The Federal Bureau of Investigation (FBI) Cyber Division has issued a new private industry notification, warning US colleges and universities that higher education credentials have been offered for sale in online criminal marketplaces and on publicly accessible sites.
According to FBI data, as of January 2022, Russian cybercriminal forums offered access to credentials of several US-based universities and colleges across the country, with prices ranging from a few to several thousand US dollars.
The same document suggested that in May 2021, more than 36,000 email and password combinations (some of which may be duplicates) for email accounts ending in .edu had been found on a publicly available instant messaging platform.
The private industry notification also pointed out that exposure of such sensitive network credentials and access information could lead to cyberattacks against individual users or affiliated organizations, particularly in the case of privileged user accounts.
“If attackers are successful in compromising a victim account, they may attempt to drain the account of stored value, mine or resell credit card numbers and other personally identifiable information, submit fraudulent transactions, exploit for further criminal activity against the account holder or use for further attacks on affiliated organizations,” the document read.
Describing the threat in more detail, the FBI document explained that the collection of identifying information from organizations is often the result of spear-phishing, ransomware, or other cyber-intrusion tactics.
To mitigate these threats, the document called on colleges, universities, and all academic entities to establish and maintain strong relationships with the FBI field office in their region.
The Bureau is also issuing a number of recommendations, including updating all systems and software, implementing user training programs and phishing drills for students and faculty members, and implementing strict password hygiene measures.
A complete list of recommendations is available in the original text of the Private Industry Notification.
The publication of the document is indicative of a larger problem with data breaches at US universities, especially during the pandemic.