After the success of our first community event in 2023, it was time to take things up a notch. Together with IT service provider Cronos Security we organised to host the first-ever live phishing hackathon, or better called Phishathon.
This event focused entirely on phishing, demanding participants to showcase their most creative and cunning tactics across three challenges, with only one emerging as the winner.
In this post, we'll delve into the event, highlight the key participants, detail the challenges and look at the impact made.
Spears at the ready!
For the first challenge of the Phishathon, we collaborated with Cronos Security and UZ Leuven to launch a spear-phishing campaign. Our ethical phishers and event participants were given a briefing on the target along with useful information for crafting their phishing emails. Armed with this data, the participants conducted further research and launched a series of diverse and targeted emails to the IT department of UZ Leuven.
The campaign quickly stirred up activity, generating significant interactions and even some data submissions before the emails were reported by the recipients.
The e-mails have caused quite a commotion within our organisation, but in a positive sense ofcourse. - Thomas Noppe | UZ Leuven
Top phisher of the year, Michiel, won this challenge by phishing the highest number of clicks on the links in his emails. His social engineering mail, which closely mimicked the communication style within the organization, proved to be the winning strategy.
Inspirator generator! 🪄🤖
Artificial Intelligence tools are revolutionizing society, including cybersecurity. This was the focus of our second challenge. Participants were tasked with generating relevant phishing emails targeting various industries, including construction, maritime, and scientific activities. To create their phishing emails, they utilized AI tools such as ChatGPT-4 and Gemini.
Working in groups, participants had ten minutes to craft their emails. The results were diverse but not always convincing, highlighting the enduring importance of the human touch in phishing and cybersecurity.
Our expert jury, consisting of Jonas Buyle from Cronos Security, Dieter Tinel from OutKept, and Thomas Noppe from UZ Leuven, evaluated all the submissions. After careful deliberation, cybersecurity professional Noa took the prize for this challenge with his intricate phishing email that successfully bypassed multi-factor authentication (MFA).
Hello from the other side
Have you ever been called by a phisher? Someone pretending to be your bank, a known tool or someone else? With our final challenge we wanted to highlight the ease of vishing, phone phishing, and ask our community to call up a special target.
Briefed from a secret document, every group received their target and had 10 minutes to prepare their vishing scenario. After their preparation, deciding on how they would approach the call, they received the phone number of the target.
Approaches varied significantly, and with 1st place still within reach, everything was on the line. Here, some groups stuck to their prepared strategies while others improvised. Ultimately, one team triumphed with their industry-specific phishing scenario tailored to their target.
We phished a ton!
As the event drew to a close, our jury had to decide on the overall winner based on the performance across all three challenges.
Judges Thomas Noppe (UZ Leuven), Jonas Buyle (Cronos Security), and Dieter Tinel (OutKept) awarded the top prize to ethical phisher Noa (Pixl), with Michiel (IT-Strategie) as the runner-up. Both participants excelled throughout the event, launching effective and innovative phishing campaigns. Noa impressed with his social engineering skills in the vishing challenge and demonstrated how MFA can be bypassed with the right approach. Michiel showed his spear-phishing skills in the first challenge, earning significant interactions and bounties.
We wrapped up the night with celebratory pizza and drinks, thrilled with the success of our first Phishathon. The event was a resounding success, and we can't wait to see what next year holds. We phished a ton!
Curious about the event? Watch our aftermovie 👇
Phish tales
Nasz blog to Twoje źródło informacji na temat phishingu i cyberbezpieczeństwa! Przeczytaj tutaj najnowsze wiadomości i opiniotwórcze artykuły na ten temat.
Nasza platforma symulacji phishingu to absolutna rewolucja w Twojej ofercie z zakresu cyberbezpieczeństwa, która pomoże Ci utrzymać klientów w gotowości przed ewoluującymi zagrożeniami phishingowymi. Mając po swojej stronie całą otwartą społeczność etycznych phisherów Outkept, teraz możesz rozszerzyć symulacje phishingu na każdą organizację w swoim portfolio. Zajmij się rosnącym zapotrzebowaniem, przestań odrzucać prośby o prewencję od mniejszych organizacji, twórz możliwości dodatkowych usług, produktów lub wsparcia i bądź na bieżąco z regularnymi przeglądami wpływu.
By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Policy for more information.