Phish Stories - Contest Overview and Rules - May 18th-June 22nd - DC 32

    Serum (Member, Jul 2019, 84)

    #1




    CONTEST RUNS THROUGH JUNE 22!
    Check out this year's scenario

    Phish Stories

    In today’s world, most successful cyberattacks begin with phishing. It’s not only the most prevalent method, but also the most effective one for someone to get malware on a machine. The sophistication of the groups employing these methods has continued to evolve over the years. In response, many businesses have adopted new training to help their workforce identify a phish when it hits their inbox. While that can help, the bad guys are usually a step ahead. Hopefully though, you’ve seen through the deception and haven’t been taken for a ride on any phish you’ve personally received.

    At DEF CON, you might see examples of just how talented some of the red teamers and social engineers are when it comes to creating scenarios that can fool even the most seasoned of professionals. Leveraging Open-Source Intelligence (OSINT), some good-looking graphics, and proper grammar can make it tough on the targets.

    It’s a far cry from the early days of phishing, when the promise of inheriting millions from a Nigerian prince or the lure of winning a sweepstakes were the focus of many an e-mail. No, the original phishing e-mails were not finely tuned instruments and more times than not they found their way into the trash bin. And, while that was the safest thing to do with them, I found myself chuckling at the rather inane stories sometimes associated with the particularly bad ones. Some were so bad that I wondered if they were written with the thought of getting someone to click or if the goal all along was to get someone to laugh.

    It got me to thinking, “Why not form a contest to see who can craft a phishing e-mail that makes us do both? Click AND laugh?”

    Contest Overview

    You will be supplied with a variety of articles and profiles of potential targets within a fictional company. Your goal is to find a way to get your selected target to click while trying to make us laugh along the way. How you go about that is up to you. Remember, though, this contest is as much about creativity and writing as it is about your technical aptitude. We’ve given you the background, but it’s up to you to “fill in the blanks.”

    How do I win?
    The best e-mail and ultimate winner will find a way to combine clickability with laughability. We’re looking for “targeted absurdity” with these entries. Write up a hilarious backstory complete with technical chops and then back that up with a phishing e-mail that drives your target to click that link and bust a collective gut. Combining humor with a targeted phishing attempt is a delicate balance, but our winner will find a way.

    Never fear, however, there are multiple ways to win in this competition. We understand that balancing both humor and clickability is a challenge. So, if you happen to be better at one or the other, you’ve still got a way to win.
    We’ll select three winners after reviewing all the entries:
    1. The Ruler – Our Ruler is the entrant who has found a way to pair a clickable e-mail with comedic chops that leaves us rolling. They will write a creative backstory that builds a narrative to help spring into their phish. The Ruler is our overall winner.
    2. The Wizard – Our Wizard is the entrant who has written a phish that is most likely to cause their target to click on a link. More focused on the technical aspects of phishing, humor is optional to the Wizard.
    3. The Jester – Our Jester is the entrant that made us laugh the most. Creative and funny, but maybe not the most clickable or technical. The Jester will have us remember them for their ability to make the judges laugh out loud.
    Submission Rules:
    Each submission features two distinct documents:
    1. The backstory – you’ll need to fill out the assumptions you made about your target(s). The more creative you get, the better chance you have to win. This is where you can really tell a story and fill in those blanks. Tell us why you chose the target you did and tell us what happens after they click on that link! The backstory should be limited to roughly one page.
    2. The e-mail – again, this should be limited to no more than roughly one page.
    Save the e-mail and backstory to a text file. Attach that text file to an e-mail and send it to: phishstories@protonmail.com.

    Contest begins May 18th and participants will have until 11:59pm PST on June 22nd to submit their entry.

    One entry per participant – if you submit more than one, we’re only counting and reading the first.
    You will receive confirmation of your entry within 48 hours of submission. Please contact us if you do not hear back from us within that timeframe.

    Illustrations and graphics are not accepted.

    Please include your e-mail address and alias/hacker name (or real name if you prefer) for communication and recognition.

    Scoring Criteria

    Judging will be conducted by a panel and completed within 2 weeks of the end of the contest.

    The panel will individually stack rank each of the entries based on the following categories:
    E-Mail Clickability – The point of a phish is to get someone to click; is yours going to hook someone?
    Use of Sources – We’ve given you the scenario and some sources, show us you’ve read them! There are nuggets stored throughout; some are not so obvious.
    After the Click – Can you tell us what happens when someone actually clicks on the link?
    E-mail Humor – Did the e-mail make us laugh?
    Backstory Humor – How about the backstory? Another chance for a chuckle.
    Creative Ingenuity – How creative were you? Show us some outside-the-box storytelling.

    Winners will be selected in the following fashion:
    Ruler – Highest score of all 6 categories
    Wizard – Highest score of E-Mail Clickability + Use of Sources + After the Click + Creative Ingenuity
    Jester – Highest score of E-Mail Humor + Backstory Humor + Creative Ingenuity

    Only one winner per category. The Ruler will be identified first, and the remaining entries will be ranked to determine the Wizard and the Jester.

    Prizes (In-Person at the Con)
    Ruler – 2 Human Badges
    Wizard – 1 Human Badge
    Jester – 1 Human Badge

    The winners will get recognition in the online program and in social media. If on-site during the conference, they will also walk the stage to be recognized at the Contest Closing Ceremony.

    We will be posting ALL entries in the DEF CON Forums for everyone to enjoy along with the winners.
    See last year's scenario, entries, and winners for more information.

    You can follow @phishstories on X (Twitter) for updates and information. Attempts will be made to provide updates and information to other social media platforms as well, including:
    Defcon.social (serum@defcon.social)
    Reddit (u/phishstories)

    Enjoy!

    What’s the point?

    Having won the creative writing contest for DEF CON 30 and the People’s Choice award for DEF CON 29, I was looking for a way to expand pre-con participation in the creative writing process and incorporate a little (or a lot of) humor along the way. Writing is a skill that has gotten me further in my information security career than most of my skills, save perhaps my sense of humor. Combining the two can be very helpful in gaining confidence in your own skills. This is also a contest that can help hone the craft of red teamers who are looking for ways to create scenarios that will pay off in their work in a fun, low-pressure environment.

    Last edited by Serum; May 12, 2024, 16:36.