As written by Stephanie Carruthers
The Social Engineering Capture The Flag (SECTF) is a competition held at DEF CON. It consists of two parts: an information-gathering phase and a live-call phase. Each contestant is randomly assigned a target company, and the information-gathering phase begins with research on that company, using only open-source intelligence (OSINT) and no physical contact, followed by a written report on the information found. The second phase takes place during DEF CON, where the contestants make live calls to their target companies and try to gather as many flags as possible.
The flags fall into several groups of information, such as general I.T. information, vendor information, and employee information. Each flag on its own is seemingly innocuous, for example “what operating system is in use”. However, an attacker could take that information to the next level and build a targeted attack tailored to that operating system.
This year marked the 5th anniversary of the SECTF at DEF CON, and there was a twist. It was a tag-team competition in which two contestants who did not know each other were put together to form a team. This brought a whole new dynamic to the CTF, since in previous years it had always been a solo-competitor event.
Shortly after we were assigned our partners, we were assigned a random target company. With a few weeks to research and write up our report, my team (Schmooze Operators) found a total of 18 out of 29 flags using OSINT. The majority of our flags were found through social media websites, with Instagram being the biggest supplier of information thanks to the many public pictures of break rooms and workstations at our target company.
When planning our background story and characters for our calls, known as the pretext, we decided the best way to take advantage of having a male and female team would be to leverage gender stereotypes. Typically the male would be in an I.T. position and the female would be in a clerical-type position. The pretext that we used while making live calls at DEF CON was that the female was doing a security audit to keep track of which vendors have access to the company stores, and the male was auditing the computer systems to make sure everything was secure and up to date.
About an hour before my team’s call time, my partner became ill and was no longer able to make it to the call. At the last minute I found Steve Morlan, who stepped in to become my new teammate. There were only 30 minutes to get him up to speed on our pretext and the flags we were shooting for.
During our calls I started off by giving their store number and asking the target employee to confirm I had the correct store. Once the target employee said that was correct, I stated that their store manager (I used the actual name of the store manager I had found during OSINT) should have informed them that I would be calling to do a quick security audit along with my coworker in the I.T. department. Once my questions were asked, I passed the call to my teammate, and he also confirmed the store number. By presenting the store numbers and manager names as if they were “insider knowledge”, we were able to establish trust.
Another tactic we used was not giving them time to think. Right after I went through my quick intro and established trust, I didn’t give the employee time to transfer me to a manager or question anything; I jumped right into my questions.
We made three successful calls to our target company in less than 30 minutes. Our calls were successful thanks to a combination of three things:
1) We played to gender stereotypes – the male having an I.T. position, and the female having a clerical position
2) Pretending to have “insider information” – knowing the store number and the store manager’s full name
3) “Don’t let them think” – not giving the target time to say no or to process what is going on
Our calls could possibly have been more effective if we had asked to speak with a manager rather than the store operator, since some of the operators did not have answers to some of the questions we asked, and we could have gotten more flags.
Overall, having teams this year was fun, yet a challenge. I have to thank my fill-in partner, Steve, for stepping up and rocking the schmooze. Of course, big thanks to the whole Social Engineering team; they put so much work into the SECTF and it shows. Thanks for another great year!