Slick Aussie nabs corporate data
As a penetration tester for local security firm Securus Global, Wayne knows how to hack, but it was his pragmatism and penchant to schmooze that allowed him to pinch the data needed to steal secrets from one of the world's most iconic brands. His beguiling attack ran like clockwork and employed skills crafted since childhood.
(Telephone Booth image by Justin Moore, CC2.0)
Wayne, who didn't want his surname revealed, took part in the FBI-sanctioned DefCon Capture the Flag social-engineering competition in the US last month, where competitors were tasked with extracting sensitive information from phone operators at a nominated target organisation.
Each contestant was informed of their target ahead of time to allow them to plan their attacks using only information available on the internet. They were given a 20-minute window to call their target and use social-engineering techniques to manipulate and convince operators to disclose sufficient information for a hypothetical but successful hacking attack to be launched.
Threats, hacking or other malicious techniques were banned.
The attack was a test but the tactics and treasure were very real. The silver-tongued Australian employed everything from acumen to accent to build his masquerade as a charismatic and time-poor auditor in need of corporate information.
Wayne aimed his attack at the 24/7 IT support desk, noting that the technicians would be available throughout the competition and would have greater access than other phone operators to necessary data. He pretended to be an auditor to winkle information, such as the browser the company used, out of an unknowing tech.
"I told him at the start that I was an auditor, that I worked for the company and I had to fix holes in a KPMG report," Wayne said. "I was a higher [corporate] level than him, and that I needed his help would have made him feel important."
He briefed the technician about his faux mission and then slid into an informal schmooze to build rapport. Wayne said his Australian accent and phone number, located near the firm's corporate headquarters, added to the facade of a well-travelled executive.
"I took him for a ride," Wayne said.
By the end of the call, Wayne knew enough information — including details on the company's antivirus software, web browsers, phone systems and radio frequency identification platform — such that he could have "easily" hijacked the corporate network.
"I could make a virus and a rootkit targeted at their systems that are not detected by their antivirus, and send it in an email attachment or through a browser exploit," he said.
Wayne obtained a large number of points for his effort and was awarded second place in the competition, two points behind the victor and an impressive 61 points ahead of the third-highest score.
Other competitors opted to pitch surveys and found themselves promptly dismissed by the target.
Many cashed-up businesses and corporate giants would fall to a well-executed social-engineering attack, according to Wayne, while smaller companies would fare better because staff are typically accustom to the type of callers. He says two leading security companies were among the Fortune 500 companies that fell during the contest.
The IT officer is a target ripe for social-engineering attacks, Wayne said, because they have higher and broader access to data in order to assist staff across departments. Yet they can be conned as easily as staff with lower access rights, given the attacker can smooth talk and has knowledge of technology.
Wayne said that his target company had vigorous staff security training to prevent competitors from using similar tactics to steal secrets, but he still succeeded.
He warned security procedures may often be forgotten in the months after training and added that staff should not allow themselves to be persuaded to disclose information to callers without authorisation.