A UK hacker reportedly fooled top White House officials into engaging in fake email exchanges.
The self-proclaimed “email prankster” convinced a senior cyber security adviser he was the president’s son-in-law, Jared Kushner, CNN says.
He also goaded the then media chief, Anthony Scaramucci, in the guise of ex-chief of staff Reince Priebus.
Concerns about cyber security are running high amid claims hackers interfered in the US election.
The White House told CNN it was investigating the latest incident and took the issue very seriously.
The prankster posted some of the email exchanges on Twitter, where he describes himself as a “lazy anarchist”, and said he was doing it for fun. On Tuesday he promised not to target the White House again, but said “you need to tighten up IT policy”.
Here are three of the most memorable parts of the hoax:
1. Security adviser gives out personal email address
Homeland Security Adviser Tom Bossert was apparently tricked into believing Mr Kushner had invited him to a party and gave out his personal email address unsolicited.
“Tom, we are arranging a bit of a soirée towards the end of August,” the fake Mr Kushner wrote in emails shared with CNN. “It would be great if you could make it, I promise food of at least comparible [sic] quality to that which we ate in Iraq. Should be a great evening.”
Mr Bossert replied: “Thanks, Jared. With a promise like that, I can’t refuse. Also, if you ever need it, my personal email is [redacted].”
The cyber security adviser has not commented publicly on the reports.
2. Scaramucci row: A Shakespearean tale of jealousy and betrayal?
A day after Mr Priebus was removed as White House chief of staff, the hacker emailed then-White House media chief Mr Scaramucci pretending to be his adversary.
The fake Mr Priebus accused Mr Scaramucci of being “breathtakingly hypocritical” and acting in a way not “even remotely classy”.
Mr Scaramucci, appointed communications director a week earlier, had accused Mr Priebus – a Republican Party stalwart – of leaking to the press. He also phoned a reporter to unleash a profanity-filled rant against Mr Priebus, whom he called a “paranoid schizophrenic”.
Tricked by the fake emails on Saturday, the real Mr Scaramucci said: “You know what you did. We all do. Even today. But rest assured we were prepared. A Man would apologize.”
When the pretend Mr Priebus wrote back defending his work, Mr Scaramucci responded: “Read Shakespeare. Particularly Othello.”
Mr Scaramucci was sacked as President Trump’s media chief on Monday.
3. Donald Trump Jr cottons on
Eric Trump, too, was briefly hoodwinked by the prankster emailing as his older brother, Donald Trump Jr, about a long-range hunting rifle.
But Donald Jr soon realised it was a scam and replied: “I have sent this to law enforcement who will handle from here.”
Experts told CNN the incidents showed how even the most powerful people in America remained vulnerable to phishing attacks, where hackers send fake emails to induce individuals to reveal personal information.
Concern about politicians being targeted is particularly high after the attack on the Democratic National Committee during the US presidential election.
US authorities attributed that incident to Russia and said that a significant component of the attack involved phishing.
More recently, the electoral campaign of President Emmanuel Macron in France was targeted by a similar campaign.
Analysis: ‘All they do is spoof the email’
Chris Baraniuk, BBC News technology reporter
If you think your email address is proof of who you are, think again. It’s long been a feature of the technology that someone can set up a mail server to send emails that look as though they have come from another person. Say “firstname.lastname@example.org”.
But in such cases, any reply to that message will go to the real “email@example.com”. The email prankster was able to receive the replies, of course, because he or she published them. How?
While we don’t know the details, it’s possible that an email address was set up at a domain name that was very similar to “whitehouse.gov”.
It’s a well-known problem, says cyber security expert Prof Alan Woodward at the University of Surrey. He points out that scammers in the UK have been known to email house buyers with an apparent message from their solicitor. It asks them to transfer payment to the scammer’s account.
“All they do is they spoof the email by changing one character,” says Prof Woodward. The recipient’s eye hastily skims over the altered or missing letter, and the message is simply taken as legitimate.
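A mail filter can catch what a hurried reader misses. The following is an added example, not part of the original article: it flags a sender domain that sits within two character edits of a trusted domain, and goes slightly beyond the text by also flagging a Reply-To header that sends replies to a different domain than the one shown in From. The domain names, the allow-list and the sample messages are all constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

TRUSTED = {"agency.example"}  # constructed allow-list of the organisation's own domains

def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            # Two adjacent letters swapped counts as a single edit.
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if the header is absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def check_message(raw):
    """Return a list of warnings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    sender, reply = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    warnings = []
    for good in TRUSTED:
        # Close to a trusted domain but not equal to it: the one-character trick.
        if sender != good and 0 < edit_distance(sender, good) <= 2:
            warnings.append(f"lookalike sender domain: {sender} resembles {good}")
    if reply and reply != sender:
        warnings.append(f"replies diverted: From {sender}, Reply-To {reply}")
    return warnings

# Constructed sample messages.
GENUINE = "From: Jo Smith <jo.smith@agency.example>\nSubject: Friday\n\nSee you then.\n"
LOOKALIKE = "From: Jo Smith <jo.smith@agencv.example>\nSubject: Party\n\nCan you make it?\n"
DIVERTED = ("From: Jo Smith <jo.smith@agency.example>\n"
            "Reply-To: jo.smith@mailbox.example\nSubject: Party\n\nCan you make it?\n")

if __name__ == "__main__":
    for name, raw in [("genuine", GENUINE), ("lookalike", LOOKALIKE), ("diverted", DIVERTED)]:
        print(name, check_message(raw))
```

A check like this complements, rather than replaces, sender authentication such as SPF, DKIM and DMARC, which cannot help when the message really does come from a lookalike domain the sender controls.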