Attackers Pose as University Support Team to Target Students

Higher education institutions continue to be prime targets for attack as cybercrimianls prey on unsuspecting students. In a recent attack uncovered by Abnormal, a credential phishing attacker impersonated the university support team to steal student credentials.

Summary of Attack

• Target: University Students

• Platform: Outlook 365

• Bypassed Secure Email Gateway: Yes

• Payload: Phishing Link

• Technique: Spoofed Internal Account

In this attack, cybercriminals attempted to spoof, or forge authentication, of a university support team email. Lucky for them, the secure email gateway (SEG) the university uses experienced an error in verifying sender credentials and allowed the malicious actor to pose as the support team in a way that is almost undetectable.

The attacker did this by including a subject line that contains what appears to be a benign password expiration notification coming from a legitimate university support team email domain. The body of the email contains a message stating that the password for the email account will expire later in the evening, a button which is connected to a link, and an urgent note stating that email may not be delivered if the account password is not verified. Finally, the footer contains the name of the distributing organization on campus: the IT support team.

After clicking on the link, recipients are directed to a simple web page containing a login prompt where the username is already filled in, a tactic typically used by attackers. The prompt contains the university name and logo and the name of a well-known security brand, Norton.

While this does not necessarily look like a Microsoft login page, the attackers are likely betting on the fact that students either may not know the difference, or may be too distracted to pay attention to these details.

After inputting the password to the email address, the user is informed that the password is invalid. However, behind the scenes, the password is collected by the attacker and will then be used later to access the compromised student account.

This attack appears to be basic in nature, but it is incredibly effective. Starting with the initial email, the malicious actor made a very convincing display of legitimacy. The use of the ‘Support Team’ name, the placement of the university name and logo, the inclusion of a well-known security brand, and the urgency in verifying the credentials all leads the student to take immediate action in order to avoid being locked out of his or her account.

With thousands of students needing access to email in order to complete their schoolwork, there is little doubt that a number of them could fall for this attack. And once the malicious actor has access to those passwords, there is little telling what additional damage could be done from within the accounts themselves. In fact, the attacker could use those credentials to access a number of university applications, programs, and personal information.

This attack was successful in bypassing a popular secure email gateway used by the university. To do so, the attacker first sent identifying information of the university support team email to the university network servers from a location outside the university in an attempt to fool the server into thinking that the attacker was the legitimate owner of the compromised account. This act of forging authentication is known as spoofing.

Spoofing is typically detectable by secure email gateways, which identify and verify authentication information from senders. However, due to the extra steps taken by the attackers, the email bypassed the SEG, which grabbed the wrong credentials for means of authentication and allowed the email to be sent to recipients. This is typical of modern-day gateawys and stands as a testament to the importance of API solutions like Abnormal Security.

Despite the failure of the SEG, Abnormal Security was able to detect the attack at multiple levels, including the potentially spoofed sender email, and prevent the recipient from falling victim to the credential theft campaign.

Even though this attack was observed at this particular university, there is nothing stopping attackers from branching out into other vulnerable locations where unsuspecting students, faculty, and auxiliary systems could become potential victims. It is critically important to be aware of the errors that come with SEGs and be prepared to employ innovative API technology in preventing these attacks—a critical change that could help students and faculty alike.

To learn more about how Abnormal stops this attack and those like it,request a demo of the platform today.