Phishathon 2024 - We phished a ton!

After the success of our first community event in 2023, it was time to take things up a notch. Together with IT service provider Cronos Security, we organised the first-ever live phishing hackathon, or, as we prefer to call it, the Phishathon.

This event focused entirely on phishing, challenging participants to showcase their most creative and cunning tactics across three challenges, with only one emerging as the winner.

In this post, we'll delve into the event, highlight the key participants, detail the challenges and look at the impact made.

Spears at the ready!

For the first challenge of the Phishathon, we collaborated with Cronos Security and UZ Leuven to launch a spear-phishing campaign. Our ethical phishers and event participants were given a briefing on the target along with useful information for crafting their phishing emails. Armed with this data, the participants conducted further research and launched a series of diverse and targeted emails to the IT department of UZ Leuven.

The campaign quickly stirred up activity, generating significant interactions and even some data submissions before the emails were reported by the recipients.

The e-mails have caused quite a commotion within our organisation, but in a positive sense of course. - Thomas Noppe | UZ Leuven

Top phisher of the year, Michiel, won this challenge by getting the highest number of clicks on the links in his emails. His social engineering mail, which closely mimicked the communication style within the organization, proved to be the winning strategy.

Inspirator generator! 🪄🤖

Artificial Intelligence tools are revolutionizing society, including cybersecurity. This was the focus of our second challenge. Participants were tasked with generating relevant phishing emails targeting various industries, including construction, maritime, and scientific activities. To create their phishing emails, they utilized AI tools such as ChatGPT-4 and Gemini.

Working in groups, participants had ten minutes to craft their emails. The results were diverse but not always convincing, highlighting the enduring importance of the human touch in phishing and cybersecurity.

ChatGPT integration (Inspirator Generator)

Our expert jury, consisting of Jonas Buyle from Cronos Security, Dieter Tinel from OutKept, and Thomas Noppe from UZ Leuven, evaluated all the submissions. After careful deliberation, cybersecurity professional Noa took the prize for this challenge with his intricate phishing email that successfully bypassed multi-factor authentication (MFA).

Hello from the other side

Have you ever been called by a phisher? Someone pretending to be your bank, a known tool or someone else? With our final challenge, we wanted to highlight the ease of vishing (phone phishing) and asked our community to call up a special target.

Each group was briefed from a secret document, received its target and had 10 minutes to prepare a vishing scenario. Once they had decided how they would approach the call, they received the phone number of the target.

Vishing (phone phishing) challenge

Approaches varied significantly, and with first place still within reach, everything was on the line. Some groups stuck to their prepared strategies while others improvised. Ultimately, one team triumphed with their industry-specific phishing scenario tailored to their target.

We phished a ton!

As the event drew to a close, our jury had to decide on the overall winner based on the performance across all three challenges.

Thomas Noppe – UZ Leuven | Jonas Buyle – Cronos Security | Dieter Tinel - OutKept

Judges Thomas Noppe (UZ Leuven), Jonas Buyle (Cronos Security), and Dieter Tinel (OutKept) awarded the top prize to ethical phisher Noa (Pixl), with Michiel (IT-Strategie) as the runner-up. Both participants excelled throughout the event, launching effective and innovative phishing campaigns. Noa impressed with his social engineering skills in the vishing challenge and demonstrated how MFA can be bypassed with the right approach. Michiel showed his spear-phishing skills in the first challenge, earning significant interactions and bounties.

We wrapped up the night with celebratory pizza and drinks, thrilled with the success of our first Phishathon. The event was a resounding success, and we can't wait to see what next year holds. We phished a ton!

Curious about the event? Watch our aftermovie 👇
