Over 10,000 soldiers, civilians, and military family members with .mil email addresses were duped by a bizarre security exercise conducted by the Army on Sunday. The exercise set out to test susceptibility to phishing: attempts to fraudulently acquire sensitive information, such as usernames, passwords, and credit card details, by masquerading as a trustworthy entity in an electronic medium.
To conduct the exercise, the Army Computer Emergency Response Team sent e-mails promising free tickets to area theme parks, which linked to a website posing as the site of the Family and Morale, Welfare and Recreation Command (FMWRC), a real military family support organization. The only problem was that no one bothered to tell the organization that its name was being used to conduct the exercise. Oops!
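The mechanism the exercise relied on, a link to a lookalike site posing as a trusted organization, is exactly what a simple mail-side check can catch. The following Python is an added example, not code from the article and not ACERT's or FMWRC's own tooling: it extracts the links in an email body and flags any whose real host is not the organization's domain. The trusted domain `mwr.example.mil` and the sample message are assumptions, not the real FMWRC site.

```python
"""Flag links in an email body whose host is not the organization's real domain.

Added example, not from the article or from ACERT/FMWRC.
Assumptions: the trusted domain is the hypothetical "mwr.example.mil";
the sample message below is constructed for this example.
"""
import re
from urllib.parse import urlsplit

# Assumed trusted domain; the real FMWRC domain is not given in the article.
TRUSTED_DOMAINS = {"mwr.example.mil"}

# Crude URL extractor: stops at whitespace, angle brackets, quotes and ')'.
URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)


def host_is_trusted(url, trusted=TRUSTED_DOMAINS):
    """Return True only if the URL's real host equals a trusted domain or is a
    subdomain of one.

    urlsplit() resolves the 'user@host' trick, so
    'http://mwr.example.mil@evil.example/' has host 'evil.example', and the
    suffix test rejects 'mwr.example.mil.tickets-promo.example', which merely
    starts with the trusted name.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def suspicious_links(body, trusted=TRUSTED_DOMAINS):
    """Return the URLs in body that do not point at a trusted host."""
    return [u for u in URL_RE.findall(body) if not host_is_trusted(u, trusted)]


# Constructed sample message in the style of the exercise's lure.
SAMPLE_EMAIL = """Free theme park tickets for Soldiers and Families!
Claim yours at http://mwr.example.mil.tickets-promo.example/claim
Official site: https://www.mwr.example.mil/programs
Questions: http://mwr.example.mil@login-portal.example/help
"""


if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_EMAIL):
        print("untrusted link:", link)
```

Run as a script, it reports the first and third links: one is a subdomain of an attacker-controlled name that merely begins with the trusted string, the other hides the real host behind a `user@` prefix. Only the link to `www.mwr.example.mil` passes, because the check compares the parsed host against the trusted domain rather than looking for the trusted name anywhere in the URL.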
When FMWRC realized its name was being used fraudulently for phishing, it immediately distributed a press release to media outlets worldwide in an effort to warn as many customers as possible that the offer was fraudulent. At the same time, it hustled to coordinate with Army legal and information technology offices to have the bogus website shut down.
At that point, FMWRC learned that it was actually the Army that orchestrated the entire facade. Needless to say, they were less than enthusiastic after learning this.
"From the outside, looking in, the customer has no way of knowing FMWRC was not involved in this exercise," said Ms. Laurie Pugh, Public Affairs Officer for FMWRC. "The Family and MWR Command has spent decades and millions of dollars establishing our brand as one that can be recognized and trusted by Soldiers and Families," Pugh said. "We have yet to determine how much of that trust has been undermined by this exercise."
Pugh went on to express her discontent with being left completely in the dark, a case of the left hand not only refusing to talk to the right but throwing rocks at it.
"We were concerned that we had not been brought into the loop on it," said Pugh. "We understand the need for testing security and wished we had known about it."
Officials from the Army Computer Emergency Response Team eventually sent an email to the original 10,000 recipients of the "phishing" email describing the exercise and informing them that no personal information was actually collected or transmitted. The email read as follows:
"For those individuals responding to the ACERT Phishing attempts, regardless of what you submitted, no personal data was collected or transmitted.
This exercise illustrates how hackers can turn the popularity of a trusted resource such as the MWR Web site against unwitting personnel by using real information and activities openly available on the Internet.
We apologize for any inconvenience or false hope these e-mails may have caused. As users of Army network and information systems, you play an integral role in the Information Assurance and Network Security posture for the Army. As you know, phishing emails are a common method used by hackers to infiltrate Army networks and systems. Your ability to identify and respond to phishing attempts is paramount to the defense of critical information systems that make up the Army LandWarNet. Soon, you will receive another e-mail from the ACERT that will provide education on how to identify "phishing" attempts as illegitimate.
We appreciate your participation in this exercise. Everyone plays a part in the security of the Army networks and systems. It is important for everyone to know the MWR brand can be trusted, so please forward this email to anyone you may have shared the original "phishing" email with.
Anyone with questions or comments on the conduct of the exercise should contact the ACERT at 703-706-1113."
OhMyGov!