School Principal's Email Hijacked, Scary Simple Website to Blame
By: Marci Manley, KARK 4 News
Updated: April 24, 2012
Assistant Principal Jodie Heslep of LISA Academy North is still puzzled over the message sent from her boss's email account last Thursday night.
"When you glanced at the email, at first you read through it and it kind of made you question," she said.
Two emails were sent telling the same story. At 3:17 p.m., an email was sent to dozens of staff members.
"It talked about how the school was closing next year and that our principal would be happy to write letters of recommendations for all of us," she said.
The second, sent around 6:00 p.m. to hundreds of parents, claimed to be from Principal Fatih Bogrek and said he had failed to file the proper paperwork to secure renewal and the campus would close.
"I was shocked when I had a call from my Assistant Principal that I sent an email to all staff and parents," Bogrek said. "It's absolutely untrue. Our renewal process doesn't even come up until next year."
Not only that, but Bogrek said the school is performing at high standards and a waiting list of some 500 students shows the demand to keep the doors open. So the email came out of left field for many who received it.
That's likely because Principal Bogrek did not author the email landing in local accounts. The message came from a website across the globe. It's a proxy website in the Czech Republic, allowing the Internet prankster to impersonate the principal and pretty much anyone else.
"They can send an email from your email account if they know your email account, or they can send email from Governor Beebe's email account to anybody else," said IT Services Manager Ersin Demirci.
"It seems to be a deficiency in most email servers," he said. "That includes Google, Yahoo Mail, and Hotmail."
To see just how simple it could be, we set up a dummy account, typed the information into the fake email website, and hit send. Within seconds, the email popped up saying it was from the legitimate sender.
While Gmail did alert, once inside the email, that the message may not be from whom it appeared, not all email clients offered that warning.
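The warning Gmail showed is the kind of check a receiving mail client can make: compare the visible From: address against the authentication results the receiving server recorded. The following is an added example in Python, not code from the article or the school's systems; it parses two constructed messages with placeholder domains (school.example, mx.example.net) and flags the one whose sender could not be verified.

```python
import re
from email import policy
from email.parser import BytesParser

# Constructed sample messages; school.example and mx.example.net are placeholders.
# The spoofed one claims the school's From: address, but the receiving server's
# Authentication-Results header shows SPF failed and no DKIM signature was present.
SPOOFED = b"""\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=relay.example.org; dkim=none
From: Principal <principal@school.example>
To: staff@school.example
Subject: Campus closing next year

The school will close next year.
"""

LEGIT = b"""\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=school.example; dkim=pass header.d=school.example
From: Principal <principal@school.example>
To: staff@school.example
Subject: Reminder

Nothing to worry about.
"""

def auth_results(raw):
    """Parse Authentication-Results into method results and the domains they cover."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    header = str(msg.get("Authentication-Results", ""))
    results = {m.lower(): r.lower() for m, r in re.findall(r"\b(spf|dkim)=(\w+)", header, re.I)}
    props = {k.lower(): v.lower().rstrip(";") for k, v in re.findall(r"(smtp\.mailfrom|header\.d)=(\S+)", header, re.I)}
    return msg, results, props

def spoof_warning(raw):
    """Return a warning if the From: domain is not backed by a passing, aligned SPF or DKIM result, else None."""
    msg, results, props = auth_results(raw)
    from_addr = msg["From"].addresses[0].addr_spec if msg["From"] else ""
    from_domain = from_addr.rpartition("@")[2].lower()
    # SPF only vouches for the envelope sender; DKIM for the signing domain.
    # Either must match the visible From: domain to count (DMARC-style alignment).
    spf_ok = results.get("spf") == "pass" and props.get("smtp.mailfrom", "").rpartition("@")[2] == from_domain
    dkim_ok = results.get("dkim") == "pass" and props.get("header.d") == from_domain
    if from_domain and (spf_ok or dkim_ok):
        return None
    return f"Warning: {from_addr or 'unknown sender'} could not be verified (SPF={results.get('spf', 'none')}, DKIM={results.get('dkim', 'none')})"

if __name__ == "__main__":
    for raw in (SPOOFED, LEGIT):
        print(spoof_warning(raw) or "Sender verified")
```

A client that applies this check would warn on the spoofed message and stay quiet on the legitimate one; clients that skip it show both as equally trustworthy.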
"It is a nightmare for everybody. It is a nightmare for our staff, a nightmare for our parents," Demirci said.
LISA Academy did notify parents of the some 450 students affected within minutes of the inbox bombardment.
"We sent a legitimate email out to parents letting them know that there was nothing to worry about," Heslep said. "In fact, when the staff email was delivered we notified parents of what was going on so some had an idea it wasn't authentic. Other parents, even those without email addresses, we called to let them know they shouldn't worry despite what they might hear."
Apparently, both emails were sent to groups of email addresses for staff and current parents. How those addresses came to be acquired remains a mystery at this point.
"It's really strange, because we bcc (blind carbon copy) when we send out emails," Heslep said. "There's nothing to have to gain, other than putting some parents in a panic."
When asked whether someone could actually have hacked the system or simply had knowledge of the mailing lists, Demirci wasn't sure.
"We really don't know that right now. But we've reported this to Sherwood Police, the FBI, and the Arkansas Department of Education," he said. "So, a lot of people are looking into this, and I'm confident we'll find the person responsible."
Still, the damage from the cyber attack is done: lingering questions of who and why, as well as the knowledge that a hit like this could happen to countless companies, schools, and individual accounts.
"It does make you question if they went through the school's lists what else could they go through or what else could someone do," Heslep said.
With the Internet, prosecution can depend on the individual case. In this instance, fraud could be a legitimate concern and charges could follow for the culprit, depending on the harm done and the intent behind sending the message.
The school is beefing up its security by changing settings, hoping to block additional websites that allow spamming schemes like this to operate within the email server.
One tip for protecting email addresses, particularly when sending out mass emails, is to blind carbon copy the addresses rather than listing them all in the "to" field. You can also address the email to yourself and bcc the recipients you intend to reach.
If you do believe someone has phished or scammed your email account or other online identities (bank accounts, etc.), you should report it to your local police, the Arkansas Attorney General's Consumer Protection Division, and the FBI's Internet Crime Complaint Center so the incidents can be tracked and the perpetrators caught.