Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


07:15 PM
Connect Directly

Home Depot, Other Retailers Get Social Engineered

Famed annual contest reveals how many retailers lack sufficient defenses against social engineering.

In the end, it may have been a foreshadowing of sorts: The team assigned to squeeze potentially sensitive information from Home Depot employees in cold calls during this year's Social Engineering Capture the Flag (SECTF) competition at DEF CON 22 won the famed contest.

The social engineering competition held last month in Las Vegas was in no way directly related to a report yesterday that Home Depot may have suffered a massive data breach; the home improvement chain was still investigating suspicious "activity" as of this posting. However, it was among a group of major US retailers that fell to multiple social engineering tactics during the competition.

Nine teams of partners were each assigned to one of nine US retailers unknowingly targeted in the contest: Home Depot, CVS, Costco, Lowe's, Macy's, RiteAid, Staples, Walgreens, and Walmart. The teams competed to glean as many flags as they could from their targets. Their scores were then tallied along with dossiers they submitted before DEF CON that contained intel they had gathered in advance using Google searches, social networks, and other online research (a.k.a. open-source intelligence).

Not all the data from this year's contest has been crunched and analyzed yet, so it's unclear which of the retailers yielded the most "flags" -- designated checklist items that contestants try to glean from cold-calls to their target retailer's employees. These items include the type of browser or operating system the retailer runs, the badges it uses, which social networks it blocks, and duping them into visiting a specific URL.

But the team assigned to social engineer Home Depot scored the most points based on the weighted flags, followed by the team assigned to CVS, according to Christopher Hadnagy, chief human hacker with Social-Engineer Inc. and sponsor of the contest, now in its fifth year. The third-place finishers targeted Walmart, says Hadnagy, who today shared some of the findings with Dark Reading.

However, Hadnagy says this doesn't necessarily mean Home Depot was the most insecure of the retailers. The final scores depend on multiple factors, such as the skill of the contestants, the time of day they make their calls, and the employees they get on the phone.

"The theme of this year's competition was retail, based on the Target" breach revealed this year, Hadnagy says. "We wanted to see: This [Target's breach] just happened, so retailers should probably be on high alert, and maybe the contest would be more challenging. Unfortunately, there was not one company who did well. Not one, if they were my clients, would have gotten a passing grade."

The winning team, which went by the name Schmooze Operators, actually ended up with a substitute teammate during the live contest -- a volunteer from the SE CTF audience -- after a team member fell ill. The two teammates posed as Home Depot's corporate IT department, calling multiple stores in a quest for flags, such as which hardware or software the employee was running.

Hadnagy says some Home Depot employees questioned why the "IT department" wasn't calling from a corporate phone number. "That happened more than once, which is really good. There must be some training [at Home Depot] when you notice this on caller ID."

Even so, the Schmooze Operators mostly were able to explain away the phone number discrepancy and get key information out of the employees. "But one [Home Depot] caller put a stop to the call" during one of the attempts.

[Walmart performed the worst in a high-profile social engineering contest that targeted Target, AT&T, Verizon, HP, Cisco, Mobil, Shell, FedEx, and UPS. Read Retail Fail: Walmart, Target Fared Worst In Def Con Social Engineering Contest.]

Half the contestant teams' scores come from their initial reconnaissance -- what they can glean from open-source intelligence in advance of the live contest.

In a particularly alarming find during the recon phase, one team discovered that a retailer's public website contained a portal to its corporate intranet, which allowed access the internal network without internal credentials. The website provided a handy online instructional document on how to access the intranet with a sample login username and password that actually provides access to the intranet. "The sample username and password works," says Hadnagy, who would not name the errant retailer. "So they stopped" there and went no further. "And we're wondering why so many retailers are getting hacked."

(Source: Social-Engineer.org)
(Source: Social-Engineer.org)

Among the most commonly won flags were information about which websites the retailer blocks. If the retailer blocks Facebook, for example, that would alert an attacker not to bother using Facebook in a phishing email lure. Several retailers gave up the names of their third-party security firms, and they disclosed whether their employee badges were RFID or magnetic stripe, for instance.

Convincing the retailers to visit a URL was an easy flag, too, Hadnagy says.

Several of the retail employees said their company provides security awareness training. "The employees knew what it was, and they have it regularly. But the takeaway [from the contest] is they're not doing a good enough job when things seem fishy… knowing what to do to recognize phishing calls and emails," he says. "Nobody stopped and said, 'I'm gonna call corporate and verify this and then call you back.' We are still a country with retail organizations failing to educate our employees on how to be protected and recognize social engineering attacks."

Social-Engineer Inc. will release the final report on the SECTF on Oct. 27, and it will host a free webinar on Oct. 31 to discuss the findings.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
User Rank: Apprentice
9/4/2014 | 2:52:06 PM
Ease of Access
Thank you for the mention of Schmooze Operators. Stephanie and I had a lot of fun participating in the competition. Perhaps the most concerning part, was the ease at which information was acquired from all of the companies. 

Social Engineering training ought to be implemented as part of the security training at all major companies. Regardless of how many millions of dollars are spent on security devices and services, the weakest link will always be the person that speaks to the public. 
<<   <   Page 2 / 2
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-10-19
The Video_Converter app 0.1.0 for Nextcloud allows denial of service (CPU and memory consumption) via multiple concurrent conversions because many FFmpeg processes may be running at once. (The workload is not queued for serial execution.)
PUBLISHED: 2019-10-19
Information Disclosure is possible on WAGO Series PFC100 and PFC200 devices before FW12 due to improper access control. A remote attacker can check for the existence of paths and file names via crafted HTTP requests.
PUBLISHED: 2019-10-19
templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser does not encode the path of the URL, as demonstrated by Internet Explorer.
PUBLISHED: 2019-10-18
In the Linux kernel before 5.3.4, a reference count usage error in the fib6_rule_suppress() function in the fib6 suppression feature of net/ipv6/fib6_rules.c, when handling the FIB_LOOKUP_NOREF flag, can be exploited by a local attacker to corrupt memory, aka CID-ca7a03c41753.
PUBLISHED: 2019-10-18
In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclo...