The FBI on Friday said that thousands of compromised credentials harvested from US college and university networks are circulating on online crime forums in Russia and elsewhere—and could lead to breaches that install ransomware or steal data.
“The FBI is informing academic partners of identified US college and university credentials advertised for sale on online criminal marketplaces and publicly accessible forums,” the agency said. “This exposure of sensitive credential and network access information, especially privileged user accounts, could lead to subsequent cyber attacks against individual users or affiliated organizations.”
Login names and passwords are routinely harvested in phishing attacks, which may use fake claims of an account breach or a COVID-themed pitch to lure victims. Often, the threat actors who conduct these attacks sell the data on crime forums. The data can then be scooped up by fellow threat actors who focus on server infections for purposes of ransomware, cryptojacking, or espionage.
In 2017, for example, the FBI observed criminals targeting universities to hack .edu accounts by “cloning university login pages and embedding a credential harvester link in phishing emails.” The threat actors would then receive compromised credentials directly from the university server.
Friday’s bulletin listed observed examples of compromised university account data, including:
- As of January 2022, Russian cyber criminal forums offered for sale or posted for public access the network credentials and virtual private network accesses to a multitude of identified US-based universities and colleges across the country, some of which included screenshots as proof of access. Sites posting credentials for sale typically listed prices varying from a few to multiple thousands of US dollars.
- In May 2021, over 36,000 email and password combinations (some of which may have been duplicates) for email accounts ending in .edu were identified on a publicly available instant messaging platform. The group posting the compromised data appeared to be involved in the trafficking of stolen login credentials and other cyber criminal activities.
- In late 2020, US territory-based university account usernames and passwords with the domain .edu were found for sale on the dark web. The seller listed approximately 2,000 unique usernames with accompanying passwords and asked for donations to be made to an identified bitcoin wallet. As of early 2022, the site containing the credentials was no longer accessible.
Both the FBI and independent security researchers recommend IT people inside universities and other organizations “establish and maintain strong liaison relationships with the FBI Field Office in their region.” This can make it easier for parties to communicate in the event an emergency arises.