PHISHING WITH AI
Phishing scams trick people into making security mistakes, such as handing over passwords, by using familiar details to make a nefarious email seem like it came from a legitimate source. School districts regularly post a trove of information, from school board minutes and budget reports to bus schedules and break calendars, and some cybersecurity experts are pointing out that advances in AI have given cyber criminals more ways to harvest and weaponize it.
“The sophistication of this is at a point where it’s so much easier to get people to make a mistake than it is to get past cybersecurity,” he said.
And there are lots of people connected to school computer systems who could make that mistake, including teachers, students, parents and vendors. The result could be the accidental installation of ransomware or the theft of institutional data or funds.
ANATOMY OF AN ATTACK
Speaking to Government Technology on condition of anonymity due to pending litigation, a chief technology officer (CTO) of one large public school district described how a vendor self-service portal, used for billing purposes, proved to be the weak link in an otherwise strong cybersecurity posture.
They said a bad actor is believed to have used AI to create a phishing scam, posing as a vendor needing access to the portal. The CTO said the attack seemed credible because it was full of accurate details about the vendor’s work for the district, which involved a series of large construction projects. Looking back, the CTO said these items had all been posted online, making them easy ammunition for a bad actor armed with AI.
“School district contracts for things like construction are really big contracts, and because we’re public agencies, we have to make all that business public,” the CTO said.
Believing the bad actor was actually a representative of the construction company that did business with the district, staff let them into the billing portal. From there, the criminal changed the vendor’s bank account number to their own and began to receive payments from the school district that were meant for the construction company.
Multifactor authentication on the billing portal would have required the bad actor to confirm their identity in more than one way, but the feature was not functional, the CTO said — something the district did not discover until after the money was stolen.
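The control that was missing in the account above is a hold on payee changes: a bank-account update submitted through a portal should not take effect until it has passed MFA and been confirmed through contact details the district already had on file, never details supplied in the request itself. The following is an added illustration written for this article, not code from the district or from any vendor portal; the vendor names, account identifiers and phone numbers are constructed.

```python
"""Added example: a vendor payment-detail change workflow that holds every
bank-account update until MFA has passed at submission and the change has
been confirmed by a callback to the phone number already on file."""
import datetime as dt
from dataclasses import dataclass


@dataclass
class Vendor:
    name: str
    bank_account: str            # where payments currently go
    contact_phone_on_file: str   # recorded at onboarding, not editable via the portal


@dataclass
class ChangeRequest:
    vendor: str
    new_account: str
    mfa_passed: bool
    callback_confirmed: bool = False
    status: str = "pending"


class PayeeChangeControl:
    """Refuses to reroute payments until two independent checks both pass."""

    def __init__(self, vendors):
        self.vendors = {v.name: v for v in vendors}
        self.audit = []   # append-only log a reviewer can read after the fact

    def _log(self, event, req):
        stamp = dt.datetime.now(dt.timezone.utc).isoformat()
        self.audit.append(f"{stamp} {event} vendor={req.vendor} status={req.status}")

    def submit(self, vendor, new_account, mfa_passed):
        if vendor not in self.vendors:
            raise KeyError(f"unknown vendor {vendor!r}")
        req = ChangeRequest(vendor, new_account, mfa_passed)
        if not mfa_passed:
            req.status = "rejected_no_mfa"   # portal session never proved identity
        self._log("submit", req)
        return req

    def confirm_by_callback(self, req, number_dialed):
        # Only a call placed to the number on file counts; a number quoted in
        # the request (or in the email that prompted it) proves nothing.
        on_file = self.vendors[req.vendor].contact_phone_on_file
        if req.status == "pending" and number_dialed == on_file:
            req.callback_confirmed = True
            self._log("callback_confirmed", req)
        else:
            self._log("callback_mismatch", req)
        return req.callback_confirmed

    def apply(self, req):
        if req.status == "pending" and req.mfa_passed and req.callback_confirmed:
            self.vendors[req.vendor].bank_account = req.new_account
            req.status = "applied"
        elif req.status == "pending":
            req.status = "held_unverified"   # payments keep going to the old account
        self._log("apply", req)
        return self.vendors[req.vendor].bank_account


def demo():
    """Constructed scenario: an accurate-looking request to reroute payments."""
    control = PayeeChangeControl([
        Vendor("Example Builders LLC", "ACCT-ORIGINAL-0001", "+1-555-0100"),
    ])
    req = control.submit("Example Builders LLC", "ACCT-NEW-9999", mfa_passed=True)
    # Staff dial the number printed in the request instead of the one on file.
    control.confirm_by_callback(req, "+1-555-0199")
    account = control.apply(req)   # held; the payee account is unchanged
    return account, req.status


if __name__ == "__main__":
    print(demo())
```

The design point is that the two checks draw on different sources: MFA proves the portal session belongs to someone holding the vendor's second factor, and the callback proves the request is known to a contact the district recorded before the request arrived. A request that satisfies only one of them stays held and is visible in the audit log.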
Given that schools often keep details of cyber attacks under wraps for legal and security reasons, the CTO said the district was also in the dark about the fact that a nearby district had been attacked the same way a few months prior.
“Because of the way we’re told not to talk about anything, nobody knew about it, and then we ended up having the exact same situation happen,” the CTO said. “Exact same platform, exact same attack type, exact same vendors that they were working to replicate.”
DISTRICT DEFENSE
To defend against such attacks, Ryan said cybersecurity staff should begin with basic preventive measures, such as labeling all external emails and requiring MFA for district end users.
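External-email labeling is usually a rule in the mail platform, but the logic is simple enough to show end to end. The block below is an added example for this article, not code from any district or mail vendor: it parses a message with Python's standard `email` module, prefixes the subject of anything not sent from an assumed district domain (`example-district.k12.us`, a placeholder), and records two further signs worth surfacing to the reader, a display name that imitates an internal address and a Reply-To pointing somewhere other than the sender. The two sample messages are constructed.

```python
"""Added example: tag mail from outside the district and flag common
impersonation tells. The domain below is a placeholder, not a real district."""
from email import message_from_string, policy

INTERNAL_DOMAINS = {"example-district.k12.us"}   # assumed district domain(s)
EXTERNAL_TAG = "[EXTERNAL]"


def _domain(header):
    """Lower-cased domain of the first address in a From/Reply-To header, '' if none."""
    if header is None or not header.addresses:
        return ""
    return header.addresses[0].domain.lower()


def tag_external(raw_message):
    """Return (message, flags). External mail gets the subject tag; flags say why."""
    msg = message_from_string(raw_message, policy=policy.default)
    flags = []
    from_domain = _domain(msg["from"])
    if from_domain in INTERNAL_DOMAINS:
        return msg, flags            # internal mail passes through untouched
    flags.append("external-sender")

    subject = msg["subject"] or ""
    if not subject.startswith(EXTERNAL_TAG):
        del msg["Subject"]
        msg["Subject"] = f"{EXTERNAL_TAG} {subject}".strip()

    # A display name that reads like an internal address while the real
    # address is external, e.g. "billing@district" <someone@elsewhere>.
    display = msg["from"].addresses[0].display_name.lower()
    if any(d in display for d in INTERNAL_DOMAINS):
        flags.append("display-name-impersonation")

    # Replies quietly routed to a third domain.
    reply_domain = _domain(msg["reply-to"])
    if reply_domain and reply_domain != from_domain:
        flags.append("reply-to-mismatch")
    return msg, flags


# Constructed sample messages, not captured traffic.
INTERNAL_MAIL = """From: Facilities <facilities@example-district.k12.us>
To: ap@example-district.k12.us
Subject: Bus schedule for spring break

See the attached calendar.
"""

VENDOR_LOOKALIKE = """From: "billing@example-district.k12.us" <accounts@vendor-lookalike.example>
Reply-To: payments@another-domain.example
To: ap@example-district.k12.us
Subject: Updated remittance details for the gym construction project

Please update our banking details in the portal.
"""


def classify(raw_message):
    """Convenience wrapper: returns the final subject line and the flag list."""
    msg, flags = tag_external(raw_message)
    return str(msg["subject"]), flags


if __name__ == "__main__":
    for sample in (INTERNAL_MAIL, VENDOR_LOOKALIKE):
        print(classify(sample))
```

The tag on its own only tells a reader the message came from outside; the two extra flags are the ones that turn a plausible vendor message into something an accounts-payable clerk should route to IT before acting on it.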
The CTO in the district described above said more communication among technology leaders across school districts, in confidential environments, is another way to combat these attacks.
“We need to be able to talk about what’s happening, because the attack surface is the same for all of us, and we all have the same conditions,” the CTO said. “We are public agencies that have to create public disclosure of our tools and our resources, and the contracts we have with vendors are public.”
All these details being available online — combined with varied end users and portals, loads of student data and a general lack of resources for strong cybersecurity — have made schools a prime target for cyber attacks.
“We have every condition to be sitting ducks, and you add on top of it the 'don’t ask, don’t tell'-type culture that’s existing when things happen, and this is the situation districts keep finding themselves in,” the CTO said.
While it may be a good idea to communicate more often with trusted colleagues, school leaders would be wise to share less on the open Internet, Ryan said. For example, instead of posting the email address of each staff member online, he recommends using links in their names that go through an internal filter. Other district details should be posted within MFA-protected portals whenever possible, he added, and IT staff should be careful not to publish the systems they use online.
“All this is generous public information that we provide that makes it a lot easier for the bad guys to come up with a scam,” Ryan said. “Don’t make it easy for the people who are trying to get in.”
*Note: The Center for Digital Education is part of e.Republic, Government Technology's parent company.