Security Experts:

Cybercriminals Increasingly Attacking University Networks

Universities face unique challenges keeping their servers and networks secure from cyber-criminals while accommodating the influx of student and faculty-owned devices each year. A recent analysis of online transaction data highlighted to what extent some universities have already been compromised.

ThreatMetrix, a provider of anti-cybercrime prevention solutions, found that cyber-criminals had already infiltrated networks belonging to major educational institutions including New York University, George Mason University, Harvard University, Purdue University, and University of California in Irvine, Alisdair Faulkner, chief product officer at ThreatMetrix, told SecurityWeek. ThreatMextrix looked at all the data collected by its systems in September and filtered out only IP addresses that corresponded to university networks for this analysis, Faulkner said.

Universities HackedThreatMetrix collects transaction data from over 40 million devices hitting its customer Websites and servers on a daily basis. Its identity engine assigns a risk score to each piece of data so that customers can use the information to reject or accept transactions. ThreatMetrix customers review suspicious transactions and set up rules to automatically reject transactions that don't meet a certain threshold.

With online transactions data on hand, customers can "make better decisions," Faulkner said.

An example of a suspicious transaction would be if someone is using a credit card to buy something, and the IP address is using some kind of a proxy to make it look like it's coming from the United States when it really is originating from another country, Faulkner said. This would be flagged as a high-risk transaction.

In its university analysis, NYU topped the list over the one-month period as being the most targeted by cyber-criminals because the flagged transactions originated from 14 different time zones, Faulkner said. These transactions collected by ThreatMetrix came from devices with university IP addresses, meaning they were either university servers or student laptops and devices connecting to the network while on-campus. Legitimate transactions then should all be from Eastern Time and not scattered across 14 different ones, Faulkner said.

Transactions from other time zones are a good indicator of someone using a proxy server, a VPN, or the fact that the network has been compromised, Faulkner said.

University networks, after being compromised, are often being used as a "jump-off" point, Faulkner said. Cyber-criminals may have subverted a Web server for their purposes to host a malicious site, a student laptop may be infected with malware to turn it into a spam relay, or a faculty member's computer used for financial fraud, Faulkner pointed out.

For example, Northwest Florida State College disclosed earlier this week that cyber-criminals had stolen nearly 300,000 records, and used the information to commit at least 50 acts of identity theft to take out loans from various online outfits.

Colleges Hacked

Many computers on university networks are infected with malware, whether it's because the systems were already compromised before getting on the network, or because they were infected by another machine on the same network. Once infected, they could be remotely manipulated by cyber-criminals without user knowledge, Faulkner said.

Earlier this month, a group of hackers calling themselves Team GhostShell used SQL injection to steal personal records of students, faculty, and staff from 53 universities around the world. Several thousand email addresses, names, usernames, passwords, addresses, and phone numbers were subsequently posted on text-sharing Website Pastebin. In the posting that accompanied the data dump, the hackers noted that many of the university servers they'd targeted had already been compromised.

"When we got there, we found that a lot of them have malware injected," the group wrote on Pastebin.

SecurityWeek correlated the list of 53 universities breached by GhostShell with the list of top 50 universities ThreatMetrix had identified as already being compromised and found 14 institutions in common. In addition to NYU, Harvard, and Purdue mentioned earlier, the infected networks included Texas A&M University, University of Maryland, Ohio State University, University of Texas, University of Florida, Boston University, University of Wisconsin, Arizona State University , University of Houston, University of Pennsylvania, University of Colorado, and University of Michigan.

Universities are in a unique position of having had to deal with the Bring Your Own Device trend long before it became an issue for corporate America, Faulkner said. Even if university servers themselves are secure, students and faculty access the network with their own computers and mobile devices, placing the university at high risk for cybercrime.

"BYOD is not new [for universities]. They've been dealing with it for years," Faulkner said.

Related Reading: The College Cyber Security Tightrope: Higher Education Institutions Face Greater Risks

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.