Media ‘machine’ and White House fail simple security measures against phishing

No matter the company, humans are fallible. Never has this been more apparent than with the recent email “pranks” pulled in the past month, directed at the White House administration and officials.

The pranks – though some might call them phishing attacks – were aimed at several White House officials and the editors of Breitbart, a right-leaning online publication. And the prankster posted them to his Twitter account, @SINON_REBORN, a reference to the Trojan Horse and the Greek spy who allowed it into Troy.

Calling himself a “lazy anarchist,” he has promised not to go after the White House again after his first stint, but that apparently doesn’t include former White House officials. While some were entertained by the political antics, each incident made the case for tightening White House defences against basic phishing attempts. Here’s a rundown of the prankster’s email victims and the resulting fallout:

  1. Homeland Security Advisor Tom Bossert was emailed concerning a dinner party. The prankster emailed:

    “Tom, we are arranging a bit of a soirée towards the end of August. It would be great if you could make it, I promise food of at least comparible [sic] quality to that which we ate in Iraq. Should be a great evening.”

    In what turned out to be a successful spear-phishing attempt, Bossert – again, the Homeland Security Advisor – gave out his personal email address in his reply:

    “Thanks, Jared. With a promise like that, I can’t refuse. Also, if you ever need it, my personal email is [redacted].”

    Even if the prankster wasn’t trying to extract personal information from his targets, he didn’t need to try very hard to get it in this case. All it took was a tongue-in-cheek dinner invitation.

  2. After Reince Priebus was removed as Chief of Staff, the prankster posed as him in an email to the then Communications Director, Anthony Scaramucci. The fake Priebus goaded Scaramucci and defended his work as Chief of Staff, exchanging barbs with Scaramucci. There was no love lost between the two, who had come to media blows in the past, but in this case Scaramucci told the poser to “Read Shakespeare. Particularly Othello.” Advice to read a classic notwithstanding, Scaramucci was removed from the White House shortly after.
  3. Trump’s son Eric Trump was also a target. The prankster posed as Eric’s older brother, sending him a link to a long-range hunting rifle and asking if he wanted to go hunting that weekend. Eric perhaps had the best response, asking where the link would go and saying that he was in a meeting and wouldn’t just randomly click on links. After a few exchanges, Eric told the prankster that he had forwarded the emails to the proper authorities and cut contact. All around, props to Eric for checking the email address: a period was missing from the fake address.
  4. Lastly, editors at Breitbart were targeted by a fake Steve Bannon, who has gone back to working with Breitbart after his removal from the White House. Fake Bannon said he was poised to take on Ivanka and Jared, and Breitbart Editor-in-Chief Alex Marlow responded: “I spooked ’em today. Did five stories on globalist takeover positioning you as only hope to stop it. You need to own that, just have surrogates do the dirty work. Boyle, Raheem, me, Tony have been waiting for this.” But the prankster didn’t stop with Marlow, moving on to Joel Pollak, Breitbart’s senior editor-at-large. He sent the email:

    “Had a good chat with Alex. Seems he’s already aligning the crosshairs and making me the masked puppeteer.”

    Pollak responded with his personal phone number, much as Bossert had replied to the fake email with his personal email address. A phone conversation is harder to fake, but the prankster now has more information than he had before, which makes future phishing emails all the harder to predict and catch.

In each case, the prankster’s email accounts were fake; he didn’t hack existing accounts. That matters for defenders: because the mail came from addresses on domains he controlled rather than from a forged sender domain, domain-authentication checks such as SPF, DKIM and DMARC do nothing against it. The only giveaway was the address itself, which differed from the real sender’s by a single detail: Stephen instead of Steven, or a period dropped from after Jr. Only a check of the actual address against the contacts the recipient already knows would have caught that.
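One practical form of that check, written here as an added example and not part of the original article: compare every inbound From: address against the recipient’s known contacts and flag anything that is one or two edits away (a swapped letter, a dropped period) or that carries a familiar display name on an unfamiliar address. The contact list and the sample From: headers are constructed for the example; the addresses and domains are invented and are not the real ones involved in the incidents.

```python
from email.utils import parseaddr

# Constructed for this example: the contacts the recipient actually knows.
# The addresses are invented stand-ins, not the real ones involved.
TRUSTED_CONTACTS = {
    "steven.b@example-media.test": "Steve Bannon",
    "d.trump.jr@example-family.test": "Donald Trump Jr.",
    "jared.k@example-gov.test": "Jared Kushner",
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: the number of single-character insertions, deletions or
    substitutions needed to turn a into b. A dropped period is 1; Steven ->
    Stephen (substitute v->p, insert h) is 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute ca->cb
        prev = cur
    return prev[-1]


def check_sender(from_header: str, contacts=TRUSTED_CONTACTS, max_distance: int = 2):
    """Return None when the From: address is a known contact, otherwise a dict
    saying why it looks suspicious. Only the address is compared against the
    contact list; the display name is attacker-chosen and is used only to spot
    a familiar name sitting on an unfamiliar address."""
    display_name, address = parseaddr(from_header)
    address = address.lower()
    if address in contacts:
        return None

    reasons = []
    # 1. Near-miss address: within a couple of edits of someone we know.
    for known, name in contacts.items():
        distance = levenshtein(address, known.lower())
        if 0 < distance <= max_distance:
            reasons.append(f"address is {distance} edit(s) from known contact {known} ({name})")

    # 2. Borrowed display name: a name we know, on an address we do not.
    known_names = {name.lower() for name in contacts.values()}
    if display_name and display_name.strip().lower() in known_names:
        reasons.append(f"display name '{display_name}' belongs to a known contact "
                       f"but address {address} does not")

    verdict = "possible impersonation" if reasons else "unknown sender"
    return {"address": address, "verdict": verdict, "reasons": reasons}


def triage(from_headers):
    """Run check_sender over a batch of From: headers and return
    (header, verdict) pairs; genuine contacts get the verdict 'known contact'."""
    results = []
    for header in from_headers:
        finding = check_sender(header)
        results.append((header, "known contact" if finding is None else finding["verdict"]))
    return results


# Constructed sample headers standing in for the messages described above.
SAMPLE_FROM_HEADERS = [
    "Jared Kushner <jared.k@example-gov.test>",            # genuine contact
    "Steve Bannon <stephen.b@example-media.test>",         # Stephen for Steven: 2 edits
    "Donald Trump Jr. <dtrump.jr@example-family.test>",    # one period dropped: 1 edit
    "Steve Bannon <newsdesk@example-other.test>",          # known name, unrelated address
    "Reince Priebus <reince@example-mail.test>",           # not in contacts at all
]

if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_FROM_HEADERS):
        print(f"{verdict:24} {header}")
```

The last sample shows the limit of the approach: a name the recipient recognises but has never corresponded with (the Priebus case) produces only “unknown sender”, so the contact-list check has to sit alongside the habit Eric Trump showed of asking before clicking, rather than replace it.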

These events caught global media attention because of the prominence of the victims, but they show how easy it is to fool humans. After all, the prankster was four for five in convincing people he was someone they knew. Those aren’t the kind of odds you can risk at your company.
