Compromised US college degrees identified on various public forums and dark web

The FBI notifies college partners of identified U.S. college and university degrees advertised for sale in online criminal marketplaces and publicly available forums. This exposure of sensitive network credentials and access information, particularly privileged user accounts, could lead to subsequent cyberattacks against individual users or affiliated organizations.

Cyber ​​actors continue to carry out attacks on US colleges and universities, leading to the exposure of user information in public and cybercriminal forums. Collecting credentials against an organization is often a byproduct of spear phishing, ransomware, or other cyber-intrusion tactics. For example, in 2017, cybercriminals targeted universities to hijack .edu accounts by cloning university login pages and embedding a credential collection link in phishing emails. The successfully harvested credentials were then sent to the cybercriminals in an automated email from their servers. Such tactics have continued to prevail and escalated with COVID-themed phishing attacks to steal college login credentials, according to security researchers at a US-based company in December 2021.

The FBI has observed incidents of theft of graduate degree information posted on publicly available online forums or offered for sale in criminal marketplaces. Exposing usernames and passwords can lead to brute-force credential stuffing computer network attacks, whereby attackers attempt to log into various Internet sites or exploit them for subsequent cyberattacks, as criminal actors take advantage of recycling the same credentials across multiple accounts, websites, and services. If attackers are successful in compromising a victim account, they may attempt to drain the account of stored value, mine or resell credit card numbers and other personally identifiable information, submit fraudulent transactions, exploit for further criminal activity against the account holder, or use for further attacks on affiliated organizations.

  • As of January 2022, Russian cybercriminal forums have been offering for sale or posting for public access network credentials and virtual private network access to a multitude of identified US universities and colleges across the country, some of which included screenshots as proof of access. Sites posting credentials for sale usually show prices ranging from a few thousand US dollars.
  • As of May 2021, over 36,000 email address and password combinations (some of which may be duplicates) for email accounts ending in .edu have been identified on a publicly available instant messaging platform . The group publishing the compromised data appears to be involved in trafficking stolen login credentials and other cybercriminal activities.
  • In late 2020, US-based university account usernames and passwords with the .edu domain were found for sale on the dark web. The seller listed around 2,000 unique usernames with passwords and asked for donations to be made to an identified bitcoin wallet. At the beginning of 2022, the site containing the identifiers was no longer accessible.

The FBI recommends that colleges, universities, and all academic entities establish and maintain strong liaison relationships with the FBI field office in their region. The location and contact information for all FBI field offices can be found at Through these partnerships, the FBI can help identify vulnerabilities in academia and mitigate potential threat activities.

The FBI further recommends that academic entities review and, if necessary, update incident response and communications plans that list the actions an organization will take if it is impacted by a cyber incident. Additionally, consider the following mitigation strategies to reduce the risk of compromise:

  • Keep all operating systems and software up to date. Timely patching is one of the most effective and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Check regularly for software updates and end-of-life (EOL) notifications, and prioritize patching known exploited vulnerabilities. Automate software security scanning and testing where possible.
  • Implement user education programs and phishing exercises for students and professors to educate them about the risks of visiting suspicious websites, clicking suspicious links, and opening suspicious attachments.
  • Require strong, unique passwords for all accounts with password logins and establish lockout rules for incorrect password attempts. Avoid reuse of password across multiple accounts or stored on the system that an adversary can access.
  • Require multi-factor authentication (MFA), preferably using phishing-resistant authenticators, for as many services as possible, especially for accounts that access mission-critical systems, webmail, virtual private networks (VPNs), and privileged accounts that manage backups.
  • Reduce credential exposure and enforce credential protection by restricting account and credential usage and using local device credential protection features.
  • Segment networks to prevent unauthorized access by malicious actors or the spread of malware.
  • Identify, detect, and investigate abnormal activity with network monitoring tools that record and report all network traffic, including lateral movement on a network.
  • Use anomaly detection tools that identify an unusual increase in traffic and failed authentication attempts.
  • Enforce the principle of least privilege through authorization policies. Account privileges should be clearly defined, limited, and regularly audited against usage patterns.
  • Secure and closely monitor Remote Desktop Protocol (RDP) usage.
  • Limit access to resources on internal networks, including restricting RDP and using a virtual desktop infrastructure. If RDP is deemed operationally necessary, restrict origin sources and require MFA to mitigate credential theft and reuse. If RDP must be available externally, use a VPN, virtual desktop infrastructure, or other means to authenticate and secure the connection before allowing RDP to connect to internal devices. Monitor remote access/RDP logs, apply account lockouts after a specified number of attempts to block brute force campaigns, log RDP connection attempts, and disable unused remote access/RDP ports.
  • Make sure devices are set up correctly and security features are enabled. Disable ports and protocols that are not used for business purposes (for example, RDP Transmission Control Protocol port 3389).
  • Limit the Server Message Block (SMB) protocol within the network to access only necessary servers, and remove or disable outdated versions of SMB (that is, SMB version 1). Threat actors use SMB to spread malware in organizations.
  • Examine the security posture of third-party vendors and those interconnected with your organization. Ensure that all connections between third-party vendors and external software or hardware are monitored and investigated for suspicious activity.
  • Implement application and remote access listing policies that only allow systems to run known and authorized programs within an established security policy.
  • Document external remote connections. Organizations should document approved solutions for remote management and maintenance and immediately investigate if an unapproved solution is installed on a workstation.

Learn more about IC3

Comments are closed.