Some of the biggest companies, including Apple, IBM and AT&T, were easily tricked into giving up potentially sensitive information during a contest that featured a variety of social engineering attacks.
The "Social Engineering Capture the Flag" contest targeted 14 companies in five industries (retail, airlines, food service, technology and mobile services) during the DefCon conference in Las Vegas in August.
Contestants tried to ferret information out of employees at Apple, AT&T, Conagra Foods, Dell, Delta Airlines, IBM, McDonald's, Oracle, Symantec, Sysco Foods, Target, United Airlines, Verizon and Walmart using social engineering techniques, according to a postmortem report released by Social-Engineer.org Oct. 31.
Contestants had to obtain certain types of information, or "flags," from various companies during a 25-minute time period. There were more than 60 flags, each representing data that was nonsensitive in itself but still revealed something about the companies' inner workings, such as the names of the food service providers in the company cafeteria, the antivirus programs deployed and the browser version in use.
None of the 14 companies succeeded in keeping the information away from the attackers, according to the report. Only three employees offered any type of resistance, the report found.
"Many companies have the mentality of, 'It won't happen to us,' or 'Our people won't fall for that.' The sad truth is, those are the very people that will and do fall victim to these attacks, as demonstrated by the contest," said Chris Hadnagy of Social-Engineer.org, who organized the contest.
Of the firms tested, AT&T received the highest overall score and Oracle received the lowest. However, in a real-world situation, both companies would have failed the social engineering penetration test for giving up any information in the first place, the report said.
Contestants had two weeks to gather information on and research their assigned target using passive information-gathering methods, such as Google searches and reviewing social networks and websites. The contestants compiled their findings in a dossier, turned in before the conference, which counted toward part of each contestant's overall score. At DefCon, the contestants sat in a soundproof booth and were allowed to contact the company directly; they were given 25 minutes to collect as much information as possible.