Cyber Incident Victim: University of Chicago
Date: Oct 2020
Location: United States of America
Summary
Attackers compromised legitimate email accounts at multiple universities to distribute phishing emails and malware, bypassing email authentication protocols like SPF and DMARC. The hijacked accounts sent fraudulent messages appearing as system alerts or missed-call notifications, directing victims to credential-harvesting sites or malicious attachments. Researchers observed campaigns exploiting improperly configured SMTP servers and abused institutional trust to evade security filters. Compromised credentials from weak password practices or shared access enabled the takeover. The shift to remote learning during the pandemic correlated with increased account hijackings targeting academic institutions, facilitating credential theft and malware infections through socially engineered lures.
Description
The cyber incident involved a series of attacks on universities in which cybercriminals hijacked legitimate email accounts to bypass detection and trick victims into handing over their email credentials or installing malware. The attackers used compromised email accounts from over a dozen universities, including Purdue University, University of Oxford, and Stanford University, to send phishing emails that appeared to come from the universities' own servers. The emails were designed to look legitimate, with the sender's email address corresponding to a real university profile, and were able to bypass Sender Policy Framework filtering for university domains. The attackers also used various other lures, such as emails telling victims that they had a missed call and linking to an attachment that purported to be the voicemail. The attacks were likely motivated by personal gain, with the attackers seeking to steal sensitive information or install malware.

The incident was discovered by researchers who found that the attackers were using compromised email accounts to send phishing emails. The researchers also discovered that some accounts appeared to still be compromised, even after the initial attack. The incident highlights the importance of properly securing email accounts and the need for users to be vigilant when receiving emails from unknown or suspicious senders.
The attackers were able to bypass security measures by exploiting vulnerabilities in the email systems of the universities. For example, in one incident, the attackers were able to use an improperly configured Simple Mail Transfer Protocol server to send phishing emails that passed both Sender Policy Framework and DMARC filtering for the University of Oxford. The attackers were also able to use the compromised email accounts to send emails that appeared to come from legitimate university accounts, making it difficult for victims to determine whether the emails were legitimate or not.
The incident has significant implications for the higher education sector, which has been targeted by cyberattacks in the past. The use of compromised email accounts to send phishing emails is a common tactic used by attackers, and universities need to take steps to protect themselves against such attacks. This includes implementing proper security measures, such as multi-factor authentication and encryption, and educating users about the dangers of phishing emails.
The incident also highlights the importance of properly configuring email servers to prevent attacks. For example, an SMTP server should not accept mail from a non-local IP address and relay it to a non-local mailbox on behalf of an unauthenticated or unauthorized user. Enforcing this relay rule removes one of the paths attackers used to send phishing emails that appeared to originate from university infrastructure.
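The relay rule above, modelled as a small Python policy check. This is an added illustration, not code from the incident or from any university's mail system; the domain names, network ranges and the probe address are constructed, and the comment naming reject_unauth_destination refers to the Postfix restriction of that name. It also shows why a correctly configured server still relays mail for a hijacked account that can authenticate, which is why such phishing passes SPF and DMARC for the institution's domain.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class RelayPolicy:
    # Domains whose mailboxes live on this server (inbound mail is always accepted).
    local_domains: set
    # Client networks allowed to relay without authenticating (campus ranges).
    trusted_networks: list

    def decide(self, client_ip: str, authenticated: bool, rcpt: str) -> str:
        """Decide a RCPT TO: 'accept' or 'reject' (model of reject_unauth_destination)."""
        rcpt_domain = rcpt.rsplit("@", 1)[-1].lower()
        if rcpt_domain in self.local_domains:
            return "accept"          # delivery to a local mailbox is not relaying
        ip = ipaddress.ip_address(client_ip)
        if any(ip in ipaddress.ip_network(net) for net in self.trusted_networks):
            return "accept"          # trusted network may relay to any destination
        if authenticated:
            return "accept"          # SMTP AUTH user may relay (including a hijacked one)
        return "reject"              # unauthenticated external client, external recipient


def audit(policy: RelayPolicy) -> list:
    """Return findings that make the policy an open relay (constructed checks)."""
    findings = []
    for net in policy.trusted_networks:
        if ipaddress.ip_network(net).prefixlen == 0:
            findings.append(f"trusted network {net} covers every address: open relay")
    # Probe with a documentation-range address (TEST-NET-3), unauthenticated,
    # sending to an external mailbox; a correct policy rejects this.
    if policy.decide("203.0.113.9", False, "anyone@external.example") == "accept":
        findings.append("unauthenticated external client can relay to an external mailbox")
    return findings


# Constructed example policies, not any real university's configuration.
WEAK = RelayPolicy({"uni.example"}, ["0.0.0.0/0"])       # "everyone is local"
HARDENED = RelayPolicy({"uni.example"}, ["10.0.0.0/8"])  # only campus ranges

if __name__ == "__main__":
    print("weak:", audit(WEAK))
    print("hardened:", audit(HARDENED))
    # The hardened server still relays for an authenticated (possibly hijacked) account,
    # so mail sent with stolen credentials leaves via the university's own servers.
    print(HARDENED.decide("203.0.113.9", True, "victim@other.example"))
```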
Sending phishing from compromised email accounts is a common tactic because the messages appear to come from a legitimate source, which makes it difficult for recipients to judge whether they are genuine. Phishing remains popular with attackers because it is relatively easy to carry out and can be highly effective.
The incident therefore has significant implications for universities and other organizations. Protective measures include multi-factor authentication, encryption, and educating users about phishing. The attackers' ability to bypass security measures is a particular concern: an improperly configured SMTP server can let them send phishing emails that pass both Sender Policy Framework and DMARC filtering, so email servers must be configured correctly.
Users also need to be vigilant when receiving emails from unknown or suspicious senders, and should not click links or open attachments in messages they cannot verify as legitimate. Properly securing email accounts, together with this vigilance, limits the attackers' ability to reuse compromised accounts for further phishing.
