Pros weigh in on phishing the White House
Who needs backdoors when you can use the front?
Just before Anthony Scaramucci's 15 minutes -- er, I mean 10 days -- of White House fame were up, a man in the UK (who imaginatively calls himself "Email Prankster") had some choice words with him via email. Nothing weird there you think? Except that he did it while posing as former White House Chief of Staff Reince Priebus.
Not that getting "the Mooch's" metaphorical goat was expected to be difficult. Especially after he went ballistic on New Yorker reporter Ryan Lizza for merely mentioning his enemies. No, the remarkable thing was that Scaramucci was one of many the prankster fooled among Trump's totally cyber-savvy and not-chaotic White House cabinet of curiosities.
In successful impersonations via email, "Email Prankster" (@SINON_REBORN) communicated with high-profile officials such as Jared Kushner, White House Chief of Staff Reince Priebus, the Ambassador to Russia-designate Jon Huntsman Jr., Scaramucci pal Arthur Schwartz, and even Donald Trump Jr. Before it was picked up by CNN, the prankster made multiple tweets expressing his disbelief about how easy it was to dupe the Trump boys.
Who else did he fool? The prankster successfully exchanged multiple emails with Homeland Security Adviser Tom Bossert, Eric Trump and, of course, Scaramucci.
In a display of abysmal cybersecurity practices, our homeland security adviser instantly fell for the fake Jared Kushner; Bossert gave the prankster his personal email address in hopes of cozying up to Kushner even further. Bossert, in case you didn't know, is Trump's cyber guy. When Trump plucked him out of the Atlantic Council's Cyber Statecraft Initiative, The Donald said Bossert "has a handle on the complexity of homeland security, counterterrorism and cybersecurity challenges."
Maybe he was so busy being focused on the complexities that he didn't have time to check if anything other than the "From" field on fake-Kushner's email looked weird. "Email Prankster" said he didn't even bother to mask the sender address, saying he can "barely operate our TV remote" and that "human behaviour and weakness was my weapon." He literally just made up new email addresses with their names on Gmail, Yahoo and Mail.com.
This is not advanced spear phishing or social engineering, dear reader. This isn't even someone who was trying to accomplish anything other than lulz.
His general intention, in the rich and ribald tradition of British phone and email pranking, was to simply wind people up.
What the prankster did for laughs, and with little technical know-how, is what hackers call social engineering (SE for short) and spear phishing. These two things are tools used by infosec pros when they're hired to attack a company (called a "pentest") for the purpose of revealing weaknesses in security audits. At the Def Con hacker conference, there are social engineering contests, like the SECTV (Social Engineering Capture the Flag) in which SE pros and hobbyists compete to get information out of a company.
Of course, spies do it too. So do criminals.
This sort of thing doesn't just happen to the White House. Business email scams have raked in over $3 billion globally since January 2015. Professional phishing, social engineering and pentesting company Snowfensive LLC told Engadget, "Similar attacks (BEC scams) continue to siphon billions of dollars from businesses with this technique."
Phishing and SE also nail oodles of consumers each year; the famous Nigerian bank scam and online dating scams, for example. Last year in the UK alone, social engineering and email-based "romance scams" bilked people out of a record £39M (over $51 million).
While Eric Trump threatened "Email Prankster" with legal action, it appears that none has been taken. Richard De Vere of UK-based The AntiSocial Engineer told Engadget, "I think the FBI will take this seriously," but that "the police around here haven't got time for this."
Unlike the challenges of pentesting a business or running a dating scam, no special skills were required to phish and social engineer top White House staff (and Trump family members). Snowfensive remarked via Twitter DM that "Email Prankster" used Mail.com, Gmail and Yahoo email addresses, "yet the email recipients looked at the full name of the sender, rather than inspecting the email further."
Snowfensive explained, "While this was fun and games for him, the 'Email Prankster' could have turned the conversation to elicit sensitive information from his targets." And in some cases, he did, obtaining personal email addresses in his adventures.
Charles Henderson, global head of IBM X-Force Red told Engadget via email, "The prankster stopped at Step 1, whereas a penetration tester would have been aiming many steps ahead of information gathering." In this kind of attack, Henderson explained that "personal information, ongoing project activities or references, and information about personal relationships can all be used to build a knowledge base and move laterally within the organization."
Phishing impersonation, like this example of email pranking, once accomplished, is leverage to the next steps of attack. In this instance, it was pretty easy to get those doors open and get the targets talking.
To turn an email conversation into a network compromise wouldn't have been hard -- all the prankster (or pentester) needed his target to do is click on a link or download an attachment. And considering that none of these major players in the White House could be bothered to make sure they weren't talking to a fake or spy, their security complacency would've been a cakewalk to leverage into a network compromise. Or to infect systems with malware, ransomware, keyloggers the list goes on.
In fact, that's the first thing an attack company like Snowfensive would do. The team would get the target to download and open a tainted attachment. "When executed, the malware infects the system and provides us access to the computer. At this point, we can download data on the computer or access network shares connected to the computer."
If Snowfensive had been hired to take the pranking into the professional pentest realm, their other two goals would be to get the target to perform an action and to get information. "In the corporate world," they explain, an action "is often manifested as the attack masquerading as the CFO and targeting an employee in the accounting department with the end goal of having the employee transfer money to pay a fictitious invoice."
As for getting information, the White House targets proved that they're all too willing to engage. "This is what we see the 'Email Prankster' doing," Snowfensive said, "simply conversing with the target to have them answer sensitive questions."
None of this is reassuring about anything. As a security writer, I close my eyes and see the chaos and fire scene from Airplane! where it's the wrong week to stop sniffing glue, except glue isn't going to cut it. We wonder who else has been fake emailing with important White House people. Bad people, probably. Nigerian princes? Definitely.
In a way, I guess we're beyond asking why Trump's apparently unlimited supply of arrogant buffoons can't be bothered to do basic security. Especially the ones who are supposed to be experts on the cyber. After all, Donald Trump Jr. proved that there's no doxing like self-doxing. Asking them to make sure the person they're emailing with isn't some lulzy rando with a computer would probably be like asking them to hire someone reasonably qualified for any post. It's crazy talk, I tell ya.
Maybe they'll stop falling for the equivalent of a cut-rate romance scam when everything calms down in the White House.
