US White House emails found vulnerable to spoofing

Study: White House email domains at risk of being misused for phishing scams

Most of the White House's email domains have yet to deploy an email authentication protocol known as DMARC that is designed to reduce the risk of attackers impersonating legitimate email addresses for distributing spam or phishing messages.


Nearly all email domains overseen by the Executive Office of the President (EOP) of the United States – including WhiteHouse.gov – are vulnerable to being hijacked for large-scale phishing campaigns, a report by the Global Cyber Alliance (GCA) has shown.

According to the security advocacy group, only one out of 26 email domains managed by the EOP has fully implemented the Domain-based Message Authentication, Reporting and Conformance (DMARC) protocol, which is intended to detect and prevent email spoofing.

Another seven domains have put the email authentication protocol in place, but only at the monitoring level of implementation: it collects reports on emails that fail authentication, but does not actually prevent delivery of spoofed emails. The remaining 18 email domains under the EOP’s purview have yet to even begin implementing the protocol.

Email spoofing involves creating email messages using forged sender details so that the e-mail appears to come from someone other than the actual sender. Such spoofing is commonly used for distributing spam or phishing messages that contain malicious attachments or links.

The GCA found that the highest setting of the DMARC policy has only been deployed for the max.gov email domain. The policy for this domain is set at “reject”, making sure that messages that fail authentication are blocked at the email server, before they can actually be delivered.
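The three deployment levels the report distinguishes (no record, monitoring only, enforcement) correspond to what a domain publishes in its DMARC DNS record. The following is an added example, not code from the Global Cyber Alliance or the article, showing how a defender would classify records the way the report does. It parses DMARC TXT records and sorts them into "not deployed", "monitoring", "quarantine" and "reject". The domain names and records are constructed samples; no DNS lookups are made, so it runs offline (a live check would query the TXT record at `_dmarc.<domain>`).

```python
"""Classify DMARC records by enforcement level (added example, not GCA code)."""
from typing import Dict, Optional

# Constructed sample records keyed by hypothetical domain names.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "reject.example":     "v=DMARC1; p=reject; rua=mailto:dmarc@reject.example",
    "monitor.example":    "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "quarantine.example": "v=DMARC1; p=quarantine; pct=100; sp=reject",
    "missing.example":    None,        # no _dmarc TXT record published at all
    "broken.example":     "p=reject",  # missing the mandatory leading v=DMARC1 tag
}

LEVELS = ("not deployed", "monitoring", "quarantine", "reject")


def parse_dmarc(record: Optional[str]) -> Optional[Dict[str, str]]:
    """Split a DMARC record into its tag=value pairs.

    Returns None when the record is absent or invalid. Per RFC 7489 the
    record must start with v=DMARC1 (exact match) and must carry a p= tag;
    receivers ignore records that violate either rule, so we do the same.
    """
    if not record:
        return None
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags: Dict[str, str] = {}
    for part in parts:
        if "=" not in part:
            continue  # malformed fragment; skip it rather than fail the record
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if "p" not in tags:
        return None
    return tags


def classify(record: Optional[str]) -> str:
    """Map a record to one of LEVELS, mirroring the report's categories."""
    tags = parse_dmarc(record)
    if tags is None:
        return "not deployed"
    policy = tags["p"].lower()
    if policy == "none":
        return "monitoring"           # reports only; spoofed mail still delivered
    if policy in ("quarantine", "reject"):
        return policy                 # enforcing: failing mail filtered or blocked
    return "not deployed"             # unknown policy value; receivers ignore it


def summarize(records: Dict[str, Optional[str]]) -> Dict[str, int]:
    """Count domains per level, like the report's 1 / 7 / 18 breakdown."""
    counts = {level: 0 for level in LEVELS}
    for rec in records.values():
        counts[classify(rec)] += 1
    return counts


if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        print(f"{domain:22s} {classify(rec)}")
    print(summarize(SAMPLE_RECORDS))
```

Note that a `p=reject` record with `pct=` below 100 enforces against only that percentage of failing messages; a thorough audit would report that as partial enforcement rather than full "reject".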

Results of the GCA’s testing (source: Global Cyber Alliance website)

The Alliance notes that the subpar level of DMARC deployment is “surprising”, given that the US Department of Homeland Security issued a directive on October 16, 2017, requiring all federal agencies to have the protocol in place this year. The directive mandates at least the lowest DMARC policy for all second-level agency domains within 90 days (i.e. mid-January). The highest-level DMARC policy is required to be implemented within a year of the directive being issued. The measure is designed to increase security for anyone who receives email from federal agencies.

“Email domains managed by the EOP are crown jewels that criminals and foreign adversaries covet,” Philip Reitinger, president and CEO of the Global Cyber Alliance, is quoted as saying. He added that the lack of full DMARC deployment “poses a national security risk”. The EOP manages a range of domains – including Budget.gov, OMB.gov or USTR.gov – that could be valuable for phishers.
