Exploit of Trust Hack in a K-12 School

I was contacted the other day and asked to assess the threat posed by the email below. The message was sent to much of the professional staff of a local school district. The subject line read “URGENT. MUST READ.” The email was from an email account at a university in North Carolina, US. The content of the message was a link to a web site that read in part “Contact Update”.

Screen Shot 2013-05-29 of email

Following the link, users were taken to a web page that looked like this (see below). The page is titled “School Support Team” and asks the user to enter their first and last names, date of birth, email address, username, and password (p-word with confirmation).

Screen Shot 2013-05-29 at 12.14.38 PM

There is no title that associates the site with the school district. If anything, the form asking for a “p-word” should have raised a caution flag for anyone who saw it.

A number of people who received the email message contacted the IT department and asked what they should do. As the IT administrators fielded more calls, they sent email messages to all of the district’s users alerting them not to respond to this message.

In the end, several employees acknowledged that they had not only received and read the email message but had also followed the link and filled out the form. I wish I could say that these were all low-level folks who didn’t know better. But I can’t.

When discovered by the IT staff, these employees were advised to change their passwords immediately. Should their accounts have been disabled, forcing them to choose a new password? Probably. But the IT staff and the district don’t have policies in place to mandate such a move.

What’s worse is that some employees complained that they could not change their passwords. You see, they would not be able to remember anything else. And some of those same people reported that their school password matched the one they use for their home email and banking. Yes. That was priceless.

Some employees complained that the web filter that blocked them from viewing their favorite web sites while at work should have stopped the message getting through or stopped them from being able to access the web site and form. The reality is that the message was delivered from an email address at a university. This message exploited the trust relationship formed because the supposed sender was in the “dot edu” domain. The chances that the web or email filter at a school would block a message from another school are slim. An important takeaway from this should be that web sites hosted at free web providers like this one should be blocked. I did advise that they add the site “webs.com” to their blacklist.

What can come of this?  I would expect that any account for which the user entered a username and password will be probed.  My guess is that this was a data gathering exercise and that the probes will not start immediately.

If you are a school district IT professional, here is what you should add to your defenses. The link in the message referred to a free web hosting site at webs dot com.

Screen Shot 2013-05-29 at 12.15.16 PM

The web site used a form that was created at the free form site Freedback dot com.

Screen Shot 2013-05-29 at 12.14.53 PM

I would suggest adding these sites to your local blacklist.
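As an added example (not code from the original post), here is one way to check already-delivered mail against such a blacklist so you know which recipients to follow up with. The two domains are the ones named above; the message format (a dict with `to` and `body`), the sample messages and all addresses are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Domains named in the post; extend with your own local entries.
BLOCKED_DOMAINS = {"webs.com", "freedback.com"}
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def blocked_domain(url, blocked=BLOCKED_DOMAINS):
    """Return the blocklist entry that covers this URL's host, or None."""
    try:
        # .hostname ignores any "user@" prefix and lowercases the host.
        host = (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:
        return None
    labels = host.split(".")
    # Compare whole DNS labels so "notwebs.com" does not match "webs.com".
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocked:
            return candidate
    return None


def flag_messages(messages, blocked=BLOCKED_DOMAINS):
    """Map each recipient to the blocked URLs found in mail sent to them."""
    hits = {}
    for msg in messages:
        urls = [u.rstrip(".,;") for u in URL_RE.findall(msg["body"])]
        bad = [u for u in urls if blocked_domain(u, blocked)]
        if bad:
            for rcpt in msg["to"]:
                hits.setdefault(rcpt, []).extend(bad)
    return hits


# Constructed sample messages (not taken from the incident).
SAMPLE = [
    {"to": ["teacher1@district.example"],
     "body": "URGENT. MUST READ. http://placeholder-site.webs.com/contact-update"},
    {"to": ["teacher2@district.example"],
     "body": "Menu: https://notwebs.com/menu and http://example.org/?ref=webs.com"},
    {"to": ["principal@district.example"],
     "body": "Fill this in: http://WWW.Freedback.COM./form/123."},
]

if __name__ == "__main__":
    for rcpt, urls in flag_messages(SAMPLE).items():
        print(rcpt, urls)
```

Matching on whole host labels, rather than searching for the string anywhere in the URL, catches every subdomain of a blocked hosting provider without flagging lookalike names or query strings that merely mention it.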

I did contact Freedback dot com, Webs dot com, and the university that the email came from. To their credit, the team at Freedback dot com responded to my Twitter requests to block the site within hours. The team at webs dot com responded the next business day. The university still has not responded.

What’s the threat here? Given the use of the “p-word” I don’t think the attacker is local to the east coast of the US. This could be just a person or company that sells into schools gathering data so as to avoid cold calling. This could be an attacker trying to locate users who give up their passwords with the intent of later finding other accounts (think Yahoo Mail or Gmail).

My strong recommendation to the person who called me was to step up security awareness training for all district employees.