Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Eric Brown (00:05):
You're listening to the Audit, presented by IT Audit Labs.
Mandi Rae (00:15):
Hello and welcome back to the Audit by IT Audit Labs. Nick and I are very excited today to welcome guests from Team Spilt Beans, who won the DEF CON 30 Vishing Competition Black Badge. Please help us in welcoming to the show Jennifer, Matt and Sean.
Hi guys.
Jennifer Isacoff (00:42):
Hi, thank you so much for having us. Thanks for being here.
Mandi Rae (00:47):
Jennifer, do you want to kick off introductions?
Jennifer Isacoff (00:51):
Yeah, that sounds good. So, hey, I'm Jennifer, otherwise known as Jacoff, and I was the team captain of Spilt Beans from DEF CON 30. I've been practicing social engineering for about 10 years now, and you can follow me on Twitter at underscore Jacoff, J-A-C-O-F-F. And with that, I'm going to pass it over to Matt.
Matt Probst (01:15):
Hey, yeah, hey, I'm Matt Benkert. I've been pen testing for about three years, and I've been in security, defensive side, for probably five years before that. Relatively new to social engineering. Kind of Jennifer forced me into the competition. I'm just kidding, but yeah, that's about it. My Twitter handle is at BNGRSEC, BangerSec. Sean.
Sean Hopkins (01:45):
Hey, I'm Sean Hopkins. I've been in security for about 10-ish years now. I'm a red team lead over at a Fortune 50 company and I like to social engineer. I did break-ins and stuff like that in the past, and you can find me at underscore Seahop, S-E-A-H-O-P.
Mandi Rae (02:04):
Great. Thank you so much. We're very excited to have you here. So let's dig in and let's talk about DEF CON 30. It was this past August in Las Vegas. Was this your first DEF CON?
Jennifer Isacoff (02:19):
Yeah, so for me this was the first DEF CON I've ever been to, which was pretty exciting to walk away with a black badge. I'm going to say it was definitely unexpected. I know, Sean, I think you'd been there before, right?
Sean Hopkins (02:31):
Yeah, I've been to one previously, I think 2018.
Matt Probst (02:34):
Yeah, it was my third DEF CON.
Mandi Rae (02:39):
So this one, did it blow your mind? I was very impressed by the production. The previous year, with the pandemic, it felt a little bit smaller and intimate, being in a hybrid, both virtual and on site. So this year I was so impressed with the graphics, the music, the parties and all the different tracks you could take.
Jennifer Isacoff (03:00):
Yeah, I had an amazing time. I know I don't have anything else to compare it to, but I do want to give a shout out to the social engineering community's founders, JC and Snow, and the Twitter is at SEC underscore DEF CON. But I mean, their whole community was executed flawlessly, as if they'd been doing it for years and years.
Mandi Rae (03:21):
It was amazing. I'd agree with that. The experience and being in the social engineering area was so exciting. Just to set the stage for people listening, you walked into a large meeting conference room, it was dark, and you actually got to watch the competition live. Tell me more about the competition. How did you guys decide to enter, what did that look like? And then, what was the actual experience of vishing people live in front of a huge audience?
Jennifer Isacoff (04:00):
Yeah. So I'll say it was not a last-minute decision to apply, but I did definitely strong-arm these other two guys, Matt and Sean, into joining me because I was a little intimidated to do it by myself initially. But we made a YouTube video as per the requirements of the admission and were selected to be one of the competitors, which was really exciting. From there, we had a few different requirements and different sections of the competition. The first stage was that the judges slash contest organizers would give you a company, so every single team received a target company, and that was basically all they would give you, just the name of the company and that's it. And from there you had to put together a report that included a series of objectives that the contest organizers identified ahead of time, and this could be things like what operating system does the company use? What's the name of their shredding company? It's a large variety of objectives, but you put those together in a report, you submit it to the judges, and you also create a list of phone numbers and targets that you would like to call for the live calling section of the competition, which happened actually at DEF CON. So, aside from that preparation work, then it brings us live to the DEF CON portion, where we had a soundproof booth, which was so incredibly helpful given the amount of people that were there in the room, in which you'd place live calls to the people you had previously identified and hope they answered so that you could give them your pretext and get even more objectives. Does that make sense?
