Hackers Found Selling Stolen University Credentials
The FBI is warning US universities and colleges that their network credentials and virtual private network (VPN) access are being advertised for sale by criminals.
The logins, harvested through spear-phishing, ransomware, or other tactics, are reportedly being sold on both online criminal marketplaces and publicly accessible forums.
“The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services,” the FBI warns in an advisory.
“If attackers are successful in compromising a victim account, they may attempt to drain the account of stored value, leverage or re-sell credit card numbers and other personally identifiable information, submit fraudulent transactions, exploit for other criminal activity against the account holder, or use for subsequent attacks against affiliated organizations.”
The use of these techniques has increased over the last two years, with logins stolen through Covid-related phishing attacks. In late 2020, for example, around 2,000 unique university account usernames and passwords with the domain .edu were found for sale on the dark web, while in May 2021 over 36,000 email and password combinations for email accounts ending in .edu were identified on a publicly available instant messaging platform.
As of January 2022, Russian cybercriminal forums were offering network credentials and virtual private network access to universities and colleges across the US, with some listings including screenshots as proof of access. Prices varied from a few dollars to several thousand.
The FBI suggests that colleges and universities liaise with their local FBI Field Office and update their incident response and communication plans.
“Hybrid and remote learning models have exposed the higher education sector to a plethora of attacks that expose unmanaged and unsecured accounts. Threat actors continue to exploit unprotected accounts for their benefit and their tactics are increasing in sophistication and, as a result, often harder to spot and stop,” says Steven Hope, CEO and co-founder of password management firm Authlogics.
“Universities, especially, should be providing students and staff with training to spot convincing phishing emails and the steps to undertake when opening various attachments or emails. Students are an easy target, because unlike in a work environment, they often lack the necessary understanding to spot these types of attacks.”