US Air Force Phishing Test Transforms Into a Problem

Sorry Airman Supershaggy, "Transformers 3" is not coming to Andersen Air Force Base. And by the way, you've been phished.

Security testers at the Guam Air Force base's 36th Communications Squadron had to send out a clarification notice on Monday after an in-house test -- called an operational readiness exercise (ORE) in Air Force parlance -- of how airmen would respond to a phishing e-mail worked out a little too well.

The e-mail said that crews were going to start filming "Transformers 3" on Guam and invited airmen to fill out applications on a Web site if they wanted to work the shoot. The Web site then asked them for sensitive information.

This type of in-house phishing exercise is a routine occurrence in the military and in major corporations, and is generally seen as a good way of promoting security awareness. But in Andersen's case, the information in the phishing e-mail started leaking to the civilian world.

"Unfortunately, many of Andersen's personnel responded to this inject and submitted their personal information to the Web site, and forwarded the information outside of Andersen," the Air Force base said in a statement.

Supershaggy was one of them. "I'm an Airman in the worlds greatest air, space and cyberspace force on Guam," he wrote in a Sunday posting to the Scooper section of Comicbookmovie.com. "I received an email stating that Dreamworks is looking for 20 airmen from Andersen to be extras."

The rumor soon spread to other Transformers fan sites, including Seibertron.com and Tformers.com.

The Transformers movies, directed by Michael Bay, are successful Hollywood blockbusters that depict a futuristic war between alien robots. The third installment in the franchise is expected next year. Shooting is slated to happen all over the world -- in China, Moscow and Africa -- but not in Guam.

As the rumor spread that the hotly anticipated film was coming to Guam, local media started calling the base, which then began the work of setting the record straight.

"Leadership from Andersen AFB regrets that there has been any confusion in the general public regarding this exercise phishing attempt," Andersen said in a statement. "We hope however that this will show that all individuals need to be careful about the real danger of phishing emails and that others can learn from this exercise."

This isn't the first time that some type of unforeseen consequence has come of a security training exercise. In August, a test of a bank's computer systems prompted the federal agency chartered with overseeing the nation's credit unions to issue a fraud alert. The "fraud" was actually a sanctioned penetration testing exercise conducted by a security firm.

Organizations conducting these drills need to first make sure that they're spelled out in company policies, and they need to think carefully about what the phishing e-mail promises, said Sherri Davidoff, a consultant with Lake Missoula Group who conducts this type of test for the financial services industry. Often, she tries to trick employees into divulging information by offering raffles for free iPods or promising a cash bonus. "If you're not careful, then afterwards if they find out they're not really getting an iPod or they're not getting a bonus, they can get really angry."

She also recommends notifying employees very soon after the test is run. "If it's not carefully managed, it can backfire," she said. "People feel bad when they fall for these things and if you want to keep a company secure, you don't want to have a whole bunch of disgruntled employees."

On the other hand, she believes that this type of testing is very effective in preventing so-called social engineering attacks, such as phishing.

"People should realize that those e-mails have more than meets the eye," she said.