Most of the White House’s email domains have
yet to deploy an email authentication protocol known as DMARC that is designed
to reduce the risk of attackers impersonating legitimate email addresses for
distributing spam or phishing messages.
Nearly all email domains overseen by the
Executive Office of the President (EOP) of the United States – including
WhiteHouse.gov – are vulnerable to being hijacked for large-scale phishing
campaigns, a report by the Global Cyber Alliance (GCA) has shown.
According to the security advocacy group,
only one out of 26 email domains managed by the EOP has fully implemented the
Domain-based Message Authentication, Reporting and Conformance (DMARC) protocol, which is
intended to detect and prevent email spoofing.
Another seven domains have put the email
authentication protocol in place, but only at the monitoring level (a “none”
policy): the domain owner receives reports about messages that fail
authentication, but delivery of spoofed emails is not prevented. The remaining
18 email domains under the EOP’s purview have yet to even begin implementing
the protocol.
Email spoofing involves creating email messages using forged sender details so
that the email appears to come from someone other than the actual sender. Such
spoofing is commonly used for distributing spam or phishing messages that
contain malicious attachments or links.
The GCA found that the highest DMARC policy setting has been deployed for only
one domain, max.gov. The policy for this domain is set to “reject”, which
instructs receiving mail servers to block messages that fail authentication
before they can actually be delivered.
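The three groups in the report (no record, monitoring only, enforcing) follow directly from the `p` tag of a domain’s DMARC TXT record. The following script is an added example, not part of the GCA report or the original article: it parses DMARC records and sorts them into those three groups, and it also flags two weaknesses a practitioner checks for that a bare “enforcing” label hides, a `pct` below 100 and an `sp=none` subdomain policy. The domain names and records are constructed for illustration, and the tag handling follows RFC 7489 (the `v=DMARC1` tag must come first and a `p` tag is required); both quarantine and reject are counted as enforcing here.

```python
"""Classify DMARC records into the groups used in the GCA report:
not deployed, monitoring only (p=none), and enforcing (p=quarantine/reject).

Added example; the sample records below are constructed, not real lookups.
"""

from collections import Counter

# Constructed DMARC TXT records keyed by hypothetical domain names.
# None models a domain that publishes no _dmarc TXT record at all.
SAMPLE_RECORDS = {
    "monitor.example":   "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "enforce.example":   "v=DMARC1; p=reject; rua=mailto:dmarc@enforce.example",
    "partial.example":   "v=DMARC1; p=quarantine; pct=50",
    "subdomain.example": "v=DMARC1; p=reject; sp=none",
    "broken.example":    "p=reject; rua=mailto:dmarc@broken.example",  # missing v= tag
    "absent.example":    None,
}


def parse_dmarc(record):
    """Parse a DMARC record into a dict of lower-cased tag names.

    Returns None when the record is absent or not a valid DMARC record:
    RFC 7489 requires 'v=DMARC1' as the first tag and a 'p' tag.
    """
    if not record:
        return None
    tags = []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags.append((key.strip().lower(), value.strip()))
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    tag_dict = dict(tags)
    if "p" not in tag_dict:
        return None
    return tag_dict


def classify(record):
    """Return (level, detail); level is 'not deployed', 'monitoring' or 'enforcing'."""
    tags = parse_dmarc(record)
    if tags is None:
        return ("not deployed", "no valid DMARC record")
    policy = tags["p"].lower()
    if policy == "none":
        return ("monitoring", "p=none: reports only, spoofed mail is still delivered")
    if policy not in ("quarantine", "reject"):
        return ("not deployed", f"unknown p value {policy!r}")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # this script's choice: fall back to the RFC default of 100
    notes = [f"p={policy}"]
    if pct < 100:
        notes.append(f"pct={pct}: only {pct}% of failing mail is subject to the policy")
    # sp defaults to the organizational policy when absent
    if tags.get("sp", policy).lower() == "none":
        notes.append("sp=none: subdomains are not protected")
    return ("enforcing", "; ".join(notes))


def summarize(records):
    """Count domains per level, the way the report groups the EOP's domains."""
    return Counter(classify(r)[0] for r in records.values())


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        level, detail = classify(record)
        print(f"{domain:<20} {level:<13} {detail}")
    print(dict(summarize(SAMPLE_RECORDS)))
```

To run this against live domains, fetch the TXT record at `_dmarc.<domain>` with a DNS resolver and pass the string into `classify`; the classification logic itself needs no network access, which is why the constructed records above are enough to exercise every branch.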
The Alliance notes that the subpar level of
DMARC deployment is “surprising”, given that the US Department of Homeland
Security issued a directive on October 16, 2017, requiring all federal
agencies to have the protocol in place this year. The directive mandates at
least the lowest DMARC policy (“none”) for all second-level agency domains
within 90 days (i.e. by mid-January). The highest-level policy (“reject”) is
required within a year of the directive’s issuance. The measure is designed to
increase security for anyone who receives email from federal agencies.
“Email domains managed by the EOP are crown
jewels that criminals and foreign adversaries covet,” Philip Reitinger,
president and CEO of the Global Cyber Alliance, is quoted as saying. He added
that the lack of full DMARC deployment “poses a national security
risk”. The EOP manages a range of domains – including Budget.gov, OMB.gov
and USTR.gov – that could be valuable for phishers.