Companies still falling for social engineering attacks

Despite investing in advanced security software and protecting themselves against the latest threats, companies are still falling foul of the oldest tricks in the book, according to a report from the annual Social Engineering Capture The Flag (SECTF) contest at DEF CON.

The contest in Las Vegas challenged participants to compromise organisations using "social engineering", the practice of tricking people into revealing sensitive items of information, or opening a malicious file.

Social engineers often dupe their targets into trusting them using information gathered from open-source intelligence (OSINT), a term for any publicly available sources such as websites, social media, and other online resources.

Participants in the contest were tasked with phoning up employees at large multinational companies and attempting to gain a "checklist" of sensitive information over the phone. They were scored on how many of these they were able to get out of their targets.

The competition is held annually, with phone conversations held in a soundproof booth in front of an audience.

"The bottom line is [the target corporations] did really poorly," says Michele Fincher, chief influencing agent for Social-Engineer, Inc., the firm that runs the event.

The report shows how many of the largest companies are leaving themselves wide open to unsophisticated attacks simply by failing to brief their employees on basic security.

While contestants were barred from doing any actual hacking, one of the callers was still able to access a document on one company's website that contained log-in details to the company's intranet. That means he penetrated their secure system without writing a single line of malicious code.

The scary thing was that most of the contestants gathered more than twice the amount of sensitive information from OSINT as they did from their duplicitous phone conversations.

"What that really means," Fincher said, "is that it doesn't take a skilled social engineer to dig through the net and find information."

The most common types of information gathered were Internet browser type, operating system information, information on corporate wireless access, and confirmation of a corporate VPN. Intelligence on the browser and operating systems in use could aid an attacker in crafting a targeted phishing email, or a specific type of malware.

These findings echoed the comments of Kevin Mitnick during his keynote at this year's IP EXPO, when he warned businesses about the power of social engineering attacks.

Apple scored the worst of all the companies tested, with the contestant tasked to the Cupertino-based company scoring a staggering 12,000 points. The social engineer tasked to GE, on the other hand, scored the lowest, with only 300 points.

Fincher urged companies to undertake comprehensive training programmes in social engineering response and prevention.

"There's a lot of focus on technology: It's a lot easier to put up a firewall," said Fincher. "But a conversation can be way more damaging than malware."
