Slashdot Mirror


US Army "Scams" Service Members to Test Their Spam Gullibility

9gezegen writes "An offer for free tickets to theme parks for service members turned out to be an email scam, a ploy that was in actuality a security exercise run by the Army. Involved servicemen and DoD civilians received an email, allegedly coming from the 'Army Family and Morale, Welfare and Recreation Command Office,' and directed them to a phishing site which asked for personal information. After rebuttal and warning by Army MWR, the website revealed that it was a security exercise after all. Army MWR later verified the exercise and announced they were not informed beforehand."

32 of 218 comments

  1. Let me guess... by Chris+Burke · · Score: 5, Funny

    In order for the Army MWR to verify that this was in fact a legitimate security operation, they had to visit a website and enter their personal information...

    --

    The enemies of Democracy are
  2. Why no stats on who fell for it? by QuesarVII · · Score: 4, Interesting

    I want to know a percentage of people that fell for it!

    1. Re:Why no stats on who fell for it? by jackrabbit123 · · Score: 3, Interesting

      I know someone who did. As an aside all the site asked for was your email address. It's not like they were asking for people to give up their SSN or bank account numbers.

      --
      War(n) - God's way of teaching Americans geography.
  3. Typical by SatanicPuppy · · Score: 4, Insightful

    The MWR people are all crying because no one told them that it was a test. Apparently, in their minds, there is no need to test an Army organization's response to someone falsifying announcements in their name.

    Sounds like the test went off swimmingly. I can't count the number of times I've thought about doing the same sort of thing to people I work with. A few good solid scares will tighten up their security policy.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    1. Re:Typical by KevMar · · Score: 5, Interesting

      I am tempted to do this all the time, but I know the administration would not understand what I am talking about. In the end I would probably get fired on a technicality.

      The weakest link in any security system is the end user. I work with users that have the hardest time with computers. I have this guy call every week because he forgot his password and I have to take 10 min training him how to change his password. (why every week? he only works on Thursdays).

      Now you will have to make a new password; it has to have ... blah ... blah ... You have to retype it to confirm it before you press enter this time.

      Now you have to put in your old password again. Not that one, the one I just gave you is the old password. You have to click in the line. Click the mouse. Left click. You can't hover the mouse over it, you have to click in it. ... Now type your new password. On the next line retype it. You have to click, no, left click, click the mouse in the box.

      You have to type it the same. No, I can see they don't match. The first one is longer, it has more dots.

      You just can't explain to some people what phishing even is.

      I had one guy call up freaking out that his computer told him he had porn on it. (It's a firing on the spot if you have porn.) It was a little pop-up window trying to get him to install a program to "remove" it. The good news is he was too scared to click the button and called me instead. Other users had to be rebuilt.

      I know an attack like this would catch so many people and you have to train them. But you spend so much time just logging them in or working on the basic stuff. This is one detail that some people will have a hard time grasping.

      I am in an interesting environment. I have college students looking to enter the workforce working with people that are about to retire or have retired. So I deal with the full range of users all the time.

      --
      Im a gamer, not a grammer major. This post is full of spelling and grammer mistakes.
    2. Re:Typical by raehl · · Score: 4, Funny

      how long will they remain scared and secure?

      As long as you leave up the signs that say "Threat Level: Orange", of course.

    3. Re:Typical by glavenoid · · Score: 3, Funny

      Or worse-- Threat Level: Elmo

      --
      I, for one, am looking forward to the inevitable /. beta rollout fallout.
    4. Re:Typical by daeg · · Score: 5, Interesting

      Clear it with management and do it on a limited, rolling basis.

      We do it on a random sample of users with our web platform. All login requests get routed to a central domain ("shield.domain.com") which is non-SSL. That domain does a little basic load balancing to distribute requests to "https://foo.domain.com" or "https://bar.domain.com". We have a few extra domains set up, including "https://foo.domane.com" with a valid SSL certificate; "https://aa.domain.com" with an invalid certificate; and a non-SSL domain, "http://foodomain.com". All are nearly identical to our login page - one has a button out of alignment, throws some JavaScript errors, etc.

      The pages alert the user to the deception on the first try. Second tries net a phone call. Third tries get a more detailed phone call with the office owner & account lockout.

      It's been very effective; in fact, I've received several thank-you notes so far from our users for teaching them about it. Not just dictating to them, but teaching them through first-hand experience. They thank us because they can easily apply that same "does the address bar really match what it should?" technique to every other site out there.

      And to get the same effect as phishing, we send out periodic/random e-mails that read pretty official, but come from the wrong domain, or have a forged From: address, asking a user to visit a set-up fraud website to enter personal information (not detailed, mostly just fishing for their user credentials).

      The only thing I don't know yet is if users are learning because they are actually learning, or if it's a forced behavior just so they don't get a phone call from me. I'm not sure it matters why, just as long as it's happening.

    5. Re:Typical by vidarh · · Score: 4, Interesting

      A company I did consulting for at one point did this by posting a top ten list in a very visible spot in the office regularly. No identifiable information, even though all outgoing requests were forced through Squid and so they had the internal static IP addresses of everyone. Within a week visits to "undesirable" sites had dropped to near zero, and there was no reason to deal with anyone - just a gentle reminder that their requests _had_ been logged seemed to be more than enough.

    6. Re:Typical by bhiestand · · Score: 4, Interesting

      The weakest link in any security system is the end user. I work with users that have the hardest time with computers. I have this guy call every week because he forgot his password and I have to take 10 min training him how to change his password. (why every week? he only works on Thursdays).

      Now you will have to make a new password is has to have ... blah ... blah ...

      Have you ever considered that your passwords might be too complex for the average user? I worked for an organization that had very stringent password rules: 2 lower case, 2 upper case, 2 special characters, 2 numbers, numbers cannot repeat, letters can't be next to each other on the keyboard, and the password must be changed every 60 days, and that was just for my network login. There were more for internal company websites, databases, and custom programs that all had to have similar (but different) passwords.

      I consider myself fairly intelligent, but I had a heck of a time remembering the passwords and was embarrassed by needing regular password resets after long weekends.

      To make matters worse, password management programs like KeePass were not allowed on the network and any unauthorized software could get you in trouble. Because of this I ended up having to do things like writing half my password on a post-it and the other half on a card in my wallet. I devised all sorts of incredibly insecure systems to store the myriad complex passwords I was required to maintain.

      --
      SWM seeks new sig for a brief fling
  4. This is good. by Anonymous+Crowhead · · Score: 5, Insightful

    More companies should do this. Hell, banks should do this to their customers.

    1. Re:This is good. by steveo777 · · Score: 5, Funny

      Hell, banks should do this to their customers.

      They already do. Haven't you ever received a "Pre-Approved" credit card application?

      --
      This sig isn't original enough, it's time to come up with something witty...
  5. In before.... by Protonk · · Score: 3, Insightful

    people suggest that the stupidity of the army members leads to a higher percentage of click throughs. Remember, studies across the board have shown about a 60% 'gullibility' rate for almost any sector of the populace. Those using general banking, investment banks, 4 year degree holders, etc.

    1. Re:In before.... by Moonpie+Madness · · Score: 4, Insightful

      who are these people making that suggestion?

      I'm not pretending the army is full of Einsteins, but they all graduated high school or earned a GED (vast vast majority graduated high school), and all of them are required to learn math skills involving chemical attack detection, navigation, operating a frequency hopping radio, etc.

      Compare that to kids in the average US city, where 50% do not graduate high school.

      The Army is certainly a lot smarter than the general population. They may be more willing to rely on titles (like MWR)... I don't know about that, but I'd like to know who is buying the Carter era propaganda that the army is a bunch of idiots.

    2. Re:In before.... by kd5ujz · · Score: 3, Informative

      At least Half (if not all) of the military's equipment has VERY explicit instructions written on it, to the point that if you had not been trained in its use, you could pick it up on the battlefield and make it work in a few minutes. Take the AT-4 for example, if you follow the attached link and click on detailed instructions, you will see what is printed on the launch tube. In the other photos, you can see the instructions, but you can not make out the words.

      http://www.bellum.nu/armoury/FFVAT4.html

      --
      -William
      God is everything science has yet to explain.
    3. Re:In before.... by Anonymous Coward · · Score: 3, Insightful

      Actually it's smart to have directions. Not because people are dumb, but so people who are under extreme duress can still function. And what about people not trained to use the device, or who were trained a long time ago but don't regularly use it? Not putting directions on everything would be dumb.

    4. Re:In before.... by evilviper · · Score: 4, Funny

      you will see what is printed on the launch tube.

      "AIM AWAY FROM FACE." ???

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  6. Not the answer you are looking for.... by raehl · · Score: 4, Funny

    Because it's Wednesday, and the test was on Monday. Give 'em a chance to process the data!

    Now, on to the answer you were looking for:

    Unfortunately, in the process of transferring a few million dollars left by a distant relative in the State Bank of Nigeria, the soldier responsible for compiling the data allowed his system to be compromised, and all data was lost.

  7. Addendum by oahazmatt · · Score: 4, Funny

    1. Don't ask.
    2. Don't tell.
    3. Don't opt-in.

    --
    Those who believe the Internet is private,
    find their privates are on the Internet.
    1. Re:Addendum by TubeSteak · · Score: 4, Funny

      1. Don't ask.
      2. Don't tell.
      3. Don't opt-in.

      Hello [Armed Forces Member],
          This is an e-mail from the Army Family and Morale, Welfare and Recreation Command Office informing you that you've been signed up for the "STDs and You" mailing list. To Opt-Out, please visit the following link: hxxp://maliciouslink.com where you will be asked for some basic information to verify your identity.
      --
      [Fuck Beta]
      o0t!
  8. .mil??? by QuantumRiff · · Score: 5, Insightful

    One would think the military would have an easier time than most. You and I cannot register .mil addresses. Shouldn't the people have been looking out for http://mwr.army-support.mil/ instead of http://mwr.army-support.com/ (the link in the email)? Or does the Army use .com addresses for some things? 'Cause that seems silly. One would think they could tweak the source in Firefox to change the address bar to a different color for .mil addresses or something.

    --

    What are we going to do tonight Brain?
    1. Re:.mil??? by -Tango21- · · Score: 3, Interesting

      That's a great idea, but it might have been obfuscated by spoofing and hiding a ".mil" extension within a long hyperlink. I know many organizations that send out requests for information via third-party links. I would bet that the service men and women who responded to the offer were trained to a certain degree _to do_ the very thing that the Army admonished them for. What I mean is, they are probably so used to replying/responding to such inquiries that they didn't even think twice (heck, the Army even trains their soldiers not to disobey).

      I'd give the people that responded a break, they seemed very well targeted. There is probably a significant number of people who, if they were on the receiving end of such a targeted offer, would probably succumb to a similar promise. But, as other people have noted, perhaps this will help people question what they see more and not accept things at face value. Who knows, if the Army finds human error too much of an operational risk maybe they will start whitelisting sites people can go to instead of expecting people to identify fine-tuned phishing scams.

      Then again, the only safe network is one that is air-gapped, degrading its usefulness but greatly increasing its security; at least to outside threats - there's always room for user error!
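The checks the thread keeps circling back to (daeg's forged From: addresses and look-alike hosts, QuantumRiff's ".mil, not .com" test, and -Tango21-'s point about a ".mil" hidden inside a longer hostname) can be mechanised on the receiving side. The following is an added illustration, not code from any of the posters or from the Army exercise; it assumes a small allowlist of trusted DNS suffixes (here just `.mil`) and runs over two constructed sample messages modelled on the story, using only the Python standard library.

```python
import email
import email.utils
import re
from urllib.parse import urlparse

# Trusted suffixes are an assumption for the example; a real deployment
# would load the organisation's own list.
TRUSTED_SUFFIXES = (".mil",)

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample: looks like an MWR notice but bounces to a .com
# domain and links to hosts that merely contain the string ".mil".
SAMPLE_PHISH = """\
From: Army MWR <notices@mwr.army.mil>
Return-Path: <bounce@army-support.com>
To: soldier@example.mil
Subject: Free theme park tickets for service members

Claim your tickets here:
http://mwr.army.mil.army-support.com/claim
Or visit http://mwr.army-support.com/
"""

# Constructed sample: sender, bounce address and link all sit under .mil.
SAMPLE_LEGIT = """\
From: Army MWR <notices@mwr.army.mil>
Return-Path: <bounce@mwr.army.mil>
To: soldier@example.mil
Subject: MWR schedule update

Details: https://www.armymwr.mil/schedule
"""


def host_is_trusted(host, suffixes=TRUSTED_SUFFIXES):
    """True only when the host's own suffix is trusted.

    'mwr.army.mil.army-support.com' ends in '.com', so it is rejected even
    though '.mil' appears in the middle of the name."""
    host = host.lower()
    return any(host.endswith(s) for s in suffixes)


def address_domain(header_value):
    """Domain part of a From:/Return-Path: style header (empty if none)."""
    _, addr = email.utils.parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def link_hosts(body):
    """Hostnames of every http(s) URL found in the plain-text body."""
    return [(urlparse(u).hostname or "").lower() for u in URL_RE.findall(body)]


def analyse(raw_message):
    """Return a list of human-readable findings; empty means nothing flagged."""
    msg = email.message_from_string(raw_message)
    findings = []

    from_dom = address_domain(msg["From"])
    bounce_dom = address_domain(msg["Return-Path"])
    if bounce_dom and bounce_dom != from_dom:
        findings.append(f"From/Return-Path mismatch: {from_dom} vs {bounce_dom}")
    if from_dom and not host_is_trusted(from_dom):
        findings.append(f"sender domain not trusted: {from_dom}")

    for host in link_hosts(msg.get_payload()):
        if not host_is_trusted(host):
            hint = " (note the '.mil' buried inside the name)" if ".mil" in host else ""
            findings.append(f"link host not trusted: {host}{hint}")
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, analyse(sample) or "no findings")
```

The suffix test deliberately uses the end of the hostname only: a user (or a filter) that simply searches a link for the text ".mil" is exactly the weakness -Tango21- describes, while checking the registrable suffix is the address-bar discipline daeg's decoy pages train. The From/Return-Path comparison is a cheap first cut at the "forged From:" case; it catches mismatched bounce domains but not a fully forged envelope, which needs SPF/DKIM checks beyond this example.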

  9. Challenges = Good Security by Anonymous Coward · · Score: 3, Insightful

    Human nature is to focus on important things and disregard unimportant things. Because security challenges don't happen every day, we tend to get lazy and think it's not important. (Blame evolution; your brain just isn't worried about charging lions until it sees one. After that, you tend to watch out for lions!)

    At work, I will always do something to an unlocked computer. Sometimes it's just to open Notepad and write, "This machine has been hacked!" and crank the font size up to 96. Sometimes I'll send an "I Love You" e-mail from the person to the person sitting next to them. (Who I always bring in on the prank, and I have never had a problem getting cooperation).

    Last week, my boss (VP of IT) went into a meeting and left his machine unlocked. I sent *his* boss an "I Quit!" message.

    Now, unlocked computers are so very rare around here. I'm glad for the increased security, but sad that I can no longer prank my co-workers.

  10. Re:And what was the point? by qbzzt · · Score: 4, Insightful

    Either way that's not cool at all. Just think if your company set this up on you, what would your reactions be?

    If my company trusted my co-workers with information that could get me killed, I'd want them to test susceptibility to social engineering. If I do a bad job, my company loses money. When people in the military do a bad job, people can die (OK, when they do a good job people still die - but they're other people, those trying to kill them). They need to worry more about security.

    --
    -- Support a free market in the field of government
  11. I like it by Daniel+Wood · · Score: 4, Insightful

    I didn't get the e-mail myself(or maybe I did, I'm on leave so I have not checked it in weeks), but this is an example of the kind of tests that the Army should do. Not telling MWR, good idea. It not only gives them an opportunity to see the response of troops, but an opportunity to see the response of MWR to this kind of threat.

    What I think the Army will find most surprising(or not!) is the apparent lack of use of the AKO Webmail system, it sucks, hard. //SPC Wood, Active Duty

  12. Re:And what was the point? by couchslug · · Score: 3, Interesting

    "I don't think they needed to try this on the military with so much data out there."

    I think that the military should try more such exercises to keep their people aware of such security issues. If they do it enough, the standard response to such emails will be to verify the source and report it as required.

    Even with the somewhat computer-literate USAF folks I served with, these "exercises" would have been very helpful.

    --
    "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
  13. Education? by JSBiff · · Score: 3, Interesting

    Maybe I'm overly optimistic, but maybe the point of this exercise wasn't *just* about scaring people, but about trying to educate them in such a way that they remember the lesson? So, it could have a longer-term positive impact than you credit it.

    They will still need to conduct something like this once every year or two, though, you're right, because 1) yes, people will tend to become complacent, even if they now know better, and 2) Turnover (not apple or cherry) - old people leaving, new recruits joining, need to educate the new guys (and gals).

    Plus, the information gathered in this exercise (not the data entered by the people on the phishing site, but the lessons learned by Command about the phishing attack and what made it succeed) could help them to review and re-write training material / procedures, and policies, to help them tighten up their security longer term. Although, we are talking about the military so who knows? (I kid, I kid. . . honestly, the military for the last 20 or so years has been doing, as far as I can tell, a pretty impressive job of re-inventing itself, and becoming much less bureaucratic than it used to have a reputation for being).

    1. Re:Education? by Jaime2 · · Score: 3, Insightful

      Ummmm.... This was a test, not a lesson. A good test is designed to evaluate something, not to educate or to scare. Now, the Army knows at what rate people can be scammed. This data will either be used to judge the effectiveness of their previous training (if there has been any), or as a baseline to judge effectiveness of future training. You cannot teach during a test without destroying the statistical validity of the results.

  14. Dear Seargent or Lewtenant by jameskojiro · · Score: 4, Funny

    Hello, I am the former general Fred Mercasey of Ft. Oscdurity and recently I was relived of command. Not before I had transferred a large amount of C-4 and M-16's in an un-marked supply shed on the outskits of the base. The decision to relive me of command was unjust and illegal. I need your help in helping me reocver these supplies. With your assiatnce I will reward you with 10lbs of C-4 and 3 M-16s. In order for this transaction to happe3n you will need to send a good faith deposit of 3 M1A1 Abrams tanks to and undisclosed location in the Sierra Nacho desert. God Bless and Ten-hut!

    --
    Tsukasa: All I really want, is to be left alone...
  15. Dear sir by sootman · · Score: 3, Funny

    Your post advocates a
    ( ) technical
    ( ) legislative
    ( ) market-based
    (x) military
    approach to fighting spam...
    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
  16. According to them, roughly 30% by ronabop · · Score: 3, Informative

    http://www.army.mil/-news/2008/04/02/8265-phishing-e-mail-to-mwr-patrons-turns-out-to-be-army-exercise/ 10,000 mails sent, 3,000 visitors to the site (enough to gather IP addies, browser agents, etc.).

  17. Re:The army has been scamming people for years. by IHC+Navistar · · Score: 3, Insightful

    Actually, that's not a scam. The military will pay for whatever school you can get accepted into. If there is a conflict going on, and you are currently enrolled, you just send in a verification of your enrollment and the military will (they have to) pass over you until your next deployment comes up next, you graduate, or you decide to resume service.

    They cannot pull you out of class. The only time they can pull you out of class is during a natural disaster (National Guard, or in extreme cases, the standing military). If the conflict or disaster gets to the point where they are pulling people out in the middle of class, school for everybody will pretty much be irrelevant to the issues occurring. However, they can keep you deployed for a certain amount of extended time, provided you are already deployed.

    I know it's easy to trash the military, being all high on your horse and born with a silver spoon in your mouth, but until you can actually say you've EARNED your right to free speech, rather than using it because you were born with it, pull your head out of your ass and stop abusing it. Unlike you, obviously, those of us in the military have the guts, balls, discipline, and bravery to fight for our rights at the expense and derision of little pussies like you who talk trash about us while sipping a Starbucks latte in your comfy office. Someone should strap you to the side of a Humvee and use you for armor. Weak armor.

    --
    Knowing Google's lust for data collection, the Soviet Union is still alive and well inside the psyche of Sergey Brin....