A cyber-wellness exercise on phishing fraud conducted by the U.S. Air Force went out too well. Robert McMillan reported on NetworkWorld, “The e-mail said that crews were going to start filming ‘Transformers 3’ on Guam and invited airmen to fill out applications on a Web site if they wanted to work the shoot. The Web site then asked them for sensitive information.” The exercise went rogue when the information leaked out from their network to the public via e-mails and the like of Transformers fan sites. U.S. Air Force issued a statement to account for the incident, “Unfortunately, many of Andersen’s personnel responded to this inject and submitted their personal information to the Web site, and forwarded the information outside of Andersen.”
It is interesting to see how victims not only not realised they have fallen into the scam. Furthermore, helped in propagating it. It is interesting to see how trust are established among human (on the cyber space).Yet saddening to witness how scammers are exploiting such vulnerabilities of us.
Let see what we can learn from this incident… If I’m a scammer…
- Spoofed e-mail address from an looks-like legitimate source
The first step of every phishing attacks. Social engineer the victim to believe it is neither a spam nor scam. E.g. email@example.com
- I would use some catchy theme
I’m impress with the designer of the U.S. Air Force phishing exercise. Transformer sure is catchy, getting the victim excited and catch him/her off-guard. It is also proven that they will propagate the scam for you too! 😀
- Have my victim create an account with me
Single-username/single-password syndrome. If I have these information, most probably I can access most of your accounts. According to the case study, most likely I would also get information like their name, address, date-of-birth, etc. I would also ask for their e-mail addresses (I could help myself to their e-mail account and propagate the scam if they don’t do it for me 😛 Mutual trust are already established between them isn’t it?), and two set of “secret questions” (a backup if my single-password syndrome attack fails). In addition, I could make full use of all these information gathered and conduct a spear-phishing attack, drastically improve the success rate.