Phishing E-mail To MWR Patrons Turns Out To Be Army Exercise
April 2, 2008
More than 10,000 Soldiers, civilians and Family members with military e-mail addresses received an e-mail March 30 promising free tickets to area theme parks, with a link to a Web site that appeared to belong to the Family and Morale, Welfare and Recreation Command.
These e-mails were sent without the knowledge or consent of the Family and Morale, Welfare and Recreation Command (FMWRC) or installation MWR offices. These e-mails were "phishing" emails developed by the Army Computer Emergency Response Team (ACERT) in a Global Computer Network Defense exercise, Bulwark Defender 08 (BD08) to test the defensive posture of the Army LandWarNet.
FMWRC officials were not alerted to the exercise in advance because the unit "limits the number of trusted agents" in phishing exercises of this type, according to ACERT officials.
FMWRC reacted decisively by informing their patrons that the offer was not legitimate, distributing a press release to media outlets world-wide in an effort to warn as many customers as possible, and coordinating through Army legal and information technology offices to have the bogus Web site shut down.
When ACERT officials confirmed late Monday the e-mail and website were part of their exercise, FMWRC began coordinating with ACERT to prepare messages and media responses addressing the phishing scam, and more importantly, the breach of trust it represents to MWR customers.
"From the outside, looking in, the customer has no way of knowing FMWRC was not involved in this exercise," said Ms. Laurie Pugh, Public Affairs Officer for FMWRC. "We have no idea how many of our customers this exercise has alienated."
FMWRC routinely sends e-mail messages to its customers and press releases to installation newspapers, inviting patrons to visit the official Web site to learn about new offers and promotions.
"The Family and MWR Command has spent decades and millions of dollars establishing our brand as one that can be recognized and trusted by Soldiers and Families," Pugh said. "We have yet to determine how much of that trust has been undermined by this exercise."
The e-mail and Web site created by ACERT were convincing enough to entice more than 3,000 people to click through, in part because of the use of the MWR web graphics and logo, and in part because patrons are used to receiving similar messages.
"It's important to be alert to potential phishing attempts," Pugh said. "But it's also important for FMWRC to be able to use e-mail and our Web site as an effective marketing tool."
All legitimate emails from FMWRC will come from a .mil address, and links will direct patrons to www.armymwr.com. When in doubt, do not click through the e-mail. Type www.ArmyMWR.com directly into a Web browser and see if the offer is advertised on FMWRC's official Web site.
ACERT officials sent a follow-up email to the original 10,000 recipients of the "phishing" email describing the exercise and asserting the e-mail was non-malicious.
Their second e-mail reads, in part:
"For those individuals responding to the ACERT Phishing attempts regardless of what you submitted, no personal data was collected or transmitted.
This exercise illustrates how hackers can turn the popularity of a trusted resource such as the MWR Web site against unwitting personnel by using real information and activities openly available on the Internet.
We apologize for any inconvenience or false hope these e-mails may have caused. As users of Army network and information systems, you play an integral role in the Information Assurance and Network Security posture for the Army. As you know, phishing emails are a common method used by Hackers to infiltrate Army networks and systems. Your ability to identify and respond to phishing attempts is paramount to the defense of critical information systems that make up the Army LandWarNet. Soon, you will receive another e-mail from the ACERT that will provide education on how to identify "phishing" attempts as illegitimate.
We appreciate your participation in this exercise. Everyone plays a part in the security of the Army networks and systems. It is important for everyone to know the MWR brand can be trusted, so please forward this email to anyone you may have shared the original "phishing" email with."
Anyone with questions or comments in the conduct of the exercise should contact the ACERT at 703-706-1113.