Almost all of the top 10 universities in the US, UK and Australia put their students, faculty and staff at risk of email compromise by failing to prevent attackers from spoofing the domains of school messaging.
According to a report released Tuesday by enterprise security firm Proofpoint, US universities are most at risk with the lowest levels of protection, followed by the UK and then Australia.
The report is based on an analysis of domain-based message authentication, reporting, and compliance (DMARC) records at schools. DMARC is a nearly decade-old email validation protocol used to authenticate a sender’s domain before delivering an email to its destination.
The protocol offers three levels of protection: monitor, quarantine, and the highest level, reject. None of the top universities in any of the countries have activated the rejection protection level, according to the report.
“Higher education institutions hold masses of sensitive personal and financial data, perhaps more than any industry outside of healthcare,” said Ryan Kalember, Proofpoint’s executive vice president for cybersecurity strategy, in a press release.
“This, unfortunately, makes these institutions a very attractive target for cybercriminals,” he continued. “The pandemic and the rapid shift to remote learning have further heightened cybersecurity challenges for higher education institutions and exposed them to significant risks from malicious email-based cyberattacks, such as phishing.”
Barriers to DMARC adoption
Universities aren’t the only ones with poor DMARC implementation.
A recent analysis of 64 million domains worldwide by Red Sift, a London-based maker of an integrated email and brand protection platform, found that only 2.1% of domains had a working DMARC record. Additionally, only 28% of all publicly traded companies globally have fully implemented the protocol, while 41% have activated only the basic level.
There can be a number of reasons why an organization does not adopt DMARC. “There may be a lack of awareness of the importance of implementing DMARC policies, as well as companies not being fully aware of how to begin implementing the protocol,” explained Ryan Witt, Chief Strategy and Solutions Officer of Proofpoint Industries.
“Additionally,” he continued, “a lack of government policy to mandate DMARC as a requirement could be a contributing factor.”
“Additionally,” he added, “with the pandemic and the current economy, organizations may find it difficult to transform their business model, so competing priorities and lack of resources are also likely factors.”
The technology can also be difficult to set up. “This requires the ability to publish DNS records, which requires systems and network administration experience,” explained Craig Lurey, CTO and co-founder of Keeper Security, a zero-trust and zero-knowledge cybersecurity software provider in Chicago.
Additionally, he told TechNewsWorld, “There are multiple layers of configuration required for DMARC to be properly implemented. It should be closely monitored during policy implementation and deployment to ensure that valid emails are not blocked.”
No silver bullet for spoofing
Nicole Hoffman, principal cyber threat intelligence analyst at Digital Shadows, a provider of digital risk protection solutions in San Francisco, agreed that implementing DMARC can be a daunting task. “If implemented poorly, it can break things and disrupt business operations,” she told TechNewsWorld.
“Some organizations engage third parties to help with implementation, but this requires financial resources that must be approved,” she added.
She warned that DMARC will not protect against all types of email domain spoofing.
“If you receive an email that appears to be from Bob at Google, but the email is actually from Yahoo Mail, DMARC will detect it,” she explained. “However, if a malicious actor registered a domain that closely resembles Google’s domain, such as Googl3, DMARC would not detect it.”
Unused domains can also be a way to evade DMARC. “Domains that are registered, but unused, are also at risk of email domain spoofing,” Lurey explained. “Even when organizations have DMARC implemented on their primary domain, failure to enable DMARC on unused domains makes them potential targets for spoofing.”
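The policy levels described above, the pct= sampling that Lurey’s monitoring advice concerns, and the two gaps Hoffman and Lurey describe (lookalike domains and unused domains) can be seen by parsing DMARC TXT records. The following is an added example, not code from the article or from any of the vendors quoted; the domain names and records in it are constructed samples.

```python
"""Added example (not from the article): parse DMARC TXT records and rate
the protection level the article describes (monitor < quarantine < reject).
Record strings below are constructed samples, not real university records."""

# Mapping from the DMARC p= tag to the level names used in the article.
LEVEL = {"none": "monitor", "quarantine": "quarantine", "reject": "reject"}

def parse_dmarc(txt):
    """Return the tag=value pairs of a DMARC record, or None if not DMARC."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags

def protection_level(txt):
    """Effective level for the exact domain, accounting for pct= sampling."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "unprotected"        # no valid record: spoofing goes unchecked
    level = LEVEL.get(tags["p"].lower(), "unprotected")
    pct = int(tags.get("pct", "100"))
    if level != "monitor" and pct < 100:
        # Only a sample of failing mail gets the policy; the rest is monitored.
        return f"{level} ({pct}% of failing mail)"
    return level

def policy_for_sender(org_domain, txt, sender_domain):
    """Policy applied to mail claiming to come from sender_domain.
    A lookalike such as 'exampl3.edu' is a separate domain, outside this
    record entirely, which is the gap the article points out."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "unprotected"
    if sender_domain == org_domain:
        return tags["p"].lower()
    if sender_domain.endswith("." + org_domain):   # subdomain: sp= else p=
        return tags.get("sp", tags["p"]).lower()
    return "not covered"    # needs its own DMARC record on that domain

# Constructed sample records for a hypothetical example.edu.
MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@example.edu"
PARTIAL = "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.edu"
# Unused or parked domains send no mail, so a reject policy on them is safe.
PARKED = "v=DMARC1; p=reject; sp=reject"
```

Running `protection_level` over a university’s published records is how the monitor-only result in the report shows up in practice; `policy_for_sender` shows why a lookalike domain or an unused domain without its own record is never evaluated against the primary domain’s policy.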
The Unique Challenges of Universities
Universities can have their own set of challenges when it comes to implementing DMARC.
“Often universities don’t have a centralized IT department,” Brian Westnedge, senior director of global channels for Red Sift, told TechNewsWorld. “Each college has its own IT department operating in silos. This can make it difficult to implement DMARC across an organization because everyone does something a little different with email.”
Witt added that the ever-changing student population at universities, combined with a culture of openness and information sharing, can conflict with the rules and controls often needed to effectively protect users and systems from abuse, attacks and compromises.
Additionally, he continued, many academic institutions have an associated healthcare system, so they must adhere to the controls associated with a regulated industry.
Funding can also be an issue at universities, noted John Bambenek, principal threat hunter at Netenrich, a San Jose, Calif.-based IT operations and digital security firm. “The biggest challenge for universities is low funding for security teams – if they have one – and low funding for IT teams in general,” he told TechNewsWorld.
“Universities don’t pay particularly well, so part of that is a lack of knowledge,” he said.
“There is also a culture in many universities against implementing any policy that might hinder research,” he added. “When I worked at a university 15 years ago, there were repeated fights against mandatory antiviruses on workstations.”
Mark Arnold, vice president of consulting services at Lares, an information security consulting firm in Denver, noted that domain spoofing is a significant threat to organizations and the technique of choice for threat actors seeking to impersonate businesses and employees.
“Organizational threat models should account for this widespread threat,” he told TechNewsWorld. “Implementing DMARC allows organizations to filter and validate messages and help thwart phishing campaigns and other business email compromises.”
Business email compromise (BEC) is probably the costliest issue in all of cybersecurity, Witt said. According to the FBI, $43 billion was lost to BEC thieves between June 2016 and December 2021.
“Most people don’t realize how extraordinarily easy it is to spoof email,” Witt said. “Anyone can send a BEC email to an intended target, and they have a high probability of getting through, especially if the spoofed organization doesn’t authenticate their email.”
“These messages often don’t include malicious links or attachments, bypassing traditional security solutions that scan messages for these characteristics,” he continued. “Instead, emails are simply sent with text designed to trick the victim into action.”
“Domain spoofing and its cousin typosquatting are the lowest payoff for cybercriminals,” Bambenek added. “If you can get people to click on your emails because they appear to be from their own university, you get a higher click-through rate and, by extension, more fraud losses, stolen credentials and successful cybercrime.”
“For the past few years,” he said, “attackers have been stealing student financial aid repayments. There’s a lot of money to be made by criminals here.”