White House Security Adviser Duped by UK Prankster

The security of White House networks has been called into question after senior officials were duped into replying to emails from ‘colleagues’ that were actually spoofed by a UK prankster.

Perhaps the most concerning was homeland security adviser Tom Bossert, who replied to a fake Jared Kushner Outlook email address that had invited him to a party at the end of August.

“Thanks, Jared. With a promise like that, I can't refuse,” he wrote back, according to CNN. “Also, if you ever need it, my personal email is” (redacted).

The prankster goes by the Twitter handle @SINON_REBORN, a reference to the character in Greek mythology who tricked the Trojans into bringing the eponymous wooden horse inside the city of Troy.

He successfully impersonated former White House chief of staff Reince Priebus in an exchange with the also-departed communications director Anthony Scaramucci, using only a mail.com account.

Scaramucci fell again for another @SINON_REBORN prank, this time a Gmail account masquerading as soon-to-be Russian ambassador, Jon Huntsman Jr.

Huntsman himself was tricked into replying to a fake email account pretending to be the President’s son, Eric Trump, while the latter was hoodwinked by SINON_REBORN writing as his older brother, Donald Trump Jr., before eventually realizing his mistake.

White House press secretary Sarah Huckabee Sanders told CNN: “We take all cyber-related issues very seriously and are looking into these incidents further.”

The ease with which the British prankster tricked not just senior officials but the homeland security adviser himself should be serious cause for concern, especially given that state-sponsored spear-phishing campaigns rely on the same social engineering tactics.

Hiwot Mendahun, cyber resilience expert at Mimecast, argued that email was never built with security in mind.

“This prank follows a rise in similar attacks asking for wire transfers or confidential data like HR records or tax information. Spear-phishing and impersonation attacks are easy to launch with free email addresses or by registering lookalike domains. Mobile email users are particularly vulnerable,” she added.

“All organizations need to consider stamping external emails with simple warnings and conduct regular training to help employees recognize possible scams.”
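The two controls Mendahun describes, stamping external mail with a warning and catching impersonation that arrives from a free webmail address or a lookalike domain, can be expressed as a small gateway check. The following is an added illustration and not code from Infosecurity Magazine or Mimecast; the internal domain, the list of protected names and the sample messages are constructed for the example.

```python
"""Flag external, free-webmail, lookalike and name-impersonating senders.

Added illustration (not the magazine's or Mimecast's code). It assumes a
mail gateway hands us a few parsed header fields per message. The internal
domain, protected names and sample messages below are constructed.
"""
from email.utils import parseaddr
import unicodedata

INTERNAL_DOMAINS = {"eop.example.gov"}            # assumed internal domain
# Assumed directory of people whose display names deserve protection.
PROTECTED_NAMES = {"jared kushner", "reince priebus", "eric trump"}
FREEMAIL_DOMAINS = {"gmail.com", "mail.com", "outlook.com"}
EXTERNAL_TAG = "[EXTERNAL]"


def normalize(text):
    """Lower-case and fold accented or decorated characters to plain ASCII."""
    folded = unicodedata.normalize("NFKD", text).encode("ascii", "ignore")
    return folded.decode().lower().strip()


def levenshtein(a, b):
    """Edit distance, used to spot lookalike domains such as examp1e."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(addr):
    """Domain part of an address, normalized; empty if there is none."""
    return normalize(addr.rsplit("@", 1)[-1]) if "@" in addr else ""


def analyze(headers):
    """Return (subject to deliver, list of warnings) for one message."""
    name, addr = parseaddr(headers.get("From", ""))
    domain = sender_domain(addr)
    warnings = []
    if domain not in INTERNAL_DOMAINS:
        warnings.append("external sender")
        if domain in FREEMAIL_DOMAINS:
            warnings.append("free webmail domain")
        for internal in INTERNAL_DOMAINS:
            if domain != internal and levenshtein(domain, internal) <= 2:
                warnings.append(f"lookalike of {internal}")
        if normalize(name) in PROTECTED_NAMES:
            warnings.append("display name matches internal person")
    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    if reply_addr and sender_domain(reply_addr) != domain:
        warnings.append("Reply-To domain differs from From domain")
    subject = headers.get("Subject", "")
    if "external sender" in warnings and not subject.startswith(EXTERNAL_TAG):
        subject = f"{EXTERNAL_TAG} {subject}"
    return subject, warnings


# Constructed sample messages: one genuine, two impersonations.
SAMPLES = [
    {"From": "Jared Kushner <jared.kushner@eop.example.gov>",
     "Subject": "Party on the 31st"},
    {"From": "Jared Kushner <jaredkushner@outlook.com>",
     "Subject": "Party on the 31st"},
    {"From": "Reince Priebus <chief.of.staff@eop.examp1e.gov>",
     "Reply-To": "replies@mail.com", "Subject": "Quick question"},
]

if __name__ == "__main__":
    for message in SAMPLES:
        subject, warnings = analyze(message)
        print(subject, "|", ", ".join(warnings) or "no warnings")
```

The second sample reproduces the Bossert case: a display name that matches a real colleague, arriving from a free Outlook address, is tagged and flagged before the recipient sees it. The third shows why the check needs more than an allow-list: a one-character lookalike domain passes a naive string comparison but not the edit-distance test, and the mismatched Reply-To is a separate signal. Real deployments would read the authenticated domain from DMARC results rather than the raw From header, which is what this snippet simplifies.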
