Malicious websites pose threat to Air Force network



by Tech. Sgt. Scott McNabb and Christopher Kratzer
24th Air Force Public Affairs


9/9/2011 - MAXWELL AIR FORCE BASE, Ala. -- The discovery of spoofed Air Force websites means Air Force network users must maintain awareness before entering passwords into Air Force sites.

The 624th Operations Center is alerting Airmen and civilians across the service about malicious websites posing as official Department of Defense and Air Force pages appearing through Web searches.

All Airmen, civilians and Air Force contractors must ensure links and Uniform Resource Locators, or URLs, are legitimate before entering their passwords because those who don't could render the official sites vulnerable to exploitation and other threats.

"It is vitally important for everyone to watch what they do and where they go on the Net," said Col. Alan Berry, 624th OC commander. "Any site can be hacked or spoofed at any time. In this case, an unknown actor spoofed our Air Force Portal site and also found a way to elevate their fake site in the search results provided by some common search engines. They are relying on individuals to trust the search engine or act so quickly that they do not recognize their mistake."

Berry said verifying the link isn't foolproof either.

"Each person can protect themselves, and by extension the entire Air Force enterprise, by taking a little time and caution to check search results or links for accuracy and authenticity," he said.

The Air Mobility Command Threat, Analysis and Response Cell identified the spoofing threat to the 624th OC. Berry said he's proud of the men and women of his unit, but it takes a team to keep the AFNet safe.

"Tackling this event was much bigger than just the 624th OC," said the commander. "Multiple units worked this issue and developed the quick actions to counter the spoof attempt. We are the hub for much of those efforts and often the public face, but we are not the only ones working hard to keep our networks safe and available."

One of those units is the 42nd Communications Squadron at Maxwell. Brian Goff, the security manager for the communications squadron, said that these fake websites pose a serious threat to security.

"Our adversaries establish spoofed DOD websites in order to harvest our user's logon credentials. Once compromised, these credentials can be exploited by our adversaries to traverse DOD networks across the globe in a coordinated effort to identify, compromise and extract sensitive data," Goff said. "These intrusions have the potential to place our service-members lives at risk."

"(With) each instance, bogus DOD websites were displayed before legitimate DOD websites when queried via Google," Goff said. "Spoofed websites often mirror the actual site and can be difficult to spot by untrained eyes. That said, the most common indicators are misspelled words, mismatched text, outdated reference or a URL that does not reference the actual '.mil' domain."

The 624th OC recently issued a Notice to Airmen, or NOTAM, asking AFNet users to identify the actual Web address, normally listed below the heading of the search result before selecting a link. The NOTAM also pointed out official sites will normally have a ".mil" or ".gov" extension on the URL address such as the official Air Force Website address: http://www.af.mil.

Airmen who find a spoofed Air Force or Department of Defense Website should alert the local information assurance office immediately.