Accucom Blog
Zero-Days of Our Lives, Episode 1: Spoofing
While we may be IT professionals and—as such—take security extremely seriously, it can occasionally help to discuss business cybersecurity with a different approach… such as a daytime soap opera. What follows is one of these occasions.
Welcome to Oak Falls, a cozy little coastal hamlet shielded by the trees that give it its name. Unfortunately, these trees do little to protect the residents from the cyberthreats that loom over us all. Like bytes through the Internet, these are the Zero-Days of Our Lives.
Bianca Cosentino flipped her hair over her shoulder, her red pen pausing over each question on the quiz that her students had completed before heading to lunch. Lips pursed, she took note of which questions most students had missed the mark on, resolving to circle back and review the problematic topics a little more.
She sighed and leaned back. Rubbing her temples, Bianca took a quick inventory of her lessons for the rest of the day… she had a government and civics class immediately after lunch, study hall, and another world history class, after which she had a student coming in for assistance with a project. She looked down at the stack of quizzes on her desk. Just a few more to go.
Instead of diving in, however, Bianca decided to check her email.
She skimmed through her inbox, reviewing the messages within. All the usual communications were there—gossip amongst teachers, a notice from the school district alerting teachers to students’ evil twins taking tests for them, and the like. Bianca dutifully reviewed them all, coming across one that seemed innocuous enough.
Oak Falls High School utilized an online portal that allowed faculty and staff to manage student information and grades, managed by the school’s technology specialist. This portal also enabled teachers and administration to communicate easily, with notifications occasionally appearing in the user’s inbox. Bianca had come across one such notification. Apparently, a parent was concerned about potential bullying and wanted some reassurance that the situation was being addressed. It seemed that this parent had reached out to the administrative staff.
“Ms. Cosentino,
It has been brought to my attention by Deborah that her son has been experiencing verbal bullying by another student. I wanted to ask if there was anything going on in class that you had found troubling so we might be able to approach the situation with all the information available to us. Please let me know as soon as possible via the portal.
I have set up a dedicated conversation to address the matter and evaluate the risk of it escalating. Here’s the link:”
The provided link looked just like any other that would take her to the portal.
“I am taking this matter extremely seriously, so please do not delay in your response.
Sincerely,
Dr. Jordan Stone
Principal, Oak Falls High School”
While Bianca didn’t recognize the name “Deborah,” there were plenty of students whose parents she had not communicated with… and if she was being honest, she was far more concerned for the safety of a young person. She quickly clicked the link to find herself looking at the portal’s login page.
Despite the seriousness of the task at hand, Bianca rolled her eyes. “You’d think it would recognize me by my email and let me in automatically,” she said to herself. Sighing, she typed in her username and password.
Bianca reviewed her portal, checking for the conversation to get herself up to speed. Strangely, no conversation like that existed. She furrowed her brow in confusion.
“What the…”
She stood from her desk, still staring at her display, then briskly walked over to the phone installed near the doorway, as in every classroom. Maybe Dr. Stone simply hadn’t sent the message yet and had misspoken. Dialing the principal’s office, she patiently waited for Janice—the principal’s receptionist and, when needed, shepherd—to answer. After the first ring, Janice picked up.
“Hi, Janice, it’s Bianca Cosentino. Is Dr. Stone in? I just got his email about a student issue, but the link he sent doesn’t seem to be working. I wondered if he hadn’t set up the conversation yet, or…”
Bianca paused as Janice interjected.
“Okay, thanks.”
After a few more rings, Bianca reached the principal.
“Hi, Dr. Stone… I got your email. I tried using the link you sent, but it didn’t bring me to your message or show me the group you set up. Could you send me another invite, by any chance?”
Again, Bianca paused, listening as her boss responded. Concern suddenly flashed across her face.
“Yes, yes… the email you sent earlier. It had the portal link to the conversation you were putting together about a student being bullied. Who was it you were referring to?”
Another pause.
“You said you had received concerns from a parent, Deborah. You wanted to set up a conversation to try and resolve the issue before it escalated—”
The concern suddenly became outright alarm.
“You didn’t send me that?”
Hanging up the phone, Bianca rushed back to her computer, returning to the email her boss had just denied sending. Looking closely, Bianca realized that the sender’s address wasn’t actually the official address that Dr. Stone would use… it was close, very close, but the school’s name was abbreviated differently from the way it appeared in the school’s real address.
The young educator stepped back from her desk, looking dramatically out the window in her panic. She had heard of this kind of thing before—spoofing, she thought it was called—where a cybercriminal would send a fraudulent link in an email and steal the victim’s credentials when they entered them into the fake site.
Bianca quickly turned her gaze back to her computer, manually opening her browser and trying to log into the portal from there.
Access denied. The password provided does not match our records.
Feeling her heart sink, Bianca tried again.
Access denied. The password provided does not match our records.
Bianca again turned from her computer, looking into the middle distance. Whoever had actually sent that message had already changed her credentials and locked her out. Her fear and panic rose again as she considered the information she had just handed over.
TO BE CONTINUED…
***
Next time, on Zero-Days of Our Lives, we learn what trouble is brewing for Max Cooper, owner and operator of the local Tasty Beans coffee shop, while Rhea Pennington learns the value of not using a list of passwords as a bookmark.
Zero-Days of Our Lives is brought to you by Accucom, one of New South Wales’s best options for comprehensive IT services. To learn more about how you can keep your business safe, give us a call at (02) 8825-5555.