When the phone call is more dangerous than malware

During Social Engineer Capture the Flag contest, one of the most prominent and popular annual events at DEF CON 21, a pool of 10 men and 10 women, from diverse backgrounds and experience levels, tested their social engineering abilities against 10 of the biggest global corporations, including Apple, Boeing, Exxon, General Dynamics and General Electric. The complete results of the competition are in, and they don’t bode well for businesses.

“Social engineering has played some role in nearly every major hack you have read about over the last few years, yet this year’s competition clearly illustrates how poorly prepared companies are to defend against socially engineered attacks,” said Chris Hadnagy, Chief Human Hacker, Social-Engineer, Inc.

“While there continues to be improvements in the quality and preparation of the contestants, there have not been any significant improvements by companies to secure information available on the internet and educate and prepare employees against a disciplined social engineer. For example, one contestant was able to find an improperly secured help desk document that provided log in credentials for the target company’s employee-only online portal. It’s disheartening to note that after years of attacks and years of warnings, these valuable pieces of information are still so easily found and exploited.”

In the SECTF, contestants attempt to capture “flags” – specific piece of information that could be used to successfully penetrate their target companies. In the first segment of the competition, contestants were given two weeks to gather as much intelligence about their target using information obtained only through Google, LinkedIn, Flickr, Facebook, Twitter, the corporate websites and other internet sites. During this information-gathering phase, contestants could attempt to capture as many of the pre-defined flags as possible, but could not contact the company or its employees.

Contestants then performed a live call portion of the event during DEF CON 21. In this segment of the competition, social engineers used pretexts established in the information-gathering phase to telephone employees of the company to further elicit information.

The flags captured during the Open Source Information (OSI) phase were obtained through information found online without any interaction with individuals at the target companies. Information gathered on the internet allowed contestants to capture more than two times the amount of points gathered in the live call portion of the contest, even though OSI flags were valued at half the points of their live call counterparts.

The two most commonly obtained flags were the browser and OS of the target companies. With these two pieces of information, the simplest way for an attacker to breach network security would be through a targeted phishing email containing files that would either release malware or lead the target into clicking to a malicious website targeting vulnerabilities specific to their browser or OS.

In addition, the flag captured during the an information gathering phase would be highly useful to a malicious attacker for developing strong pretexts – such as posing as a member of the janitorial staff – in order to gain entry into an office to collect information that may be improperly secured. Also of significance is that targets surrendered every one of the predefined flags at least once during the competition.

“Based on all of the data and our observations, we can conclude that social engineering continues to be an immense security risk to organizations,” continued Hadnagy. “This is our fifth consecutive year hosting this event, and despite numerous high-profile security breaches in the commercial sector, we have not seen consistent improvements that directly address the human factor of security. Our goal always has been, and continues to be, “Security through Education.'”

The SECTF is conducted to raise awareness of the ongoing threat posed by social engineering and to provide a live demonstration of the techniques and tactics used by the malicious attacker.

For more details about the contest, the results, and advised mitigation actions, download the report.