US Army "Scams" Service Members to Test Their Spam Gullibility

9gezegen writes "An offer for free tickets to theme parks for service members turned out to be an email scam, a ploy that was in actuality a security exercise run by the Army. Involved servicemen and DoD civilians received an email, allegedly coming from the 'Army Family and Morale, Welfare and Recreation Command Office,' and directed them to a phishing site which asked for personal information. After rebuttal and warning by Army MWR, the website revealed that it was a security exercise after all. Army MWR later verified the exercise and announced they were not informed beforehand."

Typical

[SatanicPuppy]

The MWR people are all crying because no one told them that it was a test...Apparently, in their minds, there is no need to test an army organizations response to someone falsifying announcements in their name.

Sounds like the test went off swimmingly. I can't count the number of times I've thought about doing the same sort of thing to people I work with. A few good solid scares will tighten up their security policy.

This is good.

[Anonymous Crowhead]

More companies should do this. Hell, banks should do this to their customers.

In before....

[Protonk]

people suggest that the stupidity of the army members leads to a higher percentage of click throughs. Remember, studies across the board have shown about a 60% 'gullibility' rate for almost any sector of the populace. Those using general banking, investment banks, 4 year degree holders, etc.

.mil???

[QuantumRiff]

One would think the military would have an easier time than most. You and I cannot register .mil addresses. Shouldn't the people have been looking out for http://mwr.army-support.mil/ [army-support.mil] instead of http://mwr.army-support.com/ [army-support.com] (the link in the email?) Or does the army use .com addresses for some things, cause that seems silly. One would think they could tweak the source in firefox to change the address bar a different color for .mil addresses or something..

Re:.mil???

[Anonymous Coward]

Do you think your average Army grunt knows anything about the domain registration rules? No. They just want free tickets, and it probably looked legit enough.

Challenges = Good Security

[Anonymous Coward]

Human nature is to focus on important things and disregard unimportant things. Because security challenges don't happen every day, we tend to get lazy and think it's not important. (Blame evolution; your brain just isn't worried about charging lions until it sees one. After that, you tend to watch out for lions!)

At work, I will always do something to an unlocked computer. Sometimes it's just to open Notepad and write, "This machine has been hacked!" and crank the font size up to 96. Sometimes I'll send an "I Love You" e-mail from the person to the person sitting next to them. (Who I always bring in on the prank, and I have never had a problem getting cooperation).

Last week, my boss (VP of IT) went into a meeting and left his machine unlocked. I sent *his* boss an "I Quit!" message.

Now, unlocked computers are so very rare around here. I'm glad for the increased security, but sad that I can no longer prank my co-workers.

Re:And what was the point?

[qbzzt]

Either way that's not cool at all. Just think if your company set this up on you, what would your reactions be?

If my company trusted my co-workers with information that could get me killed, I'd want them to test susceptibility to social engineering. If I do a bad job, my company loses money. When people in the military do a bad job, people can die (OK, when they do a good job people still die - but they're other people, those trying to kill them). They need to worry more about security.

Re:In before....

[Moonpie Madness]

who are these people making that suggestion?

I'm not pretending the army is full of Einsteins, but they all graduated high school or earned a GED (vast vast majority graduated high school), and all of them are required to learn math skills involving chemical attack detection, navigation, operating a frequency hopping radio, etc.

Compare that to kids in the average US city, where 50% do not graduate high school.

The Army is certainly a lot smarter than the general population. They may be more willing to rely on titles (like MWR)... I don't know about that, but I'd like to know who is buying the Carter era propaganda that the army is a bunch of idiots.

I like it

[Daniel Wood]

I didn't get the e-mail myself(or maybe I did, I'm on leave so I have not checked it in weeks), but this is an example of the kind of tests that the Army should do. Not telling MWR, good idea. It not only gives them an opportunity to see the response of troops, but an opportunity to see the response of MWR to this kind of threat.

What I think the Army will find most surprising(or not!) is the apparent lack of use of the AKO Webmail system, it sucks, hard. //SPC Wood, Active Duty

Re:Typical

[glavenoid]

Sounds like the test went off swimmingly. I can't count the number of times I've thought about doing the same sort of thing to people I work with. A few good solid scares will tighten up their security policy

*Sigh (not at you, just in general)* That's true, but how long will they remain scared and secure? People often fall into a false sense of security when there has been either a trend of "good times" or when someone keeps crying wolf. One scare will keep people safer in the short term, but not permanently.

Except for those of us who are always waiting for the other shoe to drop...

Re:This is good.

[glavenoid]

More companies should do this. Hell, banks should do this to their customers.

