Cheating Companies Hacked Websites at MIT, Stanford, Columbia And More Than 100 Other Schools


By Derek Newton
Reposted from Forbes, with permission.

Jim Ridolfo at the University of Kentucky and William Hart-Davidson at Michigan State University have found that more than 100 websites of American colleges have been hacked or otherwise compromised by essay mills, the contract cheating providers that improperly sell academic work to students.

What they uncovered was a coordinated, planned pattern of hacking, information manipulation and other attacks by dark academic cheating companies that embedded their materials in top-level domains at schools of every variety including: Florida State University Law School, Clemson University, Penn State, MIT, Columbia, Purdue, University of Nebraska Lincoln, and UCLA. A complete list of schools, with a map, is in their research report.


To find the violations and breaches, Hart-Davidson and Ridolfo took website addresses of 14 known essay mills and searched university sites for content or code related to those addresses. Over a period of just a few weeks in November and December, they found more than 100 university websites had been compromised by those dozen or so actors in ways they describe as, “systematic and illegal, and having direct implications for writing programs and universities.”

“There is actionable data here today,” Hart-Davidson said. “These illicit services are standing in the way of students getting where they need to go.”

The researchers say that, in addition to directly reaching students seeking academic support, hacking university domains assists the essay mills in gaming their search engine optimization and amplifying and sharing their messages with the fragrance of credibility stolen from the universities. Hart-Davidson described the process as “laundering a bad [web address] through a good one.”

“If you Google something like essay help and Stanford,” Ridolfo said, “you’ll get school content injected by essay mills or find pages that redirect you to their services.”

Some essay selling services have even been so bold as to embed live chat features in university sites. If you go to a university resource page seeking help and click the “chat” feature, you’re connected with paid cheating sites.

In another example, a resource page for students with dyslexia at the University of Michigan was infected with predatory information, a “compromised recomposition,” according to the research. Then that page was shared on Facebook and re-shared by other institutions and dyslexia support centers as if it were legitimate.

The research also found examples of embedded cheating site information in lists of official scholarships and as advertisements for essay contests offering cash prizes — a tactic the duo described as potentially “harvesting” academic content such as original writing or student information.

Ridolfo said these attacks “have a lot of mirroring of the pharma hacks we’ve seen for years where legitimate medical or research information is compromised by referrals to online pharmacies.” Even so, he said, “going back three years we noted scripted SQL injections in these academic sites but did not put it together as a botnet pattern until November when there were just too many not to be done systematically.”

According to the researchers, getting universities to act on these attacks with urgency has been an issue. The IT departments, they said, “just patch this stuff” and cannot see the scale of the national, systemic attack that’s happening. That’s exacerbated by a disconnect between school IT leaders and academic ones, where one person may recognize an IT problem but not recognize the academic consequences or vice versa.

Methodist University had their site hacked by contract cheaters but acted quickly. “Our IT/Web team,” said Suzanne Blum Malley, Ph.D., Provost at Methodist, “immediately responded to block the SQL injections and to set regular scans for additional paper mill intrusions.” With a priority institutional focus on writing skills, Blum Malley said that a “response to these types of systems intrusions by paper mills is also critical so that we are not unintentionally steering students to unethical choices and unethical practices that undermine the value of writing to learn and to explore.”
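The search the researchers describe and the regular scans Methodist set up both come down to checking a site's own pages for links, scripts and redirects that point at known essay-mill domains. The sketch below is an added example, not code from the researchers or the schools named here; the watchlist domains, the `scan_page` helper and the sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical watchlist: the 14 essay-mill addresses are not given on this page.
WATCHLIST = {"essaymill.example", "paperhelp.example"}
URL_ATTRS = ("href", "src", "action")  # attributes that can carry an outbound URL

def host_on_watchlist(url, watchlist):
    """True if the URL's host is a watchlisted domain or a subdomain of one."""
    try:
        host = (urlparse(url.strip()).hostname or "").lower().rstrip(".")
    except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
        return False
    return any(host == d or host.endswith("." + d) for d in watchlist)

class WatchlistScanner(HTMLParser):
    def __init__(self, watchlist):
        super().__init__()
        self.watchlist = watchlist
        self.findings = []  # (line where the tag or text starts, kind, evidence)

    def handle_starttag(self, tag, attrs):
        attrs = {k: v or "" for k, v in attrs}
        urls = [attrs[a] for a in URL_ATTRS if a in attrs]
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            # content="5; url=https://..." is a client-side redirect
            urls.append(attrs.get("content", "").partition("=")[2].strip(" '\""))
        for url in urls:
            if host_on_watchlist(url, self.watchlist):
                self.findings.append((self.getpos()[0], tag, url))

    def handle_data(self, data):  # visible text or inline script
        for d in self.watchlist:
            if d in data.lower():
                self.findings.append((self.getpos()[0], "text", d))

def scan_page(html, watchlist=WATCHLIST):
    scanner = WatchlistScanner(watchlist)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page, not taken from any real site.
SAMPLE = """<html><head><meta http-equiv="refresh" content="5; url=https://essaymill.example/order">
</head><body><a href="https://writing.university.example/tutors">Tutoring</a>
<a href="https://notessaymill.example/">lookalike host, must not match</a>
<a href="//www.essaymill.example/help">Essay help</a>
<script src="https://chat.paperhelp.example/widget.js"></script>
<script>window.location = "https://paperhelp.example/?ref=edu";</script></body></html>"""
```

Run `scan_page` over each page of a site you administer, on a schedule, and alert on any non-empty result. Matching on the parsed host rather than a substring keeps lookalike domains from producing false hits on link attributes.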

Even though this research uncovered more than 100 instances, Hart-Davidson and Ridolfo clearly say this is more of a warning sign than a solution — like finding a single termite or two instead of the whole nest. “We think the scope of this is much bigger, we only did a small sampling,” Ridolfo said.

They also note that these intrusions were from just 14 known cheating providers when there are probably hundreds of them. The researchers also note that they only looked at writing-related cheating but that hacks and compromised information on school websites “probably exists around problem sets and solutions too.” It’s just that no one has looked for that yet.

The pair also cautions that the attacks they found were the work of inexpensive, “absolute beginners” who exploited “run of the mill security issues.” That means this pattern of hacking legitimate university property to sell cheating services could get much more complex and much more dangerous.

“We think this is indicative of other trends of visual infrastructure being leveraged to deceive, being weaponized against students, which is a big IT and pedagogy issue,” said Ridolfo.

“Imagine that a company set up a card table outside a school’s writing center, redirecting students coming for help to some shady institutions. What would you do? You’d send the campus security and throw them out,” Hart-Davidson said. These intrusive hacks and manipulations may also have “crossed the line” of legal conduct. “You can’t inject content on a state university site and redirect traffic to a commercial site. That’s not allowed, it’s like painting your ad on the side of a university building,” he said.

Frankly, bad as that is, as illegal as it likely is to paint an ad on a school building, hacking school websites to pass off illicit services as sanctioned conduct is probably actually worse. Since cheating is a billion-dollar, global dark market, it’s not surprising. It’s just awful. And schools should move quickly to address it, not just with patches, but with policy and policing.

Originally posted on Forbes on February 25, 2021.