A university student who plugged keyloggers into his school’s computers to snatch staff passwords, access the exam application and jack up five test scores has been jailed.
The Telegraph reports that bioscience student Imran Uddin, 25, was sentenced to 4 months of jail time after using a keylogger to steal staff passwords at the University of Birmingham in the UK.
Uddin, who was reportedly on track to achieve at least a lower second-class degree – or 2:2 – increased his marks on five exams, including one from 57% to 73%.
According to The Telegraph, Uddin was jailed at Birmingham Crown Court after admitting six charges contrary to the Computer Misuse Act.
The newspaper quotes Judge James Burbidge QC as he addressed the cheating student:
For reasons not entirely clear to me, whether it was monetary, or pride or a desire to out-perform others, you decided to cheat and you formed a settled intention to do that. I consider your actions were planned and persistent.
This kind of conduct undermines or has the potential to undermine public confidence in the degree system, set up by this university. I have decided I cannot pass a suspended sentence because there needs to be an element of deterrence.
The court heard that Uddin attached a so-called “shadowing” device onto the backs of numerous school computers to steal staff passwords.
He came under suspicion in October when staff found a spying device while performing a routine upgrade on a computer in the bio-science building.
As a result, staff checked other computers and found three more keyloggers.
The prosecutor, Madhu Rai, told the court that one device had been attached to a computer in a “staff only” area in order to steal the password of employee Christine Chapman, who had access to exam grade software.
Upon searching his computer, police found that Uddin had looked on eBay for keyloggers and had also tried to enter the university marking system.
Balbir Singh, defending, told the court that Uddin was the only person from his family who had gone to university and at the time had put himself under so much pressure “that he could not see clearly.”
A university spokeswoman said that cheating students such as Uddin are subject to permanent expulsion:
The University cannot comment on individual cases, however, we take any criminal activity extremely seriously and work closely with West Midlands Police.
In additional to any legal sanctions, students convicted of serious crimes also face a student misconduct investigation and ultimately face permanent exclusion.
Uddin isn’t the first student we’ve heard about for hacking into school systems: last year, 11 US teenagers were expelled from a California high school after using a keylogger to gain access to school systems and bump up their grades, and a former Purdue University student was sentenced to 90 days in jail for changing his grades to straight-As, possibly by replacing professors’ keyboards with keylog-doctored versions.
Students who want to cheat aren’t the only ones who use keyloggers to steal everything someone types on a keyboard, including email passwords or logins for online bank accounts.
Spies and cybercrooks can and do attach spy hardware to public computers to steal private information: it’s happened at hotels in Texas and public libraries in England.
In fact, being careful when you use public computers or ATMs is just one thing that travelers should keep in mind as vacation season rolls in and business travelers head out to conferences.
We should all be mindful of keyloggers when we try to keep our data safe while traveling.
We should also tell our kids that boosting our grades by using keyloggers to break into school systems isn’t worth the potential jail time and criminal record.
The pressure may be high when it comes to keeping up with schoolwork and trying to look smart to prospective employers, but the reality is that it’s far better to be an honest B or C student than a student whose straight-As are as flimsy as tissue paper.
Image of mortar boarr courtesy of Shutterstock.
Learned the hard way
Years ago, I opened email attachments and clicked on links from a correspondent whom I do not know. Eventually, this person seemed to know everything I was thinking. Only in retrospect – some 2 1/2 years later – did I put the red flags together and finally twig it; (s)he had remotely installed keylogger spyware on my computer – and (s)he probably did so soon after we had started corresponding. Then I realized this person knew my email addresses and passwords (and my name, home address, financial info, and browsing and shopping habits) and that (s)he has used my email accounts and name to send messages to people whom I know.
Since my epiphany, I have stopped corresponding with that person, wiped my hard drive, changed my passwords, activated 2FA when possible, used security keys when possible, and taken other online security-related steps.
But the horse has left the barn.
Also since then, someone hacked one of my email accounts and deleted everything. I discovered the hack some 3 to 5 days after the fact. A Microsoft representative told me Microsoft could not retrieve my emails.
I must keep all of my email accounts active. If I deactivate an account, this person can assume it and resume sending messages in my name to other people.
Further, someone has posted comments in my name on various internet sites. I suspect the former correspondent wrote them.
As any seasoned politician can tell you, once someone slings mud on you, you are helpless to defend yourself against it.
I wish I had never corresponded with this person. Still, now I know something about psychopaths.
Do not open attachments or click on links from people whom you do not know! Better yet, do not open emails from strangers.
Lisa Vaas
Yikes, thanks for the first-hand testimonial, so sorry to hear you’ve suffered from such a common mistake. It’s dismaying, how little attention this gets, not only from recipients but from businesses who should know better than to send links in email. I recently refused to do business with a medical supplier who sent an email with a link, with no context to tell me who they were (they were legitimate, but were apparently ignorant of how irresponsible their email habits are).
Unfortunately, I’m back to being forced to do business with them, given that they’re the only ones who happen to supply this particular medical gadget that I need.
I’m pondering going through snail mail with them. If you can’t trust a business not to know about links in email, what other security pitfalls are they likely to make, I wonder?
Mark
It appears to be a new trend (at least to me) in that vendors are sending emails with links to ad or tracking systems on their messages to their legitimate customers. I have asked many times to no avail asking how I am supposed to differentiate from spam when their links point to nonsensical (but legitimate) addresses.
Jim
Don’t forget to change your “secret questions” that most places use. They’re probably using an account you forgot about, but that account may “know” some of your secret questions (and the answers).
Ronny Vasquez
Why only the student? The Sec admin must be in jail too, for his incompetence almost any free antivirus can detect a simple keylogger.
Mark
actually it sounds like this may have been a hardware keylogger plugged in between the keyboard and the keyboard port, no software needed. I am not an expert but I assume a usb device with enough memory to save a few million keystrokes would probably be about the same size as a thumb drive and hard to detect unless you happen to be looking at the back of the computer.
Jason Kaven
If it is a hardware keylogger that infected the computer, I think it is too dangerous and obvious, isn’t it? I thought it is more possible to be infected with a keylogger software. As far as I know, the keylogger software like Micro Keylogger really can track keystrokes and passwords invisibly and secretly, which is illegal!
thoxsie
Hardware keyloggers do not infect the computer and they are impossible to detect through software. The keyboard is plugged into the keylogger and the keylogger is plug into the system. From the view of the system it just sees a keyboard plugged into it, but what the computer doesn’t know is that the keyboard is busy saving every keystoke to local memory.
Paul Ducklin
It *may* be possible to detect hardware keyloggers using software, though it depends on how it cunningly they are implemented.
(I’m not suggesting that you rely on being able to detect them this way, or even that you will be able to find software that offers to try. Just being slightly pedantic about “impossible”. Never say never. Not in computer security :-)
Jim
I also must ask the question, why weren’t they using 2FA? Universities are ripe plums to most hackers (who may also be their students). They can help themselves quite a bit by inserting that second factor of auth. into the stream.
Anonymous
I must give him a big thumb. He is a genius. I’ve tried a lot of keyloggers and ended up with installing Micro keylogger. It monitors everything I needed. I needed more than just a keyloger. I’m interested in monitoring all types of activity including website history, keystrokes etc.
Samule Curren
Hi,
Great article, love the content, very helpful! Thanks for sharing info.