Cyber Attacker Targets Schools with Suspicious Email

It has been reported that a suspicious email is currently being sent to an education sector association. An attacker is contacting individuals and purporting to represent the association.An attacker is contacting individuals and purporting to represent the association with a version of the following statement:

“On behalf [Association name] it gives me great pleasure to ask, Would you like to obtain a 2020 [Association Name] Member List.?”

The email contains the association logo in the footer. 9ine's investigations have determined that this is an open source intelligence attempt to compromise the email accounts and systems of member and accredited schools.

How does open source intelligence work in this instance?

1. The association website has a directory of all member schools
2. The hacker visits a school website that is a member school
3. The hacker identifies key members of staff at the school who are likely to process valuable personal data; personal data that would generate ransomware reward or fraud.
4. The hacker gathers intelligence from the social media profile of the staff targeted. This includes Linkedin, Facebook, Twitter, Instagram etc.
5. Using this intelligence and other publicly available information the hacker uses tools available on the internet and the dark web to identify an email address associated with that staff member.
6. Once confident, the hacker sends an email purporting to be from the association to coerce the target into communication with the hacker

In the scenario reported to us today, the attacker is seeking to send a 'Member List’ to the target as a file. That file is likely to be loaded with  malware or other viruses. Given the current circumstances we have been warned to expect an increase in attacks on remote workers, unprotected by school security measures. 

What do I need to do to protect my school?

1. You must act immediately. Your school's IT team must undertake a global search for an email from ‘Susan Jones’ with an email address of evenstat4@evenstat.a2hosted.com. Do not open the emails. Delete the emails and block the sender immediately.
2. Ensure all members of the school community understand that they are at greater risk of attack given the current circumstances. We would suggest sending an email using some of the information contained in this communication.
3. Ensure a risk assessment of your IT Systems has been completed to ensure adequate security defences are in place. If you need support in completing this, 9ine have developed a Systems & Security Business Continuity framework that schools can access. We can also provide support in the instance of a potential incident. 
4. Have in place an incident management plan specifically tailored for a potential cyber security breach. This includes steps to identify the origin of the incident (your own systems, someone else’s or open source intelligence).
5. Strongly consider implementing protections, such as two-factor authentication, for those individuals who have access to or process personal data that if disclosed, would have a significant impact.