"Spear Phishing" American Airmen on Guam


Post by grawp » Tue May 04, 2010 6:25 pm

Good afternoon, all.

A cautionary tale about the dangers of "spear phishing," from today's strategypage.com site:

####

May 4, 2010: Offers to hire American airmen, stationed at an airbase on the Central Pacific island of Guam, as extras in the Transformers 3 movie, turned out to be an unexpectedly scary training exercise. First, keep in mind that there is no Transformers 3 filming scheduled for Guam. The email was a fake, used to test how well airmen could detect a hacker's attempts to deceive military Internet users into giving up valuable information.

The Transformers 3 email was a test to see how many airmen would fall for a "spear phishing" offensive. "Phishing" (pronounced "fishing") is when a hacker sends out thousands, or millions, of emails that look like warnings from banks, eBay or PayPal, asking for you to log in (thus revealing your password to the hackers, who have set up a false website for this purpose) to take care of some administrative matter. The hacker then uses your password to loot your account. "Spear phishing" is when the emails are prepared with specific individuals in mind. The purpose here is to get specific information from, say, a bank manager, or someone known to be working on a secret project. In the Guam case, the targets of the spear phishing test were asked to go to a web site and fill out an application form to be eligible to be an extra. That form asked for information that would have enabled hostile hackers to gain more access to air force networks. A lot of the airmen who received the Transformers 3 email responded. The air force won't say how many, but it was more than expected. A lot more.

The hundreds of separate spear phishing attacks on American military personnel each year are worrisome, because it means someone is looking for defense-related data, including classified stuff. Most people don't fall for phishing attacks, but the hackers know that some will. This is especially true if the hackers can come up with the right hook. Seeking extras, among young male airmen, for a movie set containing a sweaty and scantily clad Megan Fox, was apparently too much for even the most security-minded trooper to resist.

Military personnel are trained to watch out for things like phishing attacks, but hackers only need to get a few victims to fall for it. The Department of Defense has publicized this spear phishing attack in order to encourage any military personnel who may have fallen for one (or think they did) to report that as soon as possible.

How to defend against this? There's no perfect protection from these kinds of attacks, but there are things that can be done to reduce vulnerability. This consists of more education of users (to make them aware of what kind of dangers they face), and hardware and software defenses against attacks. Another approach favored by military, and government, users is frequent scans of user computers, and strict rules about what you can put on them. What all of this tries to do is limit the damage, not eliminate it. This reflects an ancient military adage: "it's not a matter of who is better, but who is worse (off)."

####
Discussion?

grawp
The world will never love us. They respect us - they might even grow to fear us.
But they will never love us, for we have too much audacity!

- Theodore Roosevelt – “The Wind & the Lion” (1975)
