Former College Kids Guilty Plea To Hacking Highlights Low-Tech DB Theft

  /     /     /  
Publicated : 22/11/2024   Category : security


Former College Kids Guilty Plea To Hacking Highlights Low-Tech DB Theft


Defendants targeted universitys databases of faculty, staff, alumni, and student information, and financial accounts with a social engineering scheme that used poisoned USBs, phishing emails



A former University of Central Missouri (UCM) student this week copped a guilty plea to computer hacking and fraud charges in a case that security experts believe stands as a testament to how low the barrier to entry has fallen for stealing database information and committing financial fraud.
Daniel Fowler admitted to a U.S. magistrate judge to a scheme in which he and alleged co-conspirator Joseph Camp used the SpectorPro and Poison Ivy keylogger malware kits to help infect machines across the UCM campus in 2009. Under federal statutes, Fowler is subject to a sentence of up to 15 years in federal prison without parole, plus a fine of up to $500,000 and an order of restitution. Camp is still awaiting trial.
The defendants obtained, or attempted to obtain, access to portions of the computer network which would allow them to change grades, view and download large databases of faculty, staff, alumni and student information, and transfer money to their student accounts, read the indictment against Fowler and Camp. The defendants additionally sought to profit from these computer intrusions.
Investigators reported that Fowler used a number of different methods to get his hands on sensitive data and accounts capable of adding cash to his student account. In some cases, he and Camp would offer to show vacation photos to fellow students using a USB drive laden with malware. They also manually installed malware on public computers in the library and computer labs. Additionally, the suspects sent email messages promising vacation photos with the malware embedded in attachments. The malware would then give them access to files on victims computers and keystroke information to gather credentials to more sensitive systems within the universitys network.
This is a very straightforward hacking process -- there is nothing horrendously sophisticated about it, says Rob Rachwald, director of security strategy at Imperva. It follows the standard procedure of spreading some malware, getting the credentials, and then stealing the goods. Its what happens on the black market every day. It is just a new innovation because it is a way of taking the cookie-cutter template to a different target.
While the scheme does involve the infiltration of expensive university systems, security expert Mike Murray, managing partner at MAD Security, says that Fowler hardly deserves any props as a master hacker. He says this is where common crime is trending these days as the prevalence of hacking software floods the black market.
Its funny that this is a hacking story because really it is just an opportunity story. Its not like the kid had any skills from what I can tell, Murray says. He used an off-the-shelf rootkit and walked around with a USB key.
According to Murray, there are no endpoint protections that can ultimately solve the social engineering problems posed by criminals like Fowler. As a society, we just have to get used to this new era of computer-based crime by getting street smart about these issues.
There is hope, though: Even within this case, there are signs that some peoples thinking is starting to evolve. At one point, Fowler tried to get the university presidents secretary to plug in a USB device into the presidents computer with the pretext that Fowlers lawyer needed the president to look at some documents on the USB stick. She was spooked and refused to do so.
Long-term, its not a technology issue. The technology just enables the criminal in the same way that a crowbar enables a criminal breaking into your car, Murray says.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News

▸ Researchers create BlackForest to gather, link threat data. ◂
Discovered: 23/12/2024
Category: security

▸ Travel agency fined £150,000 for breaking Data Protection Act. ◂
Discovered: 23/12/2024
Category: security

▸ 7 arrested, 3 more charged in StubHub cyber fraud ring. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Former College Kids Guilty Plea To Hacking Highlights Low-Tech DB Theft