Possession of a student’s university account is desirable for threat actors. It enables them to impersonate the student and steal their identity. More advanced threat actors can use this as the first step to a more powerful attack, such as accessing student data, educational records, financial data, and even highly-sensitive cutting-edge research. Attackers can also deploy ransomware and extort institutions for millions of dollars.
In this research, we investigated the dark web exposure of the 65 universities that comprise the Power 5 conferences of Division I sports. Specifically, we searched for compromised credentials (usernames, often including passwords) and compromised endpoints logged in to university accounts.
While the Big Ten conference has not produced a basketball champion since 2000, it is the unrivaled leader in compromised credentials. Together, its universities produced nearly a million more exposed usernames than the others.
Figure 1: top conferences with compromised credentials
These usernames and passwords were most likely procured through data breaches, whether of the university itself or a third party for which the student used their university email to log in. (figure 2). The information is usually posted on the deep and dark web as a data dump or compiled into a combo file or combo list, which is a list of username-password combinations. (figure 3). Attackers can use these combo lists in attacks such as impersonation and credential stuffing.
On underground forums, we can find .edu-specific combo lists, some with thousands of entries. Because on their own, these are relatively low-value, many of these lists are shared for free.
Figure 2: threat actor shares 1000 cracked mail addresses from educational institutions
Figure 3: threat actor shared 18.6k .edu usernames and passwords
It is important to note that not all of these usernames and passwords are valid logins for university accounts. For example, suppose they were found in a third-party breach for which the student used a university email address as a username. In that case, the actual university account is not compromised as long as the student uses a different password for each service. Furthermore, if the university enforced rules for password expiration, the leaked passwords may no longer be valid.
Thus, to validate credentials, threat actors use automated tools to test user-password combinations. Validated logins, known as logs, are far more valuable than credentials and are often sold underground.
In the underground economy, the services of initial access brokers are in high demand for any aspiring cybercriminal. For a fee, various markets sell access to compromised endpoints or remote protocols such as RDP, allowing other cybercriminals to buy the first step into their targets’ networks. Items on these markets list accounts to which the system is logged-in, and anyone that purchases access to the endpoint can presumably access the logged-in accounts. From this initial beachhead, the attackers may be able to spread within the network and carry out a further attack.
The west coast is the undisputed leader in this category. Altogether, underground markets listed 6,207 compromised endpoints from Pac-12 universities beginning in the 2021 school year through the end of August, 2022. The Big Ten accounted for just over half of that figure, and the other conferences even less.
Figure 4: Top university accounts in compromised endpoints (9/1/21 to 8/31/22)
Sometimes the markets’ listings give additional information, such as a compromised subdomain. This can allow analysts to understand a bit more about which machine and resources have been compromised.
Figure 5: part of a log file for sale with login information of the University of Minnesota domain
Figure 6: part of a log file for sale with information from the UMichdomain
Universities have complex digital estates with desirable data for attackers. Indeed, according to Jisc’s ‘Cyber Impact 2022’ report, schools and universities are facing unprecedented ransomware attacks as incidents continue to impact the education sector severely. In addition, the deep and dark web provides millions of compromised credentials and accounts, with which threat actors can launch attacks against students and institutions.
To counter these threats, we strongly recommend that universities follow best practices, including password complexity and expiration, multifactor authentication, least privilege, and network segmentation. Furthermore, universities should monitor underground channels to detect and lock down compromised assets before they are purchased and used.