The Latest in IT Security

Search Engine Poisoning: Targeting US Military?

05 Apr 2013

It's been a few months since I dipped into our Search Engine Poisoning (SEP) logs, so I've been taking a look…

As I was poking around, one thing jumped out at me, which was not on my radar screen back when I did the big series on SEP: namely, attacks themed on topics often searched for by US military personnel (active and retired) were common enough that I took notice. In the chart in this blog post, I tracked the most common (and/or interesting) SEP attack topics, and also listed a couple of topics that probably should have been tracked.

Nowhere to be found in that post was anything themed around "US Military". But it's definitely in the traffic now. I noticed it very consistently in a recent week of logs, while I was in pursuit of another topic.

SEP Attacks Targeting Military Themes

Curious as to how high it would rank, I carefully looked through a collection of over 1500 SEP "search term sets". (As always, these represent attacks that would have been successful had we not caught them, as one of our users (1) searched for those terms, (2) the Bad Guys had a page ready, (3) it scored high enough in Google, Bing, or Yahoo that it showed up in the top results, where the victim actually noticed it, and (4) it looked believable enough that they clicked it.)

I counted 80 search term sets themed around military topics — a bit over 5%, which would have easily qualified this theme for a spot on the chart of top themes. Here is a sample:

veterans benefits cola 2012
navair quality awards
army composite risk management answers
WHAT NATIONAL GUARD UNITS ARE IN THE PROCESS OF DEPLOYING TO AFRICA AS OF 2013?
promotion criteria army
national guard deployments
how to print army accident avoidance card
ets award
alms help desk phone number
2013 VA Disability Compensation Rates
national guard Africa 2013 deployment schedule Indiana
fort campbell deployment schedule 2012
army promotion point cutoff 2013
non recommendation to promotion board
US Air Force Guard pay
army accident avoidance course
3rd BCT 4th Infantry Division frg
army non promotion counseling
apft magic bullet
CENSECFOR Operator Training – M11 Service Pistol
navy DECKPLATE LEADERSHIP
counseling magic bullet army
Military Police commissioned officer professional development timeline
4856 non promotion
arap.safety.army.mil

Government Topics

While I was in the logs, I also noticed quite a few queries on topics related to non-military departments of federal and state government. Out of the same batch of 1500+ "search term sets", I counted 32 on this theme (a bit over 2%, which wouldn't quite make my chart of top topics, but would certainly qualify for an honorable mention)…

Here's a sample from this search theme:

2013 gs pay scale
In ICS, the members of the Command Staff assume the title of
civil service practice test for administratie assistant
2013 federal pay dates
Federal Employee Payroll Calendar
fema IS-100.b answers
gs pay scale 2013 opm
opm 2013 pay scale dc locality
hawaii civil service pay scale
maine law enforcement physical fitness standards
fema 1s-700 answers
answers for is-200b exam
2013 GS-7 rate
2013 federal calendar
fema is 702 a answers
TSA Pay 2013
2013 Federal Pay Raise

Observations and Questions:

– Are the people who SHOUT AT GOOGLE IN ALL CAPS army drill sergeants? (Do they think they'll get better results if they shout? Or do they leave their CapsLock key on all the time out of habit?)

– A lot of government employees (and would-be employees) seem to be concerned about their pay scales…

– …and so they seem to be trying to score highly on their exams. (Is it legal/approved to be Googling/Binging for the answers like this?)

– As a technologist, I'm a little bit worried that the army is researching "magic bullets". 😉

– I had mixed feelings about seeing searches for things like the army's "safe home computing" and "Information Assurance" programs. On the one hand, it's nice that they have programs like this, to raise awareness of computer/network/data security, but it's rather ironic that several people searching on these topics clicked on malicious links in their search results…

– …so how about a suggestion for updating the curriculum a bit? I suggest: "As a military or government employee, I will be careful about clicking on military/government related search engine result URLs that don't end in .MIL or .GOV (after all, how likely is it that a search about a government or military topic is really going to be answered on a .BIZ or .INFO site? or even on a top-level domain belonging to another country, like .PL [Poland]?)"

Targeted Attacks?

In light of such attack tactics as targeted spearphishing and waterholing, I wondered if the Bad Guys were consciously choosing to target military/government personnel via SEP as a new APT vector, or if they'd just noticed these sorts of searches being common enough to be worth targeting.

Since we segment our SEP logs by "gang", this is easy to answer: since the military/government themed content is mixed in with the usual assortment of common topics in the big gangs' traffic, I would say not at this point. (But it would still worry me if I were in charge of security at one of these organizations.)
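Two things the post describes lend themselves to a small triage script: the ".MIL or .GOV" test suggested for military/government search results, and the per-gang breakdown of search themes used to judge whether the military/government traffic is targeted or just mixed in with everything else. The following is an added example written for this page, not code from the original post or from the author's SEP logging system. The log records, gang names, URLs and the keyword lists that decide a theme are all constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample of blocked SEP clicks (not real log data). Each record
# carries the "gang" the detection attributed the landing page to, the search
# term set the victim used, and the result URL that was clicked.
SAMPLE_LOG = [
    {"gang": "gang-A", "terms": "army promotion point cutoff 2013",
     "url": "http://army-promo-points.biz/cutoff.html"},
    {"gang": "gang-A", "terms": "green coffee bean extract reviews",
     "url": "http://diet-miracle.info/green-coffee"},
    {"gang": "gang-A", "terms": "2013 gs pay scale",
     "url": "http://payscale2013.pl/gs.php"},
    {"gang": "gang-A", "terms": "minecraft unblocked at school",
     "url": "http://mc-unblocked.info/play"},
    {"gang": "gang-B", "terms": "fema is-100.b answers",
     "url": "http://training.fema.gov/is/"},
    {"gang": "gang-B", "terms": "national guard deployments",
     "url": "http://www.nationalguard.mil.evil-cdn.biz/deploy"},
    {"gang": "gang-B", "terms": "performance review sample letter",
     "url": "http://hr-templates.info/review"},
]

# Hand-picked theme keywords (an assumption for this example, not the author's
# classification). Matched as whole words so "ics" does not match "basics".
THEME_KEYWORDS = {
    "military": ["army", "navy", "air force", "national guard", "apft",
                 "deployment", "promotion board", "veterans", "navair"],
    "government": ["gs pay", "opm", "fema", "ics", "federal pay",
                   "civil service", "tsa"],
}

# Suffixes the post suggests treating as the expected home for these themes.
TRUSTED_SUFFIXES = (".mil", ".gov")


def classify_theme(terms: str) -> str:
    """Return 'military', 'government' or 'other' for one search term set."""
    lowered = terms.lower()
    for theme, keywords in THEME_KEYWORDS.items():
        for kw in keywords:
            if re.search(r"\b" + re.escape(kw) + r"\b", lowered):
                return theme
    return "other"


def is_trusted_domain(url: str) -> bool:
    """True only if the URL's parsed hostname ends in .mil or .gov.

    The test is on the parsed hostname, not the raw string, so
    'http://army.mil@evil.biz/' (userinfo before the real host) and
    'www.nationalguard.mil.evil-cdn.biz' (lookalike subdomain) both fail.
    """
    host = urlparse(url).hostname
    if not host:
        return False
    host = host.rstrip(".").lower()
    return any(host.endswith(suffix) for suffix in TRUSTED_SUFFIXES)


def suspicious_results(log):
    """Records with a military/government theme whose URL is not .mil/.gov."""
    return [rec for rec in log
            if classify_theme(rec["terms"]) != "other"
            and not is_trusted_domain(rec["url"])]


def theme_share_by_gang(log):
    """Fraction of each gang's blocked clicks that fall in each theme."""
    counts = {}
    for rec in log:
        gang_counts = counts.setdefault(rec["gang"], Counter())
        gang_counts[classify_theme(rec["terms"])] += 1
    return {gang: {theme: n / sum(c.values()) for theme, n in c.items()}
            for gang, c in counts.items()}


if __name__ == "__main__":
    for rec in suspicious_results(SAMPLE_LOG):
        print(f"[{rec['gang']}] {rec['terms']!r} -> {rec['url']}")
    for gang, shares in theme_share_by_gang(SAMPLE_LOG).items():
        print(gang, {t: f"{s:.0%}" for t, s in shares.items()})
```

On the sample data both gangs show military and government queries sitting beside diet, gaming and HR topics, which is the "mixed in with the usual assortment" pattern the post reads as opportunistic rather than targeted. The suffix test is a triage heuristic, not a verdict: a legitimate answer can live on a contractor's .com, and a compromised .gov page would pass it, so flagged records are candidates for a closer look rather than automatic blocks.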

A Few More Observations:

– The biggest current health-related topic, based on our SEP attack logs, is clearly green coffee bean extract. (Which I have to say matches up nicely with our spamnet research. Raspberry ketones, your star is fading…)

– The most popular on-line game, hands-down, is Minecraft, judging by how many kids are searching for "free", "hacked", and "unblocked" (i.e., at school) versions…

– We must be getting close to Annual Performance Review time. There are a lot of people looking for sample letters to write up their accomplishments for the past year, and their goals for the next one; and a lot of managers searching for the right encouraging words to tell those people.

– And sadly, people are still far too interested in not-suitable-for-work (or school) content.

Seriously, it would be nice for people to realize that there are SEP gangs who crank out material targeting all of these topics. Every day.

Look and think before you click!

–C.L.

@bc_malware_guy
