance using Google searches, social networks, and other online research (a.k.a. open-source intelligence).

Not all the data from this year's contest has been crunched and analyzed yet, so it's unclear which of the retailers yielded the most "flags" -- designated checklist items that contestants try to glean from cold-calls to their target retailer's employees. These items include the type of browser or operating system the retailer runs, the badges it uses, which social networks it blocks, and duping them into visiting a specific URL.

But the team assigned to social engineer Home Depot scored the most points based on the weighted flags, followed by the team assigned to CVS, according to Christopher Hadnagy, chief human hacker with Social-Engineer Inc. and sponsor of the contest, now in its fifth year. The third-place finishers targeted Walmart, says Hadnagy, who today shared some of the findings with Dark Reading.

However, Hadnagy says this doesn't necessarily mean Home Depot was the most insecure of the retailers. The final scores depend on multiple factors, such as the skill of the contestants, the time of day they make their calls, and the employees they get on the phone.

"The theme of this year's competition was retail, based on the Target" breach revealed this year, Hadnagy says. "We wanted to see: This [Target's breach] just happened, so retailers should probably be on high alert, and maybe the contest would be more challenging. Unfortunately, there was not one company who did well. Not one, if they were my clients, would have gotten a passing grade."

The winning team, which went by the name Schmooze Operators, actually ended up with a substitute teammate during the live contest -- a volunteer from the SE CTF audience -- after a team member fell ill. The two teammates posed as Home Depot's corporate IT department, calling multiple stores in a quest for flags, such as which hardware or software the employee was running.

Hadnagy says some Home Depot employees questioned why the "IT department" wasn't calling from a corporate phone number. "That happened more than once, which is really good. There must be some training [at Home Depot] when you notice this on caller ID."

Even so, the Schmooze Operators mostly were able to explain away the phone number discrepancy and get key information out of the employees. "But one [Home Depot] caller put a stop to the call" during one of the attempts.

[Walmart performed the worst in a high-profile social engineering contest that targeted Target, AT&T, Verizon, HP, Cisco, Mobil, Shell, FedEx, and UPS. Read Retail Fail: Walmart, Target Fared Worst In Def Con Social Engineering Contest.]

Half the contestant teams' scores come from their initial reconnaissance -- what they can glean from open-source intelligence in advance of the live contest.

In a particularly alarming find during the recon phase, one team discovered that a retailer's public website contained a portal to its corporate intranet, which allowed access the internal network without internal credentials. The website provided a handy online instructional document on how to access the intranet with a sample login username and password that actually provides access to the intranet. "The sample username and password works," says Hadnagy, who would not name the errant retailer. "So they stopped" there and went no further. "And we're wondering why so many retailers are getting hacked."

Among the most commonly won flags were information about which websites the retailer blocks. If the retailer blocks Facebook, for example, that would alert an attacker not to bother using Facebook in a phishing email lure. Several retailers gave up the names of their third-party security firms, and they disclosed whether their employee badges were RFID or magnetic stripe, for instance.

Convincing the retailers to visit a URL was an easy flag, too, Hadnagy says.

Several of the retail employees said their company provides security awareness training. "The employees knew what it was, and they have it regularly. But the takeaway [from the contest] is they're not doing a good enough job when things seem fishy… knowing what to do to recognize phishing calls and emails," he says. "Nobody stopped and said, 'I'm gonna call corporate and verify this and then call you back.' We are still a country with retail organizations failing to educate our employees on how to be protected and recognize social engineering attacks."

Social-Engineer Inc. will release the final report on the SECTF on Oct. 27, and it will host a free webinar on Oct. 31 to discuss the findings.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
User Rank: Apprentice
9/4/2014 | 2:52:06 PM
Ease of Access
Thank you for the mention of Schmooze Operators. Stephanie and I had a lot of fun participating in the competition. Perhaps the most concerning part, was the ease at which information was acquired from all of the companies. 

Social Engineering training ought to be implemented as part of the security training at all major companies. Regardless of how many millions of dollars are spent on security devices and services, the weakest link will always be the person that speaks to the public. 
<<   <   Page 2 / 2
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/5/2020
How AI and Automation Can Help Bridge the Cybersecurity Talent Gap
Peter Barker, Chief Product Officer at ForgeRock,  6/1/2020
Cybersecurity Spending Hits 'Temporary Pause' Amid Pandemic
Kelly Jackson Higgins, Executive Editor at Dark Reading,  6/2/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: What? IT said I needed virus protection!
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-06-06
The Neon theme 2.0 before 2020-06-03 for Bootstrap allows XSS via an Add Task Input operation in a dashboard.
PUBLISHED: 2020-06-06
showAlert() in the administration panel in Bludit 3.12.0 allows XSS.
PUBLISHED: 2020-06-06
In support.c in pam_tacplus 1.3.8 through 1.5.1, the TACACS+ shared secret gets logged via syslog if the DEBUG loglevel and journald are used.
PUBLISHED: 2020-06-06
In WSO2 API Manager 3.0.0 and earlier, WSO2 API Microgateway 2.2.0, and WSO2 IS as Key Manager 5.9.0 and earlier, Management Console allows XXE during addition or update of a Lifecycle.
PUBLISHED: 2020-06-06
SQLite 3.32.2 has a use-after-free in resetAccumulator in select.c because the parse tree rewrite for window functions is too late.