Mandi Rae (05:47):
It does, and it sounds incredible.
Jennifer Isacoff (05:50):
Oh my gosh, it was so much fun.
Nick Mellem (05:52):
Yeah, that's a question for Matt or Sean. I'm also curious what your prep work looks like as far as tools go. What kind of OSINT are you using? Do you have any goals? Are you trying to get something specific beforehand for that report, or what does that look like?
Sean Hopkins (06:09):
To some degree. Actually, Matt had a novel find, I think, for the entire engagement, like amongst all the teams. Actually, Matt, you want to go ahead with your DNS thing you found?
Matt Probst (06:22):
Yeah. One of the requirements was to determine what antivirus the target company was using via OSINT, which is kind of hard to do. I believe it comes standard in Kali Linux that you can actually recursively search a company's DNS servers for specific AV vendor strings, and then it kind of put together an assumption that, oh hey, there's lots of hits on McAfee-owned domains. They probably use McAfee. That was one of the more fun ones to get.
Jennifer Isacoff (07:10):
Yeah, and I do want to say I forgot to emphasize the fact that in this entire competition, we were only allowed to use open source intelligence, otherwise known as OSINT gathering, in order to obtain all this information about our target company. We were forbidden from having any direct contact with the target company, which includes things like calling them, emailing or physically visiting or otherwise communicating with them in any manner aside from the passive OSINT, ahead of the live calling competition that happened at DEF CON. And Matt's technique was probably my favorite and definitely the coolest from my perspective. Sean?
Sean Hopkins (07:44):
Yeah, so the rest of the stuff that would go into a normal pen test, like looking up subdomains and things like that, didn't really apply to this competition, which was unique for me, because that was always part of it, like hunting for bad certs or subdomain takeover type of things. But this was purely a phone call, which, you know, the normal pen-testy type of searches don't, you know, always equate to this type of competition.
Mandi Rae (08:22):
And this is why I'm fangirling so hard over having the opportunity to have you guys on this podcast. This is epic to hear what you were able to accomplish and the methodologies you used.
Jennifer Isacoff (08:27):
Yeah, thank you so much. About the methodologies: actually, one of the judges, Chris Kirst, wrote a really cool article about, I guess, every single OSINT technique that was used by the various competitors in this competition, and I'll send you that link. But it's definitely a really cool read.
Mandi Rae (08:47):
Great, thanks for sharing that. We'll also include that for our audience so they can check it out.
Nick Mellem (08:53):
So you guys created the YouTube video, you created this report. You haven't had any contact yet with your company. And then the next step, you show up to DEF CON and then you start making phone calls. Can you jump into that a little bit, what that looks like? Or do you just go up on stage? I wasn't there, so I'm really curious about how this is looking.
Jennifer Isacoff (09:12):
So this is a good time to say that the judges this year gave us a huge twist, which ended up being super fun. We didn't know it at the time, until we arrived at DEF CON, but actually, so I think there's a total of 16 teams. Matt and Sean, do I have that right? Yeah, that's right. And there were only a total of eight target companies, which means that two teams had the same target company, and we didn't know until we arrived at DEF CON. And so what they ended up doing is a live coin toss, kind of akin to football, with the two team captains or team members to flip a coin to see who had their section first, so who could make their live calls first. And this was really important for two reasons, one being the time of day. So the time that we were making our call just happened to be around 5 pm on the East Coast on Friday afternoon, and so it was either going to be like 4:30 pm or it was going to be like 5:30 pm, and so we didn't know when our time slot was going to be based on this coin toss. And another reason why this is super important is because we don't know if our opponent has the exact same numbers that we found, because, you know, the DEF CON organizers didn't give you any people to call directly. This was all in your lane to figure out who you wanted to call and identify them ahead of time. So there was a potential that, you know, the other team also found the same list of people that they were going to call, and if they call them first and might spook them, then it kind of messes up. It would mess up the potential for us. So that was a really fun twist to find, and I know I was... I didn't want to go up and do the coin toss.
