A bank receives a call from someone claiming to have found a credit card in a public place and wanting to report it. Following its standard policy, the bank closes the account and sends a text to the card's owner. As that text goes out, the real cardholder gets a call from the same person, now posing as the bank, asking about the found card and saying a new card is on its way, but that the account details need to be confirmed first. The caller then phones the real bank, says they have just received a text about a lost card, and uses the details collected from the cardholder to have the replacement card sent to a different address. Note that the attacker never needs to break any system here; the bank's own lost-card text is what lends the follow-up call its credibility.
Both of these scenarios are real and, according to Shawn Hall, Director of Strategy & Fraud Prevention at Pindrop, happen every day. We are going to take a closer look at phone fraud in a series of articles that will dive into some more concerning aspects.
It was with this in mind that we spent the day with the people in the Social Engineering Village and sat in on Day two of their Capture the Flag event during Def Con 25. To say that we were impressed with the people, the event, and what we learned would be a massive understatement. The competition operates on a very simple concept. A contestant sits in a sound-dampening booth with a microphone and headphones while one of the judges places a call using a phone list and a spoofed number (or numbers) provided by the contestant. The contestant has 20 minutes to gather pieces of information, or Flags, using a pretext (a cover story) to score as highly as possible. Three judges in total (Shawn Hall from Pindrop, Chris "loganWHD" Hadnagy from Social-Engineer, and Michelle Fincher, also from Social-Engineer) score the contestant against a predetermined list of Flags. To make things interesting, a couple of hundred people sit and watch while this is all going on. But wait, there's more! Each contestant is assigned a target company and must submit an intelligence report containing their open-source research on it before the onstage calls begin. They are also bound by more than a few rules and restrictions, things that a real fraud caller would not have. Oh, and each contestant must also submit a short video explaining why they should be picked for the competition, and some of the ones we saw were very impressive.
Although we did not sit in on Day one of the competition, we did hear about it. The room, which was fairly large, was filled to capacity with people sitting on the floor and standing in the aisles. There were no seats left and there was a line out the door. Sadly, this interest in the competition did not sit well with Caesars or the fire marshal. For Day two, standing was not allowed, nor was sitting on the floor. Def Con and the SE Village staff were able to get additional chairs so that more people could watch the event. Even with that, there was still quite a line waiting outside the room, and there was no saving seats for anyone. If you got up, you lost your seat, even for a quick trip to the bathroom (and there was no going in a bottle either, as we were informed).
The first contestant did not have much luck, going through several calls with no answer. When they finally did get through, the person who picked up actually knew the person the contestant was claiming to be. The call ended with the recipient threatening to call the police and report the fraud and the calling number. The second call that was answered also did not go well, with the person on the other end giving an excuse for why they could not talk at all, and things were pretty much over.
The next person up in the booth had a little better luck, as the person who answered the call began rattling off information that had not even been asked for. However, time ran out before more information could be gathered about the target.
The third person in the booth had some very interesting pretexts for calling, and one of them even succeeded in getting information out of the target's Network Operations Center before the staff there appeared to become suspicious and the information gathering was over. One of the more interesting pretexts was to pose as an insider returning a call the target had supposedly made. This approach lets an attacker build rapport with the target through a shared frustration (neither side knows why the call was made), and while it worked, it did not yield much information in this case.
The next couple of contestants did not fare that well, but they did illustrate that some companies do teach their staff how to handle phone fraud. They also found one that seemed to handle it by not having any working numbers. There was even one no-show, which prompted the judges to pick a name from a group of volunteers to fill the last spot.
The highlight of the day was when the last regular contestant took to the booth. This contestant came very well prepared, with a list of target numbers, spoofed numbers and pretexts lined up for their run. However, they did not need more than the first number they called. Within a few minutes they had built up a rapport with the person on the other end of the phone and had them volunteering information beyond what the caller was asking for. The contestant continued to pull very odd information from the target and even had them visiting different websites that the contestant named. There was time for another call after that bonanza of data, but time ran out before the contestant was able to get much from it, although the second call was clearly heading in the same direction as the first. When the final call was over, the contestant received more than one standing ovation from the judges and the crowd.
The event was very entertaining and informative to watch. The crowd was almost as engaged as the contestants were. The judges kept things rolling along while the Social Engineering team kept the crowd under control (no recording was allowed during the calls, and the crowd had to keep quiet as well). Beyond the entertainment factor, however, what the contest highlighted very clearly was the gap in awareness and training for handling phone calls. We saw companies that ranged from very good awareness and training to people who either did not know or did not care. Phone fraud (and how to prevent it) is an area of security that needs a lot more focus than it has been getting recently. When you look at the numbers, incidents of phone fraud have risen 113% year over year. That is a staggering number. In thinking about the event, it was very easy to see how a small group of malicious individuals could gather basic information about a corporation and then begin a campaign against it to gather intelligence for a breach or find a way to extract money in one form or another. Remember that the contestants were limited to 20 minutes and operated under multiple restrictions. An attacker will have more time, more people, and no restrictions on what they can do to get what they want.
Another area of concern that stood out was how different parts of a company can have such a wide gap in training for phone fraud. While your core staff, security team, network operations center, and techs might have very solid training, other areas might not. Some of this is due to high turnover rates or to the job not requiring much training or education in the first place. This leaves big holes in a company's protection against fraud, and while companies will spend money to bolster their data security stance, they tend to leave this area much more exposed. An attacker only needs one poorly trained front desk, help desk, or sales line to start building the picture that makes the later calls to better-trained staff convincing.
We will be going over the winners of the Capture the Flag event in more detail in part two of this series. We hope to include information-gathering methods on the assigned companies, how they came up with their pretexts, and how they maintained the conversation with the targets.
We would like to thank Shawn Hall, Chris Hadnagy, Michelle Fincher, and everyone at the Social Engineering Village for the hospitality and for a great and eye-opening event.