DEFCON 31 Vishing Competition: Lessons from a judge
Many companies train employees on spotting phishing emails, but how many raise awareness of voice phishing (vishing) phone calls?
The lack of awareness of social engineering over the phone was a core theme of the vishing competition at DEF CON this year.
There are more key takeaways to come, but first - you may be wondering what the vishing competition even is...
What is the DEF CON vishing competition?
The Social Engineering Community Vishing Competition (SECVC) is a place where individuals and teams compete by placing live phone calls in front of the audience to test their skills (and company defences) against voice phishing calls.
Candidates apply to take part in the competition, which includes submitting short videos (which were awesome) and agreeing to the terms of the contest.
Each year a theme of companies is selected to be the target of the competition. This year the theme was pizza and so the target companies were all in pizza production 🍕
The work the contestants did this year started months before the competition day, when they were given their target. They completed an Open Source Intelligence (OSINT) report and put together a pretext plan of action for the day of the competition itself.
Contestants have coaches to support them and must sign up to an ethical framework.
On the day of DEF CON 31, competitors each had 22 minutes in a soundproof booth to put their OSINT and pretext plan to work by making calls to their target company.
All three elements (the OSINT, the pretext plan and the vishing on competition day) are scored separately by the judges before the event.
What does judging involve?
Competitors work really hard in the run-up to the competition and face the pressure of the booth and live audience on the day. As judges, Snow, Corgi and I were there to assess and score all of their work to generate the scoreboard and identify the winner and runner-up. I was invited to be a guest judge by Snow and JC (the founders of the Social Engineering Community) this year.
We had 13 teams compete this year, with some impressive OSINT and pretext work before the day of competition even arrived.
In the end, Artyboy prevailed as the overall winner, having placed second last year and so returning with a vengeance. Well done, Artyboy!
As a winner, Artyboy was awarded a DEF CON Black Badge (for lifetime access to DEF CON). Having won this year, Artyboy will not be able to compete in the vishing competition next year but will be offered a role of coach to the new teams. In second place this year, Doom put in an impressive run alongside the team which came third, Mr Hackermen.
Check out the final scoreboard to see how everyone did in the end.
All competitors showed nerves of steel by taking on this challenge, and hopefully everyone learned some valuable insights about themselves and social engineering. We all certainly learned from each and every one of the contestants.
What can we learn from the vishing competition?
I wanted to share some of the secrets, tips and takeaways that I saw as a judge on the panel. Hopefully, this advice will be useful for those looking to get into social engineering, either for work or to take part in the contest, as well as anyone wanting to defend their company from social engineering (read: that should be all of us).
Lesson 1: OSINT top tip
Only one team submitted an OSINT report that used more than Google as a search engine.
By their nature, search engines return and scrape different data, so do not rely on just one. Bing and DuckDuckGo are just two examples of alternatives to Google.
In the competitor OSINT reports, I saw a lot of Google Street View, but other resources were neglected. These could include Bing Maps, Apple Maps and even free satellite imaging sites. If you are able to pay a small fee, you can even get near-real-time satellite images of a target. OpenStreetMap is a wealth of information too, and OpenInfrastructure maps are one of my most used resources when looking to simulate an attack for a client.
Reddit appeared to be a well-used resource for all the teams, which is great and provided many contestants with a lot of information. But other sites were not leveraged, such as TikTok, Threads, Facebook, Instagram and LinkedIn.
Branch out, think outside the box and try to find new and interesting resources you can leverage.
Lesson 2: Tick tock, watch the clock
Remember, time can be your enemy or your friend. Focus and consider that if you are on a call, you don’t have any time to waste. Your communication should be purposeful, with everything you say or ask playing a part in your strategy and tactics.
We saw many contestants lose track of time or waste precious moments on dead ends and repetition. That is understandable given the pressure, but it made the difference when it came to results.
Lesson 3: Recon FTW
We have all heard the saying “location location location”, but in our world it should be “recon recon recon”. The more you do, the better your chance of success!
I witnessed several teams struggle with this, many running out of either numbers or pretexts to use. The most successful teams had names and internal language to use to build instant authority and rapport with the person they reached.
On the flip side, be careful not to overwhelm yourself. One team provided pages and pages of numbers, and others struggled to pick the best numbers on the day. Even something as simple as time zones can make a huge difference to the call. The teams that did the best picked locations that had just opened and were not busy; those that picked time zones at lunchtime or closing time did not do so well.
Do the recon, then focus your findings so you can quickly leverage the information without digging through the weeds.
Lesson 4: Beware sunk cost fallacy
Sunk cost fallacy is that point where something isn’t working but you feel that you’ve been trying it for so long - you’ve invested time and effort - that you convince yourself giving up would be a waste of that investment. It creeps into many areas of life (for example, Jess speaks about the impact of sunk cost fallacy on victims of romance fraud in this video).
When it becomes clear that your course of action is not working - move on, the quicker the better.
I watched numerous calls where a team would waste about a quarter of their time on hold or trying to get through on one call. Generally, when they moved on, they started to get somewhere.
We can fall into the same trap during recon, spending hours going down rabbit holes rather than building good baseline coverage first and then going deeper once that is complete. Because of this, some teams struggled to find more than 10 numbers, or to win ‘easy’ points on the day, whilst going too deep and too detailed on areas that were not as valuable.
Lesson 5: Phishing is not just email
When we at Cygenta deliver awareness-raising, we always make it clear that social engineering can take place via any form of communication.
While email may still be the most common mechanism for social engineering, we are increasingly seeing attacks via social media, platforms such as WhatsApp, physical compromise, snail mail and - you got it - phone calls.
For one of the objectives in this competition, contestants had to ask their targets about cyber security awareness raising. Targets often replied by talking about phishing emails and showed awareness of being careful about sharing information over email and verifying the recipient. They were describing exactly what was happening to them at that moment, but without joining up the dots, because it was happening on a phone call and not in their inbox.
If you are running cyber security awareness-raising in an organisation, make sure the scope goes beyond phishing via email. As a defender, I hope you will be able to use the lessons in this blog post to inform your approach.
After all, that's what we're all here for: making people and places more secure online. One thing I loved seeing on competition day was how much the audience applauded when targets asked security questions or shut the call down.
I would encourage anyone considering applying for the next DEF CON Social Engineering Community vishing competition to give it a go. Contestants gave excellent feedback and seemed to benefit from the experience.
Make sure you are following the Social Engineering Community Twitter account for more news from the competition and plans for next year when they are announced. Keep an eye out for their report of findings, coming soon; there will undoubtedly be some fascinating data and lessons we can all learn from.
If you are interested in testing your skills but not quite ready to take the leap, the SE village also runs ‘cold calls’ outside of the competition. These are just five-minute tasters of what the full contest is about. They didn’t involve any prep, gave great insights into social engineering and were a lot of fun!
Now that you've read about the competition, here are some more photos from the day: