WDDinc Web Security Blog

Insight from the leader in secure application development

Changing Grades – One Student’s Dream


As the current Fall semester comes to a close, a young geek’s dreams turn towards…

No, not girls, why bother to even think about the impossible? The great geek dream is the hacking of the registrar’s database to fix a few grades. How many movies and TV shows have we all seen where the geek makes a few grade changes; maybe helping out that cute girl in his class to win her admiration?

A friend of mine from a major university just sent me a story of a geek who lived that dream—well almost. He was so close; if it weren’t for a few chatty office workers, his 3.5 GPA would have been assured.

I love a good Social Engineering story. Let’s look at the seven steps to a great GPA:

Step 1 – First, the student conned email credentials from an instructor at the university. Let’s be honest, this is like shooting “phish” in a barrel. With literally hundreds of instructors—many young, naïve and new—the student probably had his pick of stolen email credentials.

Step 2 – With no lack of ambition, the student set up a forged version of the university’s webmail portal. While this takes some geek credentials, it’s not really that hard. With a few simple tools, anyone can grab a website and make an identical, fake version on their own server.

Step 3 – Next, using the instructor's email account conned in Step 1, the student sent emails to university registrar office staff. The malicious emails pointed the registrar staff to the student's bogus (but real-looking) webmail portal. The fact that the emails came from a university instructor most likely removed any suspicion.

Step 4 – At this point, the registrar staff members who fell for the email head fake in Step 3 unknowingly handed the student their email credentials. This is a common ploy: when each deceived staff member entered his or her name and password, the student's fake webmail portal collected the credentials, then displayed a generic IT-problem message with the advice to try again later.

Step 5 – His phishing scam successful, the student gained access to several registrar staffers' email accounts and could study their writing style and look for account IDs. At this point, the student, for all practical purposes, could pass himself off as a registrar staffer.

Step 6 – Next, the student sent emails from the compromised registrar staffers' accounts (those whose credentials he had picked up in Step 5) to other registrar staff members, asking for the password to the university student record database. Keep in mind that the student was imitating the writing style of the account owner and sending his email to that staffer's colleagues. We've all received the email that starts: "Darn, don't know where my brain is today – can you send me…"

Step 7 – Finally, one of the registrar staff members sent the student the requested password, probably thinking she had done her good deed for the day.
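As an added example (not code from the original post or from the university involved), here is a small Python scanner that applies the two checks a registrar's mail gateway could have run on the messages in Steps 3 and 6: a message whose sender claims the university's own domain but whose links lead to a host outside it (the cloned webmail portal), and a message that asks a colleague to send a password. The university domain example.edu, the look-alike portal host and the three sample messages are all constructed for illustration; nothing here is taken from the real incident.

```python
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Assumption: the university's real mail domain. Links to any other host in a
# message that claims to come from this domain are treated as suspect.
TRUSTED_DOMAIN = "example.edu"
TRUSTED_LABEL = TRUSTED_DOMAIN.split(".")[0]  # "example", used to spot look-alikes

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Matches the Step 6 lure: "can you send me the password ..." and similar phrasing.
PASSWORD_REQUEST_RE = re.compile(
    r"\b(send|give|email|remind)\b.{0,40}\b(password|passwd|login)\b",
    re.IGNORECASE | re.DOTALL,
)

# Constructed sample messages (not real mail): a Step 3 portal lure, a Step 6
# password request, and a legitimate message that should produce no findings.
SAMPLES = {
    "step3_phish": """From: Prof. Jones <jones@example.edu>
To: registrar@example.edu
Subject: Webmail maintenance

IT asked all staff to confirm their account tonight:
https://webmail.example-edu-portal.com/login

Thanks,
Prof. Jones
""",
    "step6_password_ask": """From: Registrar Staff <staff1@example.edu>
To: staff2@example.edu
Subject: brain fog

Darn, don't know where my brain is today. Can you send me the password for the student record database?
""",
    "legit": """From: Prof. Jones <jones@example.edu>
To: registrar@example.edu
Subject: Grade sheet

The fall grade sheet is posted at https://grades.example.edu/fall
""",
}


def sender_domain(msg: Message) -> str:
    """Domain part of the From header, lower-cased ("" if none)."""
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""


def body_text(msg: Message) -> str:
    """All text/plain content of the message as one string."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) for p in msg.walk()
                 if p.get_content_type() == "text/plain"]
        return "\n".join(p.decode(errors="replace") for p in parts if p)
    payload = msg.get_payload(decode=True)
    return payload.decode(errors="replace") if payload else ""


def is_trusted_host(host: str) -> bool:
    """True only for the trusted domain itself or a real subdomain of it."""
    host = host.lower()
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def analyze(raw: str) -> list:
    """Return a list of findings for one raw RFC 822 message.

    Only messages that claim to come from the trusted domain are examined,
    because that claimed origin is exactly what made the lures credible.
    """
    msg = message_from_string(raw)
    findings = []
    if sender_domain(msg) != TRUSTED_DOMAIN:
        return findings
    body = body_text(msg)
    for url in URL_RE.findall(body):
        host = urlparse(url.rstrip(".,;)")).hostname or ""
        if not is_trusted_host(host):
            # A host that merely contains the university's name is a look-alike.
            kind = "lookalike-link" if TRUSTED_LABEL in host else "external-link"
            findings.append(f"{kind}:{host}")
    if PASSWORD_REQUEST_RE.search(body):
        findings.append("password-request")
    return findings


def scan_all(samples=SAMPLES) -> dict:
    """Run analyze() over every sample; maps sample name to its findings."""
    return {name: analyze(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, findings in scan_all().items():
        print(f"{name}: {findings or 'clean'}")
```

The host check deliberately tests for a real subdomain (a trailing ".example.edu") rather than the string "example.edu" appearing anywhere, so the look-alike portal host is flagged while the genuine grades server is not. The password-request regex is only a heuristic; in practice the stronger control is a policy that no password is ever sent by email, so that any such request is suspect regardless of wording.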

The Kid is Golden

The student is golden at this point. He now owns the entire university student record database.

Think of the potential!

You have to admit, this kid is good. He’s on his way to a 3.5 GPA, free beers from his friends and maybe a date with the cute girl who really, really needs to pass calculus.

Too bad those gossips in the registrar's office had to blow it for him…
