Social-Engineer CTF Report Released

Blog Post created by socialengineer on Oct 29, 2013

For the last five years, the team at Social-Engineer have been bringing one of the most exciting events to DEF CON - the Social Engineering Capture the Flag.  The contest was designed to help bring awareness to the world about how dangerous social engineering can be.  In our 5th year, the competition was fierce and the report is the best we have ever released.

This year a pool of 10 men and 10 women, from diverse backgrounds and experience levels, tested their social engineering abilities against 10 of the biggest global corporations, including Apple, Boeing, Exxon, General Dynamics and General Electric.

In the first segment of the competition, contestants were given two weeks to gather as much intelligence about their target using information obtained only through Google, LinkedIn, Flickr, Facebook, Twitter, the corporate websites and other internet sites. During this information-gathering phase, contestants could attempt to capture as many of the pre-defined flags as possible, but could not contact the company or its employees.

Contestants then performed a live call portion of the event during DEF CON 21. In this segment of the competition, social engineers used pretexts established in the information-gathering phase to call employees of the company to further elicit information.

Our Findings

Even though social engineering has received major press, as well as been the topic for discussions amongst the security community and corporate America, it still proves to be a major threat and the easiest way in to most companies. For example, one contestant was able to find an improperly secured help desk document that provided log in credentials for the target company’s employee-only online portal. It’s disheartening to note that after years of attacks and years of warnings, these valuable pieces of information are still so easily found and exploited.

Below are some of the statistics from the report.

Top flags gathered in the 2013 SECTF competition

1. Specific Internet browser

2. Operating system information

3. Information on corporate wireless access

4. Confirmation of a corporate Virtual Private Network (VPN)

5. Presence of an onsite cafeteria

These flags can be used by attackers to build solid pretexting, phishing emails and phone scripts that could lead to a breach of the company.


Social engineering is a risk for every company and every person.  It is the easiest vector for attack as humans want to trust other humans.  Malicious social engineers utilize inherent human traits to trick unsuspecting targets to take an action that is NOT in their best interest. Our goal always has been, and continues to be, ‘Security through Education.’”

On Tuesday, Nov. 5, 2013 1:00 p.m. ET. the Social-Engineer Team will be holding a free webinar to discuss the results as well as steps to mitigate against social engineering attacks. To register for the webcast, visit

To download a copy of the 2013 DEF CON SECTF report, please visit:

About Social-Engineer, Inc. – Security through Education

Social-Engineer, Inc. is the leading authority in the art and science of social engineering. Social-Engineer, Inc. is comprised of two segments. Social-Engineer.Org is an educational organization notable for developing the world’s first social engineering framework and offering the latest social engineering news through our blog and monthly podcast. While maintaining this educational portion of our organization, we offer professional training and services supporting customers in government and private industry through Social-Engineer.Com.

Follow Social-Engineer, Inc. (@SocEngineerInc) on Twitter at or

We want to express our gratitude to companies like Rapid7 that help us spread this message and raise awareness.