Some of the biggest companies-including Apple, IBM and AT&T-were easily tricked into giving up potentially sensitive information during a contest that featured a variety of social engineering attacks.
The “Social Engineering Capture the Flag” contest targeted 14 companies in five industries-retail, airlines, food service, technology and mobile services-during the DefCon conference in Las Vegas in August.
Contestants tried to ferret information out of employees at Apple, AT&T, Conagra Foods, Dell, Delta Airlines, IBM, McDonald’s, Oracle, Symantec, Sysco Foods, Target, United Airlines, Verizon and Walmart using social engineering techniques, according to a postmortem report released by Social-Engineer.org Oct. 31.
Contestants had to obtain certain types of information, or “flags,” from various companies during a 25-minute time period. There were more than 60 flags, representing nonsensitive data, but still information about the companies’ inner workings, such as names of the food service providers in the company cafeteria, antivirus programs deployed and the browser version being used.
None of the 14 companies succeeded in keeping the information away from the attackers, according to the report. Only three employees offered any type of resistance, the report found.
“Many companies have the mentality of, ‘It won’t happen to us,’ or ‘Our people won’t fall for that.’ The sad truth is, those are the very people that will and do fall victim to these attacks, as demonstrated by the contest,” said Chris Hadnagy of Social-Engineer.org, who organized the contest.
Of the firms tested, AT&T received the highest overall score and Oracle received the lowest. However, in a real-world situation, both companies would have failed the social engineering penetration test for giving up any information in the first place, the report said.
Contestants had two weeks to gather information and research their assigned target using passive information-gathering methods, such as Google searches and looking at social networks and Websites. The contestants compiled their data in a dossier, turned in prior to the conference, which was used to calculate part of the overall score for each contest participant. At DefCon, the contestants sat in a soundproof booth and were allowed to directly contact the company; they were given 25 minutes to collect as much information as possible.
Employees Persuaded to Visit Requested URL
All of the targeted companies’ employees were persuaded to visit a URL the callers requested, according to the report. Considering the number of times attackers compromise a company by infecting one machine with malware downloaded from a dodgy Website, the fact that the employees were easily persuaded to go to the link is worrying, according to the report.
One contestant who called an AT&T retail outlet had difficulty getting the employee to provide any information, which was a positive sign, since it meant the employee was thinking about what was appropriate to divulge. However, in the end the contestant was able to get the information desired by simply calling a different AT&T employee at that same location.
Many of the firms gave up the information online, allowing contestants to collect their flags even before the phone call. Open FTP servers and internal and external Web pages yielded a lot of information, making it much easier for the contestants to create convincing phone scripts.
It’s one thing to teach employees policies, but it’s better to teach them what to do when they are asked to violate policy, Jim Stickley, CTO of TraceSecurity, told eWEEK in an earlier interview. Stickley uses social engineering tactics when auditing security measures at banks and credit unions around the country. Instead of teaching, “Don’t give out private information over the phone,” employees need to be told to say they can’t do that, and to offer to transfer the call to a senior manager, Stickley said.
This year’s report drew nearly identical conclusions as last year’s report, which also found that companies were not adequately training their employees and motivated attackers could use publicly available tools to dig up a wealth of data in a reconnaissance mission. The barrier of entry for social engineering attacks “is very low,” the report concluded.
Despite investing millions of dollars in security annually, the companies involved are doing a poor job of training employees to spot and rebuff attempts to disclose information or to perform certain tasks, the report concluded. Employees contacted by phone were inclined to be helpful, especially if the caller claimed to be a customer and facilitated the social engineering attack, according to the report.