Cybercriminals are hijacking legitimate email accounts from more than a dozen universities – including Purdue University, University of Oxford in the U.K. and Stanford University – and using the accounts to bypass detection and trick victims into handing over their email credentials or installing malware.
Dave Bagget, CEO and co-founder of INKY, told Threatpost that there is no indication of how the accounts were compromised — but he speculated that the victims fell for a credential-harvesting scheme. Bagget also said that this month researchers continued to see phishing emails from real university accounts, so some accounts appear to still be compromised.
“A student may never change an originally assigned password, or may share it with a friend or friends,” according to Inky researchers on Thursday. “A professor may give a student the password to an account for a particular project and never change it when the project is done. Hackers tapping around find these carelessly handled accounts, take them over, and change the passwords themselves, locking out the original owner.”
Researchers said that so far in 2020 they have discovered a number of malicious campaigns using compromised email accounts from at least 13 different universities. The highest number of phishing emails detected came from compromised Purdue University accounts (2,068), sent in campaigns between January and September.
Behind Purdue University was Oxford (714 phishing emails detected), Hunter College (709) and Worcester Polytechnic Institute (393).
Threat actors have used these legitimate accounts for several types of attacks. In one, victims received a message from a Stanford University account purporting to be a Microsoft “system message” about the status of some quarantined messages. The email offered various links to view the quarantined messages; clicking them led to a Microsoft Outlook credential-harvesting site or initiated a malicious code infection. An easy red flag here is that the sender’s email address is a legitimate university account, yet the email purports to come from Microsoft, researchers said.
However, what gives the cybercriminals a leg up in this incident is that the email’s headers confirm it originated from Stanford University’s servers, which lets the sender pass Sender Policy Framework (SPF) filtering for the university’s domain, researchers said. SPF is an email authentication method that aims to prevent sender address forgery.
The attackers were able to pass SPF because the victim’s commercial organization has a policy that accepts email from Stanford’s servers, according to researchers. Since the message genuinely left an authorized Stanford server, SPF had nothing to reject: it verifies where a message came from, not whether the account’s rightful owner sent it.
“Search-engine results also confirm that the address sending this phishing email corresponds to a real university profile (e.g., of a student, faculty member, staffer or research publication),” said researchers.
Attackers also use various other lures with the compromised university accounts. For instance, researchers unearthed emails from legitimate Oxford and Purdue accounts telling victims that they have a missed call and linking to an attachment that purports to be the voicemail.
In another incident, researchers said that Oxford had an improperly configured Simple Mail Transfer Protocol (SMTP) server (SMTP being the protocol used to transmit email between servers). They claimed a bad actor was able to abuse it to automatically generate email addresses, from which phishing emails were then sent.
“By using Oxford’s servers as an open mail relay, a bad actor was able to send phishing emails that passed both SPF and DMARC for the University of Oxford,” said researchers. “To prevent this type of abuse, SMTP servers must be configured to not accept and forward emails from non-local IP addresses to non-local mailboxes by unauthenticated and authorized users.”
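The rule in that quote reduces to a three-way test a relay should apply before accepting a message: is the connecting client on a local network, is the recipient a local mailbox, or has the session authenticated? The following is an added illustration of that decision, contrasted with the open-relay behaviour the researchers describe; it is not Oxford’s or INKY’s configuration, and the networks, domain and sample connection attempts are constructed.

```python
"""Open-relay versus hardened relay decisions for an SMTP server.

Added illustration of the rule quoted in the article; not Oxford's or
INKY's configuration. Networks, domains and ATTEMPTS are constructed.
"""
from ipaddress import ip_address, ip_network

# Constructed: address ranges the server treats as "its own" network, and
# the domains whose mailboxes it hosts.
LOCAL_NETS = [ip_network("192.0.2.0/24"), ip_network("2001:db8::/32")]
LOCAL_DOMAINS = {"university.example"}


def is_local_client(client_ip):
    ip = ip_address(client_ip)
    return any(ip in net for net in LOCAL_NETS)


def is_local_mailbox(rcpt):
    return rcpt.rpartition("@")[2].lower() in LOCAL_DOMAINS


def open_relay_policy(client_ip, rcpt, authenticated):
    """The misconfiguration: any client may send to any destination."""
    return True


def hardened_policy(client_ip, rcpt, authenticated):
    """Relay only when the client is local, the recipient is local, or the
    session authenticated. External-to-external without AUTH is refused,
    which is exactly the path an open-relay abuser needs."""
    return is_local_client(client_ip) or is_local_mailbox(rcpt) or authenticated


# Constructed attempts: (client_ip, recipient, authenticated)
ATTEMPTS = [
    ("192.0.2.25", "victim@other.example", False),        # campus host, outbound
    ("198.51.100.7", "alice@university.example", False),  # inbound to a local user
    ("198.51.100.7", "victim@other.example", True),       # roaming user with SMTP AUTH
    ("198.51.100.7", "victim@other.example", False),      # external -> external: relay abuse
]


def audit(policy, attempts=ATTEMPTS):
    """Return the attempts a policy would relay; the last one never should be."""
    return [attempt for attempt in attempts if policy(*attempt)]


if __name__ == "__main__":
    print("open relay accepts:", audit(open_relay_policy))
    print("hardened accepts:  ", audit(hardened_policy))
```

In Postfix the same three-way test is what `smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination` expresses: the relay accepts local clients and authenticated users, and rejects anything else that is not destined for a domain it hosts.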
Threatpost has reached out to Oxford for further comment on this incident.
Other threats have plagued the higher-education sector, including recent campaigns called “Silent Librarian” that have been actively targeting students and faculty at universities via spear-phishing. The eponymous threat group behind the attacks (also known as TA407 and Cobalt Dickens), which operates out of Iran, has been on the prowl since the start of the 2019 school year, launching low-volume, highly targeted, socially engineered emails that eventually trick victims into handing over their login credentials.
Bagget noted that with the COVID-19 pandemic moving many classes and universities to remote operation, cybercriminals have also stepped up their attacks against the higher-ed sector.
“We started to detect these types of attacks in summer 2019, and the number of hijacked accounts increased during the pandemic lockdowns,” Bagget said. “The number of distinct schools targeted also increased in the pandemic.”