Mandi Rae (11:07):
I was trembling, and honestly, I have goosebumps for you, even though we know how this ended. Just the way you're setting the stage like this is already a big enough beat. But then to be sharing, and then have the time zones to contend with. Holy buckets.
Jennifer Isacoff (11:26):
Yeah. Sean, do you want to walk through what that was like?
Sean Hopkins (11:28):
Yeah, yeah. So I fell on the sword for the coin toss and lost it for our team. And then the guy who won the coin toss, he went first, of course, because end of day, you definitely want to kind of get a better time. And thankfully he went through his sales pitch type of campaign, and luckily none of his phone numbers lined up to ours, but he didn't have many people pick up. So in our minds I'm like, oh man, what if no one picks up? I mean, they're already not picking up for him. That could possibly be what happens to us the entire time. Luckily it didn't turn out that way.
Mandi Rae (12:06):
And how does that not shake your confidence? I think that's one of the ways I'd say you guys are incredibly resilient and masters of your craft. You had all these other things outside of the competition to contend with and you still nailed it.
Sean Hopkins (12:20):
The trick is to go with zero confidence.
Mandi Rae (12:25):
Great approach. I like that.
Matt Probst (12:26):
One of the things that definitely helped us while he was on his call and we were waiting, kind of off to the side, is we had our list of, oh, I don't know, 20, 25 phone numbers, and one, we were checking every phone number he called. You know, we were trying to highlight on our little clipboard if he called it. But also Jennifer and I were sitting there and calling our numbers, and if they were to answer we would immediately hang up and then highlight it or circle them and say, hey, these people answered. We'll call these people first, because we know they might answer again. That way we didn't want to waste time kind of going down the list top to bottom, if that makes sense.
Mandi Rae (13:09):
That makes a lot of sense. Good strategy and amazing teamwork to be doing that. Really. You said you fell on the sword with the coin toss, but I think you made that opportunity work to your advantage, where most people would have felt pretty defeated.
Sean Hopkins (13:24):
It did work out with how it worked out. But also, you know, having to watch someone, you know, you watch that time click down, you know, and it feels like it takes forever on the outside, especially when you're next and all you can see is it getting closer to five o'clock on a Friday. And, you know, just kind of had to get over that part of it, but that hurt a little bit.
Mandi Rae (13:44):
I can only imagine. Did you want to give us more about that?
Jennifer Isacoff (13:49):
I mean, I will say, as Matt and I are standing off to the side, kind of behind a panel waiting, he was like walking me through breathing exercises. I mean, I cannot emphasize how nervous we all were going into this, but once you walked into the soundproof booth it was honestly like your own little oasis. It truly was soundproof, and JC and Snow are absolute geniuses for having that component in there, because one second you had a room with over 100 people in it, and then the next you really could get into the zone pretty easily, and that was awesome.
Nick Mellem (14:24):
Well, what... I did not know you were in a soundproof room. So you go into this room. Are you able to see out? Or is it you're kind of segregated from the world and then people are just listening to the call, or how is that working?
Jennifer Isacoff (14:34):
Yeah, so it was... If you picture it, it was off to the front left of the room and it was facing the back of the room, but it was off to the side, so you didn't see the crowd through the window. What you're looking at is a person they have for actually placing the phone calls, part of the social engineering community staff. And so, from our perspective, when Sean and I first walked in, really we could see Matt and the staff member that was helping us place our calls, and you can't hear anything aside from the headset that they give you, and they could speak directly to the staff member, but outside of that, it's nothing.
Nick Mellem (15:16):
Yeah, that's really cool.
Sean Hopkins (15:18):
You can hear some of the crowd, though, when you get a flag and it goes and the room will erupt, and you can hear just the faintest little, like, you know, in the background, like through the doors, but it's not much.
Nick Mellem (15:30):
OK, so you go into the booth with your objectives that you're going to be judged on, or what? Can you speak on that a little bit? I'm just curious on how this is actually judged and, like, what objectives you're actually looking for to get points.
