Phishing attacks are easily one of the most common, and effective, methods of social engineering. Every facet of society is attacked via phishing for this reason and it appears that the academic sphere is being affected rather significantly. Back when I was in college, phishing attacks were not uncommon as my university email would become the target of social engineers with an annoying frequency. As research from Kaspersky Lab shows, however, phishing attacks against academic institutions have increased in scope and complexity.
As Nadezhda Demidova reported for the Kaspersky blog Securelist, 131 universities have been targeted by phishing attacks so far. The majority of these universities are in the United States, with the additional countries being the United Kingdom, Australia, Canada, Finland, Colombia, Hong Kong, India, Israel, the Netherlands, New Zealand, Poland, South Africa, Sweden, Switzerland, and the United Arab Emirates. Of the universities in this list, Demidova states that the most attacked institutions are the University of Washington, Cornell University, and the University of Iowa.
The phishing attacks themselves use tactics similar to those of banking phishing: a victim who takes the bait lands on a fake website that looks identical to the real one. As the Securelist article states, the motivation here is not financial but rather academic. The treasure trove of research findings at top universities can be just as valuable and, with the right credentials, can be easily accessed. Demidova says this about the actual phishing pages studied:
“Despite the browser warning and, as in the case of the Cornell University fake page, the prompt to check the address bar (copied by the attackers from the original site), users often fail to spot the difference. While analyzing the scripts of one of the phishing pages, we noticed that alongside usernames and passwords, fraudsters collect information about IP addresses and the victim’s location. Cybercriminals can use this data to circumvent anti-fraud systems by masquerading as account holders.”
The easiest way to avoid these phishing attacks is to be more diligent in noticing anything slightly “off” about the page. Considering that students and faculty log in to their college's homepage often, they should know what the proper URL is and how to detect any odd mistakes in the page like spelling errors.