A UK-based email prankster used social engineering tactics to fool several top White House officials into responding to his messages, including the Trump administration’s cybersecurity chief, who gave out his private email address last week. Massive Fail.
The prankster shared the emails with CNN. Although the incidents showed mischief rather than criminal intent, they demonstrate how untrained even the highest levels of government are in dealing with spear-phishing attacks.
“I try and keep it on the humorous side of things,” the email prankster told CNN on Monday. “I’m not trying to get the keys to the vault or anything like that.” But spear-phishing incidents can be catastrophic. The White House told CNN it took the incidents “very seriously and are looking into these incidents further.”
In one message thread, the prankster, who goes by the Twitter handle @SINON_REBORN, created an Outlook email account in the name of Jared Kushner, President Donald Trump’s son-in-law and top adviser.
The faux Kushner emailed Homeland Security adviser and cybersecurity chief Tom Bossert and invited him to a party. Bossert responded: “Thanks, Jared. With a promise like that, I can’t refuse. Also, if you ever need it, my personal email is (redacted).” OUCH.
Using a mail.com email address, SINON also pretended to be former chief of staff Reince Priebus, and emailed then-communications chief Anthony Scaramucci on Saturday, the day after Priebus was forced to resign. The real Scaramucci replied, which again is a massive fail.
Jon Huntsman, Trump's pick to be America's ambassador to Russia, and Trump’s son Eric were also fooled by the prankster, who is a very accomplished hacker and social engineer. Earlier this summer, SINON aimed his social engineering attacks at Wall Street, baiting Goldman Sachs CEO Lloyd Blankfein and Citigroup CEO Michael Corbat, as well as Citibank consumer-banking chief Stephen Bird, and in May he fooled Barclays CEO Jes Staley and Bank of England Gov. Mark Carney.
John Podesta, chairman of Hillary Clinton’s campaign, became a victim last year, exposing a number of emails which were later released on WikiLeaks and proved embarrassing to her campaign.
It is clear that security awareness training is needed for everyone and especially at the very highest levels of any organization.