From the Email Prankster with Love
If the exploits of a man who calls himself the email prankster have taught us anything, it’s that many high-profile figures aren’t taking cybersecurity as seriously as they should. Daniel Davies looks at some of the prankster’s most notorious schemes and asks the cybersecurity industry what, if anything, we can learn from them.
There aren’t many things that unite the UK Shadow Home Secretary Diane Abbott, governor of the Bank of England Mark Carney, short-lived White House communications director Anthony Scaramucci and beneficiary of nepotism Eric Trump, but one thing the quartet do have in common is that they have all been unwitting victims of the scourge of the elite: the so-called ‘email prankster’.
That’s if ‘victim’ is really the right word to describe any of the people who’ve fallen foul of the rogue. Their role is really more of a straight man to the prankster comedian who goes by the Twitter handle @SINON_REBORN, which is a reference to Sinon, the Greek soldier who convinced the Trojans to think nothing of accepting a giant wooden horse as a gift. In essence, they’re the Oliver Hardy to the prankster’s Stan Laurel; the Stewart Lee to the rapscallion’s Richard Herring; the Marge to @SINON_REBORN’s Homer.
That’s because the email prankster doesn’t have nefarious motives in mind when he pranks the rich and influential. He simply registers email addresses that look like they could plausibly belong to someone connected to the high-profile target, and shoots them an email with a thought-provoking subject. When the email prankster reached out to James Gorman, the head of Morgan Stanley, he did so while pretending to be the former UK chancellor Alistair Darling, who, conveniently, also sits on the board of Morgan Stanley. The prankster sent Gorman an email that was supposedly meant for a journalist with a photo of Darling attached. He quickly followed this up with another in which he apologised for emailing the 'wrong' person.
The email prankster’s techniques are brilliant in their simplicity, but they’re hardly ingenious, carefully thought-out schemes, so what does it say about cybersecurity when some of the people we entrust with keeping us safe, both physically and financially, divulge information so easily to someone using a slightly different email address to the one they may have expected?
Teach a man to phish...
The japes carried out by the email prankster are an example of spear phishing – although pranking, or even catfishing, seems a more appropriate name for the practice. But while the email prankster’s motives weren’t criminal in their intent, usually when spear phishing occurs and an email arrives, apparently from a trustworthy source, the intention is to lead recipients to a bogus website full of malware. The email prankster, though, hasn’t demonstrated any malevolent intentions, and that’s why he doesn’t fear prosecution.
The email prankster argues that his communications are too absurd to be taken seriously, and therefore any legal action taken against him would only serve to heighten the sense that elites live in some kind of surreal comedy. For example, writing late last month as Jared Kushner, adviser to the American President, the email prankster invited Homeland Security Adviser Tom Bossert to a “soirée”.
“Tom, we are arranging a bit of a soirée towards the end of August,” the prankster wrote. “It would be great if you could make it, I promise food of at least comparible (sic) quality to that which we ate in Iraq. Should be a great evening.” Bossert wrote back: “Thanks, Jared. With a promise like that, I can't refuse. Also, if you ever need it, my personal email is [redacted].” As the prankster points out, imagine something like that being taken to court. “Do you admit, Mr Sinon,” the email prankster wrote on Twitter, “that you knowingly invited Head of Homeland Security, Tom Bossert, to a party?”
Although @SINON_REBORN has played his communications for laughs – “teach the world to phish and they'll never run out of laughter,” he writes – he has said that there is a serious point to his campaign. In a Twitter post, he wrote: “I’ve no political agenda. I just want us all safe. If you’re responsible for others health/ money/ safety then no personal email address in my opinion.” In response to his contact with Diane Abbott, the hacker went on to say: “In all seriousness, if I was a North Korean or Russian hacker I could have sent her God knows what to download.”
Speaking to Verdict Encrypt via email, Tim Erlin, vice president at the cybersecurity firm Tripwire, said that high-profile figures like Diane Abbott should be looking to evaluate their online presence in order to avoid potential threats.
“Spear phishing is designed to look like legitimate communication, and it often contains information that’s specifically targeted to an individual. If it’s well-crafted, it’s anything but simple, and it’s avoidable,” he said. “We should be concerned that high-profile figures are susceptible to these kinds of attacks. These individuals are often privy to sensitive information and in control of sensitive operations. Any avenue of compromise should be evaluated and mitigated appropriately. It’s clear that there are gaps to be filled with respect to spear phishing.”
Should tech step in?
The email prankster’s most notorious phish, and the one that indicated he had cracked America, was carried out against the former White House communications director Anthony Scaramucci.
Posing as former White House chief of staff Reince Priebus, the prankster wrote to Scaramucci: “I had promised myself I would leave my hands mud free, but after reading your tweet today which stated how ‘soon we will learn who in the media has class, and who hasn't,’ has pushed me to this. That tweet was breathtakingly hypocritical, even for you. At no stage have you acted in a way that's even remotely classy yet you believe that's the standard by which everyone should behave towards you?”
Bizarrely, Scaramucci responded with, “Read Shakespeare. Particularly Othello. You are right there. My family is fine by the way and will thrive. I know what you did. No more replies from me.”
While the exchange with Scaramucci is hilarious, it also demonstrates the problem organisations have with cybersecurity. Even when the most advanced screening processes are put in place, there’s little or nothing that can be done if people implicitly trust that what they’re being sent is genuine and impulsively open emails that seem to be from friends and associates with impunity.
But should we be blaming people for problems that should surely be solved by technology at this point? If an acquaintance invites you to a soirée then be sceptical, but should we expect people to be suspicious of every email they receive?
Bill Evans, who handles product marketing for the cybersecurity firm One Identity, believes that technology can go a long way to helping people mitigate the threats posed by people like the email prankster.
“Perhaps a new feature in applications used to send and receive email would be to flag an email in some manner if the name and email address of the sender doesn’t match the majority of emails you have received from that person,” he says. “It’s these types of changes that vendors can make – coupled with the vigilance of the users – that will help thwart these hackers, whether they be nefarious or just pranksters.”
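One way to implement the check Evans describes, as an added example that is not part of the article or of any One Identity product: build a profile of which address each sender display name usually arrives from, then flag inbound mail whose display name matches a known contact but whose address does not. The mail history and the inbound headers below are constructed sample data, and the "usual" address is assumed to be the one seen most often for that display name.

```python
"""Flag inbound mail whose sender address is unusual for its display name.

Added example, not from the article or any vendor. Assumes the mail client
can hand us raw From: header values from the mailbox history.
"""
from collections import Counter, defaultdict
from email.utils import parseaddr

# Constructed history of From: headers previously received (sample data).
SAMPLE_HISTORY = [
    "Jane Doe <jane.doe@example.com>",
    "Jane Doe <jane.doe@example.com>",
    "Jane Doe <jane.doe@example.com>",
    "Jane Doe <jdoe@personal.example.net>",   # one-off from a personal account
    "Finance Team <finance@example.com>",
]

# Constructed inbound messages to triage (sample data).
SAMPLE_INBOUND = [
    "Jane Doe <jane.doe@example.com>",        # usual address
    "Jane Doe <jdoe@personal.example.net>",   # seen before, but not the usual one
    "Jane Doe <jane.doe@examp1e.com>",        # lookalike domain, never seen
    "New Contact <hello@example.org>",        # no history at all
]


def build_sender_profile(history):
    """Map each normalised display name to a Counter of addresses seen for it."""
    profile = defaultdict(Counter)
    for header in history:
        name, addr = parseaddr(header)
        if not addr:
            continue  # skip headers with no parseable address
        profile[name.strip().casefold()][addr.casefold()] += 1
    return profile


def check_sender(profile, header):
    """Classify one From: header against the profile.

    Returns (verdict, detail) where verdict is one of:
      'ok'        - address is the one this display name usually uses
      'warn'      - address has been seen for this name, but is not the usual one
      'mismatch'  - display name is known, but the address has never been seen
      'unknown'   - no history for this display name at all
      'malformed' - no address could be parsed from the header
    """
    name, addr = parseaddr(header)
    key = name.strip().casefold()
    addr = addr.casefold()
    if not addr:
        return "malformed", "no address in From: header"
    seen = profile.get(key)
    if not seen:
        return "unknown", "no prior mail from this display name"
    usual, count = seen.most_common(1)[0]
    if addr == usual:
        return "ok", f"matches usual address ({count} prior messages)"
    if addr in seen:
        return "warn", f"seen {seen[addr]} time(s) before, but {usual} is usual"
    return "mismatch", f"display name usually sends from {usual}, this is {addr}"


def triage(history, inbound):
    """Run every inbound header through check_sender; returns a list of
    (header, verdict, detail) tuples in the order received."""
    profile = build_sender_profile(history)
    return [(h, *check_sender(profile, h)) for h in inbound]


if __name__ == "__main__":
    for header, verdict, detail in triage(SAMPLE_HISTORY, SAMPLE_INBOUND):
        print(f"{verdict:9} {header:40} {detail}")
```

Only the third sample message is a hard mismatch; the second is a softer warning because the personal address has been seen before, which is the distinction a client would need to avoid nagging users every time a colleague writes from home.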
The flamethrower approach
Rather than letting technology step in and make allowances for human error, the email prankster has suggested taking the rather extreme measure of removing personal email addresses from people in positions of power.
And while that would solve the problem of people being able to access people and information using the methods the email prankster did, it’s akin to using a flamethrower to light a gas hob. You’ll probably achieve your goal, but it’s excessive to say the least.
“I do not agree that those responsible for other people’s health, money or safety should not be permitted to have a personal email account. In 2017, that’s a bit ludicrous,” says Evans.
“Even government officials and leaders of large banks need to order from Amazon once in a while. I’m pretty sure their account should not be linked to their .gov email. That just doesn’t make sense. The right answer is training. Users have been, are and will remain the weakest link in cybersecurity. Only through training and diligence can we all win the cyberwar.”
And what next for the email prankster? He has reportedly already been suspended from his job for misusing IT equipment, but will his crusade continue and is he worried that US law enforcement agencies are now looking into the matter?
According to Lee Munson, security researcher at Comparitech, prosecuting an email prankster would be a bold move by any administration or organisation daring to take it on, and would “likely backfire in a fireball of public ridicule.”
However, Munson says: “It wouldn’t be a legally impossible task, though; the Computer Misuse Act and anti-impersonation legislation would likely both be of relevance in this case.”
If he is worried about attracting too much heat, though, the email prankster has a funny way of showing it. He confirmed on his Twitter page that he has a number of pranks on the go and said “it’s going to be an interesting month.” So if you’re an interested observer then keep watching @SINON_REBORN’s Twitter feed. If you work in financial services or in politics on either side of the pond, however, be afraid. Be very afraid.
Image courtesy of Surian Soosay