Social Engineering Grows Up

Published: 22/11/2024   Category: security

Fifth annual DEF CON Social Engineering Capture the Flag Contest kicks off today with new tag team rules to reflect realities of the threat.



The wildly popular DEF CON Social Engineering contest this year in Las Vegas will feature a new twist: each contestant will be assigned a teammate to whom they must hand off during the live event, where they cold-call targeted corporations.
"We needed to create an event like the real world," says Christopher Hadnagy, chief human hacker at Social-Engineer.org and organizer of the contest, now in its fifth year. "In the 30 minutes [of the live call], you have to tap out at least twice so that each teammate will have a role in the live call." The contest aims to wring as much potentially revealing information about the company as possible from the unsuspecting call recipient. Contestants squeeze as many predetermined flags as they can out of employees at major US corporations, everything from the type of browser they are using to the name of their cleaning/janitorial service.
The pretext could be that the caller needs to hand the call to his manager or another colleague, for example, to lend more legitimacy to the call -- something Hadnagy and his team at Social-Engineer.org say is becoming more and more common in social engineering attacks. "These are realistic vectors," he says of the two-person call approach. Phony Microsoft tech support scams do this often, says Hadnagy.
As end users get more savvy about phishing emails, the bad guys have upped their game: "Now they are starting to employ a combination of phishing followed by voicemail, or vice versa, so it adds a level of truthfulness to their message," says Michele Fincher, chief influencing agent at Social-Engineer.org and a former psychology professor at the US Air Force Academy.
Fincher points to a recent phishing campaign that spoofed Verizon's technical support phone number, calling potential victims and sending them to a malicious website. "They [attackers] are using multiple channels -- calling, emailing, and legitimate-looking websites -- making it harder for targets to dismiss them as phish," she says.
Social-Engineer.org is opening up the SE Capture the Flag contest today, in conjunction with a newly redesigned website launch for the organization that's better aimed at providing resources and research for businesses, students, and other visitors.
"We've gotten much more serious about the mission. It used to be it was a fun thing and a hobby I did because I enjoyed it, and it's all still true. But we started to see how social engineering is being used in the world and how companies are getting completely hacked with SE, and how little resources there are out there now on it," Hadnagy says.
The new site comes with a friendlier appearance to make it more inviting to visitors. "We made it less dark and hackerish looking and appealing for research and search," he says. "We had customers saying my boss was a little afraid of their visiting the site because he wasn't sure if it was a good or bad hacker site, for example," he says.
Among the trends Hadnagy has seen with social engineering awareness is that it's not just penetration testers wanting to learn more about it. He's had more law enforcement officers, senior managers, and professors, for example, take his social engineering training classes.
Also new with this year's SE CTF: prospective contestants must submit 60- to 90-second videos showing their talents for social engineering. "We hope this will give us the best contestants and help us choose people who are committed to be part of this," Hadnagy says. More than 170 people signed up for last year's contest, he says, so interest is growing. "The first year, we were begging for contestants."
The 20 finalists will each be assigned a teammate via an email introduction and will have about a month to strategize their game plans for the live-call part of the contest. The contest includes a reconnaissance phase prior to DEF CON, where the contestants research their assigned target corporation using open-source information; they are not permitted to contact the company in advance. "This is all done without any hacking at all," says Hadnagy.
Hadnagy and Fincher will handle the judging this year, using a Web-based judging application that makes the process more objective. They have not yet selected the Fortune 500 US corporations for the contest, but previous contests have targeted AT&T, Cisco, HP, Target, Mobil, and Walmart, among others.
Famed former hacker Kevin Mitnick attends the contest each year, and he will give a talk at the Social Engineering Village. Hadnagy says he's working on some other celebrity speakers to participate as well, but he can't reveal who just yet. Keith Alexander, NSA director and chief of the US Cyber Command, shocked Hadnagy and other attendees in 2012 by unexpectedly dropping into the SE CTF room during the contest.
