US Army "Scams" Service Members to Test Their Spam Gullibility
9gezegen writes "An offer for free tickets to theme parks for service members turned out to be an email scam, a ploy that was in actuality a security exercise run by the Army. Involved servicemen and DoD civilians received an email, allegedly coming from the 'Army Family and Morale, Welfare and Recreation Command Office,' and directed them to a phishing site which asked for personal information. After rebuttal and warning by Army MWR, the website revealed that it was a security exercise after all. Army MWR later verified the exercise and announced they were not informed beforehand."
In order for the Army MWR to verify that this was in fact a legitimate security operation, they had to visit a website and enter their personal information...
The enemies of Democracy are
I want to know a percentage of people that fell for it!
The MWR people are all crying because no one told them that it was a test... Apparently, in their minds, there is no need to test an Army organization's response to someone falsifying announcements in their name.
Sounds like the test went off swimmingly. I can't count the number of times I've thought about doing the same sort of thing to people I work with. A few good solid scares will tighten up their security policy.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
More companies should do this. Hell, banks should do this to their customers.
Did they just want to see how much at risk their respective departments were? I don't think they needed to try this on the military with so much data out there. Information is the hardest thing to keep secure, right?
So now what happens with people who gave up too much info? Will they get in trouble or will it be "well now you know better?" Either way that's not cool at all. Just think if your company set this up on you, what would your reactions be?
My abilities are only limited by my imagination
people suggest that the stupidity of the army members leads to a higher percentage of click throughs. Remember, studies across the board have shown about a 60% 'gullibility' rate for almost any sector of the populace. Those using general banking, investment banks, 4 year degree holders, etc.
This is a totally good idea and should be implemented by educational and business institutions and here's why: #1 It creates awareness for the issue. #2 It will make people pay attention to the URL when using the web. #3 By inciting #2 it will make basic internet security mainstream.
I feel this is actually quite a good idea. ISPs, companies, schools, and other organizations could use this same tactic to train their populations to be spam savvy. Lord knows most people aren't. Come on IT departments, put on your white hat.
Because it's Wednesday, and the test was on Monday. Give 'em a chance to process the data!
Now, on to the answer you were looking for:
Unfortunately, in the process of transferring a few million dollars left by a distant relative in the State Bank of Nigeria, the soldier responsible for compiling the data allowed his system to be compromised, and all data was lost.
paintball
1. Don't ask.
2. Don't tell.
3. Don't opt-in.
Those who believe the Internet is private,
find their privates are on the Internet.
One would think the military would have an easier time than most. You and I cannot register .mil addresses. Shouldn't the people have been looking out for http://mwr.army-support.mil/ instead of http://mwr.army-support.com/ (the link in the email?) Or does the army use .com addresses for some things, 'cause that seems silly. One would think they could tweak the source in Firefox to change the address bar a different color for .mil addresses or something.
What are we going to do tonight Brain?
I always thought phishing was a recreation, why wouldn't it be part of MWR?
Prediction: The real iPhone killer is going to be sex robots from Japan. Think about it.
See, it's people like this the Military's Cyber Command should be hunting down... Huh?! What do you mean we sent it in the first place? Who should we attack then?
AP: US Cyber Command commences new attack policy, retaliates against North Korean Cyber Terrorists for Army Spam.
Human nature is to focus on important things and disregard unimportant things. Because security challenges don't happen every day, we tend to get lazy and think it's not important. (Blame evolution; your brain just isn't worried about charging lions until it sees one. After that, you tend to watch out for lions!)
At work, I will always do something to an unlocked computer. Sometimes it's just to open Notepad and write, "This machine has been hacked!" and crank the font size up to 96. Sometimes I'll send an "I Love You" e-mail from the person to the person sitting next to them. (Who I always bring in on the prank, and I have never had a problem getting cooperation).
Last week, my boss (VP of IT) went into a meeting and left his machine unlocked. I sent *his* boss an "I Quit!" message.
Now, unlocked computers are so very rare around here. I'm glad for the increased security, but sad that I can no longer prank my co-workers.
I didn't get the e-mail myself (or maybe I did, I'm on leave so I have not checked it in weeks), but this is an example of the kind of tests that the Army should do. Not telling MWR, good idea. It not only gives them an opportunity to see the response of troops, but an opportunity to see the response of MWR to this kind of threat.
