The FBI said Friday that thousands of compromised credentials collected from US college and university networks are circulating on online crime forums in Russia and elsewhere — and could lead to security breaches that install ransomware or steal data.
“The FBI informs academic partners about identified US college and university diplomas for sale on criminal online marketplaces and public-facing forums,” the agency said. “This disclosure of sensitive credentials and network access information, particularly privileged user accounts, could lead to subsequent cyberattacks against individual users or connected organizations.”
Login names and passwords are routinely harvested in phishing attacks, which may use fake account breach claims or a COVID-themed pitch to lure victims. Often, the threat actors who carry out these attacks sell the data on crime forums. The data can then be picked up by other threat actors that focus on server infections for the purpose of ransomware, cryptojacking, or espionage.
For example, in 2017, the FBI observed criminals targeting universities to hack .edu accounts by “cloning university login pages and embedding a link to collect credentials in phishing emails.” The attackers would then receive compromised credentials directly from the university server.
Friday’s bulletin listed observed examples of compromised university account details, including:
- As of January 2022, Russian cybercrime forums offered for sale or made available for public access the network credentials and virtual private network access to a variety of identified US universities and colleges across the country, some of which included screenshots as proof of access. Websites that offer credentials for sale typically list prices ranging from a few to several thousand dollars.
- As of May 2021, over 36,000 email and password combinations (some of which may have been duplicates) for email accounts ending in .edu were identified on a publicly available instant messaging platform. The group that published the compromised data appeared to be involved in trading stolen credentials and other cybercriminal activities.
- In late 2020, usernames and passwords for university accounts on US territory with the .edu domain went on sale on the dark web. The seller listed approximately 2,000 unique usernames with associated passwords and asked for donations to an identified bitcoin wallet. As of early 2022, the credential website was no longer accessible.
Both the FBI and independent security researchers recommend that IT professionals at universities and other organizations “establish and maintain strong liaison relationships with the FBI field office in their region.” This can make it easier for those involved to communicate in an emergency.