Security Experts:

DMARC in Higher Education: A Formidable Defense Against Targeted Scams

DMARC Can Be Effective in Defending Against Targeted Phishing Attacks And Student Loan Scams

As the new academic year starts, so starts the "Fresher" phishing scam. Second year students are also targeted, but the new first year university intake is the most vulnerable. It has already begun in the UK where the year starts earlier than in the U.S. -- but will follow wherever there are new students who rely on loans.

ActionFraud, which recently issued a warningis operated by the City of London Police, the lead agency for action against fraud in the UK. The phishing campaign has leveraged the Student Loan Company (SLC), which governs loans to students. The phishing email claims that there is a problem with the loan, and that new students should log into their account (on a phishing site) to update their information.

"Because tens of thousands of students will be starting university this month," warns John Wilson, field CTO at Agari, "cyber criminals can send out broad, untargeted phishing campaigns to huge databases and be confident they will reach a large number of victims."

Phishing Scams Target Universitities

But there is a solution to this type of phishing, where the scammer pretends to be a specific organization -- such as the SLC or a particular university. Those organizations should implement Domain-based Message Authentication, Reporting and Conformance (DMARC).

DMARC effectively whitelists the genuine emails from genuine domains, so that ISPs and receiving organizations (such as universities) can reject or block spoofed mails. "DMARC is an open source email authentication standard that will reject unauthorized messages using the domain, preventing them from ever being delivered," explains Wilson. 

The UK government is a big supporter, and DMARC is used, for example, by the UK tax office (HMRC). Last year, Ian Levy, technical director of the National Cyber Security Centre (NCSC, part of GCHQ) said that all 5,700 domains used by the UK government will be adopting DMARC. Once this is achieved, he intends to apply pressure on industry in general to force them to do the same. "I'm going to point and laugh at everybody who doesn't do the same -- publicly," said Levy. "Because there is no excuse not to do DMARC on a high value domain anymore."

The NCSC did not respond to SecurityWeek's inquiry over whether it now recommends that SLC and UK universities should implement DMARC. SecurityWeek also asked SLC whether it uses DMARC to protect the students, and was told, "Due to the sensitivity of the topic we wouldn't comment on the range of tools and methods that we use to counter fraud."

However, when SecurityWeek spoke to the security industry, there was less reluctance to comment. Is the same issue a problem in America? Yes, says Dan Lohrmann, chief security officer at Security Mentor -- although he hasn't seen any elevated concern yet this year (he's more concerned with Hurricanes Harvey- and Irma-related phishing scams right now).

"The back-to-school timeframe is perfect for malicious actors, as students are headed back to the classroom with their latest devices and are expecting a number of emails to be hitting their inboxes from faculty and staff," comments Jordan Wright, senior R&D engineer at Duo Security. "This scenario is just as prevalent in the US as it is anywhere else, with bogus emails purporting to have a student's grades ready for viewing, the latest assignment(s) for completion, student loan changes or simply a call to update personal information for the university's system."

"We see this type of phishing attack every year," adds Lohrmann, "especially in the Fall in 'back-to-school' season. Going after new University students with financial scams has been happening for years, and specific loan-related phishing is an ongoing challenge."

DMARC Implementation

Asaf Cidon, VP of content security at Barracuda, agrees. "Phishing is a growing problem for educational institutions. We've seen a particularly sharp increase in Office 365 account compromise attacks -- where criminals attempt to steal login credentials and ultimately gain access to launch attacks from within an organization. One customer we spoke with recently had some 200 accounts hijacked -- including the Dean and multiple faculty, students, and staff."

Should universities and related organizations (such as SLC in the UK) implement DMARC?

"Universities should absolutely implement DMARC," Cidon adds. "Universities send a wide variety of messages, often from multiple departments, alumni, and third-parties. DMARC is a great tool to prevent domain spoofing, and also to ensure deliverability of legitimate mail (which is important for EDUs looking at planned giving, recruitment, and other activities)."

DMARC is, however, complex to implement. Martin Zinaich, information security officer for the City of Tampa, told SecurityWeek, "it goes a long way to reducing spoofed messages (which is usually how an account gets compromised in the first place). But," he added, "even dmarc.org recognizes that fully deploying this framework is not easy: 'Many senders have a complex email environment with many systems sending email, often including 3rd party service providers. Ensuring that every message can be authenticated using SPF or DKIM is a complex task, particularly given that these environments are in a perpetual state of flux.'"

Alan Levine, a security advisor to phishing specialist Wombat, adds, "DMARC does help in terms of domain authentication, but it is not close to a panacea. Any attacker with a particular target will register a 'like' domain, something close to and almost indiscernible from the targeted organization's domain. Then, DMARC won't help, because the domain will appear legit, even though the mission is malicious."

So, while the first step would be to implement DMARC, an important second step would be to seek control over potential look-alike domains that could be used as phishing sites. While this is in progress, users such as students will remain vulnerable. At this point, security awareness training is an important option.

"Universities should create internal awareness and education programs within their institution," says Wright. "Teaching users how to spot, report and prevent phishing attacks and emails can be a great way to reduce the risk of falling prey to such attacks. Universities can assist this by setting up dedicated web pages that flag ongoing phishing attacks for students and, whenever a phishing attack is detected as targeting their university, the IT Team can send out alerts for students."

But there is an important addendum to this. While this phishing scam is targeted against students, student loan organizations and universities, nobody and no organization is ignored by the scammers.

"Young and old alike," explains Tim Ayling, a fraud and risk intelligence director at RSA Security, "the public needs to have greater awareness of spoofing attacks and take better care to protect themselves online. Much of this comes down to basic security hygiene. Our advice would be: first and foremost, avoid clicking on links to websites from emails and any unknown sources. If in any doubt, search for the website using an engine -- particularly in cases like this where the email would've come from a random email alias, with a generic introduction that suggests it was sent to others. Secondly, the devil is in the detail. Always be sure to check the URL of a site that you are visiting to make sure that it is correct -- often spoofed sites have typos in their address that will give clues that it is not official. Lastly, check the address bar to ensure you are visiting a secure site and there are no warnings."

It's not just Freshers who get phished.

Related: Researchers Devise Hopeful Defense Against Credential Spear Phishing Attacks

RelatedHigher Education Institutions Face Greater Risks 

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.