Tech & Learning | Lateral Phishing: What K-12 Schools Need to Know

by Sateesh Narahari, Tech & Learning

Students and teachers in K-12 school districts use technology in the classroom for learning, teaching, administrative operations, and to have real-time conversations. With the rise of cloud apps such as Google G Suite and Microsoft Office 365, it’s no secret that students and staff are online during the school day–sending emails and sharing files–more than ever before. In the education sector, email apps like Gmail, Outlook, and Exchange are a must-have to share files and assignments in order to support today’s age of digital learning. As a result, billions of emails are sent every day.

What Is Lateral Phishing?

Lateral phishing is a phishing campaign executed by an external threat–such as a hacker–but the email is sent from a school district’s compromised account to other accounts within the organization. In the case of K-12 school districts, this means the email is sent from a student, staff, or faculty member’s hijacked account.

Since the email with malicious content is sent from an internal school district account, the attack may not be caught by IT teams and can operate undetected for a long period of time. This can lead to more than one account being compromised in the same school, or in another school within the district, and the task of stopping the phishing campaign becomes exponentially more difficult.

In K-12, The Perimeter Is No More

K-12 education now lives in a post-perimeter world. Not only do IT teams need to monitor inbound and outbound traffic, but they also need to be monitoring what is inside the internal emails exchanged within a school district, whether it be an email from a student to a teacher (or vice versa), a teacher to another teacher, or a teacher to a staff member (or vice versa).

Today, students, staff, and faculty bring their laptops and mobile devices home–outside of a school’s network–but still exchange data with one another inside a cloud application. This means a school district’s security perimeter isn’t as defined as it once was. Furthermore, one could argue a perimeter no longer exists because people are more mobile today than before.

And yet, the education market continues to look at cybersecurity from a traditional view, focusing on network firewalls, email gateways, and message transfer agents (MTAs), when in reality K-12 education needs to shift its focus to monitoring what is taking place inside an application at all times. Here are three reasons why…



Yesterday’s Google Docs Phishing Scheme: OAuth as an Attack Vector

OAuth is a well-designed security standard that balances user experience and security, and it is a solid protocol that has been used across many apps. It is the standard many SaaS vendors support for REST API access. When something is as popular as OAuth, it quickly becomes an attractive target for hackers and bad guys, as with yesterday’s Google Docs attack.

There are indications that Russian-based spies are starting to leverage loopholes in end-user cognition to get access to corporate data. This is a clever mix of social engineering and exploiting user familiarity. The goal is to conduct corporate or political espionage or to use the data to demand ransom from targeted companies. Trend Micro has dubbed this attack “Pawn Storm”.

This Gmail attack works by asking the user to grant permissions to specific capabilities in Google G Suite, including the ability to read and write emails and documents, and to access user information such as name, email address, age, etc. Below are some potential scenarios:

  • An email sent from what appears to be the CEO to CFO authorizing payment to a third party
  • CryptoLocker-style attacks
  • Analyze sharing behavior and identify with which other domains the company has been sharing documents
  • A targeted corporate espionage program intending to predict upcoming M&A or funding activities

The sky is the limit for a skillful hacker once they get access to a targeted individual’s corporate Gmail and G Suite account. A more sophisticated attacker might even plant their code and strike at the perfect moment for maximum impact. In the case of yesterday’s Google Docs attack, it appears to have been carried out by an inexperienced hacker who went for maximum publicity instead of maximum damage. (Likely script kiddies, but we won’t ever know for sure.) Fortunately, Google reacted quickly and shut them down. However, not every attack will be as visible as that one.

You can read about the Google Docs attack in yesterday’s article on NetworkWorld.

Even some seemingly benign apps ask for broad permissions. For example, the Fox News app requests permission to read your email. That means that if the Fox News app is compromised, your organizational data may also be compromised. It’s never a good idea for employees to use corporate Gmail for these types of consumer applications, but they often do it anyway for convenience.

How to Protect Your Company Against Attack

Most advice on how to defend against this type of attack is focused on users checking the permissions they granted to different apps. However, this advice falls short for enterprises, since it is harder to enforce due to limited visibility.

ManagedMethods’ Cloud Access Monitor tool provides that critical visibility, so an administrator can review all the apps that employees have authorized and what permissions were granted to those apps.

Administrators can also search which apps have permission to read users’ emails or access documents in G Suite.

And finally, administrators can revoke access to these apps right from Cloud Access Monitor.
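The review-then-revoke audit described above, carried out in code as an added example (this is not ManagedMethods’ Cloud Access Monitor code, nor Google’s): it triages OAuth grant records shaped like the Admin SDK Directory API users.tokens.list response and flags any app holding a scope that reads or writes mail or documents, the capabilities the Google Docs app asked for. The grant records, the domain example-district.org and the client IDs are constructed for the example.

```python
import json
from typing import Dict, List

# Scopes that let an app read or write mail or documents, the capabilities the
# Google Docs consent-phishing app requested. Prefix match also catches
# gmail.readonly, gmail.modify, drive.readonly and so on.
HIGH_RISK_SCOPE_PREFIXES = (
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.",
    "https://www.googleapis.com/auth/drive",
)

# Constructed sample shaped like Admin SDK Directory API users.tokens.list
# output (fields clientId, displayText, scopes), one list per user. Not real data.
SAMPLE_GRANTS = json.loads(r'''
{
  "teacher@example-district.org": [
    {"clientId": "111.apps.googleusercontent.com", "displayText": "Gradebook Sync",
     "scopes": ["https://www.googleapis.com/auth/classroom.courses.readonly", "openid"]},
    {"clientId": "222.apps.googleusercontent.com", "displayText": "Google Docs",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"]}
  ],
  "student@example-district.org": [
    {"clientId": "333.apps.googleusercontent.com", "displayText": "News Reader",
     "scopes": ["https://www.googleapis.com/auth/gmail.readonly"]}
  ]
}
''')


def risky_scopes(scopes: List[str]) -> List[str]:
    """Return the scopes that grant mail or document access."""
    return [s for s in scopes if s.startswith(HIGH_RISK_SCOPE_PREFIXES)]


def audit(grants: Dict[str, List[dict]]) -> List[dict]:
    """Flag every (user, app) grant containing a high-risk scope.

    Each finding carries the Directory API resource an admin would DELETE
    to revoke that grant: users/{userKey}/tokens/{clientId}.
    """
    findings = []
    for user, tokens in grants.items():
        for tok in tokens:
            hits = risky_scopes(tok.get("scopes", []))
            if hits:
                findings.append({"user": user, "app": tok.get("displayText", "?"),
                                 "clientId": tok["clientId"], "risky_scopes": hits,
                                 "revoke_path": f"users/{user}/tokens/{tok['clientId']}"})
    return findings
```

An app that shows a Google product name but asks for full mail access (the "Google Docs" grant above) is exactly the kind of finding to revoke first; the Gradebook Sync grant is not flagged because classroom read-only and openid touch neither mail nor documents.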

Don’t wait for another phishing attack to put your company at risk. Request your free Third Party App Permissions Audit today.