//SPC Wood, Active Duty
What I think the Army will find most surprising (or not!) is the apparent lack of use of the AKO Webmail system, it sucks, hard.
There need to be more of these "safe tests" to point out to people that they need to be more careful about their email habits. Maybe, eventually, I won't have to worry about family members getting phished and falling victim to identity theft if they're educated this way.
Maybe I'm overly optimistic, but maybe the point of this exercise wasn't *just* about scaring people, but about trying to educate them in such a way that they remember the lesson? So, it could have a longer term positive impact than you credit it.
They will still need to conduct something like this once every year or two, though, you're right, because 1) yes, people will tend to become complacent, even if they now know better, and 2) Turnover (not apple or cherry) - old people leaving, new recruits joining, need to educate the new guys (and gals).
Plus, the information gathered in this exercise (not the data entered by the people on the phishing site, but the lessons learned by Command about the phishing attack and what made it succeed) could help them to review and re-write training material / procedures, and policies, to help them tighten up their security longer term. Although, we are talking about the military so who knows? (I kid, I kid. . . honestly, the military for the last 20 or so years has been doing, as far as I can tell, a pretty impressive job of re-inventing itself, and becoming much less bureaucratic than it used to have a reputation for being).
I'm responding directly to something that's relevant to the topic, and specifically giving a reasonable reaction to an obvious troll.
Not sure how that's flamebait. Granted, I did call an idiot an idiot.
Face it, whoever rated this down, you just don't agree with attacks on "your side". You know I'm right about this issue.
Hello, I am the former general Fred Mercasey of Ft. Oscdurity and recently I was relived of command. Not before I had transferred a large amount of C-4 and M-16's in an un-marked supply shed on the outskits of the base. The decision to relive me of command was unjust and illegal. I need your help in helping me reocver these supplies. With your assiatnce I will reward you with 10lbs of C-4 and 3 M-16s. In order for this transaction to happe3n you will need to send a good faith deposit of 3 M1A1 Abrams tanks to and undisclosed location in the Sierra Nacho desert. God Bless and Ten-hut!
Tsukasa: All I really want, is to be left alone...
I don't care, they should have known better. I've been a service member, and I gotta' tell you, I would have realized it was a scam the second I read the words "Army Family and Morale, Welfare and Recreation Command Office" ... and tried to pronounce the acronym so I could start using it.
AFMWRCO... AFMWRCO... wait a minute, something's fishy here...
Pronounce enough of these and you start seeing a pattern. What is that pattern? Beats me. It's just "one of those things."
Can I get a hoo-ah?
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
Most people are aware, or they should be aware, that in the event of a war or national emergency, they may be in for the duration. I was certainly aware of it. That's one of the risks that you take. It isn't the Hooterville Chowder and Marching Society.
Mea navis aericumbens anguillis abundat
From Humorix's "2008: The Year in Preview" (http://humorix.org/articles/2008/01/preview/)
:)
June 10 -- Word leaks that the major credit bureaus have teamed up with the Republican Party to tabulate a "Gullibility Score" on every American citizen. The system assigns a score based on how easily each person can be swayed with propaganda and shiny things.
Using the system, the GOP compiles a list of the top 12 million most gullible voters and starts a saturation campaign to hit them with mailings, automated phone calls, and door-to-door visits. Explains a campaign worker, "We've been wasting our time trying to fool all of the people some of the time. Instead, we now have a list with some of the people that we can fool all of the time!"
The timing's a little off, but it seems to line up
Not really. Any legitimate Army website should be in the .mil domain.
Still they picked an ironic command to spoof - this whole exercise must've been just great for morale. "87% of Army personnel were successfully conned into revealing personal information by a phishing e-mail and website. Go ARMY!"
(I made up 87% - it's a joke.)
...the future crusty old bastards are already drinking the Kool-Aid.
http://www.army.mil/-news/2008/04/02/8265-phishing-e-mail-to-mwr-patrons-turns-out-to-be-army-exercise/ 10,000 mails sent, 3,000 visitors to the site (enough to gather IP addies, browser agents, etc.).
Actually, that's not a scam. The military will pay for whatever school you can get accepted into. If there is a conflict going on, and you are currently enrolled, you just send in a verification of your enrollment and the military will (they have to) pass over you until your next deployment comes up next, you graduate, or you decide to resume service.
