How a lying 'social engineer' hacked Wal-Mart

Organizer Chris Hadnagy (right) oversees a Defcon contest that challenges competitors like Shane MacDougall (at left) to trick companies into disclosing sensitive data.

A Wal-Mart store manager in a small military town in Canada got an urgent phone call last month from "Gary Darnell" in the home office in Bentonville, Ark.

Darnell told the manager Wal-Mart had a multi-million-dollar opportunity to win a major government contract, and that he was assigned to visit the handful of Wal-Mart stores picked as likely pilot spots. First, he needed to get a complete picture of the store's operations.

For about 10 minutes, Darnell described who he was (a newly hired manager of government logistics), the outlines of the contract ("all I know is Wal-Mart can make a ton of cash off it") and the plans for his visit.

Darnell asked the manager about all of his store's physical logistics: its janitorial contractor, cafeteria food-services provider, employee pay cycle and staff shift schedules. He learned what time the managers take their breaks and where they usually go for lunch.

Keeping up a steady patter about the new project and life in Bentonville, Darnell got the manager to give up some key details about the type of PC he used. Darnell quickly found out the make and version numbers of the computer's operating system, Web browser and antivirus software.

Finally, Darnell directed the manager to an external website to fill out a survey to prep for the upcoming visit. The manager dutifully plugged the address into his browser. His computer blocked the connection, but Darnell wasn't fazed. He said he'd call the IT department and have it unlocked.

The manager didn't think that was a concern. "Sounds good," he answered. "I'll try again in a few hours."

After thanking the manager for his help, Darnell made plans to follow up the next day. The manager promised to send Darnell over a list of good hotels in the area.

Then "Gary Darnell" hung up and stepped out of the soundproof booth he had been in for the last 20 minutes.

"All flags! All flags!" he announced, throwing his arms up in a V-for-Victory symbol.

His audience of some 100 spectators at the Defcon conference in Las Vegas burst into applause. They had been listening to both sides of the call through a loudspeaker broadcast.

"That was insane," the person next to me murmured, shaking her head in appreciation.

Darnell is actually Shane MacDougall, the champion of this year's social engineering "capture the flag" contest. He managed to capture every single data point, or "flag," on the competition checklist -- a first for the three-year-old event.

The hackers' playground: Held every July, Defcon is where hackers come to swap tips and show off cutting-edge technical exploits.

The social engineering hackathon is an old-fashioned display of con artistry. With nothing more than a phone line and a really good story, a hacker can pry secrets loose from America's biggest and most guarded corporations.

"Social engineering is the biggest threat to the enterprise, without a doubt," MacDougall said after his call. "I see all these [chief security officers] that spend all this money on firewalls and stuff, and they spend zero dollars on awareness."

MacDougall would know: The security firm he runs, Tactical Intelligence in Nova Scotia, specializes in a broad range of corporate espionage defense services. He regularly conducts social-engineering audits for clients, calling their employees to see what sensitive data he can extract.

In his view, it's a battle everyone is losing. MacDougall picks his victims carefully. Sales employees are a favorite target: "As soon as they think there's money, common sense goes out the window."

When asked about the "hack," Wal-Mart (WMT, Fortune 500) said it views MacDougall's exploit as a cautionary tale.