White House E-Mail Domains Vulnerable to Phishing Attack
April 10, 2018

More than 95 percent of email domains managed by the Executive Office of the President (EOP) are in danger of being used in a large-scale phishing attack. Only the Max.gov email domain has fully implemented the top defense against email phishing and spoofing, according to research released today by the Global Cyber Alliance (GCA). Seven of the domains have implemented the Domain-based Message Authentication, Reporting & Conformance (DMARC) protocol at the lowest level, “none”, which monitors email but does not prevent delivery of spoofed emails. Further, GCA found that 18 of the 26 email domains under management haven’t started the deployment of DMARC.
Without DMARC implemented, scammers and criminals can easily “hijack” an email domain to steal money, trade secrets or even jeopardize national security. DMARC weeds out fake emails sent in the name of a domain (known as direct domain spoofing) by spammers and phishers targeting the inboxes of workers in all sectors of society. According to the 2017 Symantec ISTR report, 1 in 131 emails contained malware, the highest rate in 5 years.
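To make the three deployment states in the survey concrete (fully enforcing, “none” monitoring only, not deployed), here is an added example, not GCA’s tool or code, that classifies a domain from the TXT record published at `_dmarc.<domain>`. The domain names and records below are constructed placeholders, not real lookups of any EOP domain; a live check would fetch the TXT records with a DNS library and pass them to `classify`.

```python
# Constructed sample TXT answers for _dmarc.<domain>, covering the states the
# GCA survey distinguishes plus a few edge cases. Placeholder hostnames only.
SAMPLE_TXT = {
    "full.example.gov": ["v=DMARC1; p=reject; rua=mailto:dmarc@full.example.gov"],
    "monitor.example.gov": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor.example.gov"],
    "partial.example.gov": ["v=DMARC1; p=quarantine; pct=50"],
    "none.example.gov": [],                                   # no record at all
    "broken.example.gov": ["v=DMARC1 p=reject"],              # missing ';' separator
    "spf.example.gov": ["v=spf1 include:_spf.example.gov -all"],  # SPF is not DMARC
}


def parse_dmarc(txt_records):
    """Return the tag dict of the first record that is a usable DMARC policy.

    A usable record must carry v=DMARC1 and a p= tag (RFC 7489); anything
    else, including SPF records sharing the name, is ignored.
    """
    for rec in txt_records:
        tags = {}
        for part in rec.split(";"):
            if "=" in part:
                key, value = part.split("=", 1)
                tags[key.strip().lower()] = value.strip()
        if tags.get("v", "").upper() == "DMARC1" and "p" in tags:
            return tags
    return None


def classify(txt_records):
    """Map a domain's _dmarc TXT records to a deployment level string."""
    tags = parse_dmarc(txt_records)
    if tags is None:
        return "not deployed"
    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        return "not deployed"  # unknown p= value gives receivers no policy
    try:
        pct = int(tags.get("pct", "100"))  # share of mail the policy applies to
    except ValueError:
        pct = 100  # assumption: treat an unparseable pct like the default
    if policy == "none":
        return "monitoring only (p=none)"
    if pct < 100:
        return f"partial ({policy}, pct={pct})"
    return f"enforcing ({policy})"


def summarize(records_by_domain):
    """Count domains per deployment level, as a survey report would."""
    counts = {}
    for txt in records_by_domain.values():
        level = classify(txt)
        counts[level] = counts.get(level, 0) + 1
    return counts
```

Note that `p=reject` with `sp=none` still leaves subdomains unprotected, so a thorough audit also inspects the `sp=` tag and any subdomains that send mail.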
“Email domains managed by the EOP are crown jewels that criminals and foreign adversaries covet,” said Philip Reitinger, president and CEO of the Global Cyber Alliance. “The lack of full DMARC deployment across nearly every EOP email address poses a national security risk that must be fixed. The good news is that four new domains have implemented DMARC at the lowest level, which I hope indicates that DMARC deployment is moving forward. The EOP domains that have recently deployed DMARC at its lowest setting include WhiteHouse.gov and EOP.gov, two of the most significant government domains. I hope that the government will move rapidly to block phishing attempts across all EOP domains.”
Domains under the control of the EOP include Budget.gov, OMB.gov, WhiteHouse.gov, USTR.gov, OSTP.gov and EOP.gov – all well-known email domains that are valuable for phishers looking to trick government employees, government contractors, and U.S. citizens.
The weak DMARC deployment by the EOP is surprising after the U.S. Department of Homeland Security mandated that all federal agencies implement DMARC last year. Security experts praised DHS and Senator Ron Wyden, who called for agencies to implement DMARC, for pushing government agencies to quickly implement DMARC at the highest level possible.
Using GCA’s DMARC tools, the researchers scanned the 26 EOP email domains:
GCA has published five reviews of DMARC implementation – two looking at organizations in cybersecurity, one looking at banks, one examining public and private hospitals, and most recently a look at the top tax software providers. When Agari looked at Fortune 500 companies last August, they found 8 percent protected their companies’ domains with DMARC.