SecureWorld News

Teen Uses Social Engineering Attack on Teachers and It Works

Written by SecureWorld News Team | Mon | Aug 12, 2019 | 11:30 AM Z

Let's hope this kid becomes a white hat hacker instead of a cybercriminal.

He certainly has skills.

Investigators in Riverside, California, say a 15-year-old high school student allegedly used both social engineering and hacking to change grades.

He apparently made his grades better (surprise), and gave some other kids worse grades than they actually earned.

And in the comments section? Some true classics. 

Imagine if your child's comment section on the report card read, "Sleeps in class." According to detectives, the suspect in this case put that onto a report card.

That comment, and others, led to questions and complaints to school administrators—and eventually, to the student getting caught.

How did a teenager hack school grades?

The boy used a social engineering attack called spearphishing, where he targeted four different teachers with a spoofed email to get their usernames and passwords for the school network. They fell for it.

The Riverside Press-Enterprise explains:

The teen created an email account that made it appear that his emails were coming from a high-ranking member of the school's administration, Riverside Police Detective Brian Money said.

The emails requested four teachers' usernames and passwords for school computers. Had the recipients clicked on the administrator's name, they would have seen that the extension (such as gmail.com or yahoo.com) did not come from a school account, Money said.

"It's relying on the fact that folks may not check or scrutinize when a suspicious request is made," Money said.

But the recipients apparently did not check in this case, Money said, so they forwarded their login information to the student. The student entered the school computer and altered his grades.

Why does social engineering work?

Hacker Kevin Mitnick is famous for the stories he tells about his time as a teenager. He was constantly manipulating others to get unauthorized access to phone and computer systems. It even landed him in jail a few times.

I'm reading his book Ghost in the Wires right now, and here is what he says about how and why social engineering attacks are so successful:

The basic tactic is simple. Before you start social engineering for some particular goal, you do your reconnaissance. You piece together information about the company, including how that department or business unit operates, what its function is, what information the employees have access to, the standard procedure for making requests, whom they routinely get requests from, under what conditions they release the desired information, and the lingo and terminology used in the company.

The social-engineering techniques work simply because people are very trusting of anyone who establishes credibility, such as an authorized employee of the company.

In the case of one company SecureWorld profiled, this type of trust led to $18.6 million gone in a single week because employees thought the CEO asked them to move some funds.

And in this case, the 15-year-old student tricked teachers into giving up network credentials by posing as an administrator.

Will the high school hacker be charged with a crime?

Detectives have asked that the alleged student hacker face computer intrusion charges, but ultimately, that is up to prosecutors.

In the meantime, perhaps teachers will be doing security awareness training during one of those infamous "in-service" days this year. 

[RELATED: Security Un-Awareness: Company Suing Employee for $138,000 in BEC Losses]