All ten targeted companies (Google, Microsoft, Apple, Cisco, BP, Shell, Ford, PG&E, Coke, and Pepsi) "failed" the test. "Not one company shut us down, although certain employees within the company did. But we (participants) were able to call right back and get another employee that was more willing to comply," says Christopher Hadnagy, developer and community member of Social-Engineer.org (the organization that made the contest happen) and operations manager with Offensive Security, a penetration testing company that also offers training in that department.
ZDNet reports that Social-Engineer.org plans to release a report in a couple of weeks, in which results and details of the specific attacks will be revealed. But, in the meantime, they refuse to reveal which companies fared worse than others in the contest.
They do say that out of some 50 employees approached via phone by the contestants, only 3 became suspicious and terminated the call without divulging any information, and - interestingly enough - all three were women.
"One woman said 'this question sounds fishy to me' and hung up within the first 20 seconds," recounts Hadnagy. "We all clapped."
Among those who failed to recognize the calls for what they were, some even shared software version numbers with the attackers when prompted - information that would allow criminals to tailor further attacks in such a way as to exploit known and unknown vulnerabilities in the software.
The final report is eagerly awaited not only by the security community and forward-thinking businesses that recognize the danger that such attacks present to their functioning, but by law enforcement and U.S. federal agencies as well.