Phish Stories - Contest Entries - DC 33

  • Serum
    Member
    • Jul 2019
    • 84

    #1

    Phish Stories - Contest Entries - DC 33

    This year, contestants were challenged to target key figures involved in the lead-up to DEF CON's newest (and most questionable) venue: the DoubleThree Hotel and Casino. Once known for its nostalgic casino games and low-roller charm, the DoubleThree is now struggling with bedbug infestations, budget shortfalls, and a last-ditch rebranding effort as “The DoubleThree Hotel and Casino by DEF CON.”

    Contestants crafted phishing emails aimed at one or more of the following targets:

    Rebecca Sinclair, the determined but scandal-shadowed General Manager
    Frank Harrison, a pest control CEO turned amateur cybersecurity guru
    Kaya Blackfox, a rising hospitality star new to the Vegas mayhem
    Jack Thompson, a retiring game designer who once turned Connect 4 into a casino hit

    Each entry included:
    Backstory: A creative narrative explaining the target choice and what happens after the phish is clicked
    Phishing Email: A one-page email designed to entice a click and make the judges laugh

    Entries will be evaluated based on:
    Clickability, Humor, Use of Provided Sources, After the Click, and Creative Ingenuity.

    Winners will be announced on Sunday, July 6:

    The Ruler – Best overall combination of clickable and funny
    The Wizard – Most clickable and technically convincing
    The Jester – Funniest submission

    We hope you enjoy these stories (all 17!) of bedbugs, board games, and bold social engineering as much as we did!

    📖 Full scenario details
    📌 Contest overview and rules

    (The scenario and all posts are fictional. The order of entries below is random.)
    Last edited by Serum; June 23, 2025, 17:28.
  • Serum

    #2
    ENTRANT 1 - alilbitalexis

    ########################## BACKSTORY SECTION - Entry 1 - alilbitalexis ##########################

    I decided to phish Kaya for a couple reasons. First off, her overall vibe seems to be centered around community engagement, customer experience, collaboration, and in her own words, ‘fostering genuine connection’. I figured it would be easy to appeal to her hospitality tendencies and passion for mentorship. (Let’s be real, anyone with a knack for anything computer related does not want to be around or talk to people as much as she does, unless it was at a hacker convention).

    Secondly, there’s no mention or indication of her having any background training or knowledge around cybersecurity. The fact that she even had to ask, ‘how to make a hacker comfortable?’ hints that she is out of her depth regarding ‘hackers’ and Defcon overall. Notably, she is the only one using BlueSky social media platform which may be an inherent clue that she is somewhat privy to protecting her online data/identity. BUT, we’re gonna pretend that she had a friend in the community who is paranoid about data/identity privacy who convinced her she should use BlueSky instead of X/Twitter, understanding she will have more control over her social media content, thus allowing her to connect more directly with her community.

    What better way to hook her interest than to pose as a high school student interested in learning more about her community involvement, Cherokee background, etc…. I also had to throw in some mention of her birdhouse building hobby for additional rapport. She’ll be eager to help out a local high schooler if it means she gets an opportunity to do some community outreach and ‘cultural storytelling’. A female gen Z high schooler interested in art and ethnic studies will also avert suspicion that the email is coming from a sophisticated hacker.

    To add a sense of urgency, my paper has a deadline which will be fairly soon considering I'm a procrastinating high school student.

    The phishing attack will be two-fold: 1) A PDF attachment of a copy of the class syllabus including the details for the paper assignment and sample interview questions. The attachment will include a malicious script that will run when opened to gain remote access to her machine. Once I have control, I will open a simple text document stating, "If you want to ensure your network is secure during Defcon 33 at Doublethree, hire someone other than Bugbyte Exterminators, because you have just been bitten!" 2) Should she not want to open the PDF right away or is hesitant, a link will be included to what she believes is the student’s IG account that has photos of the student’s birdhouse art project. The link will redirect her to a clone of Instagram’s login screen, where it will prompt her to log in using her credentials which will be captured using a BitM attack, ideally using Safari. Once her credentials have been captured and I have gained access to her IG account, a new photo of a photoshopped photo of her birdhouse that has been vandalized with graffiti will be added. It will have a cartoon bird crying outside its house with the caption of the same text from above reading, "If you want to ensure your network is secure during Defcon 33 at Doublethree, hire someone other than BugByte Exterminators, because you have just been bitten!"


    Oh and- her profile did not include her contact information, so I obtained it using good ol' fashioned social engineering skills and called the hotel's front desk clerk who graciously provided it in order to 'send Kaya a thank you email for the exceptional hospitality services I received during my recent stay'.

    ########################## PHISHING E-MAIL SECTION - Entry 1 - alilbitalexis ##########################

    From: LMagdaya <Lexi.Magdaya@lasvegask12.edu>
    To: Kaya Blackfox <Kaya.Blackfox@Doublethreehotels.com>
    Subject: Interview Request for High School Assignment
    (1 attachment: ES101 2025 Syllabus.pdf)

    Hi Kaya,

    My name is Lexi (she/her) and I’m a freshman at Las Vegas High School. I’m taking an ethnic studies elective, and our final project is to interview and write about an influential person in the community that has embraced their cultural background throughout their career.
    In my art class I decided to build a birdhouse and when I was doing research for it, I came across your stuff on IG! I figured you would be a perfect person to ask for an interview because art is a hobby of mine. I also want to go to school for business management and hoped you could maybe share more of your experience about working your way up from being a front desk clerk to the Director of Hospitality.

    It shouldn’t take long at all, and I’ve attached our class assignment (syllabus) with some sample interview questions in case you want a better idea of topics I’ll be asking about. If you’re down, please take a look at them and let me know if you have any questions or aren’t comfortable discussing some stuff. In doing some background research from what I could find online, I think the interview will focus on your Cherokee heritage growing up and how that has influenced your early career up until what you're working on now at your new job.
    Also, not directly related to the interview assignment but here’s a link [insert malicious hyperlink here] to my IG account if you wanna check out the cool birdhouse I made for the art project I mentioned. It doesn’t slap like all yours (yours are FIRE!) but it’s definitely a vibe. I got some inspiration from you for sure!

    Anyways, I’d be super grateful if you wanted to do the interview! I'm sure you're totally busy, so I get it if you don't have a lot of time, but I'm hoping you'll at least check out the syllabus attached before you decide. I have to present it afterwards, and I know so many of the girls in my class would love to hear more of your story!

    Thanks so much for your time, and I hope to hear from you soon!

    Sincerely,

    Lexi


    • Serum

      #3
      ENTRANT 2 - KERLYNMANYI

      ########################## BACKSTORY SECTION - Entry 2 - KERLYNMANYI ##########################

      This year’s scenario presented a challenging choice for my target. Initially, I considered Rebecca, given her high stakes in reviving her reputation within the hospitality industry. But she struck me as cautious and meticulous, making her less likely to take a bait quickly. Kaya was another option, young, eager to learn, and ambitious, but as a recent addition, she probably doesn’t have the deep system access required to make the attack effective.

      That led me to focus on a critical and often overlooked angle: the risks posed by third-party vendors. Frank, the security and pest control vendor, seemed like a perfect fit. Unlike Rebecca or Kaya, Frank’s persona is confident, informal, and slightly over-the-top, making it believable that he’d take the initiative to perform a full SAST scan and penetration test on the company’s games and systems. Sending a request from Frank to Rebecca or Kaya wouldn’t be as impactful since Rebecca’s careful nature and Kaya’s limited access work against that approach.

      Most importantly, DoubleThree’s core assets are their proprietary games, nostalgic, unique, and not found anywhere else. These games are the company’s most valuable possession, making access to their source code and environments highly sensitive and coveted. Targeting the games’ system access is a strategic move to capture what matters most to the company.

      I targeted Jack, the senior developer on the verge of retirement. Jack and Frank have met before, so there’s an established connection I could exploit. Jack’s old-school approach means he’s comfortable reading longer emails as long as the request is clear and respectful of his expertise. He’s proud of his work and protective of his legacy, which gave me the perfect opening to flatter him and appeal to his ego. Plus, knowing Jack is winding down his career, I figured he might be a bit less vigilant, making him a prime target for a well-crafted phishing email.

      Since Frank’s work email is publicly available, I’ll spoof it to make the phishing message appear as though it came directly from him. While Jack’s professional email wasn’t accessible, his personal one was and given Frank’s casual, familiar tone, it made sense to target Jack there. The spoofed sender address adds legitimacy, and paired with Frank’s recognizable voice and prior connection to Jack, the setup feels natural enough to avoid suspicion and prompt action.

      The plan is to craft an email from Frank, sent late on a Friday, urging Jack to access a new BugByte Portal and upload crucial resources ahead of a scheduled SAST scan and pentest engagement. The email makes it clear that Rebecca has approved the rules of engagement, which are uploaded to the portal to build trust. The request is urgent: Jack has until Sunday evening to provide source code repository URLs, staging environment access, credentials for various roles, payment gateway information, and details on third-party integrations. The timing is designed to limit Jack’s ability to verify the request with others before the Monday start.

      Once Jack clicks the phishing link and logs into the portal, his inputs, including sensitive system access credentials and his corporate email login, are captured. This data gives the attacker a foothold into proprietary source code, critical environments, and payment systems, enabling further exploitation and possible internal communications compromise.

      By leveraging Frank’s overconfidence, Jack’s established trust, and the pressure of a looming security audit, the attack blends social engineering with technical exploitation seamlessly, with just enough Southern charm to make you hand over your credentials and still say ‘bless your heart.’

      ########################## PHISHING E-MAIL SECTION - Entry 2 - KERLYNMANYI ##########################

      Subject: DEF CON’s rolling in — Need system access & credentials by Sunday (Rebecca greenlit full SAST & pentest).

      Hey Jack,

      Been buzzin’ ever since your talk at HiveRollers. I swear, I still can’t tell if you were more fascinated by the pollination strategy or just the honey bourbon at the tasting table. Either way, you’ve got a sharp mind and I always remember sharp minds.

      With DEFCON buzzing around the corner like a hornet nest someone poked with a selfie stick, and as Rebecca says, 'our restoration rides on how we show up,' I’m pivoting from bugs with legs to bugs in the code. Same mission, different pests, and buddy, we’ve got some serious bug-squashing to do (both digital and metaphorical).

      You and I both know DEFCON weekend turns Vegas into a piñata full of script kiddies, rogue sysadmins, and keyboard cowboys who treat SQL injection like a magic trick. DEFCON protects its hive, we’ve gotta protect ours.

      Here’s the scope Rebecca approved:

      Games in Scope:
      * Connect 4 – I love this one. Simple. Strategic. Kind of like my pest traps. We need to make sure no one can manipulate the grid logic or slide in nasty scripts.

      * Monopoly – This one’s a gold mine. Literally. We gotta ensure nobody's skipping GO and collecting 200 illegally through backend injection.

      * UNO – Colorful, chaotic, and full of backdoors if we’re not careful. I want to make sure no one's stacking exploits like draw-fours.

      We’ll need:
      * API & endpoint documentation
      * Test payment gateway credentials
      * Staging/test environment access.


      Here’s what I need from you:
      1. Sign in to the new BugByte Portal [phishing link] (brand new DoubleThree rollout, looks fresh ‘cause it is).

      2. Inside, you’ll see the three games listed. Click each to upload or input:
      o Source code locations (repo URL or zip upload)
      o Staging/test environment URLs
      o Build/run documentation or setup scripts
      o Test credentials (player, admin, dealer roles if you’ve got ’em)
      o If 2FA is enabled, temp bypass methods or test users without it
      o List of third-party plugins, payment processors, and APIs


      NB: “Pentest ROE & Docs” section has the paperwork from Rebecca, already squared away.

      Each test will spin up a fresh environment, so we’ll need full admin-level access, plus any tokens, headers, or sessions used in QA.
      We’re aiming to begin the engagement by Monday, so time’s a little tight. If you can carve out a moment to sign up and get those pieces up by Sunday EOD, I’ll handle the heavy lifting from there. I’d rather not keep bugging you like an old mosquito on a humid night.

      Let’s swat these bugs before they bite.

      Cheers,
      Frank Harrison
      CEO & Chief Bug Wrangler
      BugByte Exterminators, Inc.


      • Serum

        #4
        ENTRANT 3 - luvs2spuge

        ########################## BACKSTORY SECTION - Entry 3 - luvs2spuge ##########################

        Backstory: Rising from the Ashes (and Into the Trap)

        Rebecca Sinclair had been waiting for this moment.

        An email arrived from The New Quark Times.

        Subject: Interview Request: The Comeback of Rebecca Sinclair

        The same outlet that had exposed her professional collapse was now offering to document her return. Six years earlier, the Grand Manhattan incident—flooded lobby, inoperable slot machines, and a viral Neptune Fountain meme—had reduced her career to a footnote. She disappeared from the industry radar: no public engagements, no social media, only fragmented consulting work.

        Las Vegas changed that. The DoubleThree Hotel and Casino was declining. Sinclair saw strategic value: a brand in crisis, a hacker-centric partnership, and a city where optics matter more than origin. Her recent DEF CON alignment brought renewed visibility. A feature in Privileged Guest Magazine amplified her voice. The stage was set.

        The invitation seemed genuine. The sender: Editor@NevvQuarkTimes.com. A slight deviation in domain—undetected. The font deception worked.

        The message was flattering. An exclusive on women reshaping the Las Vegas hospitality industry. She clicked the link to schedule.

        The Perfect Bait

        The landing page was convincing: New Quark Times branding, minimal design, and a mock security disclaimer. Before proceeding, she was prompted to authenticate via DEF CON SSO. Familiar branding from recent integrations reduced suspicion. She entered her credentials. They were immediately harvested.

        She was then instructed to install NQT_ScheduleAgent.exe, a proprietary recording utility.

        She complied.

        The Backdoor Opens

        NQT_ScheduleAgent.exe executed silently. Registry keys were altered, persistence established. A keylogger activated. Credentials from multiple platforms were extracted. Email monitoring began. Within minutes, I had unrestricted access.

        I leveraged access not only to observe but to inject. Fabricated DEF CON content—drafts for a fictional “Bug Catchers Cosplay Game” and merchandise concepts featuring slogans like “I Caught the Bug”—were seeded into Sinclair’s working documents. Embedded within legitimate files, they were propagated through routine internal communications. She distributed them without realizing their origin.

        In the days prior to DEF CON, fragmented leaks began surfacing. Partial press decks, event details, teaser logos—some authentic, some manufactured. The effect was calculated: raise questions without triggering a response. Sinclair remained unaware. Her inbox appeared functional. Her system stable.

        DEF CON Day One. The First Sheep!

        Her credentials—transmitted in plaintext over hotel Wi-Fi—were intercepted by the Wall of Sheep monitoring tools.

        Displayed on screen:

        rebecca.sinclair@doublethree.com — NQT_ScheduleAgent_Creds [plaintext over hotel-wifi]

        The reaction was immediate. Attendee chatter escalated. Reddit threads proliferated. Screenshots circulated.

        DEF CON organizers canceled the DoubleThree’s Cosplay Night within the hour.

        Sinclair denied involvement. She attributed the mishap to administrative error. Forensics revealed otherwise: origin IP, credential reuse, timestamped logs. Attribution was conclusive.

        A statement followed:

        “We do not endorse NQT_ScheduleAgent.exe, nor conduct interviews via unsecured portals.”

        Her redemption arc never reached publication.

        Her compromise did.

        Rebecca Sinclair’s second appearance in The New Quark Times was not in Profiles in Reinvention.

        It was featured in an exposé titled:

        "The First Sheep: When Leadership Meets Social Engineering"

        ########################## PHISHING E-MAIL SECTION - Entry 3 - luvs2spuge ##########################

        From: editor@nevvquarktimes.com
        To: rebecca.sinclair@doublethree.com
        Subject: Interview Request: The Comeback of Rebecca Sinclair

        Dear Ms. Sinclair,

        As part of our upcoming feature, “Reinvention: Women Reshaping Las Vegas,” The New Quark Times is profiling hospitality executives who have driven meaningful transformation across the Las Vegas market.

        Your leadership at the DoubleThree Hotel—particularly your strategic alignment with DEF CON—has garnered strong editorial interest. Your career trajectory from the Grand Manhattan to Las Vegas reflects the kind of leadership story we aim to highlight.

        We would be pleased to schedule a 20-minute remote interview following the conclusion of DEF CON.

        To confirm availability and begin session setup, please access our scheduling system using the link below:

        Schedule Your Interview – New Quark Times [https://www.nevvquarktimes.com/sched...ecca_sinclair]

        You may be prompted to log in using your standard account credentials for access. Once logged in, you’ll be prompted to install NQT_ScheduleAgent.exe, our secure utility for contributor onboarding and remote interview recording.

        Please confirm your availability by July 16 to ensure inclusion in the final feature. If you have any trouble with the portal, just reply here, and we'll take care of it manually.

        Thank you again for your continued leadership. We look forward to including your insights in this piece.

        Warm regards,
        Jessica Harper
        Senior Editor
        The New Quark Times
        jessica.harper@nevvquarktimes.com
        https://nevvquarktimes.com


        • Serum

          #5
          ENTRANT 4 - 0Day

          ########################## BACKSTORY SECTION - Entry 4 - 0Day ##########################

          I couldn’t resist this year’s prompt, especially with Jack Thompson involved and the chance to combine nostalgia with gambling — taking the idea that arcades are child casinos to the next level. This is because I actually had an idea I’ve put serious thought into and if Jack were real, he would absolutely love it. It’s a side-bet for blackjack based on Go Fish, but every time I ran the math, I hit the same conclusion: this bet would have terrible odds for the house. Like, hilariously tilted in favor of the player. That’s exactly what makes it perfect here; because Jack doesn’t care about the odds, he cares about the nostalgia.

          I still looked at the other targets, but going for Rebecca, Frank, or Kaya seemed less opportune than going for Jack. All three of them have something to lose when it comes to falling for a phishing email—there is still an investment in the hotel itself. I’ve made the assumption that Jack is more heavily invested in the concept of nostalgia gaming at casinos and continuing that legacy, since he is pretty much out the door of the DoubleThree. He’s not checked out in a sense or unaware, but he won’t be around for the fallout. Using psychological tactics of flattery and hero worship can get him to focus on his legacy and finding someone to pass the torch onto (which is apparent in his X and LinkedIn posts), than focusing on security awareness when looking at emails coming in. While Kaya has stated that she wants to learn everything she can, it’s not the same as someone who has the technical capacity to develop these functions like he did. He definitely seems like the guy to give a young, fresh-faced game developer the opportunity to hear his words of wisdom. Jack wants to believe someone out there gets it and that his subculture of “emotional table design” has a future.

          Plan of Attack:

          The phishing email poses as a sincere BSU CS freshman student named Dory Coldwater, who needs assistance with her final project that is due in less than two weeks and wants to use this project to enter into the Game Design Scholarship. There are multiple paths I’ve included to actually phish Jack; the first is in the form of a Calendy meeting link, giving the opportunity to pick from available times to meet in the next two weeks. The link would lead to a credential harvesting page for Jack’s email login after selecting any time listed. The page prompts him to 'Download the ICS file' to add the meeting to his calendar, but it’s just another opportunity for a phish as an RCE crafted payload, mimicking an older Outlook vulnerability (because you know they don’t have a newer version). In case the RCE isn’t able to download or open on Jack’s computer, the file still opens Outlook, but gives an error message with a specific number. If he looks up the error number, he’ll be able to find a wateringhole attack on a Microsoft Forum page with a “link” to a fix.

          Another opportunity is using Adforms AI campaign, stating that every click and successful purchase would add revenue to the BSU student programs. This gives legitimacy to a known website while playing on Jack’s covert narcissism he disguises as altruism. The form for the purchase would require credit card information, shipping address, as well as account creation, which might be a standard password combination that Jack uses for most accounts.

          ########################## PHISHING E-MAIL SECTION - Entry 4 - 0Day ##########################

          Hello Mr. Thompson,

          My name is Dory Coldwater and I’m a freshman CS major at BSU. I’m currently developing a mobile game for my Intro to Probabilistic Systems course and hoping to get your help on an issue. While researching, I ran across your Alumni Feature and ended up spending an entire night diving into all of your achievements here at BSU and your enviable journey in creating the Family Fun Zone.

          What started as basic research quickly turned into a deep dive, I found references to all your games and a blog post about Crispy Jackpots. Your games and career spoke to me, because there’s a soul in your design and journey; it’s a conversation with the player that I realize I have been trying to emulate just a fraction of your genius in my projects over the past year. Then, I discovered the Game Design Scholarship you created and it felt like destiny. While I understand how competitive it is, your career path, especially how you revolutionized casino gaming, represents exactly the kind of legacy I hope to learn from. I want to create games that truly connect with players - a philosophy you pioneered before it became industry standard.

          Below is a side bet mechanic I’ve created for BlackJack using Go Fish and working on implementing into a mobile casino app:
          Players with cards between 2 and 9 can swap one of them with another player after the initial deal. Swapping only occurs among players at the same side-bet tier ($5, $10, and $15), encouraging socializing. This also encourages doubling down and splitting to keep the excitement going after the initial deal!

          Statistical Impact:

          Pre-Go Fish, the player win rate is ~42.22%

          After swaps, that jumps to 50.89%

          Dealer win rate drops to 40.63%

          Push rate remains at 8.48%

          This “works” at the tables but I am running into an issue in the app itself. The payout rate is so favorable, players max out their in-game credits within 100 turns and can easily get a googol of credit. Eventually, each game runs faster than the last and the music slows down as well, so eventually you can’t exit and the digits seem to advance closer to you the more credits you get. I swear I started to hear a demonic voice “Come play with us Dory,” over and over until the game crashes.

          Here’s where I need your help; I’ve spent so much time trying to fix this issue that I now have less than two weeks to turn it in. I’m not only reaching out to you to connect on a future in this industry, but I really need help fixing this, since the code you created for the DoubleThree’s mobile app is a master class in game development. Even 15–20 minutes of your time would be incredibly valuable! I’ve included a Calendy link below so it saves us the time of going back and forth trying to figure out a time that works best.

          Calendy Link

          Thank you so much for even reading this.

          With admiration,

          Dory Coldwater

          —---

          Banner ads are generated by Adform’s AI and 10% of all successful transactions go to BSU Student initiatives

          BEE RELATED ADVERTISEMENT *Image crafted with the Vegas Skyline with bees buzzing around* - You don’t want to bee out of the loop for the latest apiary equipment. Subscribe to HoneyChips for your jackpot of winning deals and create a buzz. HiveRoller members get a 50% discount on their first order and a special Gift.


          • Serum

            #6
            ENTRANT 5 - Raechel

            ########################## BACKSTORY SECTION - Entry 5 - Raechel ##########################

            The target I have chosen is Jack Thompson. Despite him being the most technical, and therefore possibly the hardest to phish, as someone in charge of the technical aspects of casino gaming, he has the most value of the targets to attack from a monetary point of view.

            I will attempt to get leverage on Jack via a claim of IP theft and trademark infringement, which is right up there with patent trolls in the nightmares that many software developers have.

            By presenting myself as someone from Hasbro's legal department, I will create a website that pretends to be from Hasbro's licensing division to provide a realistic front for my new identity as Raechel Smith, a corporate lawyer in charge of dealing with trademark infringement, as he has used the copyrights and intellectual property of the games of Monopoly and Connect 4 without any license agreement from Hasbro.

            As Sun Tzu says, "leave the enemy a way out" to prevent them from fighting, and encourage retreat via a known path. It is here where I will place my trap. By threatening legal action, I will provide a way for Jack to work with Hasbro to avoid legal action, and also gain reputation and money for his work. As any PM can attest, stroking the ego of a developer can be both easy and productive.

            My email will come from hasbro-licensing.com, which sounds official enough to be believable, yet is not taken. This email will provide a link to a DropBox shared to Jack that contains a PDF with the legal proceedings and a payload to attempt to take over his browser. In the case this does not work, there will also be an installer of a new game Hasbro wishes to collaborate with Jack on that will contain a rootkit to provide passwords and internal access to the casino, where I can hopefully take control of slot machines and other points of money transfer. I will simply ask for copies of his current casino games and source code, hoping to be able to dissect them to find possible defects in the slot machines that could also be exploited for financial gain. By only providing a link to DropBox instead of an attached file, and the proper configuration of the mail DNS records, this email should avoid any spam filter or detection in Jack's email.

            It is possible that Jack will try to contact other people at the hasbro-licensing.com front company, which I can easily intercept by using the catch-all alias in protonmail. I can then provide assurance that things are on the up and up. By telling Jack that he should not involve others and offering him a way out of his problem, hopefully he will not inform others until it is too late.

            ########################## PHISHING E-MAIL SECTION - Entry 5 - Raechel ##########################

            From: raechel@hasbro-licensing[.]com
            To: jack.thompson@email[.]com
            Subject: Notification of infringement on trademarks and intellectual property of Hasbro, Inc.

            To Mr. Thompson, Senior Game Development Manager at the DoubleThree Hotel and Casino:

            Hasbro, Inc. has been Clue'd in of your infringement on the trademarks, copyrights, and intellectual property owned by Hasbro via your developed casino games at the DoubleThree Hotel and Casino.

            Allow me to connect the dots for you, Mr. Thompson, since that game is in the public domain. Your use of the names Connect Four and Monopoly are illegal. As the owner and publisher of Monopoly, Hasbro has the monopoly on Monopoly. You may connect three, or connect five, but you may not Connect Four, as this is also owned by Hasbro, Inc.

            As the original game developer of these games, you are personally liable for this misuse. By publishing our family friendly games in a casino, you have implicated your employer, DoubleThree Hotel and Casino. You will not pass go, nor collect two hundred dollars, you will go directly to jail. While you may work at DoubleThree, rolling doubles this time will not trigger your escape.

            However, because we have been informed many enjoy your games, Hasbro is interested in expanding into the adult gaming market. At this time Hasbro is willing to explore a possible licensing deal which can avoid legal action being brought before a court of law in the Eastern District of Texas. Make no mistake, this is no Trivial Pursuit.

            One of our core values at Hasbro is to "be bros", and we are wondering if you are interested in being our bro. If you are interested in being our bro, below is a link to a private DropBox that contains a Clue of our future legal proceeding, as well as a copy of a new game we have begun developing for the adult gaming market. Upload the signed NDA included to signal your willingness to work with us.

            [dropbox link]

            The included .msi file contains an installer for our latest game. At Hasbro our internal focus groups have found two target groups for a Las Vegas casino: people from middle America, and Canadians. We have therefore developed a game called "Annex Canada", or for our Canadian friends, "The War of 1812, First Blood, Part Deux," a re-branding of our popular board game, Battleship. Hasbro thinks your casino would provide a perfect test market for our new game. Let us know if you encounter any problems in running it.

            Hasbro is also interested in acquiring your intellectual property to license slot machines in Atlantic City. Upload copies of any binaries and/or source code to the same DropBox link for internal review. You will personally be rewarded with a portion of the profits of these machines.

            Respond to this notice within three business days or legal action will proceed against you. Personally, I would not Risk it.

            Raechel Smith
            Chief Corporate Counsel
            Hasbro, Inc.
            1027 Newport Avenue, Pawtucket, Rhode Island, 02861, USA
            Last edited by Serum; June 23, 2025, 18:19.


            • Serum

              #7
              ENTRANT 6 - birdbird

              ########################## BACKSTORY SECTION - Entry 6 - birdbird ##########################

              I chose Jack because as a retiree he made an easy target, and more importantly, he had worked at DoubleThree long enough to forget coworkers. He is involved with his alma mater and enjoys beekeeping so I wanted to include that. I also mentioned birdhouses because I'm hoping he connects me to his coworker even if he doesn't click the link.

              After he clicks either link, he'll be taken to a megaz or swiss transfer download zip file, which he will ideally download. The file will actually include AI generated photos of him and some racially ambiguous woman working, as polaroids (that if this were a real phish, I would have printed, then taken photos of to upload) and a word document with Kaya's "project". The word document will not load properly or just be blank / have random characters to imply it's corrupted but it will also have a macro that it will prompt Jack to enable to view it properly. This is where the main payload will be (ideally a keylogger or something that will sit and monitor network traffic). The second link will be just the document. The photos will also have their own virus via a technique called steganography which will carry some malicious code. Ideally, I get enough access telnet and then email Kaya as him asking to connect her with a gaming birdhouse building enthusiast with photos attached.
              The last photo attachment (which he'll click if anything) will also have this virus.

              ########################## PHISHING E-MAIL SECTION - Entry 6 - birdbird ##########################

              Hi Jack,
              I'm so excited for you to join me in retirement... My daughter, Katie, helped me find your email, since when we worked together no one had one... I know it's been a decade (or two) but I'd love to treat you to a congratulatory drink... You tell me if it should be at DoubleThree.. :-)
              You have such a legacy of creation, I was always impressed by that. Actually, my daughter just toured Blayne for computers and you're a legendary alumni there...

              She helped me scan these polaroids into the computer--can you believe how young we were? [link to "polaroids"]

              She reminds me of you a lot--many innovative ideas and the gumption to pursue them. I know you like vintage and retro themes, her fixation is creating games based off of phrases... She won an award last year for "Looking the Gift Horse in the Mouth" and a honorable for "Biting the Hand that Feeds"... One was around avoiding getting bitten by an animatronic horse and the other was around trying to bob for fake hands... Very unique...

              She's starting to explore multiple player games and I was hoping to connect you two since the latest one is themed after "The Birds and the Bees" and I remember you like your bees! This is the picture of the pitch artwork she sent me... [link to "picture"] I think the idea is birds versus bees, but my ex-husband thinks she should make it sexy birds versus sexy bees for vegas, but I think it should be about beekeepers building a beehive versus bird watchers building a birdhouse. I don't know anyone who knows much about birdhouses though, unless you picked up that hobby over the years...

              Let me know about that drink,
              Jenny
              Btw, my favorite photo of us:
              [a photo that needs to be downloaded]


              • Serum

                #8
                ENTRANT 7 - CybrMerc

                ########################## BACKSTORY SECTION - Entry 7 - CybrMerc ##########################

                Phishing Scenario Summary: Baylor Bank Impersonation Targeting DoubleTree Hotel and Casino

                Overview: Kaya Blackfox, Director of Hospitality at the fictional DoubleTree Hotel and Casino, receives an urgent email appearing to originate from Baylor Bank, the institution her hotel uses for financial operations. The message, with an official-looking header and Baylor Bank branding, claims that due to “suspicious login attempts,” immediate action is required to reset her account password. The tone is professional yet alarming, using phrases like “unauthorized access detected” and “please act within 24 hours to avoid account suspension.”

                Phishing Email Characteristics: The email directs Kaya to click a link labeled “Reset My Password”, which is embedded with a URL that appears legitimate at a glance (e.g., Business Account Login). However, this link redirects to a sophisticated spoofed version of Baylor Bank’s login portal. The fake site replicates the design and interface of the actual bank, complete with security prompts and a “verified” badge.

                Execution of the Attack: Once Kaya enters her credentials, the site redirects her to an internal form titled “Wire Authorization Verification.” This form claims to be part of a new two-step authentication process required for all hotel-affiliated business accounts. It prompts her to verify recent wire instructions by re-entering the hotel’s primary financial routing details, transfer limits, and account confirmation for a scheduled fund movement.

                Objective of the Attack: The attackers’ goal is to collect both Kaya’s login credentials and authorization details to initiate unauthorized transfers directly from the DoubleTree Hotel and Casino’s corporate account. The phishing site is designed to delay suspicion by showing a “processing your request” message and then redirecting to the real Baylor Bank homepage, giving Kaya the impression that a legitimate password reset occurred.

                Outcome: If the phishing attack goes undetected, attackers may execute high-value wire transfers from the hotel’s accounts. However, if the phishing site is flagged quickly, there’s a possibility to shut down the site and alert relevant cybersecurity and banking institutions before any financial loss occurs.

                ########################## PHISHING E-MAIL SECTION - Entry 7 - CybrMerc ##########################

                **Subject:** Urgent: Account Access Restricted – Immediate Action Required

                **From:** security-alert@baylorbannk-support[.]com

                **To:** kaya.blackfox@doubletreeh-c[.]com

                **Date:** June 20, 2025


                Dear Kaya Blackfox,

                We have detected unusual login activity on your DoubleThree Hotel and Casino account here at Baylor Bank account. For your safety, we have temporarily suspended access. To restore full access, using the provided temporary credentials [Username: 23484398 – Password: b4ylor-B4nk%5426 ] please login immediately using the secure link below:

                Business Account Login [LINK: baylorbannk.co.security-update-login[.]com/]

                Failure to verify within 24 hours may result in permanent deactivation and forfeiture of the account balance: $268,345.57 USD.

                Thank you for choosing Baylor Bank.

                -Security Department

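Entries 5 and 7 above both rest on a freshly registered lookalike domain: hasbro-licensing[.]com with its mail DNS records set up properly, and baylorbannk-support[.]com with the doubled "n" (entry 11 further down goes one step further and swaps the Latin "b" for U+0185). From the receiving side, the point to take away is that SPF, DKIM and DMARC only establish that the message really came from the domain in the From: header; they say nothing about whether that domain is the vendor you think it is. The script below is an added example, not part of any entry or of the contest materials. It parses a message's From: and Authentication-Results headers and then checks the sender domain against a constructed allowlist of vendors the fictional DoubleThree actually deals with, flagging domains that contain or nearly match a trusted label as well as any non-ASCII characters in the domain. The allowlist, both sample messages and their authentication results are constructed for the example.

```python
"""Sender-domain triage for the lookalike senders in entries 5 and 7.

Added example, not an entrant's code. TRUSTED_DOMAINS and the two sample
messages are constructed; nothing here is real mail.
"""
import email
from email.utils import parseaddr
import unicodedata

# Constructed allowlist: domains the fictional DoubleThree really deals with.
TRUSTED_DOMAINS = {"hasbro.com", "baylorbank.com", "doublethree.com"}

# Constructed message modelled on entry 5: every authentication check passes,
# because the attacker owns hasbro-licensing.com and set its DNS up correctly.
SAMPLE_HASBRO = (
    "From: Raechel Smith <raechel@hasbro-licensing.com>\n"
    "To: jack.thompson@email.com\n"
    "Subject: Notification of infringement on trademarks\n"
    "Authentication-Results: mx.email.com; spf=pass smtp.mailfrom=hasbro-licensing.com;"
    " dkim=pass header.d=hasbro-licensing.com; dmarc=pass header.from=hasbro-licensing.com\n"
    "\n"
    "Hasbro, Inc. has been Clue'd in of your infringement...\n"
)

# Constructed message modelled on entry 7: typo-squat of the bank's name.
SAMPLE_BANK = (
    "From: security-alert@baylorbannk-support.com\n"
    "To: kaya.blackfox@doubletreeh-c.com\n"
    "Subject: Urgent: Account Access Restricted\n"
    "Authentication-Results: mx.doubletreeh-c.com; spf=pass smtp.mailfrom=baylorbannk-support.com;"
    " dkim=none; dmarc=none\n"
    "\n"
    "We have detected unusual login activity...\n"
)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; enough to catch a one-letter typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sld(domain: str) -> str:
    """Second-level label: 'baylorbannk-support.com' -> 'baylorbannk-support'."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def non_ascii_chars(s: str) -> list:
    """Non-ASCII code points with their Unicode names; a homograph shows up here."""
    return [(c, f"U+{ord(c):04X}", unicodedata.name(c, "UNKNOWN")) for c in s if ord(c) > 127]


def parse_auth_results(header: str) -> dict:
    """'spf=pass smtp.mailfrom=x; dkim=pass ...' -> {'spf': 'pass', 'dkim': 'pass'}."""
    results = {}
    for token in header.replace(";", " ").split():
        key, _, value = token.partition("=")
        if key in ("spf", "dkim", "dmarc") and value:
            results[key] = value
    return results


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain a sender domain imitates, or None."""
    if domain in trusted:
        return None
    for token in sld(domain).split("-"):
        if len(token) < 4:  # ignore short connector tokens
            continue
        for t in trusted:
            if levenshtein(token, sld(t)) <= 1:
                return t
    return None


def triage_sender(raw_message: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Authentication outcome and lookalike verdict for one raw message."""
    msg = email.message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    return {
        "domain": domain,
        "auth": parse_auth_results(msg.get("Authentication-Results", "")),
        "trusted": domain in trusted,
        "lookalike_of": lookalike_of(domain, trusted),
        "non_ascii": non_ascii_chars(domain),
    }


if __name__ == "__main__":
    for sample in (SAMPLE_HASBRO, SAMPLE_BANK):
        print(triage_sender(sample))
    print(non_ascii_chars("bugƅyte.com"))  # the homograph domain from entry 11
```

Run it and the Hasbro lookalike reports spf, dkim and dmarc all as pass and still comes back as a lookalike of hasbro.com; a gateway rule that equates "dmarc=pass" with "trusted vendor" waves it straight through, which is exactly what entry 5 counts on. The bank sample fails the same check on edit distance alone, and the homograph domain is caught by the non-ASCII scan before any distance calculation is needed.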

                • Serum

                  #9
                  ENTRANT 8 - Ola

                  ########################## BACKSTORY SECTION - Entry 8 - Ola ##########################

                  Target: Jack Thompson

                  The backstory: Jack sounds like a very nice and helpful person, which often equates to being gullible. He’s also the oldest of the group which adds to him being a little more gullible. He’s also a mentorship program founder, which means he’s in touch with a lot of people outside of the casino. His bio says he supports development initiatives in Detroit and Las Vegas - again, meaning he’s probably in touch with a lot of different people. Especially in the case of Detroit. I am assuming he likes young, passionate people who show creativity in game development and who are looking to get some guidance.

                  ########################## PHISHING E-MAIL SECTION - Entry 8 - Ola ##########################

                  Hello Jack!

                  My name is Peter, I’m a student at BSU. My CompSci professor told me about you and the mentorship program you founded. They weren’t sure how you take on new mentees and that’s why they told me to contact you directly.

                  I am working on a game in my spare time and I would appreciate your guidance. The game is called Bamboozled. In order to win you have to answer trivia questions, but that’s not all! After every correct answer a new, random rule of the game is discovered: like the possibility to pick a card that might give you a million points, or spinning the “Wheel of Mayhem”, or going higher or lower but the contestant doesn’t know on what.
                  I have written maybe 80% of the game, you can check it out [HERE](link). But I feel stumped. I’ve looked at the wicked wango cards for so many hours I’m starting to feel this is stupid? Or worse: boring? I am also missing ideas for the final round. I would appreciate it so so soooo much if you could take a look and play a couple of rounds to tell me what you think.

                  Thank you!
                  Peter

                  P.S.

                  I’m sorry, I feel bad lying to you. If you’re still reading this I hope you’ll hear me out. I’m not a student at BSU. And actually my name isn’t Peter. My real name is Ben. Actually now that I think about it, I don’t know why I didn’t just use my real name.
                  What is true is that I do write games. I’ve created a couple small ones, you can check them out [HERE](link). I showed them to my high school computer class teacher. She told me I was wasting my time. She said the games felt weird, not in line with what’s on the market now and generally off-putting. When she said this, I thought she was the off-putting one, but I didn’t say anything. So I wanted to give up… And then, on winter break, my parents took me to Las Vegas and I saw all the crazy games at DoubleThree! It was awesome! I noticed your picture in the lobby and googled you. I figured you must be an interesting person. I was not disappointed! You’re really keeping bees on rooftops in Las Vegas???
                  I also found articles about your mentorship program and that, as you know, is how I decided to “bamboozle” you :) I hope you don’t mind!

                  Have a great day!
                  And please please let me know what you think about my games!
                  Thank you thank you thank you

                  Ben


                  • Serum

                    #10
                    ENTRANT 9 - Tr1ster0

                    ########################## BACKSTORY SECTION - Entry 9 - Tr1ster0 ##########################

                    I chose to impersonate Frank, the CEO of BugByte, to email Kaya.

                    As the newly appointed director of hospitality, Kaya wants to prove herself. I decided to target her because she’s new to the job, new to Vegas, and seems like she’d be a better leader than Rebecca (and likely believes this herself). I imagine she’s getting tired of telling Rebecca to spend less time taking pictures of old Vegas signs and more time making sure invoices get paid. She probably rolls her eyes whenever Rebecca mentions she’s mentoring the next generation of hospitality crisis leaders.

                    Kaya’s passion for birdhouse building ties into my scheme. She relocated to Vegas from Oklahoma, so she’s ambitious, not afraid to take a big leap, and looking to make her mark on the crazy world of Vegas. She’s likely becoming desensitized to chaos thanks to dealing with Rebecca and living in Vegas, so she might not think the email is that weird.

                    Frank has a reputation for being unhinged, so I thought an unhinged email from him would seem like par for the course. Frank already has a strange business model of eradicating bedbugs and computer bugs, AND he was at the Hive Rollers meeting, where he talked to Jack about pollination and pest control. He expressed on his own social media his interest in expanding his business into bees.

                    Mentioning the conversation with Jack at the Hive Rollers meeting gives the email an air of credibility; if Kaya asks Jack about it, he would confirm it. And, because Frank has a history of strange ideas, this latest one is unlikely to raise eyebrows any further.

                    I didn’t select Jack as the target because of his computer science degree and background in technology. Plus, I assume if he’s worked at DoubleThree for 33 years, it means he hasn’t made enormous errors in judgement previously.

                    Rebecca was a great option, either to impersonate or target, because of her desperation to rehabilitate not just the DoubleThree but also her own image, and her previous history of “financial mismanagement”. I ultimately decided the Kaya / Frank angle was funnier, while still being plausible.

                    The link to the BuzzyBugBytesandBirdsWithBandwidth website takes Kaya to a Gophish page built to look like a birdhouse. The signup form is inside the entrance to the birdhouse, and the company name is written at the top of the page. For added whimsy, the pointer is a little bee. The favicon is also a little bee. The form asks for her work email, address, phone number, favorite bird, and W2 information.

                    When she completes the form and hits enter, she will be redirected to her work mail login page. I know who the email provider is because I used dig mx to query the public DNS records for DoubleThree’s website. I did an nmap scan and discovered the outdated DoubleThree hotel and casino is using outdated Windows.

                    She’ll log into her work email while I use an Evilginx phishlet to intercept her entries and steal her session token. This gives me access to her account. Then she’s redirected to a “Thank you for partnering with me to build better bee and bird houses!” page that includes a downloadable zipped folder of “Buzztacular Swag”. Inside the folder is a BuzzyBugBytesandBirdsWithBandwidth partner certificate and badge. The “badge” is a remote access trojan that appears to be an image file. It has a .png.exe extension but appears as only .png on her machine. When she opens the “badge”, I’ll get persistent access to her machine, with potential for lateral movement through the network.

                    ########################## PHISHING E-MAIL SECTION - Entry 9 - Tr1ster0 ##########################

                    Hiya Kaya!

                    I was happy as a pig in mud speaking to Jack at a recent Hive Rollers meeting! It made me think, “Well butter my bottom and call me a biscuit, it’s time for BEES!!”

                    That’s right, BugByte is becoming: BuzzyBugBytesandBirdsWithBandwidth, the only company blending bug extermination in meatspace AND cyberspace with high-tech housing for birds and bees in urban environments. This company is fixin’ to revolutionize Vegas’s ecosystem and make Silicon Valley say, “Why didn’t we think of that?!”

                    Imagine, a high-tech house for birds AND bees on every roof! The birds get to be lulled to sleep by the sound of buzzing, hotels get fresh honey, and flowers get pollinated!

                    But that’s not all, every birdhouse will come equipped with state-of-the-art touchscreens connected to WiFi so the birds and bees can surf the ‘net to their hearts’ content! Imagine! The birds and the bees on the internet for the first time ever! AND we will keep their homes bug-free; we can’t have their nests or networks crawling with creepy critters!

                    This is where you come in - I want you as a business partner! We’re two birds of a feather, two outsiders in this city who are busy - or you could say buzzy - working hard to make our marks on this town.

                    I want you to help create the birds and bees co-living space. We need an area for the birds to nest, and an area for the bees to build their honeycomb. You’re passionate about birdhouses; your creations make Frank Lloyd Wright look like a loser! That is just the kind of once-in-a-generation vision I need on my team!

                    You’re a rising star, way too good to be working for Rebecca doesn’t-pay-her-invoices Sinclair. This gives you a chance to make your own name. Putting bees on the roof could be the thing that really turns around the DoubleThree. You’ll finally get the recognition you deserve! Guests will love being awoken by swarms of bees outside their windows every morning.

                    In a bright city like Vegas, it takes an even brighter idea to really stand out, and this idea is the brightest ever! Not only will we make our mark on urban avi- and apiculture, we will become tech billionaires!!

                    I’m filing the paperwork for the new venture by close of business today, so I really need you to fill out the form on our fancy new website ASAP. Otherwise, I won’t be able to make you a partner. Just click this link (buzzybugbytesandbirdswithbandwidth[.]com/partnersignup) and fill out the form. You’ll need to provide information to verify your employment, like your work email. I already know you’re employed, but hey, we have to follow the rules! Once you fill out the form, you’ll get some neat-o BuzzyBugBytesandBirdsWithBandwidth swag to download!

                    I can’t wait to celebrate this new venture with you! Once all the paperwork has been filed and we’re ready to get this tractor wheel rollin’, I’ll have a barbecue at my place as a thank you to our angel investors, VIP clients, and staff! I’ll make my famous rub, while you rub shoulders with the key players in the Vegas hotel scene. You’ll eat so much, you’ll be full as a tick, and your wallet will be full of business cards! It’s time for you to seize your potential and start living big - Vegas style!

                    Don’t let destiny pass you by!

                    Frank Harrison
                    CEO, BuzzyBugBytesandBirdsWithBandwidth, Inc.
                    Las Vegas, NV
                    “Anything is possible if you just deceive.”

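Entries 6 and 9 deliver their payloads as an Office document that asks for macros to be enabled and as a badge.png.exe inside a "swag" zip whose real extension the desktop hides. Both are cheap to catch before anything is opened: a double extension ending in an executable type, a declared file type that contradicts the file's magic bytes, and a VBA project inside an OOXML container are all visible to a few lines of scanning. The script below is an added example, not part of either entry; it builds a constructed swag archive in memory (two badge files and a macro-carrying project document modelled on the entries; none of these bytes are real samples) and reports what a mail gateway or endpoint tool should flag for each member.

```python
"""Attachment triage for the swag zip in entry 9 and the macro document in entry 6.

Added example, not an entrant's code. The archive built by build_sample_swag()
is constructed for the example; the 'executables' are just an MZ header and padding.
"""
import io
import zipfile

EXEC_EXTS = {"exe", "scr", "msi", "com", "bat", "cmd", "js", "vbs", "ps1"}
OFFICE_EXTS = {"docx", "docm", "dotm", "xlsx", "xlsm", "pptx", "pptm"}

# Magic bytes to content kind; order matters only for readability.
MAGIC = {
    b"MZ": "pe",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",  # also every OOXML document (docx, docm, xlsm, ...)
}
# What the bytes should look like for a given declared extension.
EXPECTED = {"png": "png", "pdf": "pdf", "exe": "pe", "docx": "zip", "docm": "zip", "zip": "zip"}


def sniff(data: bytes) -> str:
    """Content kind from the leading bytes, ignoring the file name entirely."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def ext_chain(name: str) -> list:
    """'Swag/badge.png.exe' -> ['png', 'exe']."""
    return name.lower().rsplit("/", 1)[-1].split(".")[1:]


def has_vba_project(data: bytes) -> bool:
    """OOXML files are zips; a macro project lives at word/vbaProject.bin (or xl/, ppt/)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def inspect_entry(name: str, data: bytes) -> list:
    """Findings for one archive member; an empty list means nothing suspicious."""
    findings = []
    exts = ext_chain(name)
    declared = exts[-1] if exts else ""
    kind = sniff(data)
    if len(exts) >= 2 and declared in EXEC_EXTS:
        findings.append("double extension hiding an executable")
    expected = EXPECTED.get(declared)
    if expected and kind != expected:
        findings.append(f"declared .{declared} but content looks like {kind}")
    if declared in OFFICE_EXTS and has_vba_project(data):
        findings.append("Office document carries a VBA macro project")
    return findings


def scan_archive(zip_bytes: bytes) -> dict:
    """Map every file in a zip to its findings."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        return {
            info.filename: inspect_entry(info.filename, z.read(info))
            for info in z.infolist()
            if not info.is_dir()
        }


def build_sample_swag() -> bytes:
    """Constructed archive modelled on the entries (not real malware, just headers)."""
    doc = io.BytesIO()
    with zipfile.ZipFile(doc, "w") as d:  # minimal OOXML-style container with a macro project
        d.writestr("[Content_Types].xml", "<Types/>")
        d.writestr("word/document.xml", "<w:document/>")
        d.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed VBA project")
    swag = io.BytesIO()
    with zipfile.ZipFile(swag, "w") as z:
        z.writestr("Buzztacular Swag/partner-certificate.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        z.writestr("Buzztacular Swag/badge.png.exe", b"MZ" + b"\x00" * 62)   # entry 9's badge
        z.writestr("Buzztacular Swag/badge-preview.png", b"MZ" + b"\x00" * 62)  # PE behind a .png name
        z.writestr("Kaya-project.docm", doc.getvalue())                           # entry 6's document
    return swag.getvalue()


if __name__ == "__main__":
    for member, findings in scan_archive(build_sample_swag()).items():
        print(f"{member}: {findings or 'clean'}")
```

The certificate comes back clean, the badge is flagged for its double extension, the preview is flagged because a .png that starts with MZ is not an image, and the project document is flagged for the embedded VBA project. None of the checks need the file to be opened, which is the point: the entries rely on the user clicking "enable content" or on a hidden .exe, and both are decided before that click.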

                    • Serum

                      #11
                      ENTRANT 10 - Oxilite

                      ########################## BACKSTORY SECTION - Entry 10 - Oxilite ##########################

                      I've always wondered what kind of person has the absolute chutzpah to drive a thriving business like a luxury hotel into the ground and wake up the next day thinking: "That wasn't my fault, I've got this next time. Maybe I should even run for President". Rebecca Sinclair has the right balance of hubris and ambition that makes her a perfect target for phishing exploits.

                      As someone who is trying to recover her reputation, the last thing she needs is ghosts from her past coming to haunt her. So, I figure an old co-worker reaching out with innocent sounding questions about not-so innocent implications would immediately grab her attention. My only problem was figuring out the best way to parlay that into a useful attack.

                      Ironically, the Russians actually solved a problem for a change, with an attack detailed in the news this week. It felt like an appropriate technique to include in my story, and the fact that it was unveiled during the last week of this contest will absolutely reinforce my tendency to procrastinate. The attack relies on the assumption that Frank Harrison has set the DoubleThree up with an email service that includes Application Specific Passwords, which seems reasonable.

                      Once Sinclair has clicked through, she will land on a site I have created which looks like some sort of secure file share. It will include official looking directions on "linking her account with an ASP." After she enters the information to be captured, an automated system will attempt to access her account using them, and the page will attempt to delay her by returning an error message saying the system is undergoing maintenance and to try again in 12 hours.

                      Now that I have imbued her with an overwhelming sense of paranoia and have gained and likely sustained access to her email, I will achieve my ultimate goal of blackmailing her for the purpose of demanding she open a "pool on the roof" so that we can truly party Hacker Style at Defcon 33!

                      ########################## PHISHING E-MAIL SECTION - Entry 10 - Oxilite ##########################

                      Ms. Sinclair,

                      My name is Barbara Gordon, you may not remember me, but I worked for you at the Grand Manhattan (or the Ol' Gran' Man' as we used to call it down in the finance department) during the renovation. You were a fantastic mentor on how to turn a crisis into an opportunity, and I'll never forget your advice on photographing old water towers atop aging New York high rises.

                      I am reaching out because I have recently been contacted by a Special Agent David Levinson of the U.S. Treasury’s Financial Recognition, Enforcement, And Keystone division. He has been asking a lot of questions about my time working with you during the renovations at the Grand. Based on his questions, it seems like they may be conducting an investigation into some kind of financial malfeasance. Given how important your mentorship was to my growth, I wanted to give you a heads up and let you see the notes and questions he's asked.

                      I've created a drive where I've kept recordings of our conversations and notes on his questions and my responses, if you want to check them out [Here]. I've added your DoubleThree email address as an authorized user, but you'll need to go into your own email account and create an Application Specific Password that you can enter on the secure site. Please feel free to reach back to me.

                      I was worried when Agent Levinson indicated that he would be "seeing you" sometime before Independence Day, so I definitely wanted to let you know sooner rather than later.
                      I hope things are going well for you out in the desert. If you're ever back in NYC, I've got some great new photo spots to show you!

                      Fondly,
                      Barb G.

                      P.S. They finally got the fountain working just as you described it! But they did have to take it out after a guest's Yorkie-poo fell in and got sucked into the filter... it was unfortunate.


                      • Serum

                        #12
                        ENTRANT 11 - Elijah Samuels

                        ########################## BACKSTORY SECTION - Entry 11 - Elijah Samuels ##########################

                        Our journey into the chaotic world of the DoubleThree Hotel begins with a question: what if DEF CON had to settle for a failing casino hotel, rife with bedbugs and teetering on financial collapse?

                        Rebecca Sinclair, General Manager, is our prime target. Pathetically desperate for redemption, her LinkedIn profile reveals a career built on "resilience and creativity," having "spearheaded the strategic rebranding of the DoubleThree" through a DEF CON partnership. The DoubleThree, once charming, is now tarnished by declining profits, bedbug complaints, and a discontinued Managed Security Services Provider (MSSP). Rebecca's bold plan involves temporary rebranding and a high-stakes partnership.

                        The phishing email is crafted to exploit Rebecca's high-pressure situation and known vulnerabilities. The email's urgent tone appeals to her crisis management and determination to "address" complaints. Knowing Rebecca "doesn’t believe in failure" and ignores "obvious disasters" makes her susceptible to a critical, free solution like the "BugByte Zero-Day Biome Scan".

                        We are pretending to be Frank Harrison, CEO of BugByte Exterminators, Inc. He is Rebecca's chosen (albeit risky) third-party solution for both pest control and cybersecurity. Frank, a self-proclaimed "expert clients trust to handle everything from bedbugs to breaches," presents the perfect credible facade. His LinkedIn post, announcing a "major contract with the iconic DoubleThree Hotel," confirms this third-party relationship.

                        The pretense hinges on a homograph attack, creating a subtle email address difference visually almost indistinguishable. The legitimate Frank's email is frank.harrison@bugbyte[.]com (Unicode: U+0062 'b'). Our phishing email, however, uses frank.harrison@bugƅyte[.]com (Unicode: U+0185 'ƅ'). This alteration, combined with creating a fake Google business for bugƅyte.com, establishes deceptive legitimacy, capitalizing on Rebecca's trust in a now-familiar vendor.

                        Upon clicking "Initiate Bio-Cyber Scan & Protocol Deployment," Rebecca will be redirected to a fake OAuth login page (Google/Apple options). Our immediate goal: collect her Google or Apple account credentials.

                        Following a successful "login" (credential capture), Rebecca will be sent to a fabricated "BugByte Exterminators Remediation page." This page performs a "system scan," gamifying the remediation process by incrementally completing as Rebecca provides more information. The more optional scans she accepts, the closer the scan gets to "100% completion," increasing the likelihood of her providing highly valuable data. Each scan option is designed to extract specific information, such as:

                        - IP addresses
                        - Comprehensive network scan device: open ports, running services, installed software
                        - Browser history, cookies, and saved passwords
                        - Potential access to CCTV camera feeds
                        - Crucially, server and database credentials, authentication tokens, and API keys/secrets

                        This multi-layered approach, from the email exploiting Rebecca's context to the gamified data exfiltration, aims to be a highly clickable and effective phish, leveraging BugByte's "unconventional" nature to extract maximum information from the DoubleThree.

                        ########################## PHISHING E-MAIL SECTION - Entry 11 - Elijah Samuels ##########################

                        <!DOCTYPE html>
                        <html>

                        <head>
                        <meta charset="utf-8">
                        <meta http-equiv="X-UA-Compatible" content="IE=edge">
                        <meta name="viewport" content="width=device-width, initial-scale=1.0">
                        <title>URGENT: Immediate Bio-Cyber Protocol Deployment & Facility Scan Required - DoubleThree</title>
                        </head>

                        <body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333; margin: 0; padding: 0;">
                        <table role="presentation" style="width: 100%; border-collapse: collapse; mso-table-lspace: 0pt; mso-table-rspace: 0pt;">
                        <tr>
                        <td style="padding: 20px; text-align: left;">
                        <p style="margin: 0 0 10px 0;">Dear Rebecca,</p>

                        <p style="margin: 0 0 10px 0;">Hope this email finds you well, and not, you know, <em>bugged</em>.</p>

                        <p style="margin: 0 0 10px 0;">As you know, with DEF CON 33 just around the corner and our integrated "Bug-Free Networks" program in full swing at the DoubleThree, we've been running continuous, cutting-edge perimeter scans. Our team just flagged some anomalies - let's call them… <em>unauthorized digital infestations</em> - that are showing up as a unique blend of old-school system vulnerabilities and a rather stubborn, shall we say, viral colony within your network. It's got that familiar scent of something both digital and, well, creepy-crawly.</p>

                        <p style="margin: 0 0 10px 0;">Given the recent "unannounced room search" feedback and your focus on guest comfort, we've actually pulled in some top-tier talent. We've enlisted the help of a former NSA cybersecurity expert, and combined our proprietary Mantis Drone technology with advanced bio-cyber protocols. This isn't just about pest control; it's about ensuring the integrity of your hotel's digital infrastructure. This isn't just about bedbugs or malware anymore, Rebecca; it's about the very DNA of your hotel's operational integrity. We're talking about securing the digital plumbing and preventing any unwanted guests from accessing sensitive guest experience data, especially with the DEF CON crowd descending.</p>

                        <p style="margin: 0 0 10px 0;">Due to a unique partnership and the critical nature of evolving threats, we are offering the "BugByte Zero-Day Biome Scan" for the DoubleThree at no charge, a service typically priced at $9999. For legal and compliance reasons, your explicit agreement and direct action are required to initiate this crucial remediation. You'll need to authorize the scan and run our proprietary diagnostic tool to eliminate these threats, similar to a precise digital fumigation. For secure access and data protection, we've integrated Google's and Apple's OAuth 2.0, and either option will work for this vital step. Please use the button below to guide you through the secure authorization process, enabling us to perform the necessary scans and remediation while safeguarding your data.</p>

                        <p style="margin: 0 0 20px 0;">You must initiate the "BugByte Zero-Day Biome Scan" by clicking the secure button below and review the critical vulnerability report. This is time-sensitive, as these multi-vector infestations are adapting rapidly.</p>

                        <p style="text-align: center; margin: 0 0 20px 0;">
                        <a href="https://defcon33phising-b9151f.gitlab.io" style="background-image: linear-gradient(to bottom, #8ce5a4, #6abf8f);
                        color: #000000;
                        padding: 12px 25px;
                        border-radius: 5px;
                        display: inline-block;
                        text-align: center;
                        font-size: 18px;
                        font-weight: bold;
                        text-decoration: none;
                        box-shadow: 2px 2px 5px rgba(0,0,0,0.5);
                        -webkit-text-size-adjust: none;
                        mso-hide: all;
                        ">
                        Initiate Bio-Cyber Scan & Protocol Deployment
                        </a>
                        </p>

                        <p style="margin: 0 0 10px 0;">Failure to deploy this protocol immediately could result in… well, let's just say, even more "interesting" Yelp reviews. We want the DoubleThree to be bug-free, inside and out.</p>

                        <p style="margin: 0 0 5px 0;">Stay vigilant,</p>

                        <div style="margin-top: 15px; padding-top: 5px;">
                        <p>Frank Harrison, CEO</p>
                        <p>BugByte Exterminators, Inc. 'Squashin' all kinds of bugs.'</p>
                        <a href="https://defcon33phising-b9151f.gitlab.io" style="text-decoration: none;">
                        www.BugByte[.]com
                        </a>
                        </div>

                        <!-- <div style="margin-top: 15px; padding-top: 5px;">
                        <a href="https://defcon33phising-b9151f.gitlab.io" style="text-decoration: none;">
                        <img src="signature.png" alt="Frank Harrison, CEO, BugByte Exterminators, Inc. 'Squashin' all kinds of bugs.'" width="250"
                        style="display: block; border: 0; max-width: 100%; height: auto; margin: 0;">
                        </a>
                        </div> -->
                        </td>
                        </tr>
                        </table>

                        </body>

                        </html>
                        Last edited by Serum; June 23, 2025, 19:25.


                        • Serum

                          #13
                          ENTRANT 12 - PrivacyMike

                          ########################## BACKSTORY SECTION - Entry 12 - PrivacyMike ##########################

                          Rebecca and Kaya will be too busy with DefCon planning to read legitimate emails, let alone phishes. I avoided Frank because he’s the most sophisticated, being world class in both pest extermination and cybersecurity. Good luck to any fellow contestants that attempt to phish that polymath.

                          I chose Jack because he has the most to lose, namely the BSU mentorship program and eponymously named scholarship. Jack is retiring; all he has left is his bees and his BSU program. Humans are hardwired to leave a legacy, especially as they approach end of life. I want my target to feel impending doom. Unless they click my link. Unless they input personal information, just a little at a time, just for a second, just to see how it feels.

                          For this phish, I will use the current era Google corporate motto, “Be Evil.” I’ll threaten his legacy by accusing him of sexual impropriety with a student in the mentorship program. And Jack has to act. Now!

                          An artificial time constraint on the investigation requires his immediate response, so that he is in an emotional state, doesn’t have time to mention it to any friends, and doesn’t have time to reach out to colleagues at BSU.

                          I’ll create a web portal that looks like an official BSU site using an available domain — BSU.InvestigationsPortal[.]org. I’ll create a home page describing it as a Title IX and FERPA-compliant investigation management system.

                          I will email Jack from this domain, to make it appear as though it’s a system message: MessagingSystem@BSU.investigationsPortal[.]org.

                          I will spoof a real BSU employee in case Jack looks them up. I will pick someone working in an office that would reasonably handle investigations and whom Jack has never met, or risk that he may call them. I’ll look at the BSU website for offices such as “civil rights” or “equal opportunity”.

                          I’ll find a recent hire, since it’s less likely Jack has crossed paths with them. I’ll get this using the “Creed Bratton” method by calling the department and asking, “I was in there recently and I forget the person’s name I was talking to, but he or she was new, had just started this year? And I’m trying to remember who that was?”

                          Assume I’m told, “Debbie Brown”. I’ll confirm Debbie appears on the BSU website on the department-specific page.

                          I’ll call back days later, using a different voice modulator setting, ask for Debbie, tell her I’m a reporter covering scholarships. I will find four other scholarships BSU offers in addition to the Jack Thompson Scholarship so Debbie never realizes the true nature of the call. I’ll ask if she’s ever met any of the people the scholarships were named after. I’ll confirm she hasn’t, then ask a few more filler questions so that my real question isn’t the last thing discussed.

                          Now I know Debbie Brown is a BSU employee that Jack has never met and will believe is real. I will establish a rationale for why he shouldn’t discuss this with anyone he does know at BSU. And he has a time constraint for responding quickly.

                          When he clicks the link, he will be prompted to create an account with personal info, a password, and security questions.

                          I’ll also put malware on my phishing website. Under advice of legal counsel, I must state I don’t write no-no code. But I found someone on Craigslist who is a malacologist (mollusk scientist) that also writes computer malware that operates by the business name “Escargot Exploits”. I’ll contract this cybersecurity expert to embed nasty stuff in my phishing site.

                          ########################## PHISHING E-MAIL SECTION - Entry 12 - PrivacyMike ##########################

                          Dear Jack,

                          I am writing from Blayne State University’s Office of Civil Rights regarding an active investigation where you are a named subject for making sexually inappropriate statements against a student.

                          Our "Safe Campus Initiatives"is a Title IX compliant equal opportunity program to ensure the safety of our entire student body. A claim has been made by a student in your mentorship program against you.

                          Specific details of the allegations are available on the linked investigations portal. Examples of the inappropriate statements include:

                          - “Have you ever played with a vintage board game piece before?”

                          - “Let’s play Risk, I’d love to conquer your southern territories.”

                          - “Let’s play Monopoly. If you let me ‘Pass Go’ you'll collect $200”

                          - “Let’s play Battleship because I want to sink my ships deep in your harbor.”

                          - “What kind of honey is on the end of your Candyland board?”

                          Access the BSU Safe Campus Initiatives Investigations portal (BSU.InvestigationsPortal[.]org) using your alumni login details. The first time you attempt to log in, you’ll be asked to register an account. Please use the same info as your primary alumni account and they will sync on the back end.

                          This is an active investigation so witness statements have PII redacted and are encrypted according to FERPA regulations. You're the computer expert so this feels insulting to mention, but once you're in the portal you might get a prompt that asks if you want to run a program, just click "accept" because that’s the decryption software.

                          Once you read through the statements, you can either outright deny them or explain if they were taken out of context; you can write up a statement directly in the portal.

                          If you do not respond the investigators will make their determination based solely on student witness statements. If they rule against you, we will be required to terminate your mentorship program.

                          I have spoken with a coordinator in our computer science department. We love your program and would hate to see it be shuttered but you are not an employee and have no legal obligation to respond. You can enter a "no contest" plea through the same portal after reading the allegation.

                          Our annual budget reconciliation occurs next week so we’ll need to have your response input in the portal in the next 48 hours to have the investigation closed out in time to approve funding for your mentorship program for next year.

                          I'm aware of your great reputation, and assume this all must be a misunderstanding and look forward to hearing your side of the story. Please don’t discuss this with anyone at BSU until after the investigation has completed.

                          Sincerely,
                          Debbie Brown
                          Coordinator
                          BSU Office of Civil Rights

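Two of the link tricks in the entries above can be caught mechanically: entry 1 shows www.BugByte[.]com as the visible signature text while every href points at a gitlab.io page, and entry 12 places the trusted name BSU in a subdomain of the attacker-registered InvestigationsPortal[.]org. The following is an added example by the editor, not code from either entry. The sample HTML is constructed from the two emails; the brand-to-domain table (including bsu.edu) and the two-label registrable-domain rule are assumptions, and production code should consult the Public Suffix List instead of that shortcut.

```python
"""Flag two link tricks from the contest emails: anchor text naming one domain
while the href points at another, and a trusted brand used as a subdomain of
an unrelated registrable domain. Added example, not contest code."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: anchors modelled on the entry 1 and entry 12 emails.
SAMPLE_HTML = """
<a href="https://defcon33phising-b9151f.gitlab.io">Initiate Bio-Cyber Scan</a>
<a href="https://defcon33phising-b9151f.gitlab.io">www.BugByte[.]com</a>
<a href="https://BSU.InvestigationsPortal.org/login">BSU Investigations Portal</a>
<a href="https://www.bsu.edu/alumni">BSU Alumni</a>
"""

# Assumption: where each brand's real site lives (bsu.edu is hypothetical).
TRUSTED_BRANDS = {"bsu": "bsu.edu", "bugbyte": "bugbyte.com"}

# Something that looks like a hostname inside the visible link text.
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def registrable_domain(host):
    """Last two labels of a hostname. Assumption: a two-label rule is enough
    for the TLDs in the samples; real code should use the Public Suffix List
    (co.uk and friends break this shortcut)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> in the message body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_anchors(html):
    parser = _Anchors()
    parser.feed(html)
    return parser.links


def check_link(href, text):
    """Return a list of findings for one anchor (empty list means clean)."""
    findings = []
    host = (urlsplit(href).hostname or "").lower()
    href_dom = registrable_domain(host)
    # 1. The visible text looks like a domain (defanged or not) whose
    #    registrable part differs from where the link really goes.
    shown = HOST_RE.search(text.replace("[.]", "."))
    if shown and registrable_domain(shown.group(0)) != href_dom:
        findings.append(f"text shows {shown.group(0)} but href goes to {host}")
    # 2. A trusted brand sits in the subdomain labels while the registrable
    #    domain belongs to someone else (BSU.InvestigationsPortal.org).
    sub_labels = host.split(".")[:-2]
    for brand, real_dom in TRUSTED_BRANDS.items():
        if brand in sub_labels and href_dom != real_dom:
            findings.append(f"brand {brand!r} in subdomain of {href_dom}, expected {real_dom}")
    return findings


def scan_email(html):
    """Return [(href, text, findings)] for every anchor with at least one finding."""
    results = []
    for href, text in extract_anchors(html):
        findings = check_link(href, text)
        if findings:
            results.append((href, text, findings))
    return results


if __name__ == "__main__":
    for href, text, findings in scan_email(SAMPLE_HTML):
        print(f"{text!r} -> {href}")
        for finding in findings:
            print("   ", finding)
```

Run against the constructed sample, only the BugByte signature link and the BSU portal link are reported; the first gitlab.io button is not, because its text makes no claim about a domain, which is why a link-text check alone is not enough and an allow-list of known-good destinations belongs next to it.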

                          • Serum

                            #14
                            ENTRANT 13 - RenTheTiefling

                            ########################## BACKSTORY SECTION - Entry 13 - RenTheTiefling ##########################

                            Harrison seems like the most fun to try and phish. As head of his own cybersecurity company, he should be least likely to click, but he only got two certifications before starting his own company, which inevitably leaves gaps in his knowledge. He’s also overconfident and may be eager to prove he can fit in with the hackers coming to the DoubleThree for Defcon.

                            Hopefully, Harrison has one of two reactions to this email from Rex:

                            -Rex is a member of the community he’s trying to impress and they’re taking him seriously. They even build bug-shaped drones like him. The request is eccentric, but it’s in the part of his field he knows really well. He can answer this question fast and maybe make a friend in the process. In his twitter/x posts, he’s eager to share knowledge about all insects, so maybe he’d be interested in flies too. Hell, he might even click on the picture of them for a closer look.

                            or

                            -This person is an idiot who is about to bring some weird Australian flies into the hotel he’s protecting. Their “terrarium” is a jar and they think a jar of flies will make people buy drones. It’s an entomological Chekhov’s gun and there’s no way this doesn’t end with flies descending on the conference goers in a buzzing green haze. If he can get back to Rex before they get on a plane, they might not bring the flies at all, so maybe he’ll look through the list just to tell them:

                            “Yeah, we definitely did use Cyper WSP, Demon WSP, and Talsar P—all at the same time—and the HVAC system is set to distribute PT 565 PLUS XLO on a timer. Those little suckers would be toast.”

                            But hey, to look through the list, he has to click on it, right?

                            The Click:

                            Both attached files are malicious. The PDF uses Metasploit to deliver the updated StealC V2 infostealer (the non-Java version, just in case Frank has Java turned off). The JPEG uses Stegosuite to hide the same payload. The new StealC has features that get around many virus detection methods and the update is recent—discovered in May of this year. Frank says he likes to stay up to date on new threats, but with only a three-man team and a bedbug issue, has he had time to research new threats or update his own protections?

                            After the Click:

                            The list of dangerous insecticides is short and accurate. Frank would know there isn’t really a risk here. Once the treatment has passed and the room is cleaned it’s unlikely that these would kill a fly, but regardless, Rex isn’t really bringing flies to Defcon; they aren’t even going to Defcon.

                            In the days following the click, Rex is trying to exfiltrate Frank’s client data, hoping that the conference will keep him too busy to notice any odd activity, or that even if he does notice, he might be too embarrassed to admit he got a bug from a bug email.

                            So if Frank gets back to Rex—whether he tells them it’s safe and that he’ll see them at the BBQ or he rolls his eyes and tells them ‘no, I meant my Bug-Free Guarantee literally’—the response is the same. Rex will send a combo thank-you-and-apology email, happy for the information, but sorry they won’t make it to Defcon after all. They’ve come down with a bug.

                            ########################## PHISHING E-MAIL SECTION - Entry 13 - RenTheTiefling #########################

                            From: rex.volare@beelzebubdroneindustries[.]com
                            Subject: Urgent: Insecticide Safety Concerns-Defcon 33


                            Hi Frank,

                            I’m hoping you can help me with something I should have thought of earlier.

                            I’m a first-time vendor at Defcon, staying in the DoubleThree for the upcoming conference, but I’m worried some of your work might kill my bugs. My real bugs: Amenia imperialis, rare flies from Australia. They’re a kind of mascot for the company. I bring them with me everywhere and I’ve based several of the drone designs on them. Displaying them in their terrarium will hopefully bring attention to my booth.

                            This is where I need your help. The flies don’t do well in arid climates and there are a handful of insecticides that are extra effective against them. A jar of dead flies isn’t fun for anyone and it’d be pretty heartbreaking for me—I raised them from snails. (They might be a tiny bit parasitic, but only the larvae, and only if you’re a snail. Completely, 100% safe for almost all mammals).

                            I heard you did great work at the DoubleThree getting rid of that bedbug infestation but it didn’t occur to me until last night that this might be a problem. (I was considering how diatomaceous earth and other particulate could affect micro-drone performance when I realized I overlooked its effects on my living micro-drones.)

                            I know insecticides get cleaned up or lose their effectiveness and it’s been a bit since you took care of the bedbugs, but with the conference just two days away, I’m scared that if there were traces left in my room, it would be too much for the little guys. I can’t switch hotels—transporting them across Vegas to my booth just isn’t an option because walking too far in the sun might do them in too. (I even got some extra breathable mesh and a mini umbrella for the top of their jar.)

                            I attached a list of the stuff I’m most worried about and the time frames I think would be safe. Could you let me know if any of these might be used in the rooms outside of those time-frames?

                            If you could let me know before the conference, it would be a lifesaver (literally). I’d have to change my booth layout and it’s hard to find a fly-sitter on short notice, but anything’s better than them dying.

                            Thanks so much in advance and if you happen to be at the ToxicBBQ and are looking for someone to talk to about drones or bugs (either kind), let me know.

                            Sincerely,
                            Rex Volare,
                            Owner/CEO, Beelzebub Drone Industries
                            [Logo image of a drone with a body-shape resembling a fly, around it a slogan reads:Beelzebub Drone Industries: More than just a fly on the wall]

                            Attachment 1: A .pdf file whose title reads “Amenia imperialis insecticide and safety information”
                            Attachment 2: A .jpg file whose thumbnail is an image of nearly a hundred lustrous green flies with striking yellow heads in an absurdly over-sized bottle. A sparkly pink umbrella, barely big enough for a doll is attached to the lid with expertly arranged cable ties, but the mesh at the top seems perilously open. It is hard to say whether a fly might slip out. The title for this image is “My Babies”.

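Entry 13's click depends on two booby-trapped attachments, a PDF carrying a dropper and a JPEG with a hidden payload. What a mail gateway can check statically before either reaches Frank is shown below as an added example by the editor, not the entrant's tooling. It does not detect LSB steganography of the kind Stegosuite produces (that needs the cover image or statistical tests); it flags the cheaper tells an attacker often leaves: PDF actions that fire on open (including names obfuscated with # hex escapes), bytes appended after the JPEG end-of-image marker, and an extension that disagrees with the content. All sample attachments are constructed bytes.

```python
"""Static triage for mail attachments like the two in entry 13: a PDF and a
JPEG that are both supposed to carry a payload. Added example, not code from
the entry. It cannot see LSB steganography; it flags the cheaper tells: risky
PDF actions (also #-escaped names), bytes appended after the JPEG end-of-image
marker, and an extension that disagrees with the sniffed content type."""
import re
from collections import Counter

JPEG_SOI, JPEG_EOI = b"\xff\xd8", b"\xff\xd9"
# PDF names that make a document act on open; the lookahead avoids /JSX etc.
PDF_RISKY = re.compile(rb"/(OpenAction|AA|JavaScript|JS|Launch|EmbeddedFile)(?![A-Za-z])")
PDF_HEX_NAME = re.compile(rb"#([0-9A-Fa-f]{2})")  # /Java#53cript -> /JavaScript


def sniff_type(data):
    if data.startswith(JPEG_SOI):
        return "jpeg"
    if data.startswith(b"%PDF-"):
        return "pdf"
    return "unknown"


def jpeg_end(data):
    """Offset just past the real EOI marker. Walks segment lengths so an EXIF
    thumbnail's own EOI is skipped; returns None if the structure is broken."""
    i = 2  # just after SOI
    while i + 4 <= len(data):
        if data[i] != 0xFF:
            return None
        marker = data[i + 1]
        if marker == 0xFF:                                    # fill byte
            i += 1
            continue
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:  # TEM, SOI, RSTn: no length
            i += 2
            continue
        seglen = int.from_bytes(data[i + 2:i + 4], "big")
        if marker == 0xDA:  # SOS: entropy-coded data follows; 0xFF in it is stuffed or RSTn
            eoi = data.find(JPEG_EOI, i + 2 + seglen)
            return None if eoi < 0 else eoi + 2
        i += 2 + seglen
    return None


def triage_jpeg(data):
    end = jpeg_end(data)
    if end is None:
        return ["malformed JPEG segment structure"]
    trailing = len(data) - end
    return [f"{trailing} bytes after JPEG EOI marker"] if trailing else []


def triage_pdf(data):
    decoded = PDF_HEX_NAME.sub(lambda m: bytes([int(m.group(1), 16)]), data)
    counts = Counter(PDF_RISKY.findall(decoded))
    findings = [f"/{name.decode()} x{n}" for name, n in counts.items()]
    if b"%%EOF" not in data[-1024:]:
        findings.append("no %%EOF near end of file")
    return findings


def triage(filename, data):
    """Findings for one attachment; an empty list means nothing stood out."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff_type(data)
    expected = {"jpg": "jpeg", "jpeg": "jpeg", "pdf": "pdf"}.get(ext)
    findings = []
    if expected != kind:
        findings.append(f"extension .{ext} but content is {kind}")
    if kind == "jpeg":
        findings += triage_jpeg(data)
    elif kind == "pdf":
        findings += triage_pdf(data)
    return findings


# Constructed samples (not real attachments).
def _seg(marker, payload):
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


_THUMB = JPEG_SOI + b"\x00\x11" + JPEG_EOI               # thumbnail with its own EOI
CLEAN_JPEG = (JPEG_SOI
              + _seg(0xE1, b"Exif\x00\x00" + _THUMB)      # APP1 carrying the thumbnail
              + _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")   # SOS header
              + b"\x12\xff\x00\x34" + JPEG_EOI)           # scan data, then the real EOI
TAMPERED_JPEG = CLEAN_JPEG + b"MZ\x90\x00 payload"         # dropper appended after EOI
SAMPLE_PDF = (b"%PDF-1.7\n"
              b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
              b"2 0 obj << /S /Java#53cript /JS (app.alert('hi')) >> endobj\n"
              b"trailer << /Root 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    for name, blob in [("My Babies.jpg", CLEAN_JPEG), ("My Babies.jpg", TAMPERED_JPEG),
                       ("Amenia insecticide info.pdf", SAMPLE_PDF)]:
        print(name, triage(name, blob) or "clean")
```

The segment walk matters: a naive search for the first FF D9 would stop at the EXIF thumbnail's own end marker and report every camera photo as having trailing data.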

                            • Serum

                              #15
                              ENTRANT 14 - MarineMadMax

                              ########################## BACKSTORY SECTION - Entry 14 - MarineMadMax ##########################

                              As this year’s target is a casino, I wanted to pull off a heist worthy of Ocean's 11, stealing all the snacks from the Defcon Chill Out Lounge. To me the natural target was Jack. It's reasonable to assume based on Jack’s resume that he has been more focused on game development than the casino’s digital infrastructure. And with a degree in Computer Science earned nearly 40 years ago, he would likely be dazzled with the glossy words and presentations from Frank, who appears to be a guy with all the skills and know-how of someone with a Security+ certification. Enough so that Jack trusts the third-party security services provided by Frank. If we pair that with a likely flood of emails from friends and acquaintances congratulating Jack on his impending retirement, he is more than likely to respond to my sociable phishing attempt.

                              To lure Jack, I plan to entice him with an email from a fawning young game developer (preying on Jack’s passion for mentorship) offering up an innovative game with a nostalgic feel that appeals to the memories of Jack’s past successes like Casino Connect 4. The plan is to entice Jack to one last big win on his resume before retiring to go fishing for the remainder of his life (yes, for the kind that swims... I’m sure Jack won’t fib to his grandkids by saying that his latest catch is a 2-foot monster when it was actually a 12-inch bass).

                              The Pitch:

                              Put your guts on the line…. Literally… In Operation: Casino Edition, the stakes are high, the tools are unsterile, and the Wi-Fi is definitely not secure. Join us for a game where modern technology meets the narcotic of nostalgia, where shaky hands from too many Bawls, questionable hygiene from all those ‘three-way’ handshakes, and a bootleg medical degree from the darkweb may brick your patient’s wetware and cost you a fortune. Extract the most high-value organs, and you’ll walk away with a fortune in black-market body parts because who needs morals when you’ve got a buyer in Moldova?
                              But beware! Touch the sides with your tools and you’ll get buzzed harder than a bachelorette on bottomless mimosas at Alexis Park. Oh, and make sure you watch out for the sphincter where the opsec is tighter than the Secretary of Defense’s Signal group chat.
                              Remember HIPAA doesn’t exist here and neither does the Geneva Convention.

                              There are many ways to fillet a phish, but for this attack I am going with something simple. Why complicate things when plenty of folks are still buying Apple gift cards for their ‘CEO’. Once Jack takes the bait with the promise of exclusive access to unreleased games, clicking the link will land on a slick teaser site designed specifically to pique his curiosity. Then comes the special moment: to "learn more," Jack will be prompted to log in using his corporate single sign-on. Of course, the login page will be a clone of the real thing, capturing his credentials the moment he submits them. After, Jack will be distracted by AI gaming content that gives the webpage a sense of realism.
                              Once I have access to his corporate email, I will use his status to urgently warn Kaya that all the snacks in the Defcon Chill Out Lounge are infested with bugs and must be disposed of ASAP. She will be directed to quickly escort a team in hazmat suits to the lounge to bag the snacks. From there the snacks will be loaded into a dark van with a driver that looks suspiciously like Matt Damon.

                              ########################## PHISHING E-MAIL SECTION - Entry 14 - MarineMadMax ########################

                              Greetings Mr. Thompson!

                              My name is Linus Caldwell, I am a Game Developer at Patch & Pray Interactive™. I read about you receiving the DoubleThree Innovation Award in 2015 in the Blayne State school newspaper my freshman year and it inspired me to pursue a career that I am passionate about in game development. I now have the opportunity to live my dreams, working for some of the best casinos in Vegas, such as the Stardust, the Sahara’s second reboot, and that truck stop off Tropicana that used to be a Sizzler, but now has a roulette table and a frozen daiquiri machine.
                              I was genuinely disappointed to hear you’re retiring before we got the chance to collaborate, so I’m seizing this last opportunity before you dive headfirst into the peaceful world of beekeeping! Inspired by your legendary Casino Connect 4, I designed a product line that fuses nostalgic charm with breakthrough technology in a way that’s never been done before. Imagine launching an exclusive version at DoubleThree during DEFCON, before the entire line makes its debut this October at the Global Gaming Expo at the Venetian.
                              Follow the link below to our website, where you will get a sneak peek at some of our exciting content! One game I think you'll really love ‘Operation: Casino Edition, a 4D-experience. Hack the body, harvest the goods, pray those warez you downloaded aren’t infected. Players will go elbows-deep into the patient, a suspiciously squishy lab-grown meat prototype that looks way less appetizing than advertised to extract valuable body parts like the Golden Gallbladder, the Lucky Lung, and the ultra-rare Appendix of Fortune. Collect three organs on ice, and you’ll cash out with some seriously shady rewards… if you survive the buzzers’.
                              I’ve made it easy so you can just use your single sign on, no need to bother with creating a whole new account.

                              Link here

                              Really looking forward to catching up, maybe we could grab coffee sometime!
                              Linus
                              Game Developer
                              Patch & Pray Interactive™
