Cyber Incident Victim: University of California, Davis
Date: Jul 2019
Location: United States of America
Summary
Attackers compromised legitimate email accounts at multiple universities to conduct phishing campaigns distributing malware and harvesting credentials, bypassing email authentication protocols like SPF and DMARC by leveraging hijacked institutional domains. Compromised accounts sent fraudulent messages appearing as system alerts or missed-call notifications, directing victims to malicious links or attachments; misconfigured SMTP servers at some institutions enabled further abuse by allowing unauthorized email relay. These attacks exploited poorly secured credentials and increased during pandemic-related remote learning transitions, impacting educational communities through credential theft and malware infections.
Description
A significant cyber incident occurred when cybercriminals hijacked legitimate email accounts from over a dozen universities, including Stanford and Purdue. The attackers used these compromised accounts to send phishing emails and malware, which appeared to come from the universities themselves. This clever tactic allowed the attackers to bypass security measures and trick victims into handing over their credentials or installing malware.

The incident was discovered when researchers noticed a surge in phishing emails coming from legitimate university email accounts. Upon further investigation, it was found that the attackers had gained unauthorized access to the email accounts and were using them to send malicious emails. The emails were designed to appear as if they were coming from the universities, making it difficult for victims to distinguish between legitimate and malicious emails.
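The two points above, that SPF, DKIM and DMARC all pass for mail sent from a hijacked institutional account and that the campaign was first noticed as a surge in outbound volume, as an added detection example that is not part of the original page. The log layout and the example.edu tenant are constructed for illustration, not any real mail platform's schema.

```python
import re
from collections import defaultdict

# Constructed sample outbound-mail log for a fictitious tenant (example.edu);
# the (hour, sender, subject, auth_results) tuple layout is an assumption,
# not any real mail platform's log schema.
MAIL_LOG = [
    (9, "prof.a@example.edu", "Re: grant budget", "spf=pass dkim=pass dmarc=pass"),
    (9, "prof.a@example.edu", "Lecture notes, week 3", "spf=pass dkim=pass dmarc=pass"),
    (10, "staff.b@example.edu", "Timesheet reminder", "spf=pass dkim=pass dmarc=pass"),
    (10, "student.c@example.edu", "Question about lab 2", "spf=pass dkim=pass dmarc=pass"),
] + [
    # the hijacked account: 30 identical lures in one hour, all fully authenticated
    (11, "student.c@example.edu", "You have a missed call", "spf=pass dkim=pass dmarc=pass")
    for _ in range(30)
]

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")

def fully_authenticated(auth_results):
    """True when SPF, DKIM and DMARC all report 'pass' in an Authentication-Results value."""
    results = dict(AUTH_RE.findall(auth_results))
    return all(results.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))

def find_surges(log, max_per_hour=20):
    """Return (sender, hour, count, all_authenticated) for every sender whose
    outbound volume in a single hour exceeds max_per_hour. The last field shows
    that authentication results alone would not have flagged these messages;
    the per-account volume baseline is what exposes the hijacked account."""
    per_sender_hour = defaultdict(list)
    for hour, sender, _subject, auth in log:
        per_sender_hour[(sender, hour)].append(auth)
    surges = []
    for (sender, hour), auths in sorted(per_sender_hour.items()):
        if len(auths) > max_per_hour:
            surges.append((sender, hour, len(auths), all(map(fully_authenticated, auths))))
    return surges

if __name__ == "__main__":
    for sender, hour, n, authed in find_surges(MAIL_LOG):
        print(f"{sender}: {n} messages in hour {hour:02d}; all passed SPF/DKIM/DMARC: {authed}")
```

Authentication results answer "did this domain send it?", not "did the account owner send it?", so volume and recipient-pattern baselines per account belong in the detection rule alongside them.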
The attackers used various tactics to hijack the email accounts. In some cases, they exploited weak passwords or poor email security practices, such as using the same password across multiple accounts or sharing passwords with others. In other cases, they used more sophisticated methods, such as phishing or spear-phishing attacks, to gain access to the accounts.
Once the attackers gained access to the email accounts, they used them to send phishing emails that appeared to come from the universities. The emails were designed to trick victims into revealing sensitive information, such as login credentials or financial information. In some cases, the emails contained malicious attachments or links that, when clicked, would install malware on the victim's device.
The attackers also used the compromised email accounts to send emails that appeared to be from Microsoft, claiming that the victim's account had been compromised and that they needed to reset their password. The emails contained links to fake Microsoft websites that were designed to steal the victim's login credentials. This tactic was particularly effective, as many people trust emails that appear to come from well-known companies like Microsoft.
The incident highlights the vulnerability of universities to email-based attacks. Universities often have large and diverse user bases, including students, faculty, and staff, which can make it difficult to implement and enforce robust email security measures. Additionally, universities often have a culture of openness and collaboration, which can make it easier for attackers to gain access to sensitive information.
The incident also highlights the importance of robust email security measures. Universities should implement measures such as two-factor authentication, password management policies, and email encryption to protect against email-based attacks. They should also educate users about the risks of phishing and spear-phishing attacks and provide them with the tools and resources they need to protect themselves.
The attackers' use of hijacked email accounts to send phishing emails and malware is a common tactic used by cybercriminals. This tactic is often referred to as "email spoofing" and can be difficult to detect and prevent. Email providers and security vendors are working to develop new technologies and techniques to detect and prevent email spoofing, but it remains a significant challenge.
The incident also raises concerns about the use of email as a means of communication. Email is a widely used and convenient means of communication, but it is also vulnerable to security threats. Users should be aware of the risks of email-based attacks and take steps to protect themselves, such as being cautious when clicking on links or opening attachments from unknown senders.
The hijacking of university email accounts is a serious incident that highlights the vulnerabilities of email-based communication. It is a reminder of the importance of robust email security measures and the need for users to be aware of the risks of email-based attacks.
