The U.S. Air Force has awarded a $750,000 contract to Wombat Security Technologies for the creation of a "micro-game platform" that trains people not to fall for phishing schemes. Wombat is best known for anti-phishing training games with cartoon-like graphics and names like Anti-Phishing Phyllis, Anti-Phishing Phil, and PhishGuru.
This is the second Small Business Innovation Research (SBIR) contract the USAF has awarded to Wombat. The SBIR program is basically an R&D grant program awarded to small businesses developing promising technology for government use.
Anti-Phishing Phyllis and her goldfish-like boyfriend Anti-Phishing Phil teach corporate users how to avoid evil e-mails. The Phyllis game appears to be aimed at players who prefer kindergarten-level action rather than, say, Call of Duty. Which category do you think the average Air Force employee would fall into (just sayin')? PhishGuru allows the admin to craft fake e-mails to try and find out which employees avoid the phish hook and which ones are susceptible.
Wow... just, wow.
The news that the Air Force base is going on an anti-phishing training offensive shouldn't be a big surprise. In April the military organization was greatly embarrassed when its anti-phishing penetration test (would you call that a phen test? or a pish test?) convinced so many airmen to bite that the phish made news. The e-mail said "Transformers 3" was to be filmed on Guam and airmen were invited to participate if they headed over to a linked Website and shared their personal information. They did so in droves, and then shared the e-mail invite with others and posted info about it on at least one Transformer fan site.
Security testers at the Guam Air Force base's 36th Communications Squadron then had to explain to all concerned that the e-mail was an in-house crafted hoax. A month later, Wombat announced that the USAF gave it its first SBIR award, for an undisclosed amount.
Wombat has since been using the Air Force phishing snafu (snaphew?) as a what-not-to-do in its marketing literature. In September, a Wombat press release named the situation as a worst-case scenario. I suspect the $750K may cause that press release to suddenly vanish from Wombat's Web site, so here's the relevant snippet:
"One such case of a penetration test going wrong involved security testers at Andersen Air Force Base sending an in-house simulated phishing email to airmen. The email stated that Transformers 3 would be filmed in Guam and invited the airmen to fill out online applications asking for sensitive information. This kind of exercise is routine for the military and major corporations, but it worked too well when personnel not only responded to the email, but then forwarded the email outside of the base. The rumor that Transformers 3 would be casting extras for the upcoming film spread like wildfire on fan sites and local media. The base had to begin the long and tedious process of informing their employees and local press about the simulated attack."
Seems like public fingerpointing, simplistic graphics and elementary game logic are motivation enough to grant the company an additional three-quarters of a million dollars. I may be treating the subject with irreverence, but you tell me if I'm exaggerating. Here's a glimpse of Wombat's Anti-Phishing Phyllis training program from its promotional video posted on YouTube.
In all fairness, phishing training is a great idea and this contract not only covers the custom development of a new (and hopefully improved) training game, but it also gives the Department of Defense access to Wombat Security Technologies' Anti-Phishing Phyllis game. That certainly seems wise, given the USAF's history. Phyllis is SCORM and 508 compliant and provides users with copious reports.
Still, I can't help but hope that, for the money, the Air Force will help Wombat build a graphically beautiful game that lets trainees shoot phishy e-mails from, perhaps, an F-35 jet. Oops, I guess I mean PH-35.