Email prank horse

Email “prankster” phishes White House: Time for exec training?

Well, here are some simply smashing jolly japes. This fine chap from Manchester, England, has been trolling White House officials.

It could barely be described as phishing, phrankly. He, very simply, sent email pretending to be from other staffers, with no need to forge or hack. He just created some regular webmail accounts, such as <>

So timeō Danaōs et dōna ferentēs (beware of Greeks bearing gifts). In this week’s Security Blogwatch, we ignore Laocoön's warning.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: A hilarious old aviation story 

What’s the craic? Jake Tapper breathlessly brings us White House officials tricked by email prankster:

A self-described "email prankster" in the UK fooled a number of White House officials into thinking he was other officials. … "We take all cyber related issues very seriously and are looking into these incidents further," [said] White House press secretary Sarah Huckabee Sanders.

No one in any of these situations clicked any links making them vulnerable, and the prankster appears motivated by mischief [only]. But spear-phishers often begin the process by falsely posing as a friend or associate before asking the victim to take further action.

In June [the prankster] hoodwinked Lloyd Blankfein, CEO of Goldman Sachs and Michael Corbat of Citigroup, and he did the same to Barclays CEO Jes Staley in May.

Who did he fool? “Aunty” BBC speaks truth unto nations: [You’re fired—Ed.]

The prankster … describes himself as a "lazy anarchist," and said [to] the White House … "you need to tighten up IT policy."

Homeland Security Adviser Tom Bossert was apparently tricked into believing Mr Kushner had invited him to a party. … The fake Mr Priebus accused Mr Scaramucci of being "breathtakingly hypocritical" and acting in a way not "even remotely classy." … Eric Trump, too, was briefly hoodwinked by the prankster emailing as his older brother, Donald Trump Jr.

Let’s hear from the (Trojan) horse’s mouth. He calls himself Sinon Reborn:

I've been busy ☺️

Truth is definitely stranger than fiction.

White House - FYI I won't be pranking you any longer, point made. I'm just a dude with a iPhone

[But] I targeted @Scaramucci as I've suffered from mental health problems all my life, and he seems to think paranoid schizophrenia is a put down. … I was in rehab 3 months ago. Just goes to show. Follow your calling even if it seems utterly … unconventional.

No masking the addresses I used. No 'hacking' either. I can barely operate our TV remote. Human behaviour and weakness was my weapon.

It’s “extremely troubling.” Or so says shaunc:

For top administration officials to behave so recklessly defies belief.

[Bossert,] Eric Trump, Scaramucci, and the newly appointed ambassador to Russia. … How many times have they fallen for a similar ruse that wasn't a prank, but a real social engineering exercise perpetrated by a hostile actor?

These folks either haven't been given any security training or simply don't care, and there's no excuse for either answer. … The White House [is] fully capable of doing this properly.

I just want to pound my head on the desk.

And TheRealTJ agrees:

Ideally our government officials should be signing their emails with encryption keys, while in reality they are on the same level of tech literacy as my grandma.

Like your humble blogwatcher, AmazinglySquidly wants to keep the discussion away from politics:

This isn't an issue specific to the Trump team. … This is a systemic problem in the US. Not just government.

Most people are fundamentally incompetent when it comes to tech. Other countries are far smarter than we are, and they will kick our *** with scams like this.

Democrat, Republican and everything in between, everyone is a moron when it comes to phishing and other scams. That should terrify you.

Does this cloud have a silver lining? John Moser thinks so:

The guy might be making an *** of folks, but that's harmless. People can do the same thing to cause harm. By his actions, he's made people more vigilant.

However, they need to … instill permanent policies, as that vigilance is only temporary.

What sort of harm, fr’example? Allison Wikoff and others from the SecureWorks CTU relate The Curious Case of Mia Ash:

[We] observed … spearphishing and social engineering attacks from a threat actor using the name Mia Ash … targeting several entities in the Middle East and North Africa. … The threat actor [had] a well-established collection of fake social media profiles that appear intended to build trust and rapport.

[We] assess that COBALT GYPSY (formerly known as TG-2889), a threat group associated with Iranian government-directed cyber operations, is likely responsible. … The Mia Ash persona is a fake identity used to perform reconnaissance on and establish relationships with employees of targeted organizations.

[It] reinforces the importance of recurring social engineering training. Organizations must provide employees with clear social media guidance and instructions for reporting potential phishing messages received through corporate email, personal email, and social media platforms.

But did it work? Yep. Paul “@paulfroberts” Roberts calls it Operation Lonely Guy:

The attacks … were highly successful. In some cases, the attacks lasted months – and long after the compromise of the employee – with the targets engaged in a flirtation with a woman they believed was a young, attractive female photographer.

The Mia Ash persona is a fake identity based loosely on … a Romanian photographer [Cristina Matei] who has posted her work prolifically online. … Victims were targeted with the PupyRAT … remote access trojan (RAT) used to take control of a victim’s system and harvest credentials.

How are people so dumb? Here to explain is aepervius:

Everybody and their grandma … will tell you, you use social weakness to bypass security. Since men comprise most of security teams, the use of attractive women … makes so much sense.

Do you think the US or Russia are using buff men [in] social engineering of a mostly hetero sexual male population?

The moral of the story? Ignore the politics. If Bossert, Huntsman, and Scaramucci can be fooled this easily, what about your executives? Time for some Red Team exercises?

Gartner Magic Quadrant for Application Security Testing 2018

And finally …

Hilarious old aviation story: SR-71 Blackbird pilot Major Brian Shul on pimping every other airplane in the sky

An excerpt from this hour-long speech at Lawrence Livermore

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or

Image source: Tama Leaver (cc:by)

Gartner Magic Quadrant for Application Security Testing 2018
Topics: Security