The Digital Citizens Alliance teams with cybersecurity researchers to find which schools’ account credentials are most commonly found on the Dark Web
Fake “.edus” are also common and are used for criminal activity
Washington, DC – Cyber criminals are aggressively sharing credentials to .edu e-mail accounts, including stolen accounts, fake e-mails, and older e-mail accounts. The Digital Citizens Alliance saw evidence of threat actors of all types – including hacktivists, scam artists, and terrorists – putting credentials (e-mails and passwords) up for sale or trade, or, in some cases, simply giving them away.
For the new report, Cyber Criminals, College Credentials, and the Dark Web, Digital Citizens researchers talked with researchers at three cybersecurity companies about sales on the Dark Web. Digital Citizens researchers also talked with a hacktivist who once publicly shared tens of thousands of Higher Education Institution (HEI) credentials. The report includes research on:
- rankings showing the total number of stolen credentials for the 300 largest university and college communities found within Dark Web sites.
- sites selling Higher Education Institutions (HEIs) credentials on the Dark Web. These e-mails include those stolen from faculty, staff, students, and alumni, as well as fake e-mails created by criminals.
- clear-web sites where vendors sell credentials.
- why fake e-mails are valuable and how they can be used in scams.
The Digital Citizens Alliance’s Deputy Executive Director Adam Benson said the Washington, DC nonprofit wanted to demonstrate the scale of the problem and the complexity facing large organizations trying to protect e-mail users. “Higher Education Institutions have deployed resources and talent to make university communities safer, but highly-skilled and opportunistic cyber criminals make it a challenge to protect large groups of highly-desirable digital targets,” Benson said. “We shared this information from cybersecurity researchers to create more awareness of just what kinds of things threat actors are capable of doing with a .edu account.”
The HEIs Most Commonly Found on Dark Web
Researchers from ID Agent, a Washington, DC-based security firm, reviewed the e-mail domains of the top 300 Higher Education Institutions (HEIs) in the United States. Using their Dark Web ID technology, ID Agent researchers determined which schools had the highest total of stolen e-mail accounts available to cyber criminals; that total included fake e-mails and e-mails with domains designed to resemble those of the HEIs.
During eight years of scanning the Dark Web, ID Agent researchers discovered 13,930,176 e-mail addresses and passwords belonging to faculty, staff, students, and alumni at U.S. HEIs available to cyber criminals on Dark Web sites. 79 percent of the nearly 14 million credentials were discovered by ID Agent researchers in the most recent 12 months of scanning.
Large, Midwestern schools dominated the top ID Agent rankings: The University of Michigan was number one, followed by Penn State University, the University of Minnesota, Michigan State University, The Ohio State University, the University of Illinois, New York University, University of Florida, Virginia Tech University, and Harvard University.
ID Agent’s Managing Partner Brian Dunn said, “Cyber criminals are motivated to be successful, so it’s not surprising to see a significant number of stolen .edu accounts attributed to large and prestigious technical schools.”
Researchers did not find a reason why Michigan was number one or why Midwestern schools tended to be at the top of the list. “It could just be a matter of the size of these HEIs,” said Benson, who is himself an alumnus of the University of Michigan. “I don’t think there is a security issue unique to the Midwestern schools. Many threat actors just want to disrupt, and all HEIs offer something appealing to cyber criminals.”
To demonstrate how the size of the university community matters, ID Agent compared each school’s total population (faculty, staff, and students) to its count of stolen e-mail accounts. By that measure, the Massachusetts Institute of Technology (MIT) had the highest ratio of stolen e-mail accounts to current users, followed by Baylor, Cornell, Carnegie Mellon, and Virginia Tech.
Credentials for sale on both the clear web and the Dark Web
A hacktivist who once posted thousands of .edus online showed Digital Citizens several sites where .edus are for sale right now. The hacktivist, who used the name “DeadMellox”, told Digital Citizens that “most people simply create and then sell them, instead of actually taking them from a site.” Fake e-mails can be used to scam others in the university and college communities, and criminals can also use them to take advantage of discounts offered to students and faculty on software and other products.
The cybersecurity company GroupSense showed Digital Citizens researchers Dark Web sites where criminals sold either .edu e-mails (in one case for as much as $17-$19) or the ability to create them. GroupSense also shared an example of a post from a “vendor” who claimed to be affiliated with the Islamic State and to have e-mails from a major university. He shared hundreds of examples in his post.
Putting the focus on the bad guys – the threat actors
HEI security teams have taken dramatic steps to protect university communities. Universities are aware of the password-reuse problem and have worked hard to educate members of the university community on how to protect themselves. We saw examples of pages on HEI-operated websites explaining how to create effective passphrases and use two-factor authentication.
However, a REN-ISAC exposure notification only shuts down the HEI e-mail account, not another account in which the user used the HEI e-mail address as a user ID or reused the HEI password. REN-ISAC notification does not directly reduce risks if you use your school’s password on social media accounts, e-commerce sites, or other e-mail.
What makes a password secure?
Many people reuse their campus username to set up accounts for online services for convenience; they may or may not also use the associated .edu password. Password complexity rules differ between systems, which sometimes forces the user to create a different password for the online service, and that reduces the risk to campus credentials. Nothing can completely guarantee the security of a password, but there are practices that help reduce the risk:
- Use a mix of uppercase, lowercase, numbers, and special characters
- Make the password as long as the system allows
- Think in terms of passphrases instead of passwords
- Use a random password generator so the password cannot be guessed from personal details gathered by social engineering
- Do not re-use university provided password for other systems
- Change passwords at least annually or if exposure is suspected
- Consider using a password vault to store passwords
- Never share passwords with others
- Report any suspicious activity to the institutional IT incident response team or local law enforcement
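The two pieces of advice that do the most work in the list above, generate the password randomly and make it long, come down to arithmetic: a secret built from n uniform picks out of k choices carries n·log2(k) bits. The following is an added example, not code from the report or from any HEI, that generates a passphrase with a cryptographic random source and puts numbers on the comparison. The 32-word list is constructed for the example; a real generator would use a published list of several thousand words (a diceware list has 7776), and the 7776 and 95 constants are assumptions about that list size and the printable-ASCII alphabet.

```python
import math
import secrets

# Constructed stand-in word list for this example. Real generators draw from a
# published list of thousands of words; the pool size is what sets the entropy.
WORDS = (
    "acorn", "basil", "cedar", "delta", "ember", "fjord", "glide", "harp",
    "iris", "jade", "kelp", "lunar", "maple", "nexus", "oasis", "pearl",
    "quartz", "raven", "saffron", "tundra", "umber", "velvet", "willow", "xenon",
    "yarrow", "zephyr", "bramble", "cobalt", "drift", "falcon", "granite", "hollow",
)
DICEWARE_LIST_SIZE = 7776  # assumption: 6^5 words, the size of a standard diceware list
PRINTABLE_ASCII = 95       # assumption: characters available to an upper/lower/digit/symbol password


def entropy_bits(choices_per_element, elements):
    """Bits of entropy in a secret made of `elements` independent uniform picks
    from `choices_per_element` options: elements * log2(choices)."""
    return elements * math.log2(choices_per_element)


def generate_passphrase(n_words, wordlist=WORDS, sep="-"):
    """Pick words with secrets.choice (a CSPRNG); random.choice is predictable
    and must not be used for credentials."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def longest_passphrase_words(max_len, wordlist=WORDS, sep="-"):
    """Largest word count guaranteed to fit a field of max_len characters even
    if every pick is the longest word, so the passphrase is as long as the
    system allows without ever being rejected by a length limit."""
    longest = max(len(w) for w in wordlist)
    n = 0
    while (n + 1) * longest + n * len(sep) <= max_len:
        n += 1
    return n


def compare(password_len=8, passphrase_words=6):
    """Entropy of a 'complex' 8-character password versus a 6-word passphrase
    from a full diceware list and from the toy list above."""
    return {
        "complex_password": entropy_bits(PRINTABLE_ASCII, password_len),
        "diceware_passphrase": entropy_bits(DICEWARE_LIST_SIZE, passphrase_words),
        "toy_list_passphrase": entropy_bits(len(WORDS), passphrase_words),
    }


if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase(6))
    print("words that fit in a 20-char field:", longest_passphrase_words(20))
    for name, bits in compare().items():
        print(f"{name:22s} {bits:6.1f} bits")
```

The comparison makes the point the list states only informally: six words from a 7776-word list (about 77 bits) beat an eight-character password drawn from all 95 printable characters (about 53 bits), while six words from the toy list here give only 30 bits, which is why the list size is not a detail.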
“Many of the HEIs and the schools’ security professionals are doing great work under difficult circumstances, but they can’t do everything,” Benson said. “The bad guys are the threat actors sharing stolen or fake credentials. It is our hope that administrators don’t follow this report with questions asking security pros ‘what are you doing wrong?’, but instead that security teams are empowered to ask stakeholders and members of the university community to do more to fight back against the cyber criminals exploiting friends and co-workers.”
Additional information about the study:
Digital Citizens has included a detailed explanation of ID Agent’s methodology in the report.
The ID Agent data used in this report includes scans of the Dark Web from 2009 through March 2, 2017.
Research included e-mail domains that matched ID Agent’s search parameters. We are certain that some e-mails are from e-mail domains not managed by the HEI. Fake e-mails designed to resemble a school’s actual e-mail also pose threats to those inside the HEI community and to the public. Also, ID Agent does not confirm that account passwords are valid, i.e., that they provide access to the e-mail account. Attempting to gain unauthorized access to a privileged account or network is illegal.
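The per-school tallies in the ID Agent section and the methodology note above both turn on one step: deciding, for each record in a leaked dump, whether the address belongs to the school's domain, to a host under it, or to a lookalike domain built to resemble it. The following is an added example, not ID Agent's Dark Web ID code or the report's method, of that classification over a constructed `email:password` dump. The target domain `umich.edu`, the sample records, and the lookalike rule (one edit away, or the same letters with punctuation or TLD changed) are all assumptions for the example. As the note above stresses, the passwords are never tested; the parser discards them.

```python
import re
from collections import Counter

# Constructed sample in the "email:password" form such dumps usually take.
# Every record is made up for this example; none of it comes from the report.
SAMPLE_DUMP = """\
alice@umich.edu:Wolverine2016
bob@eecs.umich.edu:hunter2
carol@umich-edu.com:Password1
dave@umlch.edu:letmein
erin@psu.edu:NittanyLion!
frank@gmail.com:umich.edu
this line is not a credential record
"""

EMAIL_RE = re.compile(r"^[^@\s:]+@([A-Za-z0-9.-]+)$")


def parse_records(dump):
    """Yield (email, domain) for each well-formed 'email:password' line.

    The password is discarded on purpose: a scan of leaked data must not test
    whether it still works, so there is no reason to keep it.
    """
    for line in dump.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # blank or malformed line
        email, _password = line.split(":", 1)  # split once; passwords may contain ':'
        m = EMAIL_RE.match(email)
        if m:
            yield email.lower(), m.group(1).lower()


def levenshtein(a, b):
    """Edit distance; used to catch one-character typosquats of the target domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _bare(domain):
    """Letters and digits only, so 'umich-edu.com' and 'umich.edu' compare alike."""
    return re.sub(r"[^a-z0-9]", "", domain)


def classify_domain(domain, target):
    """Bucket a domain relative to the institution's real domain (assumed rule):

    exact      the institution's own domain
    subdomain  a host under that domain (departmental mail servers etc.)
    lookalike  one edit away from it, or its letters with punctuation/TLD changed
    other      unrelated
    """
    if domain == target:
        return "exact"
    if domain.endswith("." + target):
        return "subdomain"
    if levenshtein(domain, target) <= 1 or _bare(domain).startswith(_bare(target)):
        return "lookalike"
    return "other"


def classify_dump(dump, target):
    """Map each parsed e-mail address to its bucket."""
    return {email: classify_domain(domain, target) for email, domain in parse_records(dump)}


def summarize(dump, target):
    """Count records per bucket: the kind of per-school total the report ranks."""
    return Counter(classify_dump(dump, target).values())


if __name__ == "__main__":
    for email, bucket in classify_dump(SAMPLE_DUMP, "umich.edu").items():
        print(f"{bucket:10s} {email}")
    print(dict(summarize(SAMPLE_DUMP, "umich.edu")))
```

Note that `frank@gmail.com` lands in "other" even though the school's domain appears in the password field, and that the lookalike bucket is reported separately from the exact and subdomain buckets, which is the distinction a school needs when deciding which of the records actually correspond to accounts it manages.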
Before sharing this report publicly, Digital Citizens and ID Agent made efforts to contact all 300 schools to inform them of the report.
About the Digital Citizens Alliance:
Digital Citizens is a consumer-oriented coalition focused on educating the public and policy makers on the threats that consumers face on the Internet and the importance for Internet stakeholders – individuals, government and industry - to make the Web a safer place. Based in Washington, DC, the Digital Citizens Alliance counts among its supporters: private citizens, the health, pharmaceutical and creative industries as well as online safety experts and other communities focused on Internet safety.
The Digital Citizens Alliance is made up of people, just like you, concerned about making the Internet a better and safer place for everyone. Our goal is simple: make the Internet:
▪ Free of dangerous drugs sold online to unsuspecting individuals.
▪ Free of illegal movies, videos, and music that steal from our citizens.
▪ Free of scams, including identity theft and misleading advertising.
The Digital Citizens Alliance will be an active voice in promoting a better and safer Internet, working with governments, policy makers, security experts, and the businesses that operate the Internet. We will carry your voice – that of the consumer – to ensure that the Internet is a place we can trust. For more information please visit the website (at its new address): http://www.digitalcitizensalliances.org/index.php