The FBI issued an alert to inform the higher education sector about the availability of login credentials on dark web forums that can be used by threat actors to launch attacks against individuals and organizations in the industry. The availability of this data is the result of continued attacks conducted by threat actors against US colleges and universities. The alert also includes recommendations and mitigations for these attacks.
“The FBI is informing academic partners of identified US college and university credentials advertised for sale on online criminal marketplaces and publicly accessible forums. This exposure of sensitive credential and network access information, especially privileged user accounts, could lead to subsequent cyber attacks against individual users or affiliated organizations,” reads the alert published by the FBI.
Crooks obtain the information through spear-phishing and ransomware attacks, or by other means.
In 2017, crooks launched a phishing campaign against universities to compromise .edu accounts. The attackers set up fake university login pages and embedded a credential harvester link in phishing emails.
In late 2020, credentials for US-based universities were found for sale on the dark web. The seller listed approximately 2,000 unique credentials.
In May 2021, more than 36,000 email and password combinations for .edu email accounts were offered for sale and advertised on a publicly available instant messaging platform.
More recently, in January 2022, threat actors were observed offering network and VPN access credentials belonging to US-based universities and colleges for sale on Russian cybercrime forums.
“The FBI has observed incidents of stolen higher education credential information posted on publicly accessible online forums or listed for sale on criminal marketplaces. The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services,” concludes the alert. “If attackers are successful in compromising a victim account, they may attempt to drain the account of stored value, leverage or re-sell credit card numbers and other personally identifiable information, submit fraudulent transactions, exploit for other criminal activity against the account holder, or use for subsequent attacks against affiliated organizations.”