How a Lying 'Social Engineer' Hacked Wal-Mart
Posted on 08/09/2012 9:01:47 PM PDT by grundle
LAS VEGAS (CNNMoney) -- A Wal-Mart store manager in a small military town in Canada got an urgent phone call last month from "Gary Darnell" in the home office in Bentonville, Ark.
Darnell told the manager Wal-Mart had a multi-million-dollar opportunity to win a major government contract, and that he was assigned to visit the handful of Wal-Mart stores picked as likely pilot spots. First, he needed to get a complete picture of the store's operations.
For about 10 minutes, Darnell described who he was (a newly hired manager of government logistics), the outlines of the contract ("all I know is Wal-Mart can make a ton of cash off it") and the plans for his visit.
Darnell asked the manager about all of his store's physical logistics: its janitorial contractor, cafeteria food-services provider, employee pay cycle and staff shift schedules. He learned what time the managers take their breaks and where they usually go for lunch.
Keeping up a steady patter about the new project and life in Bentonville, Darnell got the manager to give up some key details about the type of PC he used. Darnell quickly found out the make and version numbers of the computer's operating system, Web browser and antivirus software.
Finally, Darnell directed the manager to an external website to fill out a survey to prep for the upcoming visit. The manager dutifully plugged the address into his browser. His computer blocked the connection, but Darnell wasn't fazed. He said he'd call the IT department and have it unlocked.
The manager didn't think that was a concern. "Sounds good," he answered. "I'll try again in a few hours."
(Excerpt) Read more at ca.finance.yahoo.com ...
This guy gets a call from company headquarters from a guy he’s never met and he falls for it? The first thing he should have said was “I’ll call my boss and get back to you.”
“Social Engineering” is how the Gizmodo writer was hacked. I guess I don't know what it means in this instance.
Your advice is excellent. Some people are too trusting because they’ve never been victimized before. Plus, people like to try to please authority figures - well, most people do.
It’s a contest where contestants call up businesses to try to extract information. The information is not used for malice, and no one gets hurt.
If your business is selling donuts or hot dogs, maybe. Not in my business, pal.
The article at the link has a link to the contest website, which states the rules. Only certain kinds of businesses can be used, and only certain kinds of questions can be asked. And the phone call is listened to live by dozens of people, including the judges of the contest. The contest has a reputation of being helpful, not hurtful.
That's all it needs to be.
Until you can replace the humans with bots, that will be the situation!
Something like 70% of security breaches are done completely on the human side. For more details, I strongly recommend the book “The Art of Deception” by Kevin Mitnick. He famously did something very similar to this Walmart “attack”, only to a manufacturer of helicopters for the DoD.
Salesmen have been getting information from competitors about the competitors' key accounts for decades.
The guy in this story may be a little slicker than that but is this any different than a salesman calling the order desk of a competitor and posing as a customer to get key competitor information?
But it must be true the Nigerian prince said it was.