They cannot pull you out of class. The only time they can pull you out of class is during a natural disaster (National Guard, or in extreme cases, the standing military). If the conflict or disaster gets to the point where they are pulling people out in the middle of class, school for everybody will pretty much be irrelevant to the issues occurring. However, they can keep you deployed for a certain amount of extended time, provided you are already deployed.
I know it's easy to trash the military, being all high on your horse and born with a silver spoon in your mouth, but until you can actually say you've EARNED your right to free speech, rather than using it because you were born with it, pull your head out of your ass and stop abusing it. Unlike you, obviously, those of us in the military have the guts, balls, discipline, and bravery to fight for our rights at the expense and derision of little pussies like you who talk trash about us while sipping a Starbucks latte in your comfy office. Someone should strap you to the side of a Humvee and use you for armor. Weak armor.
Knowing Google's lust for data collection, the Soviet Union is still alive and well inside the psyche of Sergey Brin....
I have, in my life, been denied the ability to petition for a writ of habeas corpus right here in this country you're so fond of claiming is free.
I have had my rights violated, under color of law, and been denied any redress thanks to procedural technicalities.
Shut the fuck up about freedom. It isn't available to everyone, even in America. I wasn't born with a silver spoon, I had to fight for every last trace of freedom I enjoy. People were using violence against me in the name of my best interests before (I'm guessing) you could count to five. (It's at least as valid an assumption as your assumption about my silver spoon.)
Though, it doesn't surprise me that someone who wants to lecture me about how they are fighting for my freedom wants me used for armor for their humvee for exercising that very same freedom they're lecturing me about.
That's about par for course.
"I have, in my life, been denied the ability to petition for a writ of habeas corpus right here in this country you're so fond of claiming is free.
"I have had my rights violated, under color of law, and been denied any redress thanks to procedural technicalities."
Boo hoo. So the law didn't let you get your way, because you weren't supposed to under the way it was written. Just because you feel that you should get something doesn't mean that you are SUPPOSED to get something. Freedom and rights do not mean that you were supposed to get something because you feel like it. You didn't get what you asked for because you weren't SUPPOSED to get it. Until the judge, or whoever denied your requests, is overruled, justice has been served and freedoms preserved.
"I have had my rights violated, under color of law, and been denied any redress thanks to procedural technicalities."
Lemme guess..... You were roughed up by the cops for no reason?
Knowing Google's lust for data collection, the Soviet Union is still alive and well inside the psyche of Sergey Brin....
Sorry pal, but you're going to have to back up that extreme position you're taking, because all research indicated there is a correlation between high school graduation and intelligence.
Sorry you met a dumbass or two with a diploma. But I'm relying on facts and you're relying on anecdote and claiming I'm the one with the fallacy.
Sure, there are geniuses who fail to graduate. There are tons of morons who do graduate... but the group of non graduates is definitely dumber, as a group, than those who did graduate. Anyone disputing this had better have something freaking powerful to rely on (of course, no such evidence exists because I'm right).
the sign hung over the door to The Asylum.
I agree with your point though, a toothpick is not going to suddenly cause the office building across the street to collapse.
Ice Cream has no bones.
I'm probably sitting on my silverspoon fed horse right now. But I EARNED the right of free speech by learning to communicate. We are human. Taking that right away from us is a human rights violation.
And while you obviously would love to kill to protect your rights I'm prepared to die for my rights. Especially when it comes to this whole terrorism thing.
Let's cut these guys some slack. It's happened to the best of us. (me too...I say in a hushed voice). And who isn't enticed by free stuff?
LouiseV
The Army, (and other services), also use .com, .org and .biz domains. The actual Family & MWR Command site is armymwr.com. This is primarily done so that soldiers, sailors, etc. can reach the, (commercially hosted), sites from home computers. Lots of .mil and .gov domains restrict huge chunks of the Internet from accessing anything.
This is the core of the military, especially in active combat. You subsume yourself into the greater whole to complete your mission and survive.
I would find it doubtful that a true soldier would approve scams. perhaps this is an idea from some computer consultant.
What method would you recommend? Stapling it to his forehead, or perhaps just a tattoo while they sleep?
which is totally what she said
I fell for this trick, as did a lot of the people in my office, but there are some important points before you reinforce your ignorant military stereotype.
