Slashdot Mirror


US Army "Scams" Service Members to Test Their Spam Gullibility

9gezegen writes "An offer for free tickets to theme parks for service members turned out to be an email scam, a ploy that was in actuality a security exercise run by the Army. Involved servicemen and DoD civilians received an email, allegedly coming from the 'Army Family and Morale, Welfare and Recreation Command Office,' and directed them to a phishing site which asked for personal information. After rebuttal and warning by Army MWR, the website revealed that it was a security exercise after all. Army MWR later verified the exercise and announced they were not informed beforehand."

6 of 218 comments

  1. Let me guess... by Chris Burke · Score: 5, Funny

    In order for the Army MWR to verify that this was in fact a legitimate security operation, they had to visit a website and enter their personal information...

    --

    The enemies of Democracy are
  2. This is good. by Anonymous Crowhead · Score: 5, Insightful

    More companies should do this. Hell, banks should do this to their customers.

    1. Re:This is good. by steveo777 · Score: 5, Funny

      Hell, banks should do this to their customers.

      They already do. Haven't you ever received a "Pre-Approved" credit card application?

      --
      This sig isn't original enough, it's time to come up with something witty...
  3. .mil??? by QuantumRiff · Score: 5, Insightful

    One would think the military would have an easier time than most. You and I cannot register .mil addresses. Shouldn't the people have been looking out for http://mwr.army-support.mil/ instead of http://mwr.army-support.com/ (the link in the email)? Or does the army use .com addresses for some things, because that seems silly. One would think they could tweak the source in Firefox to change the address bar a different color for .mil addresses or something.

    --

    What are we going to do tonight Brain?
  4. Re:Typical by KevMar · Score: 5, Interesting

    I am tempted to do this all the time, but I know the administration would not understand what I am talking about. In the end I would probably get fired on a technicality.

    The weakest link in any security system is the end user. I work with users that have the hardest time with computers. I have this guy call every week because he forgot his password and I have to take 10 min training him how to change his password. (Why every week? He only works on Thursdays.)

    Now you will have to make a new password, it has to have ... blah ... blah ... You have to retype it to confirm it before you press enter this time.

    Now you have to put in your old password again. Not that one, the one I just gave you is the old password. You have to click in the line. Click the mouse. Left click. You can't hover the mouse over it, you have to click in it. ... Now type your new password. On the next line retype it. You have to click, no, left click, click the mouse in the box.

    You have to type it the same. No, I can see they don't match. The first one is longer, it has more dots.


    You just can't explain to some people what phishing even is.

    I had one guy call up freaking out that his computer told him he had porn on it. (It's a fire on the spot if you have porn.) It was a little pop-up window trying to get him to install a program to "remove" it. The good news is he was too scared to click the button and called me instead. Other users had to be rebuilt.

    I know an attack like this would catch so many people and you have to train them. But you spend so much time just logging them in or working on the basic stuff. This is one detail that some people will have a hard time grasping.

    I am in an interesting environment. I have college students looking to enter the workforce working with people that are about to or have retired. So I deal with the full range of users all the time.

    --
    I'm a gamer, not a grammar major. This post is full of spelling and grammar mistakes.
  5. Re:Typical by daeg · Score: 5, Interesting

    Clear it with management and do it on a limited, rolling basis.

    We do it on a random sample of users with our web platform. All login requests get routed to a central domain ("shield.domain.com") which is non-SSL. That domain does a little basic load balancing to distribute requests to "https://foo.domain.com" or "https://bar.domain.com". We have a few extra domains set up, including "https://foo.domane.com" with a valid SSL certificate; "https://aa.domain.com" with an invalid certificate; and a non-SSL domain, "http://foodomain.com". All are nearly identical to our login page - one has a button out of alignment, throws some JavaScript errors, etc.

    The pages alert the user to the deception on the first try. Second tries net a phone call. Third tries get a more detailed phone call with the office owner & account lockout.

    It's been very effective; in fact, I've received several thank-you notes so far from our users for teaching them about it. Not just dictating to them, but teaching them through first-hand experience. They thank us because they can easily apply that same "does the address bar really match what it should?" technique to every other site out there.

    And to get the same effect as phishing, we send out periodic/random e-mails that read pretty official, but come from the wrong domain, or have a forged From: address, asking a user to visit a set-up fraud website to enter personal information (not detailed, mostly just fishing for their user credentials).

    The only thing I don't know yet is if users are learning because they are actually learning, or if it's a forced behavior just so they don't get a phone call from me. I'm not sure it matters why, just as long as it's happening.
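As an added example (not part of this thread and not any poster's code), here is a Python sketch of the two checks the comments above turn on: QuantumRiff's point that the registrable domain and TLD are what the user should be comparing (.mil against .com), and daeg's decoy classes (a typo-squat with a valid certificate, an unexpected subdomain on the real domain, a plain-HTTP copy) together with the three-rung escalation of alert, phone call, and call-plus-lockout. The trusted hostnames, the user names and the From: headers are all constructed for the example; the registrable-domain helper assumes no multi-label public suffixes such as co.uk, which a real deployment would handle with the Public Suffix List.

```python
"""Added example: login-URL and From: checks for a phishing drill, plus the
per-user escalation ladder described in the thread. All data is constructed."""
from collections import defaultdict
from email.utils import parseaddr
from typing import Iterable, Optional
from urllib.parse import urlsplit


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typo-squats such as domane.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of a hostname (assumption: no multi-label public suffix)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_login_url(url: str, trusted_hosts: Iterable[str]) -> str:
    """Say why a login URL should or should not be trusted.

    Verdicts, mirroring the decoy pages in the thread:
      ok                 exact trusted host over HTTPS
      no-tls             http:// (the plain-HTTP decoy)
      unknown-subdomain  right registrable domain, unexpected host (aa.domain.com)
      lookalike          typo-squat or wrong TLD (domane.com, army-support.com)
      foreign            unrelated domain
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        return "no-tls"
    trusted = {h.lower() for h in trusted_hosts}
    if host in trusted:
        return "ok"
    trusted_regs = {registrable(h) for h in trusted}
    cand = registrable(host)
    if cand in trusted_regs:
        return "unknown-subdomain"
    for reg in trusted_regs:
        # A close edit distance catches domane.com; the second-level label
        # appearing inside the candidate catches foodomain.com and the
        # same name under a different TLD (army-support.com vs .mil).
        label = reg.split(".")[0]
        if _edit_distance(cand, reg) <= 2 or label in cand:
            return "lookalike"
    return "foreign"


def sender_is_internal(from_header: str, trusted_hosts: Iterable[str]) -> bool:
    """True only when the address part of From: is on a trusted registrable
    domain; the display name is ignored, which is what a forged header relies on."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return False
    domain = addr.rsplit("@", 1)[1]
    return registrable(domain) in {registrable(h) for h in trusted_hosts}


class DrillTracker:
    """Escalation ladder from the thread: first catch alerts the user, second
    gets a phone call, third a call with the office owner and a lockout.
    Further catches stay on the top rung."""

    LADDER = ("alert", "call", "call-with-owner-and-lockout")

    def __init__(self) -> None:
        self._caught = defaultdict(int)

    def record(self, user: str, verdict: str) -> Optional[str]:
        """Return the action for this attempt, or None when the URL was legitimate."""
        if verdict == "ok":
            return None
        self._caught[user] += 1
        rung = min(self._caught[user], len(self.LADDER)) - 1
        return self.LADDER[rung]

    def is_locked(self, user: str) -> bool:
        return self._caught[user] >= len(self.LADDER)


if __name__ == "__main__":
    TRUSTED = {"foo.domain.com", "bar.domain.com"}  # constructed
    tracker = DrillTracker()
    for url in ("https://foo.domane.com/login", "https://aa.domain.com/login",
                "http://foodomain.com/login", "https://foo.domain.com/login"):
        verdict = classify_login_url(url, TRUSTED)
        print(f"{url:32} {verdict:18} -> {tracker.record('alice', verdict)}")
```

The substring test on the second-level label is deliberately loose: it will flag any host that merely contains the organisation's name, which is the behaviour you want in a drill (the decoy pages are supposed to be caught) but which would need a shorter allow-list of known partner domains before being used to block anything in production.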