Every year in Las Vegas, hundreds of attendees at hacker conference DEF CON gather to watch teams of social engineers compete to see who can extract the most data from unwitting employees picking up their phones.
Some permutation of the Social Engineering Community (SEC) voice phishing (“vishing”) contest and its signature sound booth has been a fixture of DEF CON for over a decade. But 2024 was the third year spouses JC Carruthers and Stephanie “Snow” Carruthers were in charge.
JC is the president of security firm Snowfensive, while Snow is the global lead of cyber range and cyber crisis management at IBM X-Force. They also happen to be experienced social engineers and penetration testers who have sought to expand the contest by bringing in new sponsors like Microsoft and initiatives like coaching for qualifying teams.
“One of the biggest things that I’ve learned is people just assume social [engineering] is not gonna work. They’re like, ‘No, we do training for this,’” Snow told IT Brew. “When you go back and look at what’s covered in that only one-hour-a-year training, it’s bad. It doesn’t cover any of the tactics competitors are always doing.”
The concept is relatively simple: The organizers assign contestants target organizations (ranging from pizza joints to telecoms) well in advance of the conference, tasking them with finding intelligence on the target and strategizing how best to talk their way in. On the day of the competition, they’re ushered into a sound isolation booth with a phone line controlled by a referee. Contestants have a limited amount of time to dial up the target organizations and retrieve their objectives.
Those objectives typically entail convincing the party on the other end of the line to disclose details about physical security and cybersecurity measures at their employers. For example, vishers might have to ask how staff lock up at night, what antivirus software is installed on their machines, whether there are protocols for handling personal data, or how workers dispose of old keycards. Other objectives might include directing the target to visit a phishing link, although in this case, it’s a harmless site displaying humorous error messages.
Callers often pretend to be from some kind of IT department or help desk. But they’ve employed other personas as well, pretending to be everything from angry customers to radio hosts awarding prizes.
“We have people who have never been to DEF CON before that are competing,” Snow said. “We have seasoned professionals. We have salespeople, marketing people.”
One competitor in the past was simply a victim of a social engineering scam who decided to research the topic, Snow added: “They just went down a rabbit hole and learned what they could, and they somehow stumbled upon us.”
The competition has strict ethical rules. Asking for sensitive information like credentials or personally identifiable information is banned, as are “pretexts or narratives which utilize fear” and impersonation of external authority figures like police. Audience members are warned not to record audio of the actual calls (and IT Brew also agreed not to record or report details from the calls).
Targeted organizations aren’t informed of the exercise in advance, according to the organizers, because there’s no way to ensure it won’t affect the result. SEC doesn’t notify or debrief them after the contest’s conclusion, either, to shield workers who picked up the phone from repercussions.
“We don’t want to name and shame companies,” Snow added. “It’s not about how they did great or didn’t.”
Instead, she said, the competition illustrates both the continued effectiveness of social engineering and specific trends that play into it. For example, the SEC issues data-driven reports detailing the results of competition engagements. This year, JC added, two academic experts listened behind the scenes to collect data.
“It’s really cool to see the breakdown of different tools that were used and what they found using those tools,” Snow added. For example, in recent years competitors have discovered troves of potentially useful information from communities on social networks like Reddit or TikTok.
At this year’s DEF CON, JC and Snow competed in the booth for the first time in almost 11 years. Their opponent, it turns out, was brand new to the game—a generative AI-powered vishing engine developed by two AI experts, human systems engineer Lisa Flynn and cybersecurity author Perry Carpenter.
The humans managed to eke out a victory this time. But JC warned AI tools will enable scammers to operate at scale without having to employ an entire call center’s worth of telemarketers.
“There’s already teams out there that try and entrap these scam call centers, find and work with their local government authorities, and take them down,” JC said. “But the only reason is because they have that physical footprint.”
“We can’t sit on our haunches,” he added. “The attackers aren’t.”