October 20, 2020by Cybersixgill

Underground Reveals Popularity of Cyberattacks on Schools

Many schools face a unique breed of insider threat: their own students.

Whether motivated by boredom or personal gain, students pose an outsized risk to their own schools. That’s due in large part to the tools and services available to them on the dark web. They can find new ways to cheat or seek out a threat actor to DDoS their school.

An analysis of dark web conversations shows that conversations around schools spike in August and September, jumping 36.4% from 2017 to 2018, and another 10% from 2018 to 2019.

It’s not just chatter. K-12 schools reported 271 cyber incidents from January through September 2020. The brief spike of 29 reported incidents in April now looks quaint in comparison to the 58 incidents in August and 69 in September.

And of course students aren’t the only threat actors involved. Schools increasingly face ransom attacks and data dumps of student and staff PII from professional hackers.

Many of these cyberthreats against schools start or end on the dark web. What are the most popular topics of conversation right now? Let’s take a look.

1. New ways to cheat

Whether they’re looking for homework help or a fake diploma, students have access to myriad services on the dark web.

A simple search for homework services returns just over 23,000 results, dating back to 2002. Some individuals are looking for help on specific assignments, while others offer assistance, quoting prices for different assignments and courses.

 homework services

Other services are a bit more complex, including the grade-changing services that have received thousands of mentions across deep and dark web sources. This service goes beyond fraud to include breaching a network and accessing grade data. Grade changing is typically one service among many a threat actor offers, much like fake diplomas are often part of a larger list of counterfeit documents customers can purchase.

But threat actors also offer students actual material for learning. Unfortunately, it involves stolen content and credentials from sites like Udemy, Pluralsight, and Codecademy.

One threat actor shared a screenshot of stolen files full of course content from Pluralsight that were available for download. Others post stolen accounts. Since the start of 2020, we’ve observed over 33,000 mentions of free courses, accounts, and access to content.

2. New ways to disrupt class

Zoom bombing was notorious when schools first shifted to virtual learning at the start of the pandemic. And while Zoom made security changes, compromised accounts can still offer access to troublemakers.

Mentions of video conferencing services have surged on the dark web in August and September.

video conferencing services dark web

Class disruption isn’t necessarily the worst or only result when threat actors crash virtual classrooms. They can also share malicious links that can install malware, steal information, or take control of webcams.

DDoS attacks are another common disruption technique. In March and April 2020, we observed a spike in DDoS discussions targeting educational institutions, including threat actors advertising DDoS services and students seeking help DDoSing their schools. Since the start of 2020, we’ve observed 1,344 offerings of DDoS-as-a-service for students to choose from.

DDoS attacks

3. Dumping student data

Educational data is in high demand from threat actors looking to commit fraud, including identity theft. Cybersixgill has collected nearly 80,000 original posts or products regarding educational institution data. As recently as July 2020, a threat actor was attempting to sell a database for the Harvard Program on Negotiation —- a course for C-level executives.

Harvard Program on Negotiation

Data exposure is often due to third-party breaches at companies like Blackboard, Pearson, and Chegg. We’ve collected thousands of posts of compromised accounts and credentials for these organizations. These data dumps not only expose personal information, but pose a threat to each student’s other accounts as well.

4. Ransomware

Like many organizations, educational institutions have become targets for ransomware. In June, the University of California, San Francisco paid $1.14 million to recover encrypted files. The University of Utah was able to recover its data, but still paid hackers $457,000 so they wouldn’t release student-related data.

When victims refuse to pay, their data is posted to leak sites, a fate suffered by Illinois Valley Community College, Austin College in Texas, and Clark County School District in Nevada.

How can we protect schools and students from fraud, cyberattacks, and digital vandalism?

In response to the attacks on schools during the early months of the pandemic, two members of the U.S. House of Representatives introduced the “Enhancing K-12 Cybersecurity Act,” which would establish a $400 million grant program to help schools fight cyberattacks.

That would be a good start, but more needs to be done, and faster. It starts, ironically enough, with education. Teach students and staff basic cyber hygiene, including recognizing phishing emails. Warn students of the risks of engaging threat actors on the dark web, not to mention the real-world consequences, both academic and legal, they could face if caught.

Schools also need to put proper precautions in place, from two-factor authentication to data backups that can be restored in the event of a ransom attack.

While the vast majority of students are victims in these incidents, some are threat actors themselves. That makes it even more important to keep an eye on the conversations around schools that continue to spread across the deep and dark web.

Read our recent threat report, Another Brick in the Firewall: Dark Web Threats to Education, to learn more about the most popular education topics among threat actors and recommendations that can help prevent cyberattacks.

You may also like

A close-up, detailed, and vibrant image of a microscopic cell with numerous tentacle-like extensions, depicted in shades of pink and purple against a blurred blue background.

May 15, 2024

Black Basta's Devastating Attack on a US Hospital System: Lessons Learned and Protective Measures

Read more
Screen showing a malware alert

May 09, 2024

New 'Latrodectus' Malware Linked to Notorious 'IcedID' Developer: A Deep Dive into Targets, Potential Impact, and Remediation Steps

Read more
Chris Strand-Thumbnail

May 07, 2024

Enhancing Security Posture with Cyber Risk Intelligence Part 2

Read more