Report shows credentials being sold on the Dark Web
Cybercrime is a concern for every industry, every individual and a new report shows us that higher education is experiencing a huge issue with illegal activities targeting their communities.
Table of Contents
ToggleCyber criminals are aggressively sharing credentials to .edu e-mail accounts – including stolen accounts, fake e-mails, and older e-mail accounts. The Digital Citizens Alliance found evidence that shows threat actors of all types – hacktivists, scam artists, terrorists and more – putting credentials up for sale, trade, or, in or even simply being given away, free of charge.
In a new report, Cyber Criminals, College Credentials, and the Dark Web, Digital Citizens researchers talked with cybersecurity researchers at three different companies about these sales on the Dark Web. Digital Citizens research also talked with a hacktivist who has previously publicly shared tens of thousands of HEI credentials. The report includes research on:
- Rankings showing the total number of stolen credentials for the 300 largest university and college communities found within Dark Web sites
- Sites selling Higher Education Institutions (HEIs) credentials on the Dark Web. These e-mails include those stolen from faculty, staff, students, and alumni, as well as from criminals who have created fake e-mails.
- Clear web sites where vendors sell credentials.
- Why fake e-mails are valuable and the ways these can be used in scams.
The Digital Citizens Alliance’s Deputy Executive Director Adam Benson said the Washington, DC non-profit wanted to demonstrate the scale of the problem and the complexity facing large organizations trying to protect e-mail users. “Higher Education Institutions have deployed resources and talent to make university communities safer, but highly-skilled and opportunistic cyber criminals make it a challenge to protect large groups of highly-desirable digital targets,” Benson said. “We shared this information from cybersecurity researchers to create more awareness of just what kinds of things threat actors are capable of doing with an .edu account.”
The HEIs Most Commonly Found on Dark Web
Researchers from ID Agent, a Washington, DC based security firm has reviewed the email domains for the top 300 Higher Education Institutions (HEIs) in the United States. Using their Dark Web ID technology, ID Agent researchers determined which schools had the highest total of stolen email accounts available to cyber criminals, these included fake e-mails and e-mails with domains designed to resemble those of the HEIs.
During eight years of scanning the Dark Web, ID Agent researchers have discovered 13,930,176 e-mail addresses and passwords belonging to faculty, staff, students, and alumni at U.S. HEIs being made available to cyber criminals on Dark Web sites. Almost 80 percent of the nearly 14 million credentials were discovered by ID Agent researchers over the past 12 months.
Large, Midwestern schools dominated the top ID Agent rankings: The University of Michigan was number one, followed by Penn State University, the University of Minnesota, Michigan State University, The Ohio State University, the University of Illinois, New York University, University of Florida, Virginia Tech University, and Harvard University.
ID Agent’s Managing Partner Brian Dunn said “Cyber criminals are motivated to be successful, so it’s not surprising to see a significant number of stolen .edu accounts attributed to large and prestigious technical schools.”
Researchers did not find a reason why Michigan was number one or why Midwestern schools tended to be at the top of the list. “It could just a matter of the size of these HEIs,” said Benson, who is himself an alumnus of the University of Michigan. “I don’t think there is a security issue unique to the Midwestern schools. Many threat actors just want to disrupt and all HEIs offer something appealing to cyber criminals.”
To demonstrate how the size of the university community matters, ID Agent compared the schools’ total population (faculty, staff, and students) to stolen e-mail accounts. When ID Agent researchers looked at those numbers, The Massachusetts Institute of Technology (MIT) had the highest ratio of total stolen e-mail accounts to total current users, followed by Baylor, Cornell, Carnegie Mellon, and Virginia Tech.
Credentials for sale on both the clear web and the Dark Web
A hacktivist who once posted thousands of .edus online showed Digital Citizens several sites where .edus are currently for sale. The hacktivist, who used the name “DeadMellox”, told Digital Citizens that “most people simply create and then sell them, instead of actually taking them from a site.” Fake e-mails can be used to scam others in the university and college communities. Criminals can also use fake IDs to take advantage of discounts offered to students and faculty on software and various other products.
The cybersecurity company GroupSense showed Digital Citizens researchers Dark Web sites where criminals either sold .edu e-mails (in one case for as much as $17-$19 each) or the ability to create e-mails.
Putting the focus on the bad guys – the threat actors
Security teams from the HEIs have taken tough steps to protect university communities. In 2016, the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) notified HEIs of more than 2,197,000 compromised credentials. Universities are aware of the problem and have worked hard to educate members of the university community how to protect themselves. There are many examples of pages on HEI-operated websites explaining how to create effective passphrases and use two-factor authentication.
However, this only helps one part of the issue, as it only shuts down the HEI e-mail account, not another account where the user may have used the HEI e-mail address as a user ID or password. REN-ISAC notification does not directly reduce risks if you use your school’s password on social media accounts, e-commerce sites, or other e-mail.
What makes a password secure?
Many people reuse their campus username to establish accounts for other online services for convenience. Nothing can completely guarantee the security of a password, but there are practices that can help reduce the risks:
- Use a mix of uppercase, lowercase, numbers, and special characters
- Make the password as long as the system allows
- Think in terms of passphrases instead of passwords
- Use a random password generator to avoid social engineering
- Do not re-use university provided password for other systems
- Change passwords at least annually or if exposure is suspected
- Consider using a password vault to store passwords
- Never share passwords with others
- Report any suspicious activity to local law enforcement or the institutional IT incident response team
“Many of the HEIs and the school’s security professionals are doing great work under difficult circumstances, but they can’t do everything,” Benson said. “The bad guys are the threat actors sharing stolen or fake credentials. It is our hope that administrators don’t follow this report questions asking security pros ‘what are you doing wrong?’, but instead the security teams are empowered to ask stakeholders and members of the university community to do more to fight back against them cyber criminals exploiting friends and co-workers.”
Additional information about the study:
The ID Agent data used in this report includes scans of the Dark Web from 2009 through March 2, 2017.
Research included e-mail domains that matched ID Agent’s search parameters. The Alliance believes that some e-mails are from e-mail domains not managed by the HEI. Fake e-mails designed to resemble a school’s actual e-mail also pose threats to those inside the HEI community and the public. Also, ID Agent does not confirm that account passwords are valid, i,e, provided access to the e-mail account. Attempting to gain unauthorized access to a privileged account or network is illegal.
Before sharing this report publicly, Digital Citizens and ID Agent made efforts to contact all 300 schools to inform them of the report.
For more information, please visit the Digital Citizens Alliance website
Source: Digital Citizens Alliance