TitanHQ Blog

Alert - Phishing Attacks Targeting Schools

Posted by Geraldine Hunt on Tue, Dec 12th, 2017

For cybercriminals, nothing is sacred when it comes to money making exploits. Education is currently the biggest target for ransomware and phishing attacks. The Multi-State Information Sharing and Analytics Center (MS-ISAC), a division of U.S. Homeland Security, released an alert on December 4, 2017, to all K12 school districts.  The threat summary is as follows:

“Attackers are using phishing attacks to capture the login credentials of school employees who access their direct deposit paycheck accounts and then using the captured information to change the direct deposit information to load prepaid cards to be used by the attacker. “

The discovered scheme works like this:

  • Attackers send phishing emails to district employees containing a weaponized Microsoft Office document that captures the recipient’s inbox and sends additional phishing emails.  The malware is launched via the preview feature of MSO and does not require the user to open the document.
  • The email spoofs the payroll department and informs staff that they are updating the online payment portal.  Naturally, an embedded link is included so that staff members can update their direct deposit information and credentials.  The email includes the school logo to make it look authentic.  
  • The link redirects users to a third party domain managed by the hackers who then capture the user’s login credentials.  The email then automatically deletes itself from the client’s outlook to erase its footprint.
  • The cybercriminals then use the captured information to log into the compromised accounts and redirect payments to a series of prepaid cards.

The Importance of Update Patching

There are two takeaways from this new threat.  The first is that the attack is mitigated if your Microsoft Office is fully patched as the threat takes advantage of a vulnerability within the MSO preview feature.  Keeping your systems fully patched is one of the most effective ways to counter a majority of cyber attacks.  

The other takeaway is this: school districts are easy targets!  This is due to small IT staffs that are consumed with tickets, troubleshooting and maintenance and don’t have the time or in many cases, the knowledge base to enforce cybersecurity.  According to an education publication, The Journal, it takes K12 organizations 221 days to identify a breach and 83 days to contain it, compared to 155 days and 34 for the financial industry. 

School districts often have more information on people than most businesses.  Hackers target school districts to breach their information systems to steal personal information of students and staff such as social security numbers and tax information.  In some cases, it may take years for the victims to learn that their personal information has been compromised.  Data on teenagers is particularly attractive to hackers who are patient enough to wait until these students begin to establish credit later in life.  A number of schools have been targets of ransomware attacks, schools are excellent targets since so many schools are now completely dependent on technology for classroom instruction.  Schools even have to worry about attacks from students who attempt to alter grades, steal tests, and implement DDoS attacks in order to disrupt online testing.

Because school districts are considered such weak targets, they are sometimes used as a means to break into other government institutions.  Last October, a hacking group breached four Florida school districts in an attempt to breach other sensitive government systems including the state voting systems.

Considering the weak security reputation of school districts, it should be no surprise that there were 445 security incidents in the education sector last year according to the 2017 Verizon Data Breach Investigation Report.  What is surprising is the results of a recent survey conducted by the Consortium for School Networking (SoSN) and the Education Week Research Center.  The results of the survey point to a relaxed attitude amongst school technology leaders.  According to the survey, only 15% reported having implemented a cybersecurity plan in their own district.  Some of the results included:

  • 37% cited phishing scams as a significant threat while 11% identify it as very significant
  • 27% cited malware/viruses as a significant threat while 6% identify it as very significant
  • 20% cited ransomware as a significant threat while 7% identify it as very significant
  • 12% cited DDoS attacks as a significant threat while 6% identify it as very significant
  • 10% cited identity theft as a significant threat while 6% identify it as very significant

Recommendations of MS-ISAC to counter the mentioned active threat are a good place to start:

  • Use two-factor authentication for access to employee direct deposit websites.
  • MSO 365 environments should not be configured for mobile connection without system or IP verification
  • Manually type the web address of the website for your employee direct deposit account; do not trust hyperlinks embedded in unsolicited emails purporting to be from your employee direct deposit website
  • Changes to the employee direct deposit website should include a challenge question
  • Do not provide personal or financial information in response to an email request.

Just as school districts have recognized the value of integrating technology in the classroom, they also need to begin acknowledging the vulnerability of the digital world.  Don't let hackers walk through the front door of your school. Failing to secure every device that connects to the school's network provides the ultimate open space for hackers.  

Are you an IT professional at a school, that wants to ensure sensitive school, student, and staff data and devices are protected?  Talk to a specialist or  Email us at info@titanhq.com with any questions.

Never Miss a Blog Post

Sign-up for email updates...

Get Your 30 Day FREE Trial

Talk to Our Email and DNS Security Team

Call us on USA +1 813 304 2544 or IRL +353 91 545555

Contact Us