Universities around the country, along with students and staff, may want to be a bit more vigilant online, warned Kaspersky Lab after researchers detected nearly 1,000 phishing attempts hitting at least 131 universities in 16 countries over the last year.
According to researchers, cyber-criminals are targeting users with fraudulent web pages designed to look identical to the university’s official page. The only distinction is a slightly different URL, making it difficult to detect. Once a user clicks on the link, they are delivered to credentials-stuffing pages, where they are asked to provide sensitive information, including university account credentials, IP addresses and location data.
Collecting the IP addresses allows cyber-criminals to circumvent anti-fraud systems “by masquerading as account holders,” wrote Nadezhda Demidova, security researcher at Kaspersky Lab.
“Although universities are aware of the need to protect their resources, fraudsters exploit the traditional weakest link: user inattentiveness,” Demidova wrote. “Depending on the level of access (lecturer, student, research associate), personal accounts on the university site can provide access to both general information as well as paid services and research results. Moreover, a lecturer’s account, for example, can provide attackers with information about salary, schedule, etc. All this can be used for identity theft or a targeted attack.”
The majority of the 961 attacks detected across 131 schools over the last 12 months, 83 of the institutions were located in the US. The University of Washington (11.6% of attack attempts), Cornell University (6.8%) and the University of Iowa (5.1%) were top three targeted schools. Britain was a distant second, with only 21 schools targeted. In addition, researchers noted that academic institutions in Asia, Europe and Africa have also been targeted.
“As educational institutions becomes a popular target for cyber-criminals, it is essential for university IT staff to take proactive measures to prevent phishing attacks,” said Demidova in a press release. “In addition to strengthening IT security infrastructure, university leaders should also provide training resources that can help students and staff identify and avoid targeted phishing threats.”
