This blog is the eighth post in our 12 Days of HaXmas blog series and was co-written by Patrick Laverty, Whitney Maxwell, Robby Stewart, Emilie St-Pierre, and Jonathan Stines.

Santa, there’s a problem! Social engineering attacks are on the rise, with naughty children trying to trick you into believing they are actually good children and getting the best toys. We can’t let this happen, so we are putting some of our best people on it to help.

In fact, four Rapid7 pen testers recently gathered at the brand-new Layer 8 conference in Rhode Island to present on social engineering and open source intelligence (OSINT) gathering. In this post, we will detail their findings and tell you what you need to know about the current state of social engineering.

First, a little background. Have you heard of the Open Systems Interconnection (OSI) model? It’s a description of how computers talk to each other, all the way from the physical wires in the wall, up through the computer, to the operating system and applications we use. There are seven layers in the OSI model to describe this process, and each layer has been under attack by grinches and hackers for years.

Fortunately, defenders have gotten better at protecting these layers with defenses such as firewalls, network segmentation, and multi-factor authentication. These defenses have forced naughty children to move along each time new defenses are introduced, and now more than ever, these naughties are even moving beyond the seven layers to what can be called an unofficial eighth layer: the human. Yes, that even includes you, Santa! Attackers are constantly targeting people and elves using all available social engineering methods, including phishing, vishing, smishing, and any other types of “ishing” you can think of.

Whitney Maxwell: “The Size and Impact of Digital Footprints”

Whitney Maxwell talked about “The Size and Impact of Digital Footprints” regarding information disclosure and how it affects all users online. Data collection is invisible, privacy notices are difficult to understand, and sensitive data regarding health, finances, or children are collected for behavioral advertising. The majority of users show concern for information privacy, but few have adopted protective behaviors.

Whitney’s research concluded that personal information is readily available online and easily acquired, regardless of age or demographic. Protecting personal information should begin with identifiers such as email addresses and phone numbers, since they were proven to reveal information across all levels of sensitivity. Whitney’s research project allows users to understand exactly what types of information are exposed and how they can be discovered. Little other research has attempted to extensively research individuals using a small number of identifiers and analyze the resulting information exposure. Furthermore, her project has adopted and modified the FICO metric to create a new PIVA metric that encapsulates the vulnerability and extent of exposed information to educate users and provide insight into areas of greatest risk.

Emilie St-Pierre and Robby Stewart: “Proven Methodology for Open Source Intelligence Gathering and Social Engineering”

Emilie St-Pierre and Robby Stewart gave us a glimpse into their thought process and how they use OSINT to conduct social engineering attacks with their “Proven Methodology for Open Source Intelligence Gathering and Social Engineering.” In one example, they shared how using a reconnaissance tool led them to discover that their target, a global company, used regional domains (think a .us or a .cn) for every country except Germany. By registering the .de address, they were able to impersonate a real employee in Germany and set up an inbox for that user. Using an email template from the security vendor the target had in place, they then created a pretext with a “secure message” coming through from that employee that ultimately led them to internal access. By looking through a target’s external presence and selecting the right pretext, the path to compromise is fairly easy.
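A defender-side check for the regional-domain gap described above, added here as example code that is not from the talk or from Rapid7: given an inventory of the domains an organisation owns, it lists the unregistered regional variants and flags inbound senders that use one. The domain inventory, the ccTLD list and the sample From: headers are constructed, and it assumes single-label ccTLDs (co.uk-style suffixes are not handled).

```python
import re

# Constructed inventory: domains the (hypothetical) organisation actually owns.
OWNED_DOMAINS = {"example.com", "example.us", "example.cn", "example.fr"}

# Illustrative ccTLDs treated as "regional variants"; not an exhaustive list.
CC_TLDS = {"us", "cn", "fr", "de", "uk", "jp", "br"}

# Constructed sample From: headers, as a mail gateway might log them.
SAMPLE_HEADERS = [
    "From: Hans Mueller <hans.mueller@example.de>",
    "From: alice@example.com",
    "From: Secure Message <noreply@mail.example.de>",
    "From: bob@partner-example.fr",
    "From: carol@example.cn",
]

DOMAIN_RE = re.compile(r"@([A-Za-z0-9.-]+)")

def _label_and_tld(domain):
    """Split 'mail.example.de' into ('example', 'de'); single-label ccTLDs only."""
    parts = domain.lower().strip(".").split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (parts[0], "")

def missing_regional_variants(owned=OWNED_DOMAINS, cc_tlds=CC_TLDS):
    """Regional variants of owned brand labels that the organisation has not
    registered, i.e. the names an impersonator could register (the Germany gap)."""
    labels = {_label_and_tld(d)[0] for d in owned}
    candidates = {f"{label}.{tld}" for label in labels for tld in cc_tlds}
    return sorted(candidates - {d.lower() for d in owned})

def is_regional_lookalike(sender_domain, owned=OWNED_DOMAINS, cc_tlds=CC_TLDS):
    """True when the sender uses an owned brand label under a ccTLD we do not own."""
    if sender_domain.lower() in owned:
        return False
    label, tld = _label_and_tld(sender_domain)
    owned_labels = {_label_and_tld(d)[0] for d in owned}
    return tld in cc_tlds and label in owned_labels

def scan_headers(lines):
    """Return sender domains in From: lines that look like unregistered regional variants."""
    hits = []
    for line in lines:
        match = DOMAIN_RE.search(line)
        if match and is_regional_lookalike(match.group(1)):
            hits.append(match.group(1).lower())
    return hits
```

Running `missing_regional_variants()` against a real inventory gives the list of variants worth registering defensively or at least watching; `scan_headers` is the matching gateway rule.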

Jonathan Stines: “How to Make Vishing Suck Less”

Jonathan Stines provided quick-fire tips with “How to Make Vishing Suck Less.” In this presentation, he shared his top techniques for increasing the success and outcome when performing a telephone pretexting exercise. He described the background of why we are not as effective as we would like to be and how the social dynamics of talking on the telephone have changed over the years. Jonathan also provided real-world methods to increase the buying temperature of recipients, including how to build your own automated caller ID spoofer.

More conference fun

The Layer 8 conference was not the only place where Rapid7 pen testers excelled, as Whitney was crowned the champion of the Social Engineering Capture the Flag competition at DEF CON in Las Vegas. Competitors in this annual competition are put in a soundproof box for 20 minutes in front of an audience of hundreds, while they make vishing calls to a pre-arranged target company and try to get as much information out of employees as possible. Valuable information may include how long the employee has been at the company, what operating system they use on their laptop, what company they use for custodial services, and whether they will load a URL on their computer as described by the contestant. Whitney captured the most flags and the most points during this competition, earning herself the coveted DEF CON “Black Badge,” which confers lifetime free admission to the conference!

The Rapid7 penetration testing team focuses on social engineering on a daily basis, staying up-to-date on the latest attack types and methodologies and using this information to help our clients, the community, and yes, even you, Santa!