Jennifer Isacoff (15:42):
Yeah, so I had a list of the objectives all out in front of me. So there is an overlap between the objectives that they required for the report ahead of time and the objectives that you were going to obtain during the live calls, but there were slight differences. Fun part, I think I would say they introduced new this year, is the ability to have wardrobe changes, and you can also use background noises and things like that would get you extra points from the judges. But so, in addition to the objectives, it was, you know, the number of pretexts you used per phone call, any background sounds, wardrobe changes. For example, Sean and I went in first, into our booth first, and I was pretending to be an IT intern. So, you know, I wore jeans, a funny IT catch shirt I think I had, and I actually made a fake badge for our target company based on our OSINT, knowing what their badges look like, with my name on it and my photo, and let's see what else. I think I had a fidget spinner as well, so things like that. And then I could speak to also just the general objectives that you get from on the call, if you'd like.
Nick Mellem (17:00):
Yeah, absolutely. Please.
Jennifer Isacoff (17:01):
Yeah, so there's a list of, I think, 29. But there are things like, do they work from home or the office? Do they take social engineering training or security awareness training? Do they have security guards? If they do, what are their hours? What's the Wi-Fi SSID name? What VPN do they use? What operating system do they use? I mean, there is a large variety to these questions, which is particularly difficult, because you have to find a pretext that can fit the most amount of information possible in there.
Nick Mellem (17:36):
Yeah, that's... talk about stressful, in front of the crowd and then going through that. Man, I would have been with you. I'd need those breathing exercises.
Mandi Rae (17:44):
I was going to say you guys, straight up, sound like Superman. You've got wardrobe changes, you've got your OSINT badge stuff put together. So how did those things come into play? When you get someone on the phone, what types of methodologies did you use to get them talking?
Sean Hopkins (18:02):
So what I found that worked was... so there's a couple parts to leading up to this. So we did a lot of work leading up to, you know, DEF CON. There's like homework assignments, more or less, along the way, and reports that were due, so you had to come up with pretexts, which Jennifer covered. There's also a whole nother report that we do, with some information in it, that kind of shows that we're not just slacking off, and it's worth some points as well. The thing that worked out best was the amount of work put up front. Instead of asking someone what their antivirus is, getting them to confirm their antivirus is a better way to get a response from them. So, for example, like, hey, you know your computer has McAfee on it, right? Blah, blah, blah, and they're going to say yes. Versus, like, oh, you know, if you had to approach it as, hey, what antivirus do you use, that's suspect. You're not an insider, right? You're someone that doesn't know. If you confirm to them that they should have this installed, a yes from them will get you points quicker than trying to pull a thread from them that they might not feel comfortable giving you.
Matt Probst (19:03):
Yeah, I think definitely to that point. I mean, pretty much, just to reiterate, pretty much every single flag that we got was just confirming what we had already found during our OSINT report. So, like, you know, first off you ask them, like, hey, your email address is this, right? And then they would say, like, yeah, this is my email address, and that's one of the flags. And then, like, okay, are you currently in the office, are you currently at home right now? Like, oh, I'm at home right now. Like, okay, that's another flag, and kind of go from there, walk through each step, you know, kind of confirming what we already found previously.
Jennifer Isacoff (19:28):
Yeah, and I think one thing that really helped us also, also new this year, is JC and Snow introduced a component of having coaches that were available to contestants, and so we met with Corgi, and I'll give you guys her Twitter handle for after the show, and she offered to help us walk through our pretext. So we ran through our ideas for what our pretext might be, and she helped us pick which ones would be best, and emphasized the fact that you want to pick a pretext that will get you the most amount of information as possible, because what kills you in this competition is not getting people to answer the phone. Once you have someone on the phone, you need to make use of every single second you have them for. And when we were practicing, actually, my pretext, she gave an objection that I necessarily wasn't anticipating, but it helped me practice on the fly, and during the actual DEF CON live calling, I received that exact same objection from one of the callers, and so I was able to seamlessly just go through it, because, you know, Corgi and I had already practiced it. So that was also a really helpful component this year.