1. This wasn't like real phishing. The website didn't ask for any real information, just a name and e-mail address.
2. Soldiers are used to getting free shit. The Army MWR does give out free tickets to amusement parks.
3. The e-mails were sent from trusted addresses at headquarters. This is obviously not a good excuse, as it's the number one thing that causes these types of things, however it did add to the problem.
Would you really be so suspicious of a "phishing" website that didn't actually ask for any personal data? I think most people's red flags for phishing go off when they are asked for a social security number, password, or other more personal information. How many times in a year do you provide your name and e-mail address to a website that you don't really trust in order to get some service from that website?
That being said, I should have known to look at the URL, but I didn't. If only 30% of people signed up for the website, I think it may actually be a good thing. That means that the training that army does to prohibit things like this is working. The thing here is that you have to acknowledge the difference between military and civilians when forming your opinion. As a civilian you don't often have people giving you free shit, but in the military it's a common occurrence.
I can't think of a really good analogy, but if you received an e-mail from your friend telling you that you could get in on a World of Warcraft expansion early beta test, you click the link, and then a page asks you for your e-mail address and password, there's a good chance that most people wouldn't notice that http://www.worldofwarcraft.blizard.net/beta is not the real server. And since it's just asking for an e-mail and name you probably wouldn't care. I don't know if I've made my point but anyway there it is.
Insightful? That's funny, I thought we were endowed with certain inalienable rights by our creator, not the magnanimity of GI IHC Navistar who courageously takes orders and carries a gun with his Balls.
You know, I'm glad someone finally has the stones to speak the truth: we go to war with countries not to control their resources (that is so last century) but to somehow defend my freedom of speech. Thank you, military! I'm sure you'll be well-pleased to know that I'm using my freedom of speech to do the very thing it's intended for: criticize everything. If that makes me unlikable, or even (shudder) unpatriotic, well, you military people have only yourselves to blame. If you were not out there defending my free speech, I wouldn't be sitting here sipping my Venti Americano (with five ice cubes and room for milk) and writing this drivel in the first place.
Remember: if you don't like what someone is saying, don't blame them--blame their ability to say it, and by extension, the military!
You have a very strange idea of the "average US city", since the current high school completion rate is 86%.
That number includes GEDs; since the military number does as well, it's deceptive to do otherwise. If you want to exclude GEDs, you get 71% for civilians and 71% for the latest batch of army recruits.
Perhaps you got your 50% figure here, which was talking about rates in a minority of cities, excluding GED. Cherry-picking that minority of cities and comparing that to GED-inclusive rates is, obviously, rather disingenuous.
You seem terribly certain of a claim you have no evidence for. Let's look for some, shall we?
The average IQ of an enlisted man in 1998 was apparently 105, based on comparison to a 1980 test. Thanks to the Flynn Effect, IQ in 1998 should average 105 on a 1980 test, meaning the IQ of US military recruits appears to be totally average.
I'm sorry if that interferes with your self-aggrandizing, pro-military chest-thumping, or with the self-aggrandizing, anti-military chest-thumping of the people you're getting irritated by, but the simple fact of the matter is that evidence suggests military folk and civilian folk are just as smart as each other. Rather than "dumb grunts" or "dumb civvies", the only lack of intelligence here appears to be on the part of those making the ill-informed stereotypes.
Here are some numbers just from the Air Force alone:
- 72 percent of enlisted personnel have some semester hours towards a college degree
- 17 percent of enlisted personnel have an associate's degree or equivalent semester hours
- 5 percent of enlisted personnel have a bachelor's degree
- 0.01 percent have a professional or doctorate degree
And that is just the enlisted. So to those that think that the US military is for dummies. And that military serves no useful purpose please go to Indonesia, Pakistan, Afghanistan, or countries in the Horn of Africa and say you know "I don't want to disappoint you but we are getting rid of our military and all that food medicine, free doctor's care, new water wells, electricity, that you have been receiving via our military is not going to be provided to you any more. Oh and those fanatics that have been threatening you for years now we aren't going to protect you from any more because we are getting rid of our military." Also include the following while you are at it. "Oh you know that development of that dam to keep your land from flooding every year that causes disease and destroys your crops well the Corps of Engineers are a part of our military and well they're gone too."
Would it not be the most malevolent idea if somehow you opted out of their e-mail and inadvertently be drafted into military service.
Imagine how that would work.
The Rapture is NOT an exit strategy.