Russian crooks are selling network credentials and virtual private network access for a “multitude” of US universities and colleges on criminal marketplaces, according to the FBI.
According to a warning issued on Thursday, these stolen credentials sell for thousands of dollars on both dark web and public internet forums, and could lead to subsequent cyberattacks against individual employees or the schools themselves.
“The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services,” the Feds’ alert [PDF] said.
In May 2021, more than 36,000 email and password combinations for email accounts ending in “.edu” were listed for sale on a “publically available instant messaging platform,” according to the bureau, although it did note that some of these may have been duplicates.
Regardless, it’s high time to button down — and stop reusing — passwords and implement multi-factor authentication.
The FBI also cited attacks in 2017 during which cybercriminals cloned university login pages and emailed links to the sites in phishing emails to harvest unsuspecting people’s details. “Such tactics have continued to prevail and ramped up with COVID-themed phishing attacks to steal university login credentials, according to security researchers from a US-based company in December 2021,” the security alert noted.
Simply put: phishing still works, according to identity firm Token CEO John Gunn.