Over 10,000 soldiers, civilians, and military family members with .mil email extensions were duped by a bizarre, security exercise conducted by the Army on Sunday.  The exercise set out to test susceptibility to phishing - attempts to fraudulently acquire sensitive information, such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic medium.

To conduct the exercise, the Army Computer Emergency Response Team sent e-mails promising free tickets to area theme parks which linked to a website posing as the site for the Family and Morale, Welfare and Recreation Command (FMWRC) - a real military family support organization.  The only problem was, no one bothered to tell the organization that their name was being used to conduct the exercise.  Oops!

When FMWRC realized they were being used fraudulently for phishing, they immediately distributed a press release to media outlets world-wide in an effort to warn as many customers as possible that the offer was fraudulent.  At the same time, they hustled to coordinate with Army legal and information technology offices to have the bogus website shut down.

At that point, FMWRC learned that it was actually the Army that orchestrated the entire facade. Needless to say, they were less than enthusiastic after learning this.

"From the outside, looking in, the customer has no way of knowing FMWRC was not involved in this exercise," said Ms. Laurie Pugh, Public Affairs Officer for FMWRC.  "The Family and MWR Command has spent decades and millions of dollars establishing our brand as one that can be recognized and trusted by Soldiers and Families," Pugh said. "We have yet to determine how much of that trust has been undermined by this exercise."

Pugh went on to express her discontent with being completely left out in the dark - a case of the left hand deciding not to talk to and throw rocks at the right.

"We were concerned that we had not been brought into the loop on it," said pugh. "We understand the need for testing security and wished we had known about it." 

Officials from the Army Computer Emergency Response Team eventually sent an email to the original 10,000 recipients of the "phishing" email describing the exercise and informing them that no personal information was actually collected or transmitted. The email read as follows:

"For those individuals responding to the ACERT Phishing attempts regardless of what you submitted, no personal data was collected or transmitted.

This exercise illustrates how hackers can turn the popularity of a trusted resource such as the MWR Web site against unwitting personnel by using real information and activities openly available on the Internet.

We apologize for any inconvenience or false hope these e-mails may have caused. As users of Army network and information systems, you play an integral role in the Information Assurance and Network Security posture for the Army. As you know, phishing emails are a common method used by Hackers to infiltrate Army networks and systems. Your ability to identify and respond to phishing attempts is paramount to the defense of critical information systems that make up the Army LandWarNet. Soon, you will receive another e-mail from the ACERT that will provide education on how to identify "phishing" attempts as illegitimate.

We appreciate your participation in this exercise. Everyone plays a part in the security of the Army networks and systems. It is important for everyone to know the MWR brand can be trusted, so please forward this email to anyone you may have shared the original "phishing" email with."

Anyone with questions or comments in the conduct of the exercise should contact the ACERT at 703-706-1113."

OhMyGov!