The US Capitol Police will be opening an investigation into a flurry of hoax news releases announcing the deaths of prominent Democratic senators.
An email was sent to several news outlets on Tuesday, falsely stating that Sen. Patrick Leahy (D-VT) had died of liver cancer. "It was spoofed to look as if it had come from the office," Leahy spokesman David Carle explained.
According to WTOP radio in Washington, DC, "The email looked so authentic, a spokesperson from Leahy's office first told WTOP the email did originate from the senator's office and that they were trying to figure out who sent it."
Similar hoax messages sent out since Monday announced the deaths of Sen. Dianne Feinstein (D-CA) and Sen. Frank Lautenberg (D-NJ). All three messages were nearly identical.
Leahy, who requested the investigation by computer security experts with the Capitol Police, made light of the incident in an interview with Vermont Public Radio.
"Well, [my wife] Marcelle and I were kind of surprised to hear about this," Leahy told the interviewer. "And she said, 'Does that mean I don't have to get dinner tonight?' Sort of like the old Mark Twain thing: The news of my demise is greatly exaggerated."
Leahy was concerned, however, that the hoax revealed a more serious vulnerability. "If they're able to hack into my system, they can hack into anybody else's system," he suggested. "And there are a lot of senators who would be terribly upset to have something like this happen. But I also want to make sure that they're not sending out things that are making people think I've taken this position on an issue or that position on an issue."
Cybersecurity expert Gary Kessler explained to VPR, however, that spoofing someone's email address does not require gaining access to their system. All it takes is entering the other person's address as the sender, a technique often used by spammers.
As The New York Times pointed out, "A close look at the detailed header of the message makes clear that it did not originate from the Senate computer system but rather from an outside domain, 000.webhost.com -- a sign that government computers were not hacked."
Unfortunately, as Kessler noted, spoofing an email address is "very, very easy to do" and can be very difficult to track down.
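The kind of header check the Times describes can be scripted. The following is an added example, not part of the original article: it compares the domain claimed in the From line with the earliest relay, the Return-Path and the Message-ID. The sample message, every host name in it and the `org_domain` parameter are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not the real hoax message; every host is a placeholder.
SAMPLE = """\
Return-Path: <bounce@hosting-provider.example>
Received: from mx.newsroom.example (mx.newsroom.example [192.0.2.10])
\tby inbox.newsroom.example with ESMTP
Received: from web42.hosting-provider.example ([198.51.100.7])
\tby mx.newsroom.example with ESMTP
From: "Press Office" <press@senator.example.gov>
To: desk@newsroom.example
Subject: Statement
Message-ID: <abc123@web42.hosting-provider.example>

Body text.
"""

def addr_domain(value):
    """Domain part of an address header such as From or Return-Path."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def under(host, org_domain):
    """True if host is org_domain itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == org_domain or host.endswith("." + org_domain)

def origin_report(raw, org_domain):
    """Compare the domain claimed in From with where the headers say it came from."""
    msg = message_from_string(raw)
    hops = [m.group(1).lower() for rcv in msg.get_all("Received", [])
            if (m := re.search(r"\bfrom\s+([^\s()\[\]]+)", rcv))]
    mid = re.search(r"@([^>\s]+)", msg.get("Message-ID", ""))
    observed = {
        # Received headers are prepended, so the last one is the earliest hop.
        # Hops below your own mail server's header are sender-supplied text.
        "first hop": hops[-1] if hops else "",
        "Return-Path": addr_domain(msg.get("Return-Path")),
        "Message-ID": mid.group(1).lower() if mid else "",
    }
    return {
        "from_domain": addr_domain(msg.get("From")),
        "first_hop": observed["first hop"],
        "mismatches": [k for k, v in observed.items() if not under(v, org_domain)],
    }

if __name__ == "__main__":
    print(origin_report(SAMPLE, "example.gov"))
```

A From line inside the organisation's domain combined with mismatches in all three observed fields is the pattern the article describes: a message handed to the recipient by an outside host rather than by the purported sender's mail system.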