Dark Reading is part of the Informa Tech Division of Informa PLC


Former College Kid's Guilty Plea To Hacking Highlights Low-Tech DB Theft

Defendants targeted university's databases of faculty, staff, alumni, and student information, and financial accounts with a social engineering scheme that used poisoned USBs, phishing emails

A former University of Central Missouri (UCM) student this week copped a guilty plea to computer hacking and fraud charges in a case that security experts believe stands as a testament to how low the barrier to entry has fallen for stealing database information and committing financial fraud.

Daniel Fowler admitted to a U.S. magistrate judge to a scheme in which he and alleged co-conspirator Joseph Camp used the SpectorPro and Poison Ivy keylogger malware kits to help infect machines across the UCM campus in 2009. Under federal statutes, Fowler is subject to a sentence of up to 15 years in federal prison without parole, plus a fine of up to $500,000 and an order of restitution. Camp is still awaiting trial.

"The defendants obtained, or attempted to obtain, access to portions of the computer network which would allow them to change grades, view and download large databases of faculty, staff, alumni and student information, and transfer money to their student accounts," read the indictment against Fowler and Camp. "The defendants additionally sought to profit from these computer intrusions."

Investigators reported that Fowler used a number of different methods to get his hands on sensitive data and accounts capable of adding cash to his student account. In some cases, he and Camp would offer to show vacation photos to fellow students using a USB drive laden with malware. They also manually installed malware on public computers in the library and computer labs. Additionally, the suspects sent email messages promising vacation photos with the malware embedded in attachments. The malware would then give them access to files on victims' computers and keystroke information to gather credentials to more sensitive systems within the university's network.

"This is a very straightforward hacking process -- there is nothing horrendously sophisticated about it," says Rob Rachwald, director of security strategy at Imperva. "It follows the standard procedure of spreading some malware, getting the credentials, and then stealing the goods. It's what happens on the black market every day. It is just a new innovation because it is a way of taking the cookie-cutter template to a different target."

While the scheme does involve the infiltration of expensive university systems, security expert Mike Murray, managing partner at MAD Security, says that Fowler hardly deserves any props as a master hacker. He says this is where common crime is trending these days as the prevalence of hacking software floods the black market.

"It's funny that this is a 'hacking' story because really it is just an opportunity story. It's not like the kid had any skills from what I can tell," Murray says. "He used an off-the-shelf rootkit and walked around with a USB key."

According to Murray, there are no endpoint protections that can ultimately solve the social engineering problems posed by criminals like Fowler. As a society, we just have to get used to this new era of computer-based crime by getting street smart about these issues.

There is hope, though: Even within this case, there are signs that some people's thinking is starting to evolve. At one point, Fowler tried to get the university president's secretary to plug a USB device into the president's computer on the pretext that Fowler's lawyer needed the president to look at some documents on the USB stick. She was spooked and refused to do so.

"Long-term, it's not a technology issue. The technology just enables the criminal in the same way that a crowbar enables a criminal breaking into your car," Murray says.
