The cyber division of the Federal Bureau of Investigation (FBI) has published a new Private Industry Notification, warning US colleges and universities that higher education credentials have been advertised for sale on online criminal marketplaces and publicly accessible sites.
According to the FBI data, as of January 2022, Russian cyber-criminal forums offered access to credentials from several US-based universities and colleges across the country, with prices ranging from a few US dollars to several thousand.
The same document noted that in May 2021, over 36,000 email and password combinations (some of which may have been duplicates) for email accounts ending in .edu were found on a publicly available instant messaging platform.
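The practical question for a university security team reading this is whether its own accounts are in such a list, and how many of the entries are really distinct once duplicates and case variants are collapsed. The following script is an added example, not code from the article or from the FBI notification: it parses a small constructed combo list in the common `email:password` format, drops exact duplicates, keeps only `.edu` entries, counts pairs per domain, and lists the accounts under the operator's own domains (the domain `example.edu` and the sample data are assumptions for illustration).

```python
import re
from collections import Counter, defaultdict

# Constructed sample of a leaked "email:password" combo list, in the style of
# the .edu combinations the article describes. Not real data and not from the PIN.
SAMPLE_DUMP = """\
alice@example.edu:Spring2021!
Alice@Example.edu:Spring2021!
bob@cs.example.edu:hunter2
carol@otherschool.edu:Password1
alice@example.edu:Spring2021!
dave@example.com:notedu
this line has no separator and is skipped
erin@example.edu:
"""

# Typical combo-list separators are ':' ';' or ','; the email must not contain
# the separator or whitespace, and trailing whitespace on the line is tolerated.
COMBO_RE = re.compile(r"^\s*([^:;,\s@]+@[^:;,\s@]+)\s*[:;,]\s*(.*?)\s*$")


def parse_combo_list(text):
    """Yield (email, password) pairs from a combo list, skipping malformed
    lines and lines with an empty password. Emails are lower-cased so that
    case variants of the same account collapse into one record."""
    for line in text.splitlines():
        m = COMBO_RE.match(line)
        if not m:
            continue
        email, password = m.group(1).lower(), m.group(2)
        if password:
            yield email, password


def triage_dump(text, my_domains, tld="edu"):
    """Summarise a dump: number of distinct (email, password) pairs under the
    given TLD, number of exact duplicates discarded, spread across domains,
    and which accounts belong to our own domains (subdomains included, so
    cs.example.edu counts as example.edu)."""
    seen = set()
    duplicates = 0
    per_domain = Counter()
    affected = defaultdict(set)
    for email, password in parse_combo_list(text):
        domain = email.rsplit("@", 1)[1]
        if not domain.endswith("." + tld):
            continue
        if (email, password) in seen:
            duplicates += 1
            continue
        seen.add((email, password))
        per_domain[domain] += 1
        for mine in my_domains:
            if domain == mine or domain.endswith("." + mine):
                affected[mine].add(email)
    return {
        "unique_pairs": len(seen),
        "duplicates_dropped": duplicates,
        "per_domain": dict(per_domain),
        "affected_accounts": {d: sorted(a) for d, a in affected.items()},
    }


if __name__ == "__main__":
    result = triage_dump(SAMPLE_DUMP, ["example.edu"])
    print(f"{result['unique_pairs']} unique pairs, "
          f"{result['duplicates_dropped']} duplicates dropped")
    for domain, n in sorted(result["per_domain"].items()):
        print(f"  {domain}: {n}")
    for domain, accounts in result["affected_accounts"].items():
        print(f"accounts under {domain} to force-reset: {', '.join(accounts)}")
```

Only exact duplicates are collapsed, so the same account appearing with two different passwords is counted twice, which is itself useful: it usually means the account was exposed in more than one breach. When running this against a real dump, keep only the affected email addresses for the reset workflow and discard the cleartext passwords once matching is done.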
The Private Industry Notification also highlighted that the exposure of such sensitive credential and network access information could lead to cyber-attacks against individual users or affiliated organizations, particularly in the case of privileged user accounts.
“If attackers are successful in compromising a victim account, they may attempt to drain the account of stored value, leverage or re-sell credit card numbers and other personally identifiable information, submit fraudulent transactions, exploit for other criminal activity against the account holder or use for subsequent attacks against affiliated organizations,” read the document.
Further describing the threat, the FBI paper explained that credential harvesting against organizations is often the result of spear-phishing, ransomware or other cyber intrusion tactics.
To mitigate these threats, the document called for colleges, universities and all academic entities to establish and maintain strong relationships with the FBI Field Office in their region.
Moreover, the Bureau issued a number of additional recommendations, including keeping all systems and software up to date, implementing user training programs and phishing exercises for students and faculty members, and enforcing strong password hygiene measures.
A full list of the recommendations is available in the Private Industry Notification’s original text.
The publication of the document reflects a wider pattern of data breaches at US universities, particularly during the pandemic.