In a bizarre hacking incident, teachers at a high school in California became part of a lesson in cybersecurity when it was revealed that a student of theirs had used them to access the school’s server and alter the grades of 10-15 other students.
Whenever I blog about cybersecurity, it’s always important to remind people that they are the greatest vulnerability of all when it comes to their data. NordVPN will help secure you against a vast array of online threats, but it won’t protect you from yourself. Phishing emails and other types of social engineering are designed to make you willingly relinquish sensitive information and expose yourself to hackers. And that’s just what happened at Ygnacio Valley High School.
According to local news reports, the alleged culprit – 16-year-old David Rotaro – spent only 5 minutes creating the phishing email he used to launch the attack. He sent it to the school’s entire staff, and a link in that email led to an exact (but fake) copy of the school’s website. All it took was a single careless teacher entering their log-in info on the fake site for him to gain access.
Once he logged in, Rotaro changed the grades of 10-15 students. Some were raised and others were lowered. Curiously enough, his grades remained unchanged – but if you’re clever enough to hack into your school’s server, chances are you might be clever enough for your compsci class!
Things took a more serious turn once the hack was discovered. The police eventually tracked the hack down to Rotaro’s home and broke down the door, arrest warrant in hand. Dug, a K9 detective specially trained to sniff out electronic devices, found a hidden USB stick in a box of napkins that contained evidence regarding the attack. Now, Rotaro is facing as many as 14 felony charges.
In an interview with local TV news, Rotaro boasted that the hack was “like taking candy from a baby.” While the comment probably made his lawyer facepalm hard enough to break his own nose, the amateur hacker is right. What else would you call it when a 16-year-old uses a simple, paper-thin trick to fool an entire team of educated and responsible adults?
It might be easy to blame the teachers and accuse them of being foolish for falling for such a simple attack. However, phishing and social engineering attacks are still remarkably common – and that’s because they work.
Before this attack was discovered, any of the teachers involved most likely would’ve scoffed at the idea of falling for such an attack. However, at least one of them did fall for it. How sure are you that someone won’t come up with an attack perfectly designed to fool you?
Some attacks target “low-hanging fruit,” like elderly internet users who may not be familiar with the deep bag of tricks used by social engineers, and those are the attacks that the average internet user can see right through. Even email spam filters can often see through them and eliminate them. However, spear-phishing (targeted phishing) and malware delivery via email are becoming more and more popular. These methods use tricks specifically tailored to their targets – much like Rotaro’s email, which linked to a fake website designed to fool his teachers.
This is a valuable lesson for institutions as well. If you don’t want your important data and infrastructure to be accessed and edited by teenagers, train your staff in cybersecurity!
Email scams and spear-phishing attacks are becoming more and more sophisticated. We will always advocate securing your system with NordVPN, but that’s not all it takes. Educate yourself so you can recognize any attack you encounter!