Slashdot Mirror


Belgian Government Phishing Test Goes Off-Track

alphadogg writes: An IT security drill went off the tracks in Belgium, prompting a regional government office to apologize to European high-speed train operator Thalys for involving it without warning. Belgium's Flemish regional government sent a mock phishing email to about 20,000 of its employees to see how they would react. Hilarity and awkwardness ensued, with some employees contacting Thalys directly to complain, and others contacting the cops.

11 of 58 comments

  1. How many handed their credit card info over? by ASDFnz · · Score: 2

    That is what we really want to know.

    1. Re:How many handed their credit card info over? by paul_metcalfe · · Score: 2

      Enough people believed it was legit to the point they called Thalys. So... looks like they need some more anti-phishing training.

      --
      Always read at -1, don't let others decide what you should and should not read.
  2. But did anyone hit reply-to-all? by thegarbz · · Score: 4, Funny

    I've seen a similar type of system go off the rails, except the company forgot to put the target mailing list in the BCC field. Instead an unprotected mailing list with all 50000 employees was emailed out to everyone, so naturally someone hit reply-to-all.

    After 4 hours of an endless stream of reply-to-all "TAKE ME OFF YOUR MAILING LIST" emails it all quietened down.

    Then the Americans woke up and went to work...

  3. Can email service providers do more? by Jeremi · · Score: 2

    It seems like relying solely on people's good judgement to figure out which emails are legitimate vs which ones are phishing spam (or worse, spear-phishing spam) is asking for trouble.

    I can imagine email service providers using cryptographic signing techniques to assist the email client in reliably identifying which emails are definitely coming from their boss (or at least, from their boss's legitimate email account) vs which ones are unauthenticated and could have been written by anyone.

    With that implemented, after a few weeks people would grow used to seeing the happy green "sender authenticated" sign at the top of each email from their boss, and if an email came in purporting to be from the boss, but with a big angry red "WARNING -- UNAUTHENTICATED MESSAGE -- MAY BE FRAUDULENT" (or whatever) sign at the top, they'd be less likely to hand over the company jewels without first confirming the email's validity.

    Does something like this exist? If so, it seems like it's not widely used. If GMail/hotmail/yahoo could agree on a method and then start implementing it by default, I think that would go a long way towards reducing the effectiveness of email phishing attacks.

    --
    I don't care if it's 90,000 hectares. That lake was not my doing.
    1. Re:Can email service providers do more? by guruevi · · Score: 2

      How about just rendering everything as text? Avoid rendering URLs or HTML and you'll solve most of the problems.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    2. Re:Can email service providers do more? by Obfuscant · · Score: 2

      Does something like this exist?

      Many mail clients have provisions for PGP signing of messages. It is one of the options I have set up on my tablet for K9 mail.

      For it to work in a corporate environment, it must be mandated by the company so that everyone does it, everyone must have a client that supports it, keys must exist and be distributed, and only then can everyone rely on an unsigned message being invalid. If your boss forgets to sign a message telling you to do something and you ignore it, you better have a company policy backing you up.

      That puts it in the realm of a social problem, not a technical one. And it does not solve the problem of external sources of email that don't sign anything being the alleged source of the email asking you to "click here" because your train reservation has changed and you need to pay a bit extra.

    3. Re:Can email service providers do more? by cheater512 · · Score: 2

      It's called DKIM.

      The problem is it works very well for boss@company.com but it would also give the green light for boss@c0mp4ny.com if they also used DKIM.
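
An added illustration (not code from the thread) of the point made in both Jeremi's "sender authenticated" proposal and cheater512's DKIM reply: a DKIM pass only tells you which domain signed, so the client still has to decide whether that domain is one it trusts or merely resembles one. The headers, domain names and confusable table below are constructed for the example, and it assumes the DKIM signature itself has already been cryptographically verified by the mail server.

```python
import re

# Constructed sample: a lookalike domain that legitimately passes DKIM
# because the sender signs mail for the domain they actually control.
SAMPLE_HEADERS = {
    "From": "Boss <boss@c0mp4ny.com>",
    "DKIM-Signature": "v=1; a=rsa-sha256; d=c0mp4ny.com; s=sel1;"
                      " h=from:to:subject; bh=...; b=...",
}

# Domains whose signatures the client should treat as "the boss" (assumed).
TRUSTED_DOMAINS = {"company.com"}

# Digits commonly swapped in for letters in lookalike domains (assumed table).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                             "5": "s", "7": "t", "8": "b"})


def parse_dkim_tags(header):
    """Parse a DKIM-Signature tag=value list (RFC 6376 style) into a dict."""
    tags = {}
    for part in header.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)  # b= values may contain '='
            tags[key.strip()] = value.strip()
    return tags


def from_domain(from_header):
    """Extract the lower-cased domain from a From: header, or None."""
    match = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return match.group(1).lower() if match else None


def skeleton(domain):
    """Normalise confusable characters so c0mp4ny.com -> company.com."""
    return domain.lower().translate(CONFUSABLES)


def classify(headers, trusted=TRUSTED_DOMAINS):
    """Verdict: 'trusted', 'lookalike', 'external' or 'unauthenticated'."""
    sender = from_domain(headers.get("From", ""))
    sig = headers.get("DKIM-Signature")
    signing = parse_dkim_tags(sig).get("d", "").lower() if sig else ""
    # Aligned only if the signing domain is the From domain or its parent.
    aligned = bool(sender) and bool(signing) and (
        sender == signing or sender.endswith("." + signing))
    if not aligned:
        return "unauthenticated"       # no DKIM, or signed by unrelated domain
    if signing in trusted:
        return "trusted"               # the green "sender authenticated" case
    if skeleton(signing) in {skeleton(t) for t in trusted}:
        return "lookalike"             # DKIM passed, but for boss@c0mp4ny.com
    return "external"                  # authenticated, just not one of ours
```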

  4. Again? by meerling · · Score: 2

    So yet again a member of a government organization has willfully engaged in Identity Theft and/or Copyright or Trademark Infringement. Will they get arrested? Of course not. Heck, they won't even get a slap on the wrist as soon as the press quiets down. I guess it doesn't matter what country it is, they seem to think the laws apply to other people.

  5. At least.... by mark-t · · Score: 3, Insightful

    ... now they know how they would react. Mission accomplished, right?

  6. Regional Government? by houghi · · Score: 4, Informative

    Belgium is made up of states, so the Flemish Government is like the Government of Texas or any other US state or German Bundesland.

    For the rest: do not try to figure out Belgian Politics. It is kind of a clusterfuck that kind of works.

    --
    Don't fight for your country, if your country does not fight for you.
    1. Re:Regional Government? by Nikademus · · Score: 2

      It works even without government :)
      http://www.washingtonmonthly.c...

      --
      I gave up with the idea of a useful sig...