A group of 12- and 13-year-old students at Schoenbar Middle School in Ketchikan, Alaska, were able to take control of over 300 computers after crafting a phishing scam and sending the emails to various teachers. The messages asked the teachers to log in to accept a software update. When they did so, the students obtained the teachers’ administrative privileges. It’s not clear what they did with their stolen powers or how they were caught, but the school’s principal says no data was compromised and personal information remained unseen.
“I don’t believe any hardware issues were compromised,” Casey Robinson, the principal, told community radio station Ketchikan FM. “No software issues were compromised. I don’t think there was any personal information compromised. Now that we have all the machines back in our control, nothing new can happen. How we do business is definitely going to have to change when it comes to updating programs and resources that we have on the machines.”
The group, which is said to be made up of at least 18 students, is presumably facing disciplinary action. The computers they accessed appear to have all been set up for student access only, so it doesn’t appear they tried to change grades or edit report cards. This goes to show just how easy it is to create and carry out a phishing scheme, and that even educated professionals such as teachers can, and do, fall for them. Simply educating end users isn’t enough. Networks should have strong filters in place and, if appropriate, links in emails should be blocked completely. Use of blacklists can help you block known phishing sites, adding another layer of protection.