Donning the Apron: Winning the DEF CON 31 Vishing Competition and a Black Badge
Some of my last restful moments before DEF CON 31 were spent over dinner at a dimly-lit Italian restaurant. Thursday would find me meeting with organizers and other competitors in the Social Engineering Community, and Friday would find me in the phone booth calling pizza company employees. For now, I sat in relative quiet among a few other patrons (and a $10 bottle of Fiji Water).
One song finished playing on the restaurant speakers, and the next one came in with a punchy, electronic bassline. As one of my favorites, it was unmistakable: “Arty Boy” by Flight Facilities.
Sunday would find me holding a Black Badge on stage at the DEF CON closing ceremony.
Lying in Wait
The significance of that song comes from the team name I used for myself during DEF CON 30. Back for vengeance, I chose to go by Arty Boy again. If you haven’t read about my experience placing second last year, I highly recommend doing so before reading this! There I describe how I got interested in social engineering, my path to the vishing competition, and everything involved from written reports to live phone calls. The OSINT and vishing objectives were the same this year, so I’ll skip over most of what I covered before.
Keeping tabs on updates from the Social Engineering Community, I wondered if I’d be rushing to make a last-minute video submission again. Luckily, an email told me I didn’t need to.
Since your smooth skills won you 2nd place last year, we would like to invite you back to the Social Engineering Community Vishing Competition (SECVC) for DEF CON 31. This means you don’t need to apply — you’re in — and already accepted, if you want it.
Of course I accepted! I say of course, but there was a fair bit of internal debate about whether it would be worth the time and stress again. Not wanting the opportunity to go to waste, I still made a video and sent it in about a week before DEF CON.
I had a few video ideas over the past year, and was especially drawn to this one: a Taylor Swift parody cover lamenting the first place and Black Badge that just barely slipped away from me. I was still sad from not getting tickets for her recent tour.
Our videos weren’t shown during the competition, but I hear mine might’ve been shown during one of the village debriefs. If anyone saw it, I hope they liked it. Bonus points if you can pick out the meow my cat was kind enough to provide.
Into the Numbers
This year, my OSINT report came in at 86 pages, with the vishing plan report close behind at 82. More interesting is the reason for the long vishing plan report: 3,175 phone numbers.
During the competition, I’d only be able to call phone numbers I submitted in this report, each with an appropriate source. I was struggling to finish the report in time, let alone decide what my calling strategy would be for the day-of. How could I give myself as many options as possible to deal with later? By listing the phone number of every single physical location belonging to my target company, of course.
Each competitor was given a pizza chain, and the website for mine was particularly informative. With some sloppy coding, a little Python script was soon digging through links and gathering numbers for 3,108 different stores within the United States. As fate would have it, none of those phone numbers helped me at all in the booth.
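The kind of crawl described above, as an added example (this is not the author's script): a breadth-first walk of a store-locator site that follows only on-host links, pulls phone numbers out of each page, skips numbers labelled as fax lines, and keeps the URL each number came from so it can be cited as the source in the report. The host name, the page layout and every page are constructed inline so the example runs offline; `fetch` is a stand-in for an HTTP GET and is the only piece that would change against a live site. Numbers are assumed to be US (+1).

```python
"""Crawl a store-locator site and collect each store's phone number with its source URL.

Added example, not the author's script. The locator layout (index page -> state
pages -> store pages) and all page contents are constructed for this example and
served from an in-memory dict instead of over HTTP.
"""
import re
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

BASE = "https://stores.example-pizza.test/"  # hypothetical host

# Constructed pages: a locator index, two state pages, three store pages,
# one off-site link (must not be followed) and one page that also lists a fax line.
PAGES = {
    BASE: '<a href="/stores/ca">California</a> <a href="/stores/tx">Texas</a>'
          '<a href="https://social.example/brand">Follow us</a>',
    BASE + "stores/ca": '<a href="/stores/ca/1001">Store 1001</a>'
                        '<a href="/stores/ca/1002">Store 1002</a>',
    BASE + "stores/tx": '<a href="/stores/tx/2001">Store 2001</a>',
    BASE + "stores/ca/1001": "<h1>Store 1001</h1>Call us: (555) 010-1001",
    BASE + "stores/ca/1002": "<h1>Store 1002</h1>Phone: 555.010.1002 Fax: 555-010-9999",
    BASE + "stores/tx/2001": '<h1>Store 2001</h1>Tel 555-010-2001 <a href="/stores/tx">back</a>',
}

# Common US formats: (555) 010-1001, 555.010.1001, 555-010-1001, 555 010 1001.
PHONE_RE = re.compile(r"(?<!\d)\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})(?!\d)")


class LinkExtractor(HTMLParser):
    """Collect href targets from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def fetch(url):
    """Stand-in for an HTTP GET: returns the page HTML, or None if unknown."""
    return PAGES.get(url)


def in_scope(url):
    """Only follow links that stay on the target host (no social links, CDNs, etc.)."""
    base, target = urlparse(BASE), urlparse(url)
    return target.scheme == base.scheme and target.netloc == base.netloc


def extract_phones(html):
    """Return phone numbers in E.164 form (+1 assumed), skipping ones labelled as fax."""
    text = re.sub(r"<[^>]+>", " ", html)  # crude tag strip; numbers live in text nodes
    phones = []
    for m in PHONE_RE.finditer(text):
        label = text[max(0, m.start() - 20):m.start()].lower()
        if "fax" in label:  # heuristic: the word "fax" shortly before the number
            continue
        phones.append("+1" + "".join(m.groups()))
    return phones


def crawl(start=BASE, max_pages=5000):
    """Breadth-first crawl; returns ({phone: first URL it was seen on}, pages queued)."""
    seen, queue = {start}, deque([start])
    numbers = {}
    while queue and len(seen) <= max_pages:
        url = queue.popleft()
        html = fetch(url)
        if html is None:
            continue
        for phone in extract_phones(html):
            numbers.setdefault(phone, url)  # keep the first source for the report
        parser = LinkExtractor()
        parser.feed(html)
        for href in parser.links:
            link = urljoin(url, href)
            if in_scope(link) and link not in seen:
                seen.add(link)
                queue.append(link)
    return numbers, len(seen)


if __name__ == "__main__":
    found, visited = crawl()
    for phone, source in sorted(found.items()):
        print(f"{phone}\t{source}")
    print(f"{len(found)} numbers from {visited} pages")
```

The fax heuristic is there because locator pages often list a fax line right next to the voice line, and a fax number in the submitted list is a wasted entry. Against a real site, rate-limit the fetches and respect robots.txt: a burst of thousands of requests from one address is exactly the sort of thing a target's web team notices.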
Into the Booth
Like last year, I prepared cheat sheets of sorts to take into the booth with me. The first page was a selection of phone numbers—10 from corporate and 52 from stores throughout the country. I color coded this page based on timezone and which numbers had answered the quickest on test calls (as competitors, we could call numbers to verify them, but not interact with anyone). I also had pages for my spoofing phone numbers and three pretexts I’d prepared.
Wanting to maximize my points, I came prepared with background sounds to play on my iPad, and two different outfits. I only really used one pretext, outfit, and set of background sounds to drive me to victory. It was working so well that I didn’t really have time to switch things around, and I’m kind of sad I didn’t get to use my second “character”.
My first pretext was largely similar to last year: an IT support team member who was either troubleshooting connection issues or collecting employee feedback on security initiatives. I came armed with a keyboard, carabiner of random cables hanging from my belt, and a fake employee badge (that definitely wasn’t a Starbucks gift card). A few calls to stores at the start were futile, and the employees who answered knew little of computers. I quickly gave up on the dozens of store phone numbers.
Calling corporate was a lot more nerve-wracking, as I knew I’d be out of luck if I burned the few numbers I had. Another competitor with the same company had gone right before me, and I was afraid of reaching employees they already talked to. Still, I hoped for the best and called headquarters.
Is This the Mailroom?
I got a quick pickup from the receptionist, but with so few public phone lines, I worried they’d be wary of vishing. Instead, they started answering my questions without a second thought! Soon into the call, they told me they were actually from the mailroom, and just filling in for the receptionist. How lucky?
I assured them that they could help just as well, and got almost every objective on my list, including having them visit a fake troubleshooting website. This year, the audience was allowed to vote on a silly objective, and mine was “what would you do with a thousand rubber ducks?”. I got an answer to that one too: go swimming with them!
I graciously thanked the employee for their time, and kept going.
What Store Number?
Next up was a corporate helpdesk line for stores experiencing IT issues. Could I call IT, pretend to also be IT, and still get objectives? I guess so.
Hello, what is your store number?
I knew this question was coming, as I’d heard it during my test calls. I could’ve researched store numbers in preparation for the competition, but alas I had none. I answered the best I could:
Hey, I don’t have a store number, I’m actually calling from corporate IT… (yada yada)
And it worked! I soon had another employee giving me objective after objective. For the second time, and with incredible luck, I wrapped up the call on a fake website visit. With under a minute left on my timer, I realized I never got to perform my costume switch.
The Tale of the Broken Marinara Machine
“Wait, wait, I’m Tony!” I said, rushing to switch costumes as the crowd cheered from my previous phone call. I donned an apron and chef’s hat, and swiftly dialed one more phone number. I really wanted those extra costume and pretext points. My time ran out, but I was proud of that alter ego.
The pretext was always meant to be backup entertainment in the event my calls were going horribly. I’m happy I never needed that fallback, but it would’ve been fun. Here’s how Tony planned to start his calls:
Hey, this is Tony from the <insert location> store, and I’ve got a big problem. My marinara machine is down and corporate won’t help me at all. The thing is boiling up, won’t give me any sauce, and the customers are getting angry; let me tell you. What am I supposed to do, serve only white pies? Papadias with no marinara? I’m losing my mind here. Can you help me real quick?
The costume was a big part of it! One of the first websites I found during OSINT research was a uniform store. I was able to order an official apron, complete with the embroidery “ARTY BOY / DEF CON 31 SECVC”. I made up a store number to place the order and held my breath — knowing this cheeky move could tip off my target and put me out of the running completely. When the order finally arrived, I was ecstatic.
Since I didn’t really get to show off the apron in the booth, I wore it to the village award ceremony.
The Aftermath
The judges gave me some feedback, and I quickly started my internal debrief. Did I place enough calls? Did I capture enough objectives? Did my last-minute costume change count? It seemed like I captured fewer objectives than last year, but there were some high value ones, like the two separate website visits.
Winners this year wouldn’t be announced until the village award ceremony on Sunday morning. I got an email on Saturday inviting me to the competitor panel, so I was pretty confident I won first or second place, but didn’t know which.
At the award ceremony, I put the apron back on and took a seat with my friends. I could barely talk or think as I waited for the results. Finally, the scoreboard updated and refreshed on screen, showing me in first. I’d won by over 150 points—the costumes hadn’t mattered after all!
An Electric Feel
News came shortly after that a Black Badge was confirmed for the vishing competition. DEF CON chooses which competitions get Black Badges each year, and villages don’t know in advance. We gathered at the main closing ceremony, where I waited for what felt like an eternity until we were called up front. Jeff Moss (AKA Dark Tangent, founder and host of DEF CON) introduced the village and welcomed us on stage before handing me a temporary Black Badge. That’s the photo you see at the top of this writing.
I never got info on how or when I’d get the real badge, and remained confused until watching a recording of the closing ceremony about a month later. While I was exiting the stage and registering myself for the Black Badge Hall of Fame, I missed Moss explaining that the Black Badges ran into manufacturing problems, and would be swapped out later. While I’m still waiting for mine, that recording finally gave me a glimpse of what to look forward to.
This year’s Black Badge was intended to be coated with electroluminescent paint, making the white parts shine brightly when met with an electric current. Such paint requires complicated and delicate application, which was not completed in time for the conference. I look forward to eventually getting one and witnessing its shining glory!
Karma Takes All My Friends to the Summit
I wanted to attend Hacker Karaoke this year to follow up last year’s performance of “Helena” by My Chemical Romance, but DEF CON was evacuated just as I was getting there. Disappointed, I brought my friends back to my hotel room where we held our own mini-karaoke, and I sang “Karma” by Taylor Swift.
Karma on who? I don’t know; maybe myself. I hadn’t known if I’d won the competition at that point, but I was proud of the work and effort I put in. If nothing else, I surpassed myself from the year prior.
My biggest lesson this year was to stay determined. There were a few times before the conference when I wanted to give up completely, and surrender to the stress I was under. My OSINT and vishing plan reports took an incredible amount of time, but I’m glad I kept at them. The coaches were incredibly helpful for this—pushing me to get every last OSINT objective I could before the report deadline.
Again, I offer my sincere gratitude to the organizers, judges, coaches, and other volunteers in the Social Engineering Community (@sec_defcon). I look forward to joining you all and coaching some competitors myself next year!