A new report from the FBI raises warnings about a credential theft threat targeting academic partners of identified US colleges and universities.
The constant credential theft threat
The first goal of these attacks is to collect valid credentials, which are then often exposed on public and private cybercriminal forums or marketplaces.
These attacks use several different vectors to succeed: phishing campaigns launched at wide scale and hitting millions of mailboxes, spear phishing attacks that are more targeted and sent in smaller volumes, and other social engineering techniques using instant messaging.
The credential stuffing attacks that follow are particularly concerning, because once attackers are in possession of a login credential, they might run tools like OpenBullet to automatically check whether it is valid on dozens or hundreds of other websites. As people tend to reuse the same password across websites, it is common that once an attacker holds valid credentials for one mailbox system, they are able to access other mailboxes or online services as well.
The specific threat on U.S. academics
As an example, the FBI mentions a credential harvesting campaign that targeted .EDU accounts in 2017. The attackers made copies of the login pages of universities, embedding credential harvesting code inside the copy. Once an unsuspecting user entered their credentials, they were immediately sent by email to the cybercriminals.
Academics are not new targets for cybercriminals. The University of California at Berkeley shared dozens of phishing examples that have targeted it since 2015. While some of these examples are quite generic, others are very specific to universities. One example is a message targeting students with a request to reactivate their library services account, which aims at collecting the students' credentials.
In May 2022, Yale reported an increase in COVID-19 phishing attempts toward higher education institutions, aiming once again for university credentials.
The FBI notes that tactics keep evolving, and recent phishing cases hitting U.S. universities have been reported.
Academic credentials for sale, sometimes for free
The FBI has observed incidents of stolen higher education credentials posted on publicly accessible cybercriminal forums or marketplaces. In January 2022, Russian cybercriminal forums offered network credentials and virtual private network access to a multitude of identified American universities and colleges. Sometimes, screenshots were included as proof of access. Prices for those credentials varied from one to multiple thousands of US dollars.
In May 2021, more than 36,000 login combinations for .EDU email accounts were found on a publicly available instant messaging platform.
In late 2020, a seller on the dark web listed approximately 2,000 unique usernames and their associated passwords from .EDU domains and asked for donations to be made on an identified Bitcoin wallet.
With the business of initial access brokers still active, it is no wonder that credential harvesting is ongoing, targeting multiple industries and sectors of activity, including academia and research.
Those credentials might of course be used by an attacker to read the victim's emails, but they might also lead to more fraud, such as stealing credit card information, or to accessing the internal network of the institution to do more harm, like planting ransomware or launching a cyberespionage campaign.
How to protect yourself from this threat
All operating systems and software running in the institution need to be kept up to date. As noted by the FBI, “timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats”.
User training programs and phishing simulation exercises need to be deployed to students but also to all other employees of the institution. Awareness needs to be raised on phishing attempts and on the risk of visiting suspicious websites or clicking on suspicious links or file attachments.
A strong and unique password policy needs to be enforced. Alerts need to be set for incorrect login attempts.
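The credential stuffing pattern described earlier (one source checking a stolen list against many distinct accounts, with only one or a few attempts per account, and the occasional success when a reused password matches) is exactly what alerting on incorrect login attempts should be tuned to catch. The following detection logic is an added example, not from the article or the FBI report; it assumes a simple one-line-per-attempt log format, the sample log entries are constructed, and the window and threshold values are illustrative assumptions that a real deployment would tune to its own baseline:

```python
"""Credential stuffing detection over authentication log lines.

Added example, not code from the article or the FBI report. Assumed log
format (one attempt per line): "<ISO timestamp> <source_ip> <username> <SUCCESS|FAILURE>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.7 runs a stuffing list against six
# distinct accounts and then hits one valid reused password; 198.51.100.20 is a
# legitimate user mistyping their own password twice; 192.0.2.44 shows only two
# failures and stays below the threshold.
SAMPLE_LOG = """\
2024-03-01T08:00:01 203.0.113.7 alice@example.edu FAILURE
2024-03-01T08:00:02 203.0.113.7 bob@example.edu FAILURE
2024-03-01T08:00:03 203.0.113.7 carol@example.edu FAILURE
2024-03-01T08:00:04 203.0.113.7 dave@example.edu FAILURE
2024-03-01T08:00:05 203.0.113.7 erin@example.edu FAILURE
2024-03-01T08:00:06 203.0.113.7 frank@example.edu FAILURE
2024-03-01T08:00:07 203.0.113.7 grace@example.edu SUCCESS
2024-03-01T08:05:00 198.51.100.20 heidi@example.edu FAILURE
2024-03-01T08:05:10 198.51.100.20 heidi@example.edu FAILURE
2024-03-01T08:05:20 198.51.100.20 heidi@example.edu SUCCESS
2024-03-01T09:00:00 192.0.2.44 ivan@example.edu FAILURE
2024-03-01T09:00:30 192.0.2.44 judy@example.edu FAILURE
"""

# Assumed thresholds: stuffing spreads failures across many accounts from one
# source within a short window, unlike a single user retrying their own password.
WINDOW = timedelta(minutes=5)
MIN_DISTINCT_FAILED_USERS = 5


def parse_line(line):
    """Parse one assumed-format log line into (timestamp, ip, user, success)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "SUCCESS"


def detect_stuffing(log_text, window=WINDOW, min_users=MIN_DISTINCT_FAILED_USERS):
    """Return one alert per source IP whose failures span >= min_users distinct
    accounts inside any window; each alert lists accounts that then succeeded
    from that same IP, as these are the likely compromised (reused) credentials."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    alerts = {}
    for ip, evs in by_ip.items():
        # Slide a window starting at each event of this IP; keep the worst one.
        for i, (t0, _, _) in enumerate(evs):
            in_win = [e for e in evs[i:] if e[0] - t0 <= window]
            failed_users = {u for _, u, ok in in_win if not ok}
            if len(failed_users) < min_users:
                continue
            hits = sorted({u for _, u, ok in in_win if ok})
            best = alerts.get(ip)
            if best is None or len(failed_users) > best["distinct_failed_users"]:
                alerts[ip] = {
                    "ip": ip,
                    "window_start": t0.isoformat(),
                    "distinct_failed_users": len(failed_users),
                    "successful_logins": hits,  # accounts to force-reset and review
                }
    return sorted(alerts.values(), key=lambda a: a["ip"])


if __name__ == "__main__":
    for alert in detect_stuffing(SAMPLE_LOG):
        print(alert)
```

The key design choice is to count distinct accounts per source rather than raw failures per account: a brute-force rule tuned to "N failures on one account" never fires on a stuffing run that tries each stolen pair once, while a legitimate user who mistypes a few times stays below a distinct-account threshold. Accounts that succeed from a flagged source are the ones whose reused passwords should be reset and whose sessions should be reviewed.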
Multi-factor authentication also needs to be set for every possible service that needs credentials. If remote desktop protocol access is needed, it needs to be secured with MFA and a VPN.
The principle of least privilege should also be deployed. Account privileges need to be defined clearly and no user should have extra privileges that are not mandatory to their activity.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.