Information Security News mailing list archives

Retail Fail: Walmart, Target Fared Worst In DefCon Social Engineering Contest


From: InfoSec News <alerts () infosecnews org>
Date: Tue, 11 Sep 2012 02:09:21 -0500 (CDT)

http://www.darkreading.com/insider-threat/167801100/security/attacks-breaches/240007096/retail-fail-walmart-target-fared-worst-in-defcon-social-engineering-contest.html

By Kelly Jackson Higgins
Dark Reading
Sep 10, 2012

Walmart was the toughest nut to crack in last year's social engineering competition at the DefCon hacker conference in Las Vegas, but what a difference a year makes: this year, the mega retailer scored the worst among the ten major U.S. corporations unknowingly targeted in the contest.

The third annual DefCon Social Engineering Capture the Flag Contest, held at the DefCon 20 conference in late July, featured 20 contestants, men and women, going head-to-head to squeeze as many specific pieces of information, or "flags," as possible out of employees at Walmart, AT&T, Verizon, Target, HP, Cisco, Mobil, Shell, FedEx, and UPS in cold calls. For the first time, men and women were pitted against one another at the event, each competing for the most flags they could get from a specific company, and their individual scores were then tallied along with the dossiers they submitted prior to DefCon. The dossiers are reports the contestants compiled from intelligence gathered before the live event using passive information-gathering methods such as Google searches, social networks, and other online research.

"Last year, the retailers just shut us down big-time, but this year, retail was the most forthcoming," says Chris "Logan" Hadnagy, a professional social engineer with social-engineer.org who heads up the contest. Walmart and Target ended up with the highest scores, which means they did the worst, he says, with Walmart gaining the dubious distinction of performing the worst by exposing the most information both online and when its employees were cold-called by the social engineering contestants.

Contestants posed as everything from fellow employees to office-cleaning service providers, using these phony personae as pretexts to schmooze employees into giving up seemingly benign but actually very valuable information that can expose an organization to attack. One disturbing trend: every employee who was asked to visit a URL during the call did so. "Not every company was asked, but every one that was, went there. It was a crazy thing: [even if] they were staunch in not answering questions, but if the caller asked them to go to this URL and said something like 'I assume you're using IE7,' they would say yes or no and go to the URL," Hadnagy says.

[...]


--
#HITB2012KUL - The 10TH ANNUAL HITB Security Conference in Malaysia
with no keynotes, no labs - just three tracks filled with our most
popular speakers from the last decade: http://conference.hitb.org/