Slashdot Mirror


Anti-Phishers Pose as Phishers to Make Point

Carl Bialik from the WSJ writes "This article notices a new trend in efforts to fight phishing: Anti-fraudsters are posing as phishers 'to train users to be more careful about sharing sensitive information online.' Or, as the Wall Street Journal puts it, 'To fight computer crime, the good guys are masquerading as bad guys pretending to be good guys.' West Point cadets were among those who got fake phishing emails -- in their case, from Aaron Ferguson, a teacher at the academy. 'The gullible cadets received a "gotcha" email, alerting them they could easily have downloaded spyware, "Trojans" or other malicious programs and suggesting they be more careful in the future. ... Nonetheless, he says the exercise upset some cadets, who felt it exploited their inclination to follow an order from a colonel, no questions asked. He says the new edict is, "Ask questions first, then execute." '"

2 of 337 comments

  1. Re:Fill them in with crap by lukewarmfusion · Score: 3, Informative

    You might still be helping them in some small way by confirming that your email address is valid.

    Many spam and phishing emails use links that contain an ID indicating the email address. For instance, "myspamsite.com/great_offers.php?id=1492" where "1492" corresponds to "columbus@hotmail.com" in the spammer's database. Sometimes that ID is buried within a long URL full of different parameters, too.

    Valid emails (especially of those that click on them) are valuable to spammers.

    It's the same reason that you shouldn't click the unsubscribe link or display remote images in your email.
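
Added example, not part of the comment above or of the original page: a defender's check that compares the same link across several received copies of one message and reports which query parameter changes per recipient, which is the kind of ID the comment describes. The mailbox addresses, the `.example` host, the parameter names and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample: the same link as it appeared in three copies of one
# message delivered to three test mailboxes (addresses and host are made up).
SAMPLE = {
    "alice@example.org": "http://myspamsite.example/great_offers.php?c=spring&id=1492&lang=en",
    "bob@example.org":   "http://myspamsite.example/great_offers.php?c=spring&id=1507&lang=en",
    "carol@example.org": "http://myspamsite.example/great_offers.php?c=spring&id=1620&lang=en",
}


def recipient_params(urls_by_recipient):
    """Return query parameter names whose value differs in every copy."""
    values = {}  # parameter name -> list of values, one per copy
    for url in urls_by_recipient.values():
        query = urlsplit(url).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            values.setdefault(name, []).append(value)
    copies = len(urls_by_recipient)
    # A parameter present once in each copy with a distinct value each time
    # is a likely per-recipient identifier; one copy alone proves nothing.
    return sorted(
        name for name, seen in values.items()
        if copies > 1 and len(seen) == copies and len(set(seen)) == copies
    )


def strip_params(url, names):
    """Rebuild the URL without the named parameters, e.g. for an abuse report."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in names]
    return urlunsplit(parts._replace(query=urlencode(kept)))


if __name__ == "__main__":
    tokens = recipient_params(SAMPLE)
    print("per-recipient parameters:", tokens)
    print("reportable URL:", strip_params(SAMPLE["alice@example.org"], tokens))
```

The comparison only covers query parameters; an identifier placed in the path or hostname would need the same per-copy comparison applied to those parts.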

  2. Re:Blindly following orders from a colonel... by YomikoReadman · Score: 3, Informative

    Depends on the situation. If a 4 star general is attempting to gain access to a protected installation, and a SF/MP member requests his ID, then that same 4 Star is required by law under UCMJ to provide it.

    Here's a real-world example:
    Location is on some AFB's flight line. An O-6 pilot, who thinks that restricted area demarcations do not apply to him, enters the restricted area without utilizing an authorized entry point. The SF team on patrol in the area hails the O-6, who ignores their orders to halt. At this point, he's run down, jacked up, placed in handcuffs, at which point he's escorted from the area and subjected to a very thorough search.

    So, as you can see, depending on the situation, there are NO repercussions. It's all about whether the challenging individual has the proper authority to request verification of identity. In all cases, a set of orders will be accompanied by a form of authentication, which you *should* be able to trust as valid.

    Now, getting back to the situation at hand, involving the email. Most likely, they received an e-mail with a valid signature block of the Col. in question. Upon receipt of that, they can do one of two things:

    1. Do what the email says. As far as they can tell, the email is properly authenticated as long as it comes from a .mil address and includes the proper signature block.

    2. Reply to the email requesting clarification. If the response seems sketchy, they can then use their chain of command to verify the authenticity.

    Now, herein lies the caveat in all of this; because they are cadets, they spend seven days a week, 24 hours a day getting it drilled into their heads to obey orders. As a result of that, they are less likely to question anything, or request clarification on anything they might otherwise question the authenticity of. Ultimately, I think this was a really bad way to handle the situation on the part of the instructor.

    --
    I have no regrets, this is the only path.
    My whole life has been "UNLIMITED BLADE WORKS"