At the recent Def Con security conference in Las Vegas, participants in a hacking contest showed how easily criminals can use social engineering attacks to steal a lot of sensitive information.
One popular event at Def Con is the Capture the Flag social engineering contest, in which participants are given two weeks to research target companies before performing their attacks live in front of conference attendees.
At last year’s contest, all 14 targeted businesses volunteered at least one piece of sensitive information to the social engineer, and few employees put up any sort of resistance to the attacks. This year, 10 companies were targeted and all of them gave up at least a few pieces of data.
The winner of the 2012 competition was Shane MacDougall, principal partner at security firm Tactical Intelligence, who used a social engineering attack against Wal-Mart to capture data from every category in the contest’s checklist. Though participants are forbidden from attempting to extract Social Security numbers, account information or other items that could cause legal problems, MacDougall called a Wal-Mart store in Canada and learned a lot of information that could be used for crime, including:
- The store’s janitorial services contractor
- Its employee pay cycle
- Its staff shift schedules
- When managers take their breaks and where they go for lunch
- The type of PC used by the store manager
- The make and version number of the computer’s operating system, and
- The machine’s web browser and antivirus software.
How did MacDougall conduct his social engineering attack? He impersonated a high-ranking Wal-Mart executive, calling the manager of the store and telling him his location had been chosen to be part of a pilot program that could help the retail giant win a multi-million-dollar government contract. He then directed the manager to an online survey created to collect the information MacDougall was trying to obtain.
The manager never questioned the validity of the call, even after the company’s web filter initially blocked the survey’s URL. MacDougall’s social engineering ploy succeeded in part because of his genial small talk, CNN Money reports.
Protect against social engineering attacks
What can businesses do to prevent sensitive information from being willingly handed over to criminals? Since the attacks rely on tricking users, staff training is the biggest key to preventing social engineering attacks.
Some of the training techniques experts recommend include appealing to users’ personal lives and letting them know about the threats they face individually. A personal touch can do a lot to put security at the top of people’s minds.
Some IT departments have also had success conducting social engineering tests similar to the Def Con contest on their organization’s own employees. That could help convince stubborn users that they’re vulnerable to the threat.
When conducting training, don’t forget about execs and upper management — those people are often the biggest targets for social engineers because they hold the most valuable information.