Nick Mellem (20:49):
Yeah, I'm glad you actually brought that up, because that was actually part of my next question, was, you know, you're getting these people on the phone. Do you have any... How are you... What was your strategy to keep people on the phone? I know we've all made these phone calls, or a lot of us have made these phone calls before. You know, you get people that are super talkative, that maybe are willing to give up this information, and it's very natural, but then you get people that want to get off the phone and jump off. How did that work? Were you able to utilize any strategies to keep them on the phone, or what was your goal there?
Sean Hopkins (21:21):
So with my phone call, I was the only one that got a little bit of pushback because of time of day. So my phone call was the last one, and it was definitely like someone just sub C-level, right, so he's... you can tell he's in a suit and ready to go home. So when I pick up the phone I said, hey, I need to ask you some questions about, you know, your computer or whatever. And then he's like, really, man, like, it's end of day. Like, he was not wanting to do this, and I said, perfect, it'll take just a few minutes. And then that was just kind of what led it on from that point, was just like, I swear this will only take like two minutes of your time and I'm out of here. You're the last person on my list.
Mandi Rae (22:06):
I'm curious, when you guys are employing, like, overcoming objections and working with someone, like the mental game, are you playing a character? Like, how do you get yourself ready mentally to look calm and composed, to be within this role? Like, tell me more about that.
Jennifer Isacoff (22:19):
Yeah, that's a good question. That's a very good question. I know a lot of people in the social engineering community, not specific to DEF CON, but just in general people that practice social engineering, really recommend doing things like improv. I've heard very great things about it. I personally never have, and so for me, instead of being in a character, I kind of... I go in by over-preparing for everything. So the people who I called, I knew absolutely everything I could find out about them. I knew what their family life was like. I knew, I mean, all of it. I knew what their job life was like, based on their social media. And so I called people who are particularly wide open so that, you know, I could pivot to something like something we have in common or something that I know that they enjoy, to build more rapport, should I face some kind of hesitancy from their end. So, and that helps me feel more secure in the fact that, you know, I'm not going to bomb, because I have a lot of different backup avenues to go.
Nick Mellem (23:25):
Yeah, research, rapport, building that relationship, establishing that trust. Like, congratulations on the black badge, guys, it's pretty amazing.
Yeah, thank you so much.
How many phone calls did you guys make during the competition?
Matt Probst (23:30):
Um, I think, Jennifer, you made two or three phone calls, that you took up most of the time with two people, and, Sean, I think you made one or two as well.
Sean Hopkins (23:44):
Yeah, I think I had one successful, yeah, when it came down for me. I was going top to bottom on mine and I just was not getting hits. And then I was surprised when the person who picked up the phone picked up the phone. I was like, oh crap, like, um, I thought we're just gonna wear out the time at that point. Yeah, I think we had... how much time was on the clock to begin with?
Matt Probst (23:56):
Was it 25 minutes, I think, or 30 minutes? 25, yeah, yeah. And then by the time Jennifer's turn was done, we had all but like seven minutes left on the clock, I think. Sounds about right.
Jennifer Isacoff (24:11):
Yeah, well, I mean, you guys are making it sound like I hogged the time.
Mandi Rae (24:15):
So what happened was... I was going to say it's because your girl killed it, yeah.
Jennifer Isacoff (24:19):
Thanks, yeah.
Sean Hopkins (24:21):
Well, what's funny is her second call was an accident to some degree. We were going to actually go round-robin, and her first phone call just killed, and then all of a sudden I realized it's my phone call. But to get the maximum points I had to... I had to do a costume change real quick, and it wasn't one... We didn't want to have downtime. So I said, hey, make one more call, I'm gonna go change real quick outside, come back in. Except her next phone call, she killed it. So I mean, I'm like, I'm not going to tell her to stop, you know. So I hopped back in the booth and we kind of have our little back and forth, and then, you know, then it was leftover time, and that was then the last call I made after that.
