A U.K.-based hacker managed to phish and spoof the accounts of a number of White House officials, tricking other officials into believing they were conversing with colleagues.
In one incident, the self-described “email prankster” managed to fool Homeland Security Adviser Tom Bossert, who advises on cybersecurity, into believing he/she was President Donald Trump's son-in-law Jared Kushner, and convinced him to disclose his personal email address.
The prankster shared the email exchange with CNN.
"Tom, we are arranging a bit of a soirée towards the end of August," the fake Jared Kushner said on an Outlook account. "It would be great if you could make it, I promise food of at least comparible (sic) quality to that which we ate in Iraq. Should be a great evening."
Bossert responded: "Thanks, Jared. With a promise like that, I can't refuse. Also, if you ever need it, my personal email is (redacted)."
The White House acknowledged the incidents, adding that it is looking further into them and that it takes cyber-related issues very seriously. Although the perpetrator considers their actions a prank, security professionals warn that it follows a trend of similar attacks that have been used to carry out malicious acts.
“While these particular incidents were undertaken to be funny, the implications of how easily the individuals involved were entrapped should be clear,” Tripwire Vice President of Product Management and Strategy Tim Erlin told SC Media. “The difference between this prankster and a serious criminal is only in the disclosure of the results.”
Erlin added that a serious criminal wouldn't have shared the outcome with the press, and that the White House should take a close look at email security and train its staff to recognize spearphishing attempts.
“This prank follows a rise in similar attacks asking for wire transfers or confidential data like HR records or tax information,” Mimecast cyber resilience expert Hiwot Mendahun told SC Media. “Spear phishing and impersonation attacks are easy to launch with free email addresses or by registering lookalike domains.”
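The two launch methods Mendahun names, a free webmail account and a lookalike domain, can both be caught by a simple mail-gateway rule: a From: display name that matches a protected person but whose address domain is not that person's real one. The following is an added example, not code from the article or from any vendor quoted in it; the directory, domains and sample headers are constructed for illustration.

```python
"""Flag inbound mail whose From: display name impersonates a protected person.

Added example, not part of the original article. The directory, the
domain lists and the sample headers below are constructed."""
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed directory: display names expected only from this domain.
PROTECTED = {"jared kushner": "example.gov", "tom bossert": "example.gov"}
# Free webmail providers anyone can register an account with.
FREE_WEBMAIL = {"outlook.com", "hotmail.com", "gmail.com", "yahoo.com"}


def _norm(name):
    """Lower-case the display name and drop punctuation/quotes."""
    return re.sub(r"[^a-z ]", "", name.lower()).strip()


def classify_sender(from_header):
    """Return None if the sender looks legitimate, else a short verdict."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    expected = PROTECTED.get(_norm(name))
    if expected is None or domain == expected:
        return None                      # unknown name, or the real domain
    if domain in FREE_WEBMAIL:
        return "free-webmail impersonation"
    # Lookalike domain: close string match to the real one (swapped or
    # added characters such as "exarnple.gov" for "example.gov").
    if SequenceMatcher(None, domain, expected).ratio() >= 0.8:
        return "lookalike-domain impersonation"
    return "display-name impersonation"


if __name__ == "__main__":
    # Constructed sample From: headers, modelled on the incident above.
    for hdr in ('"Jared Kushner" <jkushner@outlook.com>',
                "Jared Kushner <jared@exarnple.gov>",
                "Tom Bossert <tbossert@example.gov>"):
        print(hdr, "->", classify_sender(hdr))
```

On real traffic run this after SPF/DKIM/DMARC evaluation; those checks authenticate the domain actually used, so they do not by themselves catch a display name borrowed by a free or lookalike address.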