Cybercriminals Increasingly Attacking University Networks

Universities face unique challenges keeping their servers and networks secure from cyber-criminals while accommodating the influx of student and faculty-owned devices each year. A recent analysis of online transaction data highlighted to what extent some universities have already been compromised.

ThreatMetrix, a provider of cybercrime prevention solutions, found that cyber-criminals had already infiltrated networks belonging to major educational institutions including New York University, George Mason University, Harvard University, Purdue University, and University of California in Irvine, Alisdair Faulkner, chief product officer at ThreatMetrix, told SecurityWeek. ThreatMetrix looked at all the data collected by its systems in September and filtered out only IP addresses that corresponded to university networks for this analysis, Faulkner said.

ThreatMetrix collects transaction data from over 40 million devices hitting its customer Websites and servers on a daily basis. Its identity engine assigns a risk score to each piece of data so that customers can use the information to reject or accept transactions. ThreatMetrix customers review suspicious transactions and set up rules to automatically reject transactions that don’t meet a certain threshold.

With online transactions data on hand, customers can “make better decisions,” Faulkner said.

An example of a suspicious transaction would be if someone is using a credit card to buy something, and the IP address is using some kind of a proxy to make it look like it’s coming from the United States when it really is originating from another country, Faulkner said. This would be flagged as a high-risk transaction.

In its university analysis, NYU topped the list over the one-month period as being the most targeted by cyber-criminals because the flagged transactions originated from 14 different time zones, Faulkner said. These transactions collected by ThreatMetrix came from devices with university IP addresses, meaning they were either university servers or student laptops and devices connecting to the network while on-campus. Legitimate transactions then should all be from Eastern Time and not scattered across 14 different ones, Faulkner said.

Transactions from other time zones are a good indicator of someone using a proxy server, a VPN, or the fact that the network has been compromised, Faulkner said.
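The time-zone heuristic described above, as an added illustration that is not ThreatMetrix’s engine or any code from the article: campus IP ranges (placeholder prefixes from the RFC 5737 documentation blocks), their expected UTC offsets and the transaction records are all constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed: campus prefixes (documentation ranges, not real allocations) mapped to
# the single UTC offset a legitimately on-campus device should report (Eastern = -5).
UNIVERSITY_NETWORKS = {
    "Example University A": (ip_network("203.0.113.0/24"), -5),
    "Example University B": (ip_network("198.51.100.0/24"), -6),
}

# Constructed transaction records: source IP plus the UTC offset reported by the device.
SAMPLE_TRANSACTIONS = [
    {"id": 1, "ip": "203.0.113.10", "tz_offset": -5},
    {"id": 2, "ip": "203.0.113.11", "tz_offset": 3},
    {"id": 3, "ip": "203.0.113.12", "tz_offset": 8},
    {"id": 4, "ip": "203.0.113.13", "tz_offset": -5},
    {"id": 5, "ip": "198.51.100.7", "tz_offset": -6},
    {"id": 6, "ip": "192.0.2.1", "tz_offset": 0},  # not a campus address, out of scope
]


def university_for(ip):
    """Return (campus name, expected offset) if ip is in a known campus range, else None."""
    addr = ip_address(ip)
    for name, (net, offset) in UNIVERSITY_NETWORKS.items():
        if addr in net:
            return name, offset
    return None


def flag_timezone_mismatches(transactions):
    """Flag campus-sourced transactions whose device time zone disagrees with the campus.

    Also collects the set of distinct offsets seen per campus, the spread the article
    uses to rank how scattered a network's outbound traffic is.
    """
    flagged = []
    zones = defaultdict(set)
    for tx in transactions:
        match = university_for(tx["ip"])
        if match is None:
            continue  # only traffic from university IP space is in scope
        name, expected = match
        zones[name].add(tx["tz_offset"])
        if tx["tz_offset"] != expected:
            flagged.append(tx["id"])
    return flagged, dict(zones)


def rank_by_timezone_spread(zones_per_university):
    """Order campuses by the number of distinct time zones their traffic reports."""
    return sorted(zones_per_university, key=lambda n: len(zones_per_university[n]), reverse=True)
```

A mismatch alone marks a single transaction as high risk; the per-campus spread is what distinguishes an occasional traveller using a VPN from a network whose hosts are being driven from many places at once.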

University networks, after being compromised, are often being used as a “jump-off” point, Faulkner said. Cyber-criminals may have subverted a Web server for their purposes to host a malicious site, a student laptop may be infected with malware to turn it into a spam relay, or a faculty member’s computer used for financial fraud, Faulkner pointed out.

For example, Northwest Florida State College disclosed earlier this week that cyber-criminals had stolen nearly 300,000 records, and used the information to commit at least 50 acts of identity theft to take out loans from various online outfits.

Many computers on university networks are infected with malware, whether it’s because the systems were already compromised before getting on the network, or because they were infected by another machine on the same network. Once infected, they could be remotely manipulated by cyber-criminals without user knowledge, Faulkner said.

Earlier this month, a group of hackers calling themselves Team GhostShell used SQL injection to steal personal records of students, faculty, and staff from 53 universities around the world. Several thousand email addresses, names, usernames, passwords, addresses, and phone numbers were subsequently posted on text-sharing Website Pastebin. In the posting that accompanied the data dump, the hackers noted that many of the university servers they’d targeted had already been compromised.

“When we got there, we found that a lot of them have malware injected,” the group wrote on Pastebin.

SecurityWeek correlated the list of 53 universities breached by GhostShell with the list of top 50 universities ThreatMetrix had identified as already being compromised and found 14 institutions in common. In addition to NYU, Harvard, and Purdue mentioned earlier, the infected networks included Texas A&M University, University of Maryland, Ohio State University, University of Texas, University of Florida, Boston University, University of Wisconsin, Arizona State University, University of Houston, University of Pennsylvania, University of Colorado, and University of Michigan.

Universities are in a unique position of having had to deal with the Bring Your Own Device trend long before it became an issue for corporate America, Faulkner said. Even if university servers themselves are secure, students and faculty access the network with their own computers and mobile devices, placing the university at high risk for cybercrime.

“BYOD is not new [for universities]. They’ve been dealing with it for years,” Faulkner said.

Related Reading: The College Cyber Security Tightrope: Higher Education Institutions Face Greater Risks