Mandi Rae (24:59):
That's incredible, and honestly, after being there, and seriously, when we say standing room only, this was one of the most popular events this year. I personally went in, watched in the morning, used the restroom and sat in line for an hour and a half to get back in the room. So even you trying to navigate a costume change, getting out of that room, out of your booth and back in such a short amount of time, is just a testament to how prepared you guys were, and just completely badass.
Jennifer Isacoff (25:30):
Thank you so much. Yeah, it was so much fun.
Mandi Rae (25:34):
Nick, should we transition from DEF CON and maybe just talk about social engineering in general?
Nick Mellem (25:39):
I think that's a good idea. I had mentioned before that this is kind of something I'm really passionate about too, so I'm looking to pick your guys' brains on a few things. For example, when you're making these phone calls outside of the DEF CON competition, if you get somebody that's agnostic to the call, what kind of information can you still get from that person? Is that something you could just maybe ditch and hang up on, or are you staying with that phone call and trying to still get more information to maybe continue down the rabbit hole? What does that look like for you guys?
Jennifer Isacoff (26:09):
Yeah. So I would say, specific to the DEF CON competition, if you get someone on the call, you need to use every single minute, and you know you never just hang up because it's a lost cause, unless it's truly a lost cause and they start to question you or they hang up themselves, because the odds of you getting another person aren't necessarily in your favor. Outside of DEF CON and just in general for social engineering practices, I would say it's not always a lost cause for somebody who might seem as though they're disinterested. In fact, a lot of the times you can use that in your favor, saying things like, you know, it's only going to take a few minutes of your time, and then emphasizing whatever benefit it will be to them, because a lot of the times somebody doesn't want to be on the phone with you because they have other things to do. You know, they don't want to spend their time talking to somebody about something when they have 50 other things they have to do before they leave for the day. So if you can emphasize how it's going to benefit them to talk to you for five minutes, you can get them to give you more information than you probably would have gotten otherwise.
Sean Hopkins (27:14):
And the biggest benefit to help you help them is to let them think they're helping you. So, like, don't make it seem like you want to bark an order. Pretend that you are some... you know, like they can help you with your task for the day. That was proving useful for Jennifer's pretext.
Jennifer Isacoff (27:31):
Yeah, I was just a lowly IT intern and I needed to check a box, otherwise I'd get in trouble.
Nick Mellem (27:37):
Yeah, so you're trying to create that relatability to them?
Mandi Rae (27:40):
Yeah, and a sense of urgency for yourself and your own livelihood, especially as you guys were talking, and depending on what level of people you're engaging with. I think sometimes those who are in the most position of power are most empathetic to the lowly IT person and honestly just want to check this off their list to move on, and that's where we find our opportunity, right?
Matt Probst (28:04):
Yeah, I think that's a good point. Jennifer, one of your pushbacks you got initially was, like, the guy said, hey, I just got a new computer. I don't know if I'm the right person. And you said, well, hey, you're on my list. Do you mind if I ask you these questions anyway? That way, you know, you don't keep getting these phone calls, because you're just going to keep getting the phone calls. So that, you know, kind of helps him out so he doesn't get annoyed in the future, going forward.
Nick Mellem (28:32):
You know, absolutely. Yeah, man, that's a great point. You know, I guess for the audience, you know, how should, how could we better train somebody at a company to, you know, spot somebody actually vishing them? Do you have any advice for a company? How would you train somebody? Is there anything that comes to the top of your mind?
Jennifer Isacoff (28:50):
Yes, definitely. Sean, go ahead.
Sean Hopkins (28:56):
We saw a few of the good practices happen during some of the other vishing engagements. For example, someone called this person from a non-void phone right inside of their company, right? So they're getting a call from a stranger. And this person said, hey, let me look you up inside of our GAL or our internal person lookup. And that was one thing that stopped that call completely, because the validation that that number and that person did not exist would have been just a complete standstill, right? So that would be a slight technical implementation plus a user's awareness type of implementation as well.
