How a Single Phone Call Can Compromise Your Company

I’d read about social engineering for a few years before I first stepped into the Social Engineering Village at DEF CON 20. But I didn’t grasp the power of this type of attack until I watched a live call during which employees of major companies simply offered up all the information needed to breach their systems – no technology required. I was hooked. In case you’re not familiar with social engineering, it’s defined simply as “any act that influences a person to take an action that may or may not be in their best interest.”

A couple of years later, I decided to participate in the Social Engineering Capture the Flag competition at DEF CON. My first attempt, I gave 100 percent effort, but during the call phase of the competition, in front of hundreds of people, I got zero points because I could not get anyone on the phone. Despite that, I decided to sign up yet again this year. Armed with determination and a lot of OSINT (open source intelligence), I lucked out this year and had two successful calls in the 20 minutes. 

Remembering how powerful it was to hear that first social engineering call, I wanted to share my call and bring this learning to a broader audience. Recording the live calls was not an option because of Nevada’s two-party consent laws, but Chris Hadnagy from Social-Engineer.Org and the Social-Engineer Podcast agreed to record a reenactment of the call that helped me win the competition.

We’ve changed details that would identify the person or company. The point of this exercise is not to point fingers or shame anyone, but to educate on how to spot these types of attacks and defend against them. I don’t believe I’m immune to these types of attacks, and if you believe you are, you are probably experiencing the Dunning-Kruger effect.

Nuff said. Enjoy the video:

That was fun, right? But you might be wondering, “How can I protect myself against modern attacks?”

As the hard shell of the corporate network has eroded with the rise of laptops and cloud services over the past decade, people and applications are the primary attack vectors companies need to worry about. The application security part is why I started working at Veracode, and the people part is why I’m interested in social engineering.

To protect yourself and your company against social engineering, learn how to spot potential social engineering attacks and how to deflect them. There are some great trainings out there, including Chris Hadnagy’s company Social-Engineer.com. To protect against digital impersonation, for example, after a social engineer has stolen a password, you should strongly consider an identity and access management solution that supports 2-factor authentication, such as CA Advanced Authentication. To protect your web and internal applications, check out the Veracode Application Security Platform, which helps you identify vulnerabilities in the code you write or include in your software.

Comments or questions? Post below of find me on Twitter @chris_kirsch.