This year, various flavors of a “part time job application” Google Forms phishing scam have circulated in the education environment. Based on reports from organizations where the scam occurred, it operates as follows:
Threat actors obtain credentials for one student account, where only single-factor authentication is in place. The account is accessed and utilized to send out a large number of email messages to school contacts, including many students as well as staff. The email messages contain a link, which leads to a “job application” form asking for information such as cell phone, address, type of credit card and more.
In reports of compromised accounts, the student may have been approached via social media messaging, or the student does not know how their credentials were compromised. Student account compromise can occur even if the institution does not allow external email messaging to student accounts. Recipients of the Google form who add their personal information have reported receiving potentially aggressive text messages asking for additional information.
Considerations for Prevention
Enable Context-Aware Security
Enable context-aware security to limit account use to US-based locations only. Though this may not prevent the scam, it can help add a layer of protection.
Training Students
Students should be made aware of the following:
- Phishing, Smishing, and Vishing
- Never giving user ID or password information to anyone
- Reporting suspicious or threatening online activity
- Awareness of the possibility for internal account compromise
- Consider utilizing phishing email scenarios with students. For example, Incident IQ includes free licenses for all students when the district purchases staff licenses
Ongoing Staff Training
- Business email compromise, including student account compromise
- Reporting suspicious email activity
Multi-Factor Authentication for Student Accounts
Consider options for single sign-on that offer an MFA option that does not require SMS.
Response Planning
Planning and practice help minimize the impact of an account compromise incident. Here are proactive measures to assist with incident response:
Create an Account Compromise Playbook
Include draft communication for notifying families, students, and staff
Conduct a Hands-On Tabletop Exercise
Send an email with a link to a Google form to people who are aware of the tabletop, and have some of them click the link and fill out the form. Then practice the following:
- Document all tabletop actions and findings
- Suspend the account
- Revoke sign-in cookies
- Check for unexpected OAuth applications with authorized access and practice revoking OAuth access
- Verify when the account was successfully signed into
- Determine which IP address(es) signed into the account
- Determine if those IP addresses are suspicious or expected
- Determine who clicked the link
- Use IP verification to determine whether or not those who clicked have had their accounts signed into
- Check for Google Takeout events
- Check for export of Contacts
- Verify if Bookmarks were exported
- Determine if Passwords were accessed
- For critical third-party software whose password is stored in the user’s Google passwords, check that software for the user’s activity.
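The sign-in and IP verification steps in the list above can be practiced on exported login records. The following is an added example, not part of the original advisory: the record fields, account names, IP addresses, and the expected district network range are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample data. Addresses come from documentation ranges and the
# field names are hypothetical, not an actual audit-log export format.
EXPECTED_NETWORKS = [ip_network("198.51.100.0/24")]  # assumed district range
COMPROMISED = "student1@example.edu"
CLICKERS = {"student2@example.edu", "student3@example.edu", "teacher1@example.edu"}
LOGIN_EVENTS = [
    {"time": "2024-03-04T08:01:00Z", "user": "student1@example.edu", "ip": "198.51.100.20", "ok": True},
    {"time": "2024-03-04T22:14:00Z", "user": "student1@example.edu", "ip": "192.0.2.77", "ok": False},
    {"time": "2024-03-04T22:15:00Z", "user": "student1@example.edu", "ip": "203.0.113.45", "ok": True},
    {"time": "2024-03-05T09:30:00Z", "user": "teacher1@example.edu", "ip": "198.51.100.31", "ok": True},
    {"time": "2024-03-05T23:02:00Z", "user": "student2@example.edu", "ip": "203.0.113.45", "ok": True},
    {"time": "2024-03-05T23:05:00Z", "user": "student3@example.edu", "ip": "203.0.113.45", "ok": False},
]

def is_expected(ip):
    """True when the address falls inside a network the district expects."""
    return any(ip_address(ip) in net for net in EXPECTED_NETWORKS)

def successful_ips(events, user):
    """Map each IP that successfully signed into `user` to its first-seen time."""
    seen = {}
    for e in sorted(events, key=lambda e: e["time"]):
        if e["user"] == user and e["ok"]:
            seen.setdefault(e["ip"], e["time"])
    return seen

def suspicious_ips(events, user):
    """Successful sign-in IPs for `user` that are outside the expected networks."""
    return {ip for ip in successful_ips(events, user) if not is_expected(ip)}

def clickers_signed_into(events, clickers, bad_ips):
    """Clickers whose accounts had a successful sign-in from a suspicious IP."""
    hits = defaultdict(list)
    for e in events:
        if e["user"] in clickers and e["ok"] and e["ip"] in bad_ips:
            hits[e["user"]].append((e["time"], e["ip"]))
    return dict(hits)

if __name__ == "__main__":
    bad = suspicious_ips(LOGIN_EVENTS, COMPROMISED)
    print("Suspicious sign-in IPs:", sorted(bad))
    for user, found in clickers_signed_into(LOGIN_EVENTS, CLICKERS, bad).items():
        print("Suspend and review:", user, found)
```

Failed attempts are excluded on purpose, since the checklist asks about successful sign-ins. A clicker's account may also be accessed from an address not yet tied to the first compromise, so sign-ins from outside the expected range deserve review as well.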
Now is an excellent time to assess security measures for student accounts, to prevent these types of scams.