Jennifer Isacoff (29:36):
Yeah, for sure. And so, you know, I typically say, first and foremost, avoid answering calls from numbers that you can't identify. When in doubt, just let it go to voicemail, and then you can listen to the message carefully. But a lot of times it's not necessarily practical. Maybe it's part of your job to answer unknown numbers, for example someone in sales. So what I would recommend is pretending to be immediately busy and basically asking them for their callback number, asking them for their name and any other department or other information about them, and then hang up, say you're busy, you can't talk now, and independently verify. So never call back the number that they actually give you. Go and research what it should be. So, for example, if you get a call from somebody claiming to be from your bank indicating that there's a fraudulent charge on your credit card, you need to do X, Y and Z to make sure it's remedied. You say, okay, what department are you calling from, what's your name, and then you hang up, and then you go to your credit card and you look at the number on the back of the credit card that's meant for fraud, and you call that number. So never trust somebody who's calling you immediately. You have to verify who they are and search independently for that information. And, sorry, go ahead, Sean.
Sean Hopkins (31:00):
And kind of tie into that: if there's usually a sense of urgency, it's probably fake.
Jennifer Isacoff (31:05):
Yeah, I mean, this, and you know, it can come in so many different forms. So scammers use things like deadlines, intimidation and, like Sean said, the sense of urgency. But they can also be very polite and confident in their way to trick you. And so if you think you're divulging too much information, you probably are, and just hang up. You can be polite to the person and say you have to go. But hanging up is your best option. And from a training perspective, I recommend you train users to recognize all different types of information that is potentially sought after by bad actors. And most people know not to give their username and password to their personal accounts to somebody over the phone. But they may not know that it's also bad to give away things like physical building access details, you know, your supervisor's name, the department. All of that can be useful information for a bad actor. But it's not necessarily innately evil. When somebody calls you and asks you that, it can seem very benign. So educating users of the potential use of that kind of information can be very beneficial to help them recognize if it's a phishing attempt.
Mandi Rae (32:21):
This is all such valuable and good information. Those threat actors are trying to evoke an emotion, right?
Oh yes, always.
Well, your strategies are impressive. Your award won is definitely something to be recognized. Before we wrap up today, we are curious, what is the craziest story you can share on the record? Is it something in your professional life, social engineering, or doing it as a sport? Is it something from DEF CON? Does anything come to mind?
Sean Hopkins (32:54):
Yeah, I guess I got some war stories, I guess. So I was on a red team that hacked, how can I say this, that hacked non-commercial entities, and so they would send us out into the field and we'd be playing war games with military, and one time I was a human relay to perform this hack over, like, a radio frequency. So I'm crawling through some grass, and then all of a sudden I see, like, the camp of military, their lights light up, and I'm like, oh, I should probably get back to the car. Crawl my way back to the car, and we're sitting in an SUV, and all of a sudden a Hummer comes up right behind us, or a... just not a Hummer, it's a... anyways, big military vehicle, bigger gun on the back, and all of a sudden just starts lighting up the place. Just... we didn't know it was fake rounds. So we're sitting in the car with this giant gun behind us shooting, and we thought we were just in the biggest world of trouble. Turns out we weren't, but we had to sit there for like 10 minutes while they had their war games go on and just be lit up by gunfire all around us.
That's terrifying.
It didn't take too long to figure out if they were fake rounds or blank rounds. The first few you're like, oh, that'll get this car.
Nick Mellem (34:10):
Yeah, that's awesome.
Mandi Rae (34:11):
That's a great story. I want to thank our guests: Jennifer, at underscore Jacoff, J-A-C-O-F-F, Twitter handle; Sean, at underscore Seahop, S-E-A-H-O-P; and Matt, at BangerSec, that's B-N-G-R-S-E-C, if you want to get a hold of them. You've been listening to the Audit, and we thank you for joining us. If you want more information, please visit our website at itauditlabs.com, and we can't wait to chat with you guys again on the next podcast. Thanks, Team Spilt Beans. Great job this year.
Thank you so much for having me.
Take care, guys. Take care.
Eric Brown (35:06):
Want security leadership without the headcount? As an extension of the team, IT Audit Labs will provide the experts to guide and counsel your company. We will start by creating a custom security program that caters to your industry while providing transparency and remediation to improve cyber posture while reducing risk. Contact IT Audit Labs to find out more.