Attackers are targeting email accounts from well-known universities, including US Purdue & Oxford, to launch attacks that get around DMARC & SPF.
Cyber-criminals are hijacking legitimate email accounts from more than 12 universities – including US Purdue University, The University of Oxford, & California’s Stanford University, & using the accounts to bypass detection & trick victims into giving out their email credentials or installing malware.
Dave Baggett, CEO & co-founder of INKY, explained that there is no indication of how the accounts were compromised, though he speculated that the account owners fell for a credential-harvesting scheme. Baggett added that as of this October researchers were still seeing phishing emails sent from real university accounts, so some accounts appear to remain compromised.
“A student may never change an originally assigned password, or may share it with a friend or friends,” INKY researchers wrote on Thursday.
“A professor may give a student the password to an account for a particular project & never change it when the project is done. Hackers tapping around find these carelessly handled accounts, take them over, & change the passwords themselves, locking out the original owner.”
Researchers said that in 2020 so far they have discovered a number of malicious campaigns using compromised email accounts from at least 13 different universities. The highest number of phishing emails detected came from compromised Purdue University accounts (2,068), sent in campaigns from January to September.
Second to Purdue was Oxford (714 phishing emails detected), followed by the US-based Hunter College (709) & Worcester Polytechnic Institute (393).
Threat actors have utilised these legitimate accounts for different types of attacks. In one, victims received a message from a Stanford University account purporting to be a Microsoft “system message” about the status of some quarantined messages.
The email offered various links to view the quarantined messages; clicking them led to a Microsoft Outlook credential-harvesting site or triggered a malware download.
An easy ‘red flag’ is that the sender’s email address is a legitimate university account, yet the email purports to come from Microsoft, researchers indicated.
What gives the cyber-criminals an advantage in this incident is that the message genuinely originated from Stanford University’s mail servers, as its Received headers show, so it passes Sender Policy Framework (SPF) checks for the university domain, researchers warned.
SPF is an email authentication method that aims to prevent sender-address forgery: a domain publishes a DNS TXT record listing the IP addresses & hosts authorised to send mail on its behalf, & the receiving server checks the IP that connected to it against that list for the domain in the envelope sender.
The attackers did not need to defeat SPF at all, according to researchers: mail from a hijacked account leaves through Stanford’s own outbound servers, which Stanford’s SPF record authorises, so the victim’s commercial organisation, whose policy accepts mail that passes SPF for the Stanford domain, treats the phish exactly as it would a genuine Stanford message. SPF verifies which server a message came from, not whether the account holder actually wrote it.
“Search-engine results also confirm that the address sending this phishing email corresponds to a real university profile (e.g., of a student, faculty member, staffer or research publication),” observed researchers.
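To make the SPF point concrete, the following is an added example (not INKY’s code or anything from the original article): a minimal SPF evaluator in Python run against constructed DNS data. The domains, IP ranges & SPF records are all made up for illustration, & the evaluator only models the ip4, ip6, include & all mechanisms so that it runs offline with no DNS lookups. It shows that a phish sent from a hijacked account through the university’s own outbound servers gets the same “pass” as legitimate mail, while the same envelope sender forged from an outside IP gets “fail”.

```python
"""Added example: minimal SPF evaluation over constructed records.

SPF answers one narrow question: is the IP that handed me this message
allowed to send for the domain in the envelope sender?  It cannot tell
a hijacked account from its rightful owner.
"""
import ipaddress

# Constructed "DNS": domain -> SPF TXT record.  None of these are real.
SPF_RECORDS = {
    "university.example": (
        "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 "
        "include:_spf.mailhost.example -all"
    ),
    # An outsourced mail provider pulled in via include:
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip4:198.51.100.11 -all",
    # A partner domain that delegates to the university and soft-fails the rest.
    "partner.example": "v=spf1 include:university.example ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, mail_from_domain, records=SPF_RECORDS, depth=0):
    """Return the SPF result ('pass', 'fail', 'softfail', 'neutral', 'none'
    or 'permerror') for a connection from client_ip whose envelope sender
    is in mail_from_domain.  Only ip4/ip6/include/all are modelled; the
    a, mx, exists and redirect terms need live DNS and yield permerror.
    """
    if depth > 10:                      # crude stand-in for RFC 7208's lookup limit
        return "permerror"
    record = records.get(mail_from_domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")   # first ':' only, so ip6 args survive
        name = name.lower()
        if name in ("ip4", "ip6"):
            try:
                # 'in' is False when the IP version differs, which is what we want
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            matched = check_spf(client_ip, arg, records, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # record exhausted without a match


def scenario_results():
    """Three deliveries carrying MAIL FROM someone@university.example."""
    return {
        # Attacker's own server forging the university envelope sender.
        "spoofed_from_outside": check_spf("192.0.2.50", "university.example"),
        # Hijacked account sending through the university's outbound relay.
        "hijacked_account_via_university_smtp": check_spf("203.0.113.25", "university.example"),
        # Mail handed off through the included provider.
        "via_included_mailhost": check_spf("198.51.100.11", "university.example"),
    }


if __name__ == "__main__":
    for name, result in scenario_results().items():
        print(f"{name:40s} -> {result}")
```

The second scenario is the Stanford case from the article: the sending IP sits inside the university’s published range, so every receiver that trusts SPF accepts the message. The check tells you the message left the right server, nothing more.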
Oxford & Purdue
Attackers also use other lures with the compromised university accounts. For example, researchers found emails from legitimate Oxford & Purdue accounts telling victims that they had a missed call & linking to an attachment that pretended to be the voicemail.
In another incident, researchers said that Oxford had an improperly configured Simple Mail Transfer Protocol (SMTP) server, SMTP being the protocol used to transfer email between mail servers. A bad actor was able to abuse it to automatically generate sender addresses in the university’s domain, from which phishing emails were then sent.
“By using Oxford’s servers as an open mail relay, a bad actor was able to send phishing emails that passed both SPF & DMARC for the University of Oxford,” researchers wrote. “To prevent this type of abuse, SMTP servers must be configured to not accept & forward emails from non-local IP addresses to non-local mailboxes by unauthenticated and unauthorised users.”
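The relay rule the researchers describe, as an added example in Python (not Oxford’s real configuration, not INKY’s code, & not any particular MTA’s implementation): the network range, domains & addresses are constructed. `open_relay=True` reproduces the misconfiguration, where nothing about the client or destination is checked; the default branch applies the hardened rule, relaying mail from a non-local IP to a non-local mailbox only for authenticated users.

```python
"""Added example: SMTP relay decision, open-relay vs hardened.

An open relay lets an outsider inject a message that then leaves from
the university's own IP space, so SPF (and DMARC, when the From header
aligns) pass for the university domain.  The fix is to refuse relaying
for unauthenticated clients outside the local network.
"""
import ipaddress

# Constructed campus network and hosted mail domain (assumptions, not real data).
LOCAL_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
LOCAL_DOMAINS = {"university.example"}


def is_local_ip(client_ip):
    """True if the connecting client sits inside the campus network."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in LOCAL_NETWORKS)


def is_local_mailbox(address):
    """True if the recipient's domain is one this server hosts."""
    return address.rpartition("@")[2].lower() in LOCAL_DOMAINS


def relay_decision(client_ip, authenticated, rcpt_to, open_relay=False):
    """Decide one RCPT TO command.  Returns (accepted, reason).

    Hardened order, mirroring common MTA practice: deliver inbound mail
    for local mailboxes, relay for authenticated submitters, relay for
    clients on the local network, refuse everything else.
    """
    if open_relay:
        # Misconfiguration: neither the client nor the destination is checked.
        return True, "accepted: open relay"
    if is_local_mailbox(rcpt_to):
        return True, "accepted: inbound mail for a local mailbox"
    if authenticated:
        return True, "accepted: relay for an authenticated user"
    if is_local_ip(client_ip):
        return True, "accepted: relay for a client on the local network"
    return False, "554 5.7.1 relay access denied"


def abuse_scenario(open_relay):
    """The abuse in the article: an outside, unauthenticated client asks the
    university server to deliver mail to a victim at another organisation."""
    return relay_decision("192.0.2.50", False, "victim@corp.example", open_relay)


if __name__ == "__main__":
    for mode in (True, False):
        accepted, reason = abuse_scenario(open_relay=mode)
        print(f"open_relay={mode}: {reason}")
```

Note that the hardened rule still accepts unauthenticated mail addressed to local mailboxes (that is ordinary inbound delivery) & still relays for the campus network; the only thing it refuses is exactly the case the quote names, an outside, unauthenticated client asking for delivery to a non-local mailbox.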
Other threats have troubled the higher-education sector, including the recent “Silent Librarian” campaigns, which have been actively targeting students & faculty at universities with spear-phishing.
The threat group behind those attacks (also known as TA407 & Cobalt Dickens), which operates out of Iran, has since the start of the 2019 school year been sending low-volume, highly targeted, socially engineered emails that eventually trick victims into handing over their login credentials.
Baggett noted that with the pandemic moving many classes & universities to remote learning, cyber-criminals have also ‘upped their game’ in their attacks against the higher-ed sector.
“We started to detect these types of attacks in Summer 2019, & the number of hijacked accounts increased during the pandemic lockdowns,” Baggett concluded. “The number of distinct schools targeted also increased in the pandemic.”