According to a new report by the FBI, cybercriminals are stealing login credentials to the networks of US-based colleges and universities. These are then sold to other criminal actors or used for credential stuffing attacks, whereby attackers take advantage of victims who reuse the same credentials across multiple websites, most notably banking services. In 2017, the agency found cybercriminals cloning university login pages and embedding a credential harvester link in phishing emails. The gathered credentials were then sent to them through an automated email from their servers. Credential harvesting can also be a byproduct of other cyberattacks, such as spear-phishing or ransomware.
Earlier this year, network credentials and virtual private network accesses to multiple universities in the US were being offered for sale on Russian cybercrime forums. The prices listed were ranging up to thousands of dollars. Last year, over 36,000 email addresses using the .edu TLD and their associated passwords were discovered on a publicly-available instant messaging platform. A year prior, the agency found approximately 2,000 credential pairs listed on the dark web, with the seller asking for donations to be made to their bitcoin wallet. The document also outlines some strategies colleges and universities can follow to reduce the likelihood of such attacks.