Last week, Social-Engineer.org released the results of its DEF CON 22 Social Engineer Capture the Flag (SECTF) competition. The goal of the contest is to raise awareness of social engineering techniques and tactics through live, real-world demonstrations. SECTF contestants are tasked with discovering “flags” of information about target companies using only open source information found online and a series of live phone calls.
In a webinar on October 31, SECTF organizers Chris Hadnagy and Michelle Fincher discussed the contest and its results. “One of the things we get asked often is how do we come up with our flags,” said Hadnagy. “We look for questions that are very close to the line, not too personal or too destructive, but would prove a social engineering test to be accurate.” Questions this year included “What anti-virus system is used?” and “Who handles trash disposal?” among others.
Hadnagy noted that this year, for the first time, the social media site Instagram became a major source of information. “A lot of employees post their pictures, their badges, company events to Instagram,” said Hadnagy. “Even worse,” added Fincher, “a lot of people still are leaving geo-location enabled on their camera, so not only are we seeing pictures of the inside of break rooms, we’re seeing exactly where they were taken.”
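Fincher's point about geo-location is checkable, and fixable, before a photo ever leaves the phone. The following is an added example written for this article, not code from Social-Engineer.org or the SECTF: it walks a JPEG's marker segments, decodes GPSLatitude/GPSLongitude from the Exif block, and returns a copy of the file with the Exif segment removed. The function names and the sample "photo" are my own constructions; the sample is a JPEG skeleton carrying an Exif block and no image data.

```python
"""Find and strip the GPS position a phone camera writes into a photo's Exif
metadata. Added example for this article, not code from Social-Engineer.org
or the SECTF; standard library only. The "JPEG" built below is a constructed
skeleton (SOI, APP1 Exif, empty SOS, EOI), not a real photograph."""
import struct

EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825                  # IFD0 entry pointing at the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004


def _segments(data):
    """Yield (marker, start, end) for each JPEG marker segment before the
    entropy-coded scan; start is the 0xFF byte, end is one past the payload."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        if marker == 0xDA:            # SOS: image data follows, no more headers
            return
        pos += 2 + length


def exif_payload(data):
    """Return the TIFF-structured Exif block of a JPEG, or None if absent."""
    for marker, start, end in _segments(data):
        if marker == 0xE1 and data[start + 4:start + 10] == EXIF_HEADER:
            return data[start + 10:end]
    return None


def strip_exif(data):
    """Copy of the JPEG with every APP1 Exif segment (and so the GPS IFD)
    removed; all other segments and the image data pass through untouched."""
    out, last = bytearray(), 0
    for marker, start, end in _segments(data):
        if marker == 0xE1 and data[start + 4:start + 10] == EXIF_HEADER:
            out += data[last:start]
            last = end
    out += data[last:]
    return bytes(out)


def gps_coordinates(tiff):
    """Decode GPSLatitude/GPSLongitude from an Exif block into signed decimal
    degrees (south and west negative). Returns None if no GPS IFD is present."""
    bo = {b"II": "<", b"MM": ">"}[tiff[:2]]      # TIFF byte-order mark
    if struct.unpack(bo + "H", tiff[2:4])[0] != 42:
        raise ValueError("bad TIFF magic")

    def read_ifd(off):                 # {tag: (type, count, 4-byte value field)}
        n = struct.unpack(bo + "H", tiff[off:off + 2])[0]
        entries = {}
        for i in range(n):
            e = off + 2 + 12 * i
            tag, typ, count = struct.unpack(bo + "HHI", tiff[e:e + 8])
            entries[tag] = (typ, count, tiff[e + 8:e + 12])
        return entries

    def dms(entry):                    # 3 x RATIONAL (type 5), stored at offset
        off = struct.unpack(bo + "I", entry[2])[0]
        r = struct.unpack(bo + "6I", tiff[off:off + 24])
        return r[0] / r[1] + r[2] / r[3] / 60 + r[4] / r[5] / 3600

    ifd0 = read_ifd(struct.unpack(bo + "I", tiff[4:8])[0])
    if TAG_GPS_IFD not in ifd0:
        return None
    gps = read_ifd(struct.unpack(bo + "I", ifd0[TAG_GPS_IFD][2])[0])
    if any(t not in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None
    lat, lon = dms(gps[GPS_LAT]), dms(gps[GPS_LON])
    if gps[GPS_LAT_REF][2][:1] == b"S":
        lat = -lat
    if gps[GPS_LON_REF][2][:1] == b"W":
        lon = -lon
    return round(lat, 6), round(lon, 6)


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed fixture: a big-endian Exif block (IFD0 at 8, GPS IFD at 26,
    latitude/longitude rationals at 80/104) wrapped in a JPEG skeleton."""
    rat = lambda dms: b"".join(struct.pack(">II", v, 1) for v in dms)
    ifd0 = (struct.pack(">H", 1) + struct.pack(">HHII", TAG_GPS_IFD, 4, 1, 26)
            + struct.pack(">I", 0))
    gps = (struct.pack(">H", 4)
           + struct.pack(">HHI", GPS_LAT_REF, 2, 2) + lat_ref.ljust(4, b"\x00")
           + struct.pack(">HHII", GPS_LAT, 5, 3, 80)
           + struct.pack(">HHI", GPS_LON_REF, 2, 2) + lon_ref.ljust(4, b"\x00")
           + struct.pack(">HHII", GPS_LON, 5, 3, 104)
           + struct.pack(">I", 0))
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8) + ifd0 + gps + rat(lat_dms) + rat(lon_dms)
    app1 = EXIF_HEADER + tiff
    return (b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xda\x00\x02" + b"\xff\xd9")   # empty SOS header, then EOI
```

On a real file, read it in binary mode and call `gps_coordinates(exif_payload(data))`; a `None` result means no GPS IFD was found. `strip_exif` is the control you actually own: apply it before a picture of a badge or break room is uploaded anywhere, rather than relying on what a given platform may or may not do with metadata. Removing the whole APP1 segment also drops camera model and timestamps, which is normally what you want for a workplace photo.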
During the live portion of the contest, contestants were given 30 minutes to make calls to the target companies. This year contestants were not allowed to spoof their caller ID and had to compete in teams. Hadnagy pointed out that several of the targets sounded unsure of the callers’ legitimacy, yet any quick justification, however thin, was enough to gain compliance. The winning team credited confident, fast-paced questioning as their strategy.
The SECTF competition is a great example of why companies need to secure their phone channel. Even without caller-ID spoofing, each of the nine target companies gave up every flag at least once. The most commonly obtained flag this year was whether a wireless network was in place, a detail that directly informs the planning of a technical intrusion or eavesdropping on the corporate network.
The key takeaway is that social engineering is often not the endgame but the entry point for a technical or online attack. Fraudsters today work across channels, combining online reconnaissance with phone pretexting to gather the company information needed to plan a sophisticated attack.