Cybercriminals are taking advantage of summer exam pressures by offering black market grade-hacking services and fake qualifications online, and ensuring these opportunities are easy to find with a quick internet search, Kaspersky researchers have found.
Reports of young people breaking into school systems to change grades, improve attendance records or disrupt test processes are not new, and nor is the availability of fake certificates and diplomas. Over the years, a thriving underground industry has grown up to facilitate cheating when it comes to academic achievements. This includes discussion fora and how-to guides and videos. Kaspersky researchers decided to take a closer look at such education fraud.
A single online search on June 12 immediately revealed a supplier of grade hacking services and fake diplomas, with an easy-to-follow order form enabling the customer to select the subject, level of degree and issuing institution of their choice. School certificates covering a long list of subjects were also available.
The researchers also looked at some of the most widely used school information systems and found that alongside a history of reported bugs, many relied only on user names and passwords to authenticate access for students, parents and teachers – making them worryingly easy to hack using stolen or re-used credentials.
“As education becomes more digital and connected, the information systems that support learning provide new opportunities for even moderately skilled hackers, and if you don’t want to do it yourself you can find a hacking service online to do it for you. Our research also uncovered a black market vendor who, in return for a fee, would create a certificate of your choice. For the majority of young people, working hard to prepare for and take exams, and the schools and colleges supporting them, such cheating can be very demoralizing – and that’s aside from the fact that education fraud is a criminal offence. Teachers are not security specialists and may not naturally know or remember what to do, but fortunately there are some simple steps educational institutions, and employers looking to verify achievements can take to stay safe,” said David Jacoby, security evangelist at Kaspersky.
Kaspersky recommends the following measures to safeguard systems and young people against education fraud:
· If a qualification looks suspicious, check with the issuing institution as they will have the official record of who achieved what.
· Introduce some form of two-factor authentication for information systems, especially web-based ones, and particularly for access to student records, grades and assessments. Set strong and appropriate access controls, so that it is not easy for a hacker to move laterally through the system.
· Run security awareness training for staff, explaining how to securely implement and use passwords.
· On campus, have two separate and secure wireless networks, one for staff and one for students, and another one for visitors if you need it.
· Don’t be tempted to put everything online or on the web-based portal if it doesn’t need to be there.
· Introduce and enforce a robust staff password policy and encourage everyone to keep their access credentials confidential at all times.
· Use a reliable security solution for comprehensive protection from a wide range of threats, such as Kaspersky Endpoint Security for Business.