Employees Persuaded to Visit Requested URL
All of the targeted companies' employees were persuaded to visit a URL the callers requested, according to the report. Considering how often attackers compromise a company by infecting a single machine with malware downloaded from a dodgy Website, the ease with which the employees were persuaded to go to the link is worrying, according to the report. One contestant who called an AT&T retail outlet had difficulty getting the employee to provide any information, which was a positive sign, since it meant the employee was thinking about what was appropriate to divulge. However, in the end the contestant was able to get the desired information simply by calling a different AT&T employee at the same location.

It's one thing to teach employees policies, but it's better to teach them what to do when they are asked to violate policy, Jim Stickley, CTO of TraceSecurity, told eWEEK in an earlier interview. Stickley uses social engineering tactics when auditing security measures at banks and credit unions around the country. Instead of teaching "Don't give out private information over the phone," employees need to be told to say they can't do that, and to offer to transfer the call to a senior manager, Stickley said.

This year's report drew nearly identical conclusions to last year's, which also found that companies were not adequately training their employees and that motivated attackers could use publicly available tools to dig up a wealth of data in a reconnaissance mission. The barrier to entry for social engineering attacks "is very low," the report concluded. Despite investing millions of dollars in security annually, the companies involved are doing a poor job of training employees to spot and rebuff attempts to get them to disclose information or perform certain tasks, the report concluded. Employees contacted by phone were inclined to be helpful, especially if the caller claimed to be a customer, which made the social engineering attack easier, according to the report.
Many of the firms gave up the information online, allowing contestants to collect their flags even before the phone call. Open FTP servers and internal and external Web pages yielded a lot of information, making it much easier for the contestants to create convincing phone scripts.