Report shows extent of campus cyber attack activities

Details from an alliance study called “Cyber Criminals, College Credentials, and the Dark Web”

It’s no secret that college and university networks have long been prone to cyberattacks of various kinds.

Whether the incidents involve malicious attempts to bring down a school’s network, phishing attacks, or use of the network as an unsuspecting host for dormant malware that can be activated remotely, the open-access nature of higher ed networks makes them particularly susceptible.

These days the cybergold for internet interlopers is the seemingly innocuous email address. Indeed, anything with a .edu address could potentially lead to a treasure trove of important personal information. The Digital Citizens Alliance set out to demonstrate the scale of the problem and the complexity facing large organizations trying to protect email users.

“Higher education institutions have deployed resources and talent to make university communities safer, but highly skilled and opportunistic cybercriminals make it a challenge to protect large groups of highly desirable digital targets,” said Adam Benson, the alliance’s deputy executive director.

“We shared this information from cybersecurity researchers to create more awareness of just what kinds of things threat actors are capable of doing with a .edu account.”

Researchers have found nearly 14 million email addresses belonging to students, faculty, staff and alumni of major universities for sale on the dark web, a part of the internet that isn’t picked up by search engines like Google and that can be accessed only by special browsers.

That figure is according to an alliance study called “Cyber Criminals, College Credentials, and the Dark Web: A Security Challenge Facing U.S. University Communities.”

On the dark web, one can find an online black market for drugs, weapons, medical information, malware, movies, and the increasingly valuable .edu addresses.

What’s so special about a college email address?

For one, many companies offer substantial discounts on such things as laptops and tablets to people with a school address. A stolen email address can often lead to discovering Social Security numbers, credit card data, passwords, home addresses and phone numbers.

Finally, this information is the gateway to valuable research and intellectual property that is often targeted for corporate and government espionage. Alliance researchers discovered that a basic .edu email can sell for a few dollars per address, while addresses with additional sensitive information—such as credit card info—can fetch up to $20 each.

The University of Michigan tops the list of higher education institutions with the most credentials on the dark web with 122,556 accounts, followed by a host of other Big 10 universities including Ohio State, University of Nebraska, Pennsylvania State University, University of Minnesota and University of Illinois at Urbana-Champaign, according to the alliance.

Despite the research, it’s not clear who is stealing the information.

The alliance doesn’t think “nation states” (China, Russia, etc.) are to blame for the simple reason that these hackers don’t typically share the information they get. “.edu’s are literally the most vulnerable domains on the internet,” noted Razvan Eugen Gheorghe, a reformed Romanian hacker who advised the researchers and was quoted in the report.

“I’ve hacked and leaked hundreds since 2012 in hopes of raising awareness to this issue. They’re all vulnerable—even after all these years, I can breach them all over again.”
