Stolen university credentials up for sale by Russian crooks, FBI warns

Forget dark-web souks, thousands of these are already being traded on public bazaars


Russian crooks are selling network credentials and virtual private network access for a "multitude" of US universities and colleges on criminal marketplaces, according to the FBI.

According to a warning issued on Thursday, these stolen credentials sell for thousands of dollars on both dark web and public internet forums, and could lead to subsequent cyberattacks against individual employees or the schools themselves.

"The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services," the Feds' alert [PDF] said.

In May 2021, more than 36,000 email and password combinations for email accounts ending in ".edu" were listed for sale on a "publically available instant messaging platform," according to the bureau, although it did note that some of these may have been duplicates. 

Regardless, it's high time to button down — and stop reusing — passwords and implement multi-factor authentication.

The FBI also cited attacks in 2017 during which cybercriminals cloned university login pages and emailed links to the sites in phishing emails to harvest unsuspecting people's details. "Such tactics have continued to prevail and ramped up with COVID-themed phishing attacks to steal university login credentials, according to security researchers from a US-based company in December 2021," the security alert noted. 

Simply put: phishing still works, according to identity firm Token CEO John Gunn.

"Phishing is still highly effective and now has become a numbers game — the more frequent the attacks, the more victims get fatigued and fall prey," Gunn told The Register. "We are seeing the same approach to stealing business user credentials which underscores the need for multifactor authentication and a passwordless approach to access control. No credentials means nothing to phish and ends this massive vulnerability."

The latest FBI warning also comes as US colleges and universities face an uptick ransomware attacks.

Miscreants in 2021 attacked a total of 26 colleges and universities with ransomware, and 2022 is already on track to meet or exceed that number. At least 15 higher-ed schools have been hit with ransomware so far this year, according to Brett Callow, a threat analyst at Emsisoft.

 "The education sector continues to make for attractive targets as it's very rare that a university focuses on its cyber security stack as its No. 1 priority," said Brad Hong, customer success manager at penetration testing firm Horizon3ai. 

"As the majority of colleges in the US, especially ones who are not focused on protecting the intellectual property of their research institutes, have neither the staff nor the budget to implement next-generation cyber tools to combat next generation cyber-attacks, the effort to payoff is several tiers lower than any other industry as a whole," he told The Register, citing a Sophos study that found the education sector ties for retail with the most ransomware attacks across various industries.

That report [PDF] also found 44 percent of all education organizations surveyed had experienced a ransomware attack. ®


Other stories you might like

Biting the hand that feeds IT © 1998–2022