Cyber Attacker Targets Schools with Suspicious Email
By Mark Orchison - March 20, 2020
It has been reported that a suspicious email is currently being sent to an education sector association. An attacker is contacting individuals and purporting to represent the association.
An attacker is contacting individuals and purporting to represent the association with a version of the following statement:
“On behalf [Association name] it gives me great pleasure to ask, Would you like to obtain a 2020 [Association Name] Member List.?”
The email contains the association logo in the footer. 9ine's investigations have determined that this is an open source intelligence attempt to compromise the email accounts and systems of member and accredited schools.
How does open source intelligence work in this instance?
The association website has a directory of all member schools
The hacker visits a school website that is a member school
The hacker identifies key members of staff at the school who are likely to process valuable personal data; personal data that would generate ransomware reward or fraud.
The hacker gathers intelligence from the social media profile of the staff targeted. This includes Linkedin, Facebook, Twitter, Instagram etc.
Using this intelligence and other publicly available information the hacker uses tools available on the internet and the dark web to identify an email address associated with that staff member.
Once confident, the hacker sends an email purporting to be from the association to coerce the target into communication with the hacker
What is business continuity planning (BCP) and why is it important? Read 9ine's recent blog on supporting schools with business continuity planning.
In the scenario reported to us today, the attacker is seeking to send a 'Member List’ to the target as a file. That file is likely to be loaded with malware or other viruses. Given the current circumstances we have been warned to expect an increase in attacks on remote workers, unprotected by school security measures.
What do I need to do to protect my school?
You must act immediately. Your school's IT team must undertake a global search for an email from ‘Susan Jones’ with an email address of email@example.com. Do not open the emails. Delete the emails and block the sender immediately.
Ensure all members of the school community understand that they are at greater risk of attack given the current circumstances. We would suggest sending an email using some of the information contained in this communication.
Have in place an incident management plan specifically tailored for a potential cyber security breach. This includes steps to identify the origin of the incident (your own systems, someone else’s or open source intelligence).
Strongly consider implementing protections, such as two-factor authentication, for those individuals who have access to or process personal data that if disclosed, would have a significant impact.
For further information on data protection and information security see the following articles on password security, malware and why the education sector is at high risk of being targeted take a look at the following related resources: