Loose lips still sink corporate ships, social engineering as lethal as ever

Last year at DefCon, contestants proved their social engineering schmooze was lethal to corporate America. Even after all the lessons learned from this summer's high-profile hacks, many of which, like HBGary, were made possible by social engineering attacks, the results from the 2nd annual social engineer Schmooze Strikes Back contest were the same.


Loose lips still sink corporate ships; social engineering is no less lethal to companies. As the Social Engineering Capture the Flag report states, "in the end, all of the companies would have received a failing mark in a real social engineering penetration test."

Social engineering contestants poured out the schmooze on these five different industries -- retail, airlines, food service, technology, and mobile services. Targeted companies were Apple, AT&T, Conagra Foods, Dell, Delta Airlines, IBM, McDonalds, Oracle, Symantec, Sysco Foods, Target, United Airlines, Verizon, and Walmart. Long before placing the 25-minute social engineering phone call, based on a "pretext" scenario, contestants used online resources to research and gather initial intel, develop an attack vector, and compile dossiers on their targets.

The Schmooze Strikes Back event consisted of 62 potential "flags" to capture, which were pieces of sensitive info about the inner workings of the company. Each flag was worth a specific number of points, based on how difficult it was to obtain. Pretext categories, meaning who the social engineer pretends to be when speaking to the target, included posing as a customer, a potential customer, or an employee. While faking it as an employee is the most difficult to pull off, it was also the most effective. According to the report, social engineers schmoozed every single company targeted, even where there was a bit of reluctant push-back, into visiting a specific URL. Had it been an attacker in real life and not a contest, targets could have been hit with a drive-by-download from a maliciously crafted website.

As unlikely as it might seem, retail employees were less likely to fall for a smooth-talking social engineer's tactics than customer support or call center employees. Employees from retail store settings like Target, Walmart, and AT&T were more reluctant, a bit more cautious, about answering a social engineer's questions. Overall, AT&T was the most secure and Oracle was the least, but United Airlines and Delta also received low scores this year.

Large call centers or customer support representatives in the tech and airline industries proved to be the weakest links and the most susceptible to social engineer schmoozing. The reasons for this might be the potential lack of awareness training due to high employee turnover, or simply the human nature of a person wanting to help another person. Solutions might include customer support reps politely refusing to hand over details, or pushing the caller's unusual requests up the ladder. There is considerable wisdom in both ways of putting up resistance, but the reality is often the dreaded "customer is always right" mentality or a reluctance to tick off a superior by kicking the problem up to them. Additionally, employees are pressed for time in a high-volume call center -- something that social engineers take advantage of by claiming to have time constraints of their own and hurrying the target to hand over the info without the benefit of stopping to logically analyze the situation. There is a fine line between pushing back and annoying customers. No one responded with "I have to talk to my manager." Most targets did not push back at all, but the contestants got around any reps who resisted by hanging up and calling back to find an easier target.

But charming sensitive information out of a target is not the only way in for an attacker. Charles Pavelites, a special agent with the FBI, told the Wall Street Journal, "The more information there is about you out there, the more information there is for someone to steal." And in this social networked world, where it's a necessity for companies and brands to have a social media presence, companies have a tremendous amount of information posted online.

Intel was gathered from Google, security plans and procedures on corporate websites, LinkedIn, "miscellaneous," and Facebook. Recon was also done via maps and job postings. Then there were things like personal blogs talking company dirt, the loose lips helping to sink corporate ships that required no manipulation or smooth talking for an attacker. And in real life, after determining targets and their social networking sites, an attacker could spoof emails from those sites or gather email addresses for phishing attempts.

Professional social engineer Chris Hadnagy, who organized the Schmooze Strikes Back event, said, "Some of the things that just made us drop our jaw were the amount of information that is leaked all over the web; open FTPs, documents marked 'CONFIDENTIAL,' vendors leaking information, and much more." Companies with "it won't happen to us" mentalities are the "very people who will fall victim to these attacks." According to the report, "With close to 70% of the companies leaking some form of sensitive data, it is not too harsh to say that full-scale social engineering attacks could be launched with little more than the passive information that was gathered by the social engineers." Hadnagy advised awareness training and nondisclosure agreements that are supposed to stop "information leakage."

The report concluded, "There is ample information floating out there that malicious social engineers can use to target the average company. This information can be put to use by the average, inexperienced social engineer to bear devastating results. This is consistent across all tested industries, with professional organizations appearing to be the most vulnerable." Social engineering is still lethal to corporate America.

Copyright © 2011 IDG Communications, Inc.