If more companies did this, then people would stop using their services as the trust relationship would be totally broken. People in general don't like to be dicked around with, even if it's for their own good (maybe especially then?). More companies should create better mechanisms that protect their consumers instead.

Re:Typical

[Gogo0]

Youre right, but there is a little more to it.
These are called 'exercises', are planned extensively, and there is definitely installation coordination. The local DOIM (directorate of information management) is notified of the exercise, usually by their theatre command well ahead of time.

Of all the phishing iv seen during various exercises, iv never seen one more complicated than simply counting how many users on what installation clicked the link. no information gathering besides IP, which is helpful for problem user training.

Re:And what was the point?

[protolith]

Either way that's not cool at all. Just think if your company set this up on you, what would your reactions be?

I would prefer that my company be active in testing security in this exact fashion. Rather than imposing increasingly opressive restrictions because of what some people "might" do.

it would be better to get teh e-mail "Since 12% of you BONEHEADS didn't recognize a clear security threat, and feature XYZ was essentially opened to be compromized, it will be locked untill you boneheads demonstrate you can handle the responsibility" If the feature to be lost is significant, publicly humiliate the list that failed the security test, Lord of The Flies style justice will take over the cube farm and lessons will be learned...

Re:In before....

[Anonymous Coward]

Actually it's smart to have directions. Not because people are dumb, but so people who are under extreme duress can still function. And what about people not trained to use the device, or who were trained a long time ago but don't regularly use it? Not putting directions on everything would be dumb.

Re:In before....

[rossz]

So the guy trained to use the anti-tank rocket is killed. Isn't it nice that they put nice, easy to follow instructions on it so that any private can use it and save everyone's ass?

Simple instructions are the fail-over mechanism.

Re:The army has been scamming people for years.

[IHC Navistar]

Actually, that's not a scam. The military will pay for whatever school you can get accepted into. If there is a conflict going on, and you are currently enrolled, you just send in a verification of your enrollment and the military will (they have to) pass over you until your next deployment comes up next, you graduate, or you decide to resume service.

They cannot pull you out of class. The only time they can pull you out of class is during a natural disaster (National Guard, or in extreme cases, the standing military). If the conflict or disaster gets to the point where they are pulling people out in the middle of class, school for everybody will pretty much be irrelevent to the issues occuring. However, they can keep you deployed for a certain amount of extended time, provided you are already deployed.

I know it's easy to trash the military, being all high on your horse and born with a silver spoon in your mouth, but until you can actually say you've EARNED your right to free speech, rather than using it because you were born with it, pull your head out of your ass and stop abusing it. Unlike you, obviously, those of us in the military have the guts, balls, discipline, and bravery to fight for our rights at the expense and derision of little pussies like you who talk trash about us while sipping a Starbucks latte in your comfy office. Someone should strap you to the side of a Humvee and use you for armor. Weak armor.

Re:Education?

[Jaime2]

Ummmm.... This was a test, not a lesson. A good test is designed to evaluate something, not to educate or to scare. Now, the Army knows at what rate people can be scammed. This data will either be used to judge the effectiveness of their previous training (if there has been any), or as a baseline to judge effectiveness of future training. You cannot teach during a test without destroying the statistical validity of the results.

Re:Education?

[somersault]

I think stuff like this should be taught at a more basic level - in school rather than on the job. Nothing wrong with organisations doing it at the moment for the already schooled peeps, but the only way to get rid of phishing scams is to educate people so that they stop being worth the scammer's time. Advertising spam will probably never stop being worth it unless people start using white lists for all their communication, but that's not possible in a lot of situations (like most businesses).

Military service is for idiots

[slydawg1]

Say what. The biggest probelm with our nation today is the fact that as I type I am wasting time that could be put forth for a more useful purpose. As for the individuals in this talkback that think the military is full of a bunch of idiots. Today's US military is the best educated in the world.

Here are some numbers just from the Air Force alone:

- 72 percent of enlisted personnel have some semester hours towards a college degree
- 17 percent of enlisted personnel have an associate's degree or equivalent semester hours
- 5 percent of enlisted personnel have a bachelor's degree
- 0.01 percent have a professional or doctorate degree

And that is just the enlisted. So to those that think that the US military is for dummies. And that military serves no useful purpose please go to Indonesia, Pakistan, Afganistan, or countries in the Horn of Africa and say you know "I don't want to disappoint you but we are getting rid of our military and all that food medicine, free doctor's care , new water wells, electricity, that you have been recieve via our military is not going to be provided to you any more. Oh and those fanatics that have been threating you for years now we aren't going to protect you from any more because we are getting rid of our military." Also include the the following while you are at it. "Oh you know that development of that dam to keep your land from flooding every year that causes disease and destroys your crops well the Corps of Engineers are a part of our military and well thier gone too."