The FBI said on Friday that thousands of compromised credentials collected from U.S. colleges and university networks are circulating in online crime forums in Russia and elsewhere — and could lead to breaches that install ransomware or steal data.
“The FBI is notifying academic partners of identified U.S. college and university degrees for sale on online criminal marketplaces and publicly available forums,” the agency said. “This exposure of sensitive credentials and network access information, especially privileged user accounts, could lead to subsequent cyberattacks against individual users or affiliated organizations.”
Login names and passwords are routinely collected in phishing attacks, where false claims of an account breach or a COVID-themed pitch can be used to lure victims. Often, the threat actors carrying out these attacks sell the data on crime forums. The data can then be picked up by fellow threat actors targeting server infections for ransomware, cryptojacking, or espionage.
For example, in 2017, the FBI observed criminals targeting universities to hack into .edu accounts by “cloning university login pages and embedding a data-collection link in phishing emails.” The threat actors would then receive compromised credentials directly from the university server.
Friday’s bulletin listed examples of compromised college account data, including:
- As of January 2022, Russian cybercriminal forums have put up for sale or posted the network credentials and virtual private network accesses for public access to numerous identified U.S. universities and colleges across the country, some of which include screenshots as proof of access. Sites that list references for sale typically list prices ranging from several to several thousand US dollars.
- As of May 2021, more than 36,000 email and password combinations (some of which may have been duplicates) for email accounts ending in .edu were identified on a publicly available instant messaging platform. The group that posted the compromised data was found to be involved in trafficking stolen credentials and other cybercriminals.
- At the end of 2020, usernames and passwords for college accounts in the US with the domain .edu were found for sale on the dark web. The seller listed about 2,000 unique usernames with associated passwords and asked for donations to an identified bitcoin wallet. From the beginning of 2022, the site with the login details was no longer accessible.
Both the FBI and independent security researchers recommend IT staff at universities and other organizations to “build and maintain strong relationships with the FBI field office in their area.” This can make it easier for parties to communicate in the event of a disaster.