Belgian Government Phishing Test Goes Off-Track 58
alphadogg writes: An IT security drill went off the tracks in Belgium, prompting a regional government office to apologize to European high-speed train operator Thalys for involving it without warning. Belgium's Flemish regional government sent a mock phishing email to about 20,000 of its employees to see how they would react. Hilarity and awkwardness ensued, with some employees contacting Thalys directly to complain, and others contacting the cops.
How many handed their credit card info over? (Score:3)
That is what we really want to know.
Re: (Score:2)
Enough people believed it was legit to the point they called Thalys. So... looks like they need some more anti-phishing training.
But did anyone hit reply-to-all? (Score:5, Funny)
I've seen a similar type of system go off the rails, except the company forgot to put the target mailing list in the BCC field. Instead an unprotected mailing list with all 50000 employees was emailed out to everyone, so naturally someone hit reply-to-all.
After 4 hours of an endless stream of reply-to-all "TAKE ME OFF YOUR MAILING LIST" emails it all quietened down.
Then the Americans woke up and went to work...
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
Had one of those bouncing around several thousand employees at a company I worked for. I don't even know why they had the mail server configured to allow sending to so many people. Probably laziness on the part of IT.
It was repeated rounds of "TAKE ME OFF YOUR MAILING LIST" and "STOP HITTING REPLY ALL" (which was reply-alled, of course). And then people ironically sending the same just to piss people off.
It eventually took threats from someone in senior management to get people to quit it.
Can email service providers do more? (Score:3)
It seems like relying solely on peoples' good judgement to figure out which emails are legitimate vs which ones are phishing spam (or worse, spear-phishing spam) is asking for trouble.
I can imagine email service providers using cryptographic signing techniques to assist the email client in reliably identifying which emails are definitely coming from their boss (or at least, from their boss's legitimate email account) vs which ones are unauthenticated and could have been written by anyone.
With that implemented, after a few weeks people would grow used to seeing the happy green "sender authenticated" sign at the top of each email from their boss, and if an email came in purporting to be from the boss, but with a big angry red "WARNING -- UNAUTHENTICATED MESSAGE -- MAY BE FRAUDULENT" (or whatever) sign at the top, they'd be less likely to hand over the company jewels without first confirming the email's validity.
Does something like this exist? If so, it seems like it's not widely used. If GMail/hotmail/yahoo could agree on a method and then start implementing it by default, I think that would go a long way towards reducing the effectiveness of email phishing attacks.
Re: (Score:3)
How about just rendering everything as text? Avoid rendering URLs or HTML and you'll solve most of the problems.
Re: (Score:2)
How about just rendering everything as text? Avoid rendering URLs or HTML and you'll solve most of the problems.
There are too many broken email clients that send HTML documents without the correct headers saying it is HTML, so too many broken email clients automatically render messages that LOOK like HTML because that's probably what they ought to do.
And then you get idiots who think they need to send 50k of HTML for a one-sentence email, and get pissy when you tell them that you don't read HTML and to resend whatever the hell it was in text if they want you to get the message.
I'm pretty sure that none of the cli
Re: (Score:1)
Are you saying I have no right to control the content on my computer? How odd... If I want to read email in plain text, and I do enforce this and reply only in plain text, then I am going to. That you think I have no right to do so is absurd. I am not obligated to allow any content on my system nor am I obligated to view something in the way which you intended. Fucking moron. Get off my internet. You *are* the problem.
Re: (Score:2)
How about just rendering everything as text? Avoid rendering URLs or HTML and you'll solve most of the problems.
Not going to happen, HTML email is a feature, a feature a lot of people find very useful and will not give up without a big fight.
Re: (Score:3)
Does something like this exist?
Many mail clients have provisions for PGP signing of messages. It is one of the options I have set up on my tablet for K9 mail.
For it to work in a corporate environment, it must be mandated by the company so that everyone does it, everyone must have a client that supports it, keys must exist and be distributed, and only then can everyone rely on an unsigned message being invalid. If your boss forgets to sign a message telling you to do something and you ignore it, you better have a company policy backing
Re: (Score:2)
For it to work in a corporate environment, it must be mandated by the company so that everyone does it, everyone must have a client that supports it, keys must exist and be distributed
Of course in a non-corporate/general-email environment, all of those things won't happen (or at least, not all at the same time), so there is a big chicken-and-egg problem if we require all of that. Fortunately, I don't think we need to require all of that.
then can everyone rely on an unsigned message being invalid
I don't think it is necessary to rely on an unauthenticated message being invalid. An unauthenticated message is just that -- unauthenticated. It might be valid or invalid. If it's something important, the "unauthenticated" flag is an indication to th
Re: (Score:2)
Of course in a non-corporate/general-email environment, all of those things won't happen (or at least, not all at the same time),
They won't happen at all in any environment where there is no authority to mandate the use of PGP or anything similar. You can't order Mom to sign all her messages any more than you can order a phisher to sign his.
I don't think it is necessary to rely on an unauthenticated message being invalid.
That's the goal. You want to know that the phishing email is invalid. Simply knowing it is neither valid nor invalid is useless, because if it is valid you should act upon it.
You wouldn't ignore it, you'd call the boss (or email him) and ask him if he really sent the message you received.
Imagine a work environment where you called the boss every time he sent you an email asking him if he sent it. Imagine t
Re: (Score:1)
I don't see this as a big problem. Most people will use whatever's installed on their machines, because setting up a new
Re: (Score:2)
I don't see this as a big problem. Most people will use whatever's installed on their machines, because setting up a new client is too much hassle.
At work I use, let's see, ... three different clients depending on where I am. Or is it four? Should I count different versions of Evolution as one or two? Or three?
The fact is, such a system will not work if only "most people" do it.
To deal with the other issue, we do need extra utility - clients that will automatically sign, and automatically reject and return unsigned emails from addresses with known keys.
oooh, cool. A new DDOS attack vector -- send a flood of emails pretending to be from someone with a "known key" but unsigned, to a group of people who have known keys. If the "return" function doesn't sign the return (and if it is automatic, there is probably a security is
Re: (Score:3)
It's called DKIM.
The problem is it works very well for boss@company.com but it would also give the green light for boss@c0mp4ny.com if they also used DKIM.
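The post above makes the key point about DKIM: a valid signature only proves that the message was signed by the domain in the signature's d= tag, so boss@c0mp4ny.com with its own DKIM setup verifies just as cleanly as boss@company.com. The following is an added example, not code from the thread or from any mail provider, of the extra check a receiving client would need on top of a DKIM pass: take the Authentication-Results header the receiving MTA adds (format per RFC 8601), require that the signing domain aligns with the From domain, and then compare it against an allowlist of trusted domains, flagging visual lookalikes explicitly. The allowlist, the confusable-character table and the sample headers are constructed for this example.

```python
"""Added example: a DKIM pass is not a "this is my boss" signal by itself.

Classify a sender from its From address and the Authentication-Results
header a receiving mail server adds. DKIM result and d= domain are parsed
from that header; the trusted-domain allowlist is a constructed example.
"""
import re

# Characters commonly substituted for visual lookalikes. Constructed,
# deliberately small table for this example; real confusable lists
# (e.g. Unicode TR39) are far larger.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
    "7": "t", "8": "b", "@": "a", "$": "s", "|": "l",
})

def skeleton(domain: str) -> str:
    """Normalise a domain so that visual lookalikes collapse to one string."""
    d = domain.lower().translate(CONFUSABLES)
    # two-character confusables: 'rn' looks like 'm', 'vv' looks like 'w'
    return d.replace("rn", "m").replace("vv", "w")

# dkim=<result> ... header.d=<domain>   (RFC 8601 Authentication-Results)
AUTH_RE = re.compile(
    r"dkim=(?P<result>\w+)(?:[^;]*?\bheader\.d=(?P<d>[\w.-]+))?"
)

def dkim_signing_domain(auth_results: str):
    """Return (dkim result, d= domain) or (None, None) if no dkim clause."""
    m = AUTH_RE.search(auth_results)
    if not m:
        return None, None
    return m.group("result"), m.group("d")

def classify_sender(from_addr: str, auth_results: str, trusted: set) -> str:
    """Classify a message as seen by the receiving client.

    'trusted'                  - DKIM pass from a domain on the allowlist
    'lookalike-of:<domain>'    - DKIM pass, but the domain mimics a trusted one
    'authenticated-untrusted'  - DKIM pass from some other domain
    'unaligned'                - DKIM pass, but not for the From domain
    'unauthenticated'          - no usable DKIM result
    """
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    result, d = dkim_signing_domain(auth_results)
    if result != "pass" or d is None:
        return "unauthenticated"
    d = d.lower()
    # relaxed alignment: d= must equal the From domain or be a parent of it
    if d != from_domain and not from_domain.endswith("." + d):
        return "unaligned"
    if d in trusted:
        return "trusted"
    for t in trusted:
        if skeleton(d) == skeleton(t):
            return f"lookalike-of:{t}"
    return "authenticated-untrusted"

if __name__ == "__main__":
    # Constructed sample headers as a receiving MTA would write them.
    trusted = {"company.com"}
    samples = [
        ("boss@company.com",
         "mx.example.net; dkim=pass header.i=@company.com header.d=company.com header.s=s1"),
        ("boss@c0mp4ny.com",
         "mx.example.net; dkim=pass header.d=c0mp4ny.com header.s=s1"),
        ("boss@company.com", "mx.example.net; dkim=none"),
        ("boss@company.com",
         "mx.example.net; dkim=pass header.d=attacker.example"),
    ]
    for sender, ar in samples:
        print(f"{sender:22} -> {classify_sender(sender, ar, trusted)}")
```

The lookalike branch is what turns the "green light for boss@c0mp4ny.com" case from the post into a warning rather than a pass; the allowlist is the part no protocol can supply, since only the receiving organisation knows which domains its staff should trust.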
Re: (Score:2)
Two AC's already mentioned GPG/PGP and google's End-to-end project, but there is a more standardized and widely available option: S/MIME signatures.
S/MIME sigs have (at least) one "problem"... they require a centralized certificate authority. However, you can get a personal S/MIME cert for free from several of the big CAs: http://kb.mozillazine.org/Gett... [mozillazine.org]
That said, there are two HUGE problems with expecting this to solve the phishing problem:
1. Bad email doesn't look bad. You end up with:
a) email with a
Re: (Score:1)
Regarding your number 2... Frequently get tampered with in transit? Really? I have, literally, never seen this. I suppose I could be not seeing it because it is done in transit but I never even hear of this happening other than proposals as to why it is a problem. I am subjected to countless spearphish attacks and regular phishing attacks. I still have my *ceo*@tld.com address (when I sold the businesses I was allowed to keep the address as I had used it for personal emails way back when the company was ver
Re: (Score:2)
Regarding your number 2... Frequently get tampered with in transit? Really? I have, literally, never seen this....
You're lucky there. I see such tampering several times per day, and fixing the problem often takes a lot of time (and sotto voce swearing ;-).
The reason is that I deal with a lot of data that's "plain text", but is computer data of some sort, not a natural language like English (which is sort of stretching the meaning of "natural", but you know what I mean). Or it's in a human language, but not English, and the character encoding uses some 2-byte or longer characters.
The simplest example is computer sou
Re: (Score:1)
I have never seen that problem or, at least, never attributed that problem to interference in transit or by the client. I had, wrongly, assumed you had meant human interference such as a MITM altering data to insert content for the purposes of evil. I have not seen that either.
I have mailed and received mail with source in it. It was usually an attachment however or a snippet. I also do not allow my email application to insert line breaks or to use line breaks - break the text where it was either sent or wh
Re: (Score:2)
These modifications that would affect message signatures happen in many places.
I was having a hell of a time picturing someone manually inserting malicious headers into emails via MITM attacks...
FYI, S/MIME signatures do NOT sign the email headers. For example, you can alter the "Subject" header of a valid signed message you got from somewhere else, then bounce it off to a different recipient (ie. send as if from that same person), and the recipient will see a valid signature on the message with an altered subject line. The signature is on the message body only (more specifically, it's on a mime part and everything below
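The scope point in the post above (the signature covers a MIME part and what is below it, not the outer Subject/From/To headers) is easy to misjudge, so here is an added example that is not from the thread or from any S/MIME library. A real S/MIME signature is a CMS structure over the canonical bytes of one MIME part; to run offline without certificates this example stands in an HMAC over those same bytes, which has the same coverage and is clearly labelled as a stand-in. It shows a message whose Subject is changed after signing still verifying, and then the defensive variant where a copy of the Subject is placed inside the signed part and compared at verification time (a simplified form of the header-protection idea in RFC 8551). All keys, addresses and message text are constructed.

```python
"""Added example: what a body-only signature covers, and a tampered Subject.

HMAC-SHA256 over the canonical bytes of the signed MIME part stands in for
the CMS signature S/MIME would produce; the coverage is the same. Everything
below (key, addresses, text) is constructed for the example.
"""
import hashlib
import hmac
from email import policy
from email.message import EmailMessage

SIGNING_KEY = b"constructed-stand-in-for-signer-private-key"

def canonical_bytes(part: EmailMessage) -> bytes:
    """CRLF-canonical bytes of the part, as S/MIME canonicalisation requires."""
    return part.as_bytes(policy=policy.SMTP)

def sign_part(part: EmailMessage) -> str:
    return hmac.new(SIGNING_KEY, canonical_bytes(part), hashlib.sha256).hexdigest()

def verify_part(part: EmailMessage, signature: str) -> bool:
    return hmac.compare_digest(sign_part(part), signature)

def build_signed_message(subject: str, body: str, protect_headers: bool = False) -> dict:
    """Build {outer headers, signed body part, signature}.

    With protect_headers=True a copy of Subject is written into the signed
    part before signing, so a verifier can compare it with the outer header.
    """
    inner = EmailMessage()
    inner.set_content(body)
    if protect_headers:
        inner["Subject"] = subject
    return {
        "headers": {"From": "boss@company.example",
                    "To": "staff@company.example",
                    "Subject": subject},
        "body_part": inner,
        "signature": sign_part(inner),
    }

def tamper_subject(msg: dict, new_subject: str) -> dict:
    """Relay the same signed part under a different outer Subject."""
    return {"headers": {**msg["headers"], "Subject": new_subject},
            "body_part": msg["body_part"],
            "signature": msg["signature"]}

def verify_body_only(msg: dict) -> bool:
    """What a plain S/MIME check answers: is the signed part intact?"""
    return verify_part(msg["body_part"], msg["signature"])

def verify_with_header_protection(msg: dict) -> bool:
    """Hardened check: signed part intact AND its protected Subject copy
    matches the outer Subject. A message without a protected copy fails."""
    if not verify_body_only(msg):
        return False
    protected = msg["body_part"].get("Subject")
    return protected is not None and protected == msg["headers"]["Subject"]

if __name__ == "__main__":
    plain = build_signed_message("Q3 invoice", "Please process the attached invoice.")
    relayed = tamper_subject(plain, "URGENT: wire payment today")
    print("body-only, original :", verify_body_only(plain))       # True
    print("body-only, tampered :", verify_body_only(relayed))     # True (!)

    protected = build_signed_message("Q3 invoice", "Please process the attached invoice.",
                                     protect_headers=True)
    relayed2 = tamper_subject(protected, "URGENT: wire payment today")
    print("protected, original :", verify_with_header_protection(protected))  # True
    print("protected, tampered :", verify_with_header_protection(relayed2))   # False
```

The second verifier only helps if the sender's client puts the header copy inside the signed part; a client that shows "signature valid" on a message whose Subject was never under the signature is reporting exactly what the post describes.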
Re: (Score:2)
It exists and It's called DKIM
https://en.wikipedia.org/wiki/... [wikipedia.org]
Just like Belgium (Score:2)
Streetwalkers sweet talk you out of your spare change
And your sweet madame makes it seem just like Belgium
Again? (Score:3)
Re: (Score:2)
Care to elaborate?
Re: (Score:2)
It's generally not known to American students, no. The lack of direct US military involvement, and the slaughter of millions by wealth seeking remote nationals doesn't garner the same sympathy 100 years later as the genocide of a nation's own citizens that occurred in Nazi Germany and in their conquered territories, a genocide that American military forces became directly involved in stopping and witnessed directly. There are few people alive who remember it personally, but the availability of popular media
Re: (Score:2)
He speaks perhaps of the infamous Congo Troubles?
These weren't medical from nature but had everything to do with the greed of King Leopold II [wordpress.com] and his rubber plantations. If you need to make a list of colonial crimes you will need to have a lot of time on your hands.
It is also extremely cynical to bring the Flemish governm
Nevada's tax department is sending goofy stuff too (Score:1)
Sounds like standard government cluelessness on behalf of the Belgians. A throwaway address I use on Mailinator has been getting some fails from Nevada's State Department of Taxation. They keep sending out mails like this,
The origin is TAXCCVAP03.taxation.state.nv.us. They've sent this crap 5 or 6 times this week and I wonder if they even know what they're doing. I keep waiting for them to accidentally attach some j
At least.... (Score:4, Insightful)
Comment removed (Score:5, Informative)
Re: (Score:3)
It works even without government :)
http://www.washingtonmonthly.c... [washingtonmonthly.com]
Phishing done right (Score:1)
Isn't it a point of phishing that you don't tell the impersonated entity that you're using their identity to scam other people? Even when you run a mock test, isn't it better to not tell anybody you're doing it, to avoid any false negatives (people that would have clicked, but won't now, because they know it's not their Nigerian friend, but the government impersonating him) and/or false positives (people that wouldn't click, but will now, to fuck with the government).
Thalys should know how to respond when p
A for effort (Score:2)
We conduct internal phishing tests from time-to-time. We find them to be a valuable part of our overall security framework.
I think that their biggest mistake here was not notifying their employees that random phishing tests will be conducted and to stay vigilant.
It probably would have also been better to start small on their first round.... "click here to take a survey and receive a free x" instead of, you know, instilling the fear of financial ruin...
contacting the cops (Score:2)
Wait... isn't contacting the cops what they're *supposed* to do?