Phishing scam caught using hijacked student accounts
Malicious hackers are taking over student email accounts and using these as a cover for social engineering scams aimed at tricking staff at other businesses into handing over sensitive data, a report has found.
“Business Email Compromise (BEC) attacks are some of the most popular and devastating attacks out there. They work, broadly, by sending an email from a spoofed or legitimate address and then asking someone to do something,” said Avanan.
In this case, that something entails clicking on a phishing link that leads the victim straight to a credential-harvesting page set up by cyber-fraudsters. Harvested credentials can then be sold on or used directly to enable further cybercriminal activity, such as ransomware attacks.
The BEC scam highlighted by Avanan involved sending bogus emails from a university in Arizona to a “variety of organizations.” Curiously, the crooks behind this scam appear to be leveraging ordinary student accounts – rather than, say, those used by college staff – to fool victims.
Though Avanan did not elaborate on precisely how this scam was supposed to work, it appears to believe that it was effective.
“This represents an effective tactic by hackers,” it said. “Compromising a student account can be done quite efficiently. From there, leveraging the legitimacy of that email account, it’s easy to send out the same messages to a variety of targets [or] a wide spectrum of messages with just one compromise.”
In one example, the victim is told their messages have been blocked and the only way to unseal them is by clicking on the malicious link embedded in the bogus email.
“There are tells in the email, such as where the URL goes to and also the fact that a university account wouldn’t be used to send support messages,” said Avanan, which added that it was not sure how the initial compromise happened.
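The two tells Avanan points to, where the link actually goes and the fact that a university account would not send mail-support notices, can be turned into a simple triage rule. The following Python script is an added example written for this article, not code from Avanan or from the report; the sender address, the recipient, the link hosts and the message text are all constructed placeholders, and the "messages blocked" lure keywords and the two-label domain comparison are assumptions chosen to illustrate the check, not a production detector.

```python
"""Heuristic triage for the 'your messages were blocked' BEC lure.

Flags a message when (a) the sender is a university (.edu) account, which has no
business sending mail-support notices, (b) the text matches the quarantine/release
lure, or (c) a link points somewhere other than the sender's domain or than the
domain its anchor text claims. Added example; not Avanan's or the report's code.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: a hypothetical hijacked student mailbox sending the lure.
# students.example.edu and example-attacker.net are placeholders, not real hosts.
SAMPLE_EML = """\
From: Student Name <jdoe@students.example.edu>
To: accounts@victim-corp.example
Subject: Action required: 3 incoming messages blocked
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your mailbox has 3 blocked messages pending release.</p>
<p><a href="http://mail-release.example-attacker.net/login">https://outlook.office.com/release</a></p>
</body></html>
"""

# Constructed benign sample for comparison: internal mail, link stays on-domain.
BENIGN_EML = """\
From: Colleague <alice@victim-corp.example>
To: bob@victim-corp.example
Subject: Notes from today
Content-Type: text/html; charset=utf-8

<html><body><p>Here is the <a href="https://intranet.victim-corp.example/doc/42">meeting doc</a>.</p></body></html>
"""

# Assumed lure vocabulary; two or more hits count as a match.
LURE_PATTERNS = [
    r"\bblocked messages?\b", r"\bquarantine\b", r"\brelease\b",
    r"\bpending\b", r"\baction required\b", r"\bmailbox\b",
]


def registrable_domain(host):
    # Simplistic last-two-labels comparison (assumption for the example);
    # a real pipeline would consult the public suffix list instead.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def extract_links(html):
    # Returns (href, visible anchor text) pairs from simple <a href="..."> tags.
    pairs = re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S)
    return [(href, re.sub(r"<[^>]+>", "", text).strip()) for href, text in pairs]


def triage(raw):
    """Return a list of human-readable reasons the message looks like the lure."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    text = msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)
    reasons = []

    if sender_domain.endswith(".edu"):
        reasons.append("sender is a university (.edu) account, not a mail-support system")

    if sum(1 for p in LURE_PATTERNS if re.search(p, text, re.I)) >= 2:
        reasons.append("text matches the 'blocked messages' lure")

    for href, anchor in extract_links(body):
        host = urlparse(href).hostname or ""
        if registrable_domain(host) != registrable_domain(sender_domain):
            reasons.append(f"link goes to {host}, not the sender's domain")
        # Anchor text that itself looks like a URL must agree with the real target.
        anchor_host = urlparse(anchor).hostname if anchor.startswith(("http://", "https://")) else None
        if anchor_host and registrable_domain(anchor_host) != registrable_domain(host):
            reasons.append(f"link text shows {anchor_host} but points to {host}")
    return reasons


if __name__ == "__main__":
    for label, eml in (("lure", SAMPLE_EML), ("benign", BENIGN_EML)):
        print(label, triage(eml) or ["no indicators"])
```

The script is deliberately narrow: it encodes only the tells this report describes, so it will miss lures sent from non-.edu compromised accounts and will not catch a link that stays on the hijacked university's own domain. Its value is as a gateway check before human review, not as a replacement for it.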
Avanan recommends always checking the sender's address and where any link actually leads when an urgent message arrives unexpectedly from an unknown party, and double-checking with one's IT department if unsure.