
US Army "Scams" Service Members to Test Their Spam Gullibility

9gezegen writes "An offer for free tickets to theme parks for service members turned out to be an email scam, a ploy that was in actuality a security exercise run by the Army. Involved servicemen and DoD civilians received an email, allegedly coming from the 'Army Family and Morale, Welfare and Recreation Command Office,' and directed them to a phishing site which asked for personal information. After rebuttal and warning by Army MWR, the website revealed that it was a security exercise after all. Army MWR later verified the exercise and announced they were not informed beforehand."
  • by QuesarVII ( 904243 ) on Wednesday April 02, 2008 @05:47PM (#22944892)
    I want to know a percentage of people that fell for it!
  • by couchslug ( 175151 ) on Wednesday April 02, 2008 @06:12PM (#22945220)
    "I don't think they needed to try this on the military with so much data out there."

    I think that the military should try more such exercises to keep their people aware of such security issues. If they do it enough, the standard response to such emails will be to verify the source and report it as required.
    Even with the somewhat computer-literate USAF folks I served with, these "exercises" would have been very helpful.
  • Re:Typical (Score:5, Interesting)

    by KevMar ( 471257 ) on Wednesday April 02, 2008 @06:15PM (#22945260) Homepage Journal
    I am tempted to do this all the time, but I know the administration would not understand what I am talking about. In the end I would probably get fired on a technicality.

    The weakest link in any security system is the end user. I work with users that have the hardest time with computers. I have this guy call every week because he forgot his password and I have to take 10 min training him how to change his password. (why every week? he only works on Thursdays).

    Now you will have to make a new password, it has to have ... blah ... blah ... ... You have to retype it to confirm it before you press enter this time.

    now you have to put in your old password again. not that one, the one I just gave you is the old password. You have to click in the line. click the mouse. left click. you can't hover the mouse over it, you have to click in it. ... now type your new password. On the next line retype it. You have to click, no left click, click the mouse in the box.

    You have to type it the same. no, I can see they don't match. the first one is longer, it has more dots.


    You just can't explain to some people what phishing even is.

    I had one guy call up freaking out that his computer told him he had porn on it. (it's a fire on the spot if you have porn). It was a little pop up window trying to get him to install a program to "remove" it. The good news is he was too scared to click the button and called me instead. Other users had to be rebuilt.

    I know an attack like this would catch so many people and you have to train them. But you spend so much time just logging them in or working on the basic stuff. This is one detail that some people will have a hard time grasping.

    I am in an interesting environment. I have college students looking to enter the workforce working with people that are about to or have retired. So I deal with the full range of users all the time.

  • Good (Score:3, Interesting)

    by barzok ( 26681 ) on Wednesday April 02, 2008 @06:23PM (#22945344)
    There need to be more of these "safe tests" to point out to people that they need to be more careful about their email habits. Maybe, eventually, I won't have to worry about family members getting phished and falling victim to identity theft if they're educated this way.
  • Education? (Score:4, Interesting)

    by JSBiff ( 87824 ) on Wednesday April 02, 2008 @06:30PM (#22945454) Journal
    Maybe I'm overly optimistic, but maybe the point of this exercise wasn't *just* about scaring people, but about trying to educate them in such a way that they remember the lesson? So, it could have a longer term positive impact than you credit it.

    They will still need to conduct something like this once every year or two, though, you're right, because 1) yes, people will tend to become complacent, even if they now know better, and 2) Turnover (not apple or cherry) - old people leaving, new recruits joining, need to educate the new guys (and gals).

    Plus, the information gathered in this exercise (not the data entered by the people on the phishing site, but the lessons learned by Command about the phishing attack and what made it succeed) could help them to review and re-write training material / procedures, and policies, to help them tighten up their security longer term. Although, we are talking about the military so who knows? (I kid, I kid. . . honestly, the military for the last 20 or so years has been doing, as far as I can tell, a pretty impressive job of re-inventing itself, and becoming much less bureaucratic than it used to have a reputation for being).
  • Re:.mil??? (Score:3, Interesting)

    by -Tango21- ( 703195 ) on Wednesday April 02, 2008 @06:45PM (#22945636)
    That's a great idea but it might have been obfuscated by spoofing and hiding a ".mil" extension within a long hyperlink. I know many organizations that send out requests for information via third party links. I would bet that the service men and women who responded to the offer were trained to a certain degree _to do_ the very thing that the Army admonished them for. What I mean is, they are probably so used to replying/responding to such inquiries that they didn't even think twice (heck, they're the Army even trains their soldiers not to obey).

    I'd give the people that responded a break, they seemed very well targeted. There is probably a significant number of people who, if they were on the receiving end of such a targeted offer, would probably succumb to a similar promise. But, as other people have noted, perhaps this will help people question what they see more and not accept things at face value. Who knows, if the Army finds human error too much of an operational risk maybe they will start whitelisting sites people can go to instead of expecting people to identify fine-tuned phishing scams.

    Then again, the only safe network is one that is air gapped, degrading its usefulness but greatly increasing its security; at least to outside threats - there's always room for user error!

  • by Anonymous Coward on Wednesday April 02, 2008 @06:55PM (#22945762)
    I don't care, they should have known better. I've been a service member, and I gotta' tell you, I would have realized it was a scam the second I read the words "Army Family and Morale, Welfare and Recreation Command Office" ... and tried to pronounce the acronym so I could start using it.

    AFMWRCO... AFMWRCO... wait a minute, something's fishy here... [wikipedia.org]

    Pronounce enough of these and you start seeing a pattern. What is that pattern? Beats me. It's just "one of those things."

    Can I get a hoo-ah?
  • Re:Typical (Score:5, Interesting)

    by daeg ( 828071 ) on Wednesday April 02, 2008 @07:42PM (#22946276)
    Clear it with management and do it on a limited, rolling basis.

    We do it on a random sample of users with our web platform. All login requests get routed to a central domain ("shield.domain.com") which is non-SSL. That domain does a little basic load balancing to distribute requests to "https://foo.domain.com" or "https://bar.domain.com". We have a few extra domains set up, including "https://foo.domane.com" with a valid SSL certificate; "https://aa.domain.com" with an invalid certificate; and a non-SSL domain, "http://foodomain.com". All are nearly identical to our login page - one has a button out of alignment, throws some JavaScript errors, etc.

    The pages alert the user to the deception on the first try. Second tries net a phone call. Third tries get a more detailed phone call with the office owner & account lockout.

    It's been very effective, in fact, I've received several thank you notes so far from our users for teaching them about it. Not just dictating to them, but teaching them through first hand experience. They thank us because they can easily apply that same "does the address bar really match what it should?" technique to every other site out there.

    And to get the same effect as phishing, we send out periodic/random e-mails that read pretty official, but come from the wrong domain, or have a forged From: address, asking a user to visit a set up fraud website to enter personal information (not detailed, mostly just fishing for their user credentials).

    The only thing I don't know yet is if users are learning because they are actually learning, or if it's a forced behavior just so they don't get a phone call from me. I'm not sure it matters why, just as long as it's happening.
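The address-bar check and the three-step escalation that daeg describes, written out as an added example (not the commenter's code): the host names are the ones named in the comment, and the lookalike host list, user names and action strings are assumptions for the demo.

```python
from urllib.parse import urlsplit

# The two real login hosts from the comment; everything else is a decoy or unknown.
REAL_LOGIN_HOSTS = {"foo.domain.com", "bar.domain.com"}

# Escalation policy from the comment: first try alerts the user, second gets a
# phone call, third gets a detailed call with the office owner plus lockout.
ESCALATION = [
    "alert user on the page",
    "phone call",
    "phone call with office owner + account lockout",
]


def classify_login_url(url):
    """Apply the user's own check: exact host match, then https.

    Returns "ok" for a genuine login page, otherwise a short reason.
    Note: the decoy with a valid-looking host but bad certificate is caught by
    the browser's certificate warning, not by the address bar, so it is
    outside what this function can see.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in REAL_LOGIN_HOSTS:
        return f"host '{host}' is not a real login host"   # foo.domane.com, foodomain.com
    if parts.scheme != "https":
        return "not https"
    return "ok"


class TrainingTracker:
    """Counts decoy submissions per user and returns the escalation step."""

    def __init__(self):
        self.attempts = {}   # user -> number of times they submitted to a decoy

    def record(self, user, url):
        verdict = classify_login_url(url)
        if verdict == "ok":
            return "ok"
        n = self.attempts.get(user, 0) + 1
        self.attempts[user] = n
        step = ESCALATION[min(n, len(ESCALATION)) - 1]   # stays at the last step
        return step
```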
  • by jackrabbit123 ( 164587 ) on Wednesday April 02, 2008 @09:50PM (#22947242)
    I know someone who did. As an aside all the site asked for was your email address. It's not like they were asking for people to give up their SSN or bank account numbers.
  • Re:This is good. (Score:3, Interesting)

    by zippthorne ( 748122 ) on Thursday April 03, 2008 @12:38AM (#22948158) Journal
    Paypal is, itself, a scam.

    It's a way for "businesses" who can't even muster enough confidence from a bank to get an account with them, to still be able to "accept" credit cards.

    But although you can do something that's very much like banking, with paypal, they are not, themselves, a bank. So they can get away with outrageous fees and also avoid any of the liability the CC banks have.

    This is very much in line with Ebay's business practices: a classified-ad web site server which charges based on how much money changes hands rather than how much bandwidth & back-end processing you sop up.
  • Re:Typical (Score:5, Interesting)

    by vidarh ( 309115 ) <vidar@hokstad.com> on Thursday April 03, 2008 @04:51AM (#22949190) Homepage Journal
    A company I did consulting for at one point did this by posting a top ten list in a very visible spot in the office regularly. No identifiable information, even though all outgoing requests were forced through Squid and so they had the internal static IP addresses of everyone. Within a week visits to "undesirable" sites had dropped to near zero, and there was no reason to deal with anyone - just a gentle reminder that their requests _had_ been logged seemed to be more than enough.
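The anonymised "top ten sites" board vidarh describes, as an added example rather than that company's script: it reads Squid native-format access.log lines, keeps only the destination host, and never reports the client addresses it parsed. The log lines, hosts and addresses below are constructed for the demo.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed Squid native access.log lines: time, elapsed, client, result/code,
# size, method, URL, ident, hierarchy/peer, content type. Addresses are made up.
SAMPLE_LOG = """\
1207216800.123   245 10.0.0.12 TCP_MISS/200 3451 GET http://www.example-games.com/play.html - DIRECT/203.0.113.5 text/html
1207216801.456    90 10.0.0.12 TCP_HIT/200 1200 GET http://www.example-games.com/img/logo.png - NONE/- image/png
1207216802.789   310 10.0.0.7 TCP_MISS/200 8800 GET http://intranet.example.net/timesheet - DIRECT/10.0.1.2 text/html
1207216803.001   150 10.0.0.31 TCP_MISS/200 2200 GET http://www.example-games.com/ - DIRECT/203.0.113.5 text/html
1207216804.555   200 10.0.0.7 TCP_MISS/403 512 GET http://videos.example.org/clip - DIRECT/198.51.100.9 text/html
1207216805.222   180 10.0.0.31 TCP_MISS/200 4100 CONNECT mail.example.com:443 - DIRECT/198.51.100.20 -
"""


def parse_squid_line(line):
    """Return (client_ip, host) for one native-format line, or None if malformed."""
    fields = line.split()
    if len(fields) < 7:
        return None
    client, url = fields[2], fields[6]
    if "://" in url:
        host = urlsplit(url).hostname
    else:
        host = url.rsplit(":", 1)[0]      # CONNECT lines carry a bare host:port
    return client, (host.lower() if host else None)


def top_sites(log_text, n=10):
    """Rank destination hosts by request count; client addresses are dropped."""
    hits = Counter()
    for line in log_text.splitlines():
        parsed = parse_squid_line(line)
        if parsed is None:
            continue
        _client, host = parsed            # parsed, but deliberately never reported
        if host:
            hits[host] += 1
    return hits.most_common(n)


def format_board(ranked):
    """Render the list the way it would be pinned up: host and count only."""
    return "\n".join(f"{i + 1:2d}. {host}  ({count} requests)"
                     for i, (host, count) in enumerate(ranked))
```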
  • Re:Typical (Score:5, Interesting)

    by bhiestand ( 157373 ) * on Thursday April 03, 2008 @05:41AM (#22949340) Journal

    The weakest link in any security system is the end user. I work with users that have the hardest time with computers. I have this guy call every week because he forgot his password and I have to take 10 min training him how to change his password. (why every week? he only works on Thursdays).

    Now you will have to make a new password, it has to have ... blah ... blah ...
    Have you ever considered that your passwords might be too complex for the average user? I worked for an organization that had very stringent password rules: 2 lower case, 2 upper case, 2 special characters, 2 numbers, numbers cannot repeat, letters can't be next to each other on the keyboard, and password must be changed every 60 days, and that was just for my network login. There were more for internal company websites, databases, and custom programs that all had to have similar (but different) passwords.

    I consider myself fairly intelligent, but I had a heck of a time remembering the passwords and was embarrassed by needing regular password resets after long weekends.

    To make matters worse, password management programs like KeePass were not allowed on the network and any unauthorized software could get you in trouble. Because of this I ended up having to do things like writing half my password on a post-it and the other half on a card in my wallet. I devised all sorts of incredibly insecure systems to store the myriad complex passwords I was required to maintain.
