Cyber Incident Victim: University of Massachusetts-Amherst

Date: Apr 2023

Location: United States of America

Summary

The University of Massachusetts-Amherst was among multiple U.S. universities whose wiki-based websites were compromised in a malicious spam campaign. The attackers abused MediaWiki and TWiki installations to host spam pages promoting fake Fortnite gift cards and cheats. These pages, which also appeared on other academic and government sites, led visitors to phishing forms that harvested credentials through bogus surveys and offers.

Description

On or around April 20, 2023, a malicious spam campaign targeting university websites was identified. The incident involved the compromise of wiki and documentation pages hosted by multiple U.S. educational institutions, including the University of Massachusetts-Amherst. The affected sites were running either the TWiki or the MediaWiki wiki platform. Researchers observed that these university sub-domains had been compromised to serve content promoting fraudulent offers. The spam pages, uploaded by the threat actors, lured visitors with promises of free gift cards, Fortnite Bucks, and game cheats, and redirected them to bogus websites that loaded fake Fortnite-themed content. The ultimate purpose of these pages was to act as phishing forms that prompted users to enter their credentials, which were then harvested.

The scope of the incident extended beyond the University of Massachusetts-Amherst to include other prominent universities such as Stanford, MIT, Berkeley, Northeastern, Caltech, and the University of Michigan. The campaign was not limited to academic institutions; government websites were also targeted. This included mini-sites hosted by a Brazilian state government and the European Union's Europa.eu domain. On the Europa.eu website, the threat actors specifically abused the Europass e-Portfolio service. This job search portal allows users to create and upload CVs and cover letters as PDF documents, and the attackers exploited this functionality to upload spam PDFs alongside their malicious web pages.

The campaign was first publicly identified by a Twitter user known as g0njxa, who found over a dozen compromised university sub-domains. The security news website BleepingComputer subsequently confirmed these findings and reported that the campaign was still live at the time of publication. The technical method of compromise, that is, the specific exploit or vulnerability the threat actors leveraged to upload their spam content, remained undetermined and under investigation at the time of reporting. Although the MediaWiki project had released security updates the previous month to address multiple vulnerabilities, none of the patched issues appeared to be directly relevant to the ongoing campaign.

The primary impact of the incident was the defacement of university web properties and the abuse of their trusted domains to host phishing and spam content. By hosting this content on legitimate `.edu` and `.eu` domains, the threat actors increased the perceived credibility of their fraudulent schemes, potentially increasing the success rate of their phishing attempts. The consequences for end-users included the risk of credential theft and falling victim to online scams after completing bogus surveys promoted on the pages. For the affected organizations, the consequences included reputational damage due to the compromise of their web assets and the operational task of identifying and removing all malicious content.

In response to the incident, BleepingComputer and researchers recommended that system administrators responsible for MediaWiki and TWiki installations sweep their sites for spam and malicious content, focusing on pages and uploads containing keywords associated with the campaign, such as 'gift card' and 'Fortnite'. As a protective measure for potential victims, users were advised not to click suspicious links found on the compromised wiki pages. The investigation into the root cause of the widespread compromises was still ongoing when the article was published.
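A practical way to perform the sweep recommended above is to scan the wiki's stored content for the campaign keywords rather than browsing pages by hand. The script below is an added example, not code from the original page or from any of the affected institutions. It assumes a TWiki installation keeps topics as plain-text files under data/<Web>/<Topic>.txt and that MediaWiki page text has been exported to XML (via Special:Export or maintenance/dumpBackup.php); the keyword list extends the two terms named in the reporting with assumed related ones ('v-bucks', 'cheats'), and the sample wiki content it scans is constructed inline.

```python
"""Sweep TWiki topic files and a MediaWiki XML export for spam-campaign keywords.

Added example (not from the original page). Assumptions: TWiki topics are
data/<Web>/<Topic>.txt; MediaWiki pages are available as an XML export.
"""
import os
import re
import tempfile
import time
from xml.etree import ElementTree as ET

# 'gift card' and 'Fortnite' come from the reporting; the rest are assumed
# related terms. Matching is case-insensitive substring matching per line.
DEFAULT_KEYWORDS = ("gift card", "fortnite", "v-bucks", "cheats")


def _pattern(keywords):
    return re.compile("|".join(re.escape(k) for k in keywords), re.IGNORECASE)


def scan_text(text, source, pattern):
    """Return (source, line_no, matched_keyword, line) for each matching line."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        m = pattern.search(line)
        if m:
            hits.append((source, no, m.group(0).lower(), line.strip()))
    return hits


def scan_twiki_data(data_dir, keywords=DEFAULT_KEYWORDS):
    """Walk a TWiki data/ tree and scan every topic file (*.txt, not RCS *.txt,v)."""
    pat = _pattern(keywords)
    hits = []
    for dirpath, _, files in os.walk(data_dir):
        for name in sorted(files):
            if name.endswith(".txt"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits.extend(scan_text(fh.read(), path, pat))
    return hits


def _local(tag):
    # Strip the XML namespace so any export schema version is handled.
    return tag.rsplit("}", 1)[-1]


def scan_mediawiki_export(xml_path, keywords=DEFAULT_KEYWORDS):
    """Scan the <text> of every <page> in a MediaWiki XML export; source = page title."""
    pat = _pattern(keywords)
    hits = []
    for page in ET.parse(xml_path).getroot().iter():
        if _local(page.tag) != "page":
            continue
        title = next((el.text for el in page if _local(el.tag) == "title"), "?")
        for el in page.iter():
            if _local(el.tag) == "text" and el.text:
                hits.extend(scan_text(el.text, title, pat))
    return hits


def recently_modified(data_dir, days=30):
    """Files changed in the last N days: worth eyeballing even without a keyword hit,
    since a live campaign may have moved on to wording the keyword list lacks."""
    cutoff = time.time() - days * 86400
    return sorted(
        os.path.join(d, f)
        for d, _, files in os.walk(data_dir)
        for f in files
        if os.path.getmtime(os.path.join(d, f)) >= cutoff
    )


# Constructed sample content (not real data from any compromised site).
SAMPLE_EXPORT = """<mediawiki xmlns="http://www.mediawiki.org/xml/export-0.10/" version="0.10">
  <page><title>Main Page</title>
    <revision><text>Documentation for the lab cluster.</text></revision></page>
  <page><title>SpamPage</title>
    <revision><text>==FREE FORTNITE GIFT CARD==
Complete this survey to claim your code.</text></revision></page>
</mediawiki>
"""


def build_sample_tree():
    """Create a temp dir with a constructed TWiki data/ tree and MediaWiki export."""
    root = tempfile.mkdtemp(prefix="wiki-sweep-")
    web = os.path.join(root, "data", "Main")
    os.makedirs(web)
    with open(os.path.join(web, "WebHome.txt"), "w") as fh:
        fh.write("Welcome to the project wiki.\nSee the cluster docs.\n")
    with open(os.path.join(web, "FreeVBucks.txt"), "w") as fh:
        fh.write("---+ Free Fortnite V-Bucks Generator 2023\n"
                 "Claim your free gift card here: http://example.invalid/claim\n")
    export = os.path.join(root, "export.xml")
    with open(export, "w") as fh:
        fh.write(SAMPLE_EXPORT)
    return {"twiki_data": os.path.join(root, "data"), "mw_export": export}


if __name__ == "__main__":
    paths = build_sample_tree()
    for hit in scan_twiki_data(paths["twiki_data"]) + scan_mediawiki_export(paths["mw_export"]):
        print("%s:%d [%s] %s" % hit)
    print("recently modified:", recently_modified(paths["twiki_data"]))
```

Run it against a real data/ directory and export file by swapping the sample paths; for MediaWiki also check the images/ upload directory and, for TWiki, pub/, since the campaign also placed PDFs and standalone HTML alongside the wiki pages.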
