• March 31, 2023

The FBI is warning US universities and colleges that their network credentials and virtual private network (VPN) access are being advertised for sale by criminals.

The logins, harvested through spear-phishing, ransomware, or other tactics, are reportedly being sold on both online criminal marketplaces and publicly accessible forums.

“The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services,” the FBI warns in an advisory.

“If attackers are successful in compromising a victim account, they may attempt to drain the account of stored value, leverage or re-sell credit card numbers and other personally identifiable information, submit fraudulent transactions, exploit for other criminal activity against the account holder, or use for subsequent attacks against affiliated organizations.”

Over the last two years, the use of these techniques has increased, with logins stolen through Covid-related phishing attacks. In late 2020, for example, around 2,000 unique university account usernames and passwords with the domain .edu were found for sale on the dark web, while in May 2021 over 36,000 email and password combinations for email accounts ending in .edu were identified on a publicly available instant messaging platform.

And as of January 2022, Russian cybercriminal forums were offering network credentials and virtual private network access to universities and colleges across the US, with some listings including screenshots as proof of access. Prices varied from a few dollars to several thousand.

The FBI suggests that colleges and universities should liaise with their local FBI Field Office and update their incident response and communication plans.

“Hybrid and remote learning models have exposed the higher education sector to a plethora of attacks that expose unmanaged and unsecured accounts. Threat-actors continue to exploit unprotected accounts for their benefit and their tactics are increasing in sophistication and, as a result, often harder to spot and stop,” says Steven Hope, CEO and co-founder of password management firm Authlogics.

“Universities, especially, should be providing students and staff with training to spot convincing phishing emails and the steps to undertake when opening various attachments or emails. Students are an easy target, because unlike in a work environment, they often lack the necessary understanding to spot these types of attacks.”
