Dark Reading is part of the Informa Tech Division of Informa PLC


10/29/2020
01:10 PM

Cybercriminals Aim BEC Attacks at Education Industry

Heightened vulnerability comes at a time when the sector has been focusing on setting up a remote workforce and online learning amid the pandemic.

K-12 schools and colleges are more than twice as likely to get hit with a business email compromise (BEC) than companies outside of the education industry, new research has found.

According to Barracuda Networks, BECs accounted for 28% of all spear-phishing attacks aimed at educational institutions, while for all other verticals it was 11%. In addition, within education 57% of malicious emails came from internal – primarily students' – email accounts.

(Image: Barracuda Networks)

"We found that the students don't use email and administrators aren't always paying attention to those accounts," says Mike Flouton, vice president of Barracuda's email security business. "From an attacker's perspective, it's just much easier to go unnoticed."

The research, released today, is based on an analysis of more than 3.5 million spear-phishing attacks, including attacks against more than 1,000 educational institutions from June through September 2020. The point of the research, Flouton says, was to show the education community just how vulnerable it is to BEC attacks, along with the need to improve training and overall security awareness.

(Image: Barracuda Networks)

In the past 18 months, several BEC cases at school districts came to light. Most recently, a school district in Clark County, Nevada, refused to pay a ransom after a hacker stole private data on thousands of students. As a result, the student data was released on an underground forum.

In another example, Manor Independent School District in Texas reported in January that a seemingly typical school-to-vendor transaction resulted in a loss of $2.3 million. And in April 2019, attackers used a fraudulent email to steal $3.7 million from Scott County Schools in Kentucky.

"K-12 schools are much more vulnerable than colleges and universities, as they have more reliance on email for work orders and communications … with a less mature security posture and less IT staff and … training," says Ruthbea Yesner, vice president, government insights, education and smart cities at IDC. "As a result, combined with online work because of the pandemic, we have seen a rise in ransomware and other attacks on schools. The dollar value may be lower as compared to a bank, but that's only because the hackers want to get paid and they know the capabilities of schools are limited. 

Tim Keeler, founder and CEO of privileged access security provider Remediant, points out how the education sector has become disproportionately vulnerable to BECs during the pandemic. Security teams at colleges had limited time to secure the perimeter as students, staff, faculty, and researchers were sent home to work remotely, he says. Similarly, K-12 schools were focused on setting up and enabling a blended remote/on-premises classroom and had limited time or appetite for security awareness training.

"Both colleges and schools make great targets for attackers looking for notoriety and media coverage as they are highly visible entities, yet are price-sensitive," Keeler says. "Unfortunately, the education sector has perpetually underinvested when it comes to security tools, best practices, and [full-time employees]."

BEC Prep Lesson Plan
The Barracuda report offers school districts four tips to better prepare for BEC attacks:

1. Invest in protection against targeted phishing attacks: Attackers realize the education industry doesn't always have the same level of security sophistication as other verticals, and they take advantage of it. Schools, colleges, and universities need to prioritize email security that leverages artificial intelligence to identify unusual senders and requests. This additional layer of defense, on top of traditional email gateways, will offer substantial protection against spear-phishing attacks for both staff and students.

2. Deploy account takeover protection: Educational institutions are more susceptible to account takeover than an average organization because many don't have the necessary tools and resources to protect against this threat. Invest in technology that will let the organization identify suspicious activity and potential signs of account takeover.

3. Improve security awareness education: Educate users about BECs and other email threats. Ensure that staffers and students can recognize attacks, understand their fraudulent nature, and know how to report them. It's especially important now when remote learning has become such a big part of the education system and students and teachers rely on technology and email for both communication and educational purposes.

4. Set up internal policies to prevent wire transfer fraud: All organizations should establish and regularly review existing school policies to ensure personal and financial information gets handled properly. Help employees avoid making costly mistakes by creating guidelines and putting procedures in place to confirm all email requests for wire transfers and payment changes. Require in-person or telephone confirmation and/or approval from multiple people for all financial transactions. Remember: It's not always about the technology. Creating policies and procedures that people understand and will follow can go a long way to preventing attacks.

Steve Zurier has more than 30 years of journalism and publishing experience and has covered networking, security, and IT as a writer and editor since 1992. Steve is based in Columbia, Md.
 

Comments
Yenrab,
User Rank: Strategist
10/30/2020 | 9:56:42 AM
Whodda Thunk?
While I understand the concern, these are professional educators and are willing to learn nothing. It's not worth the cost of the electricity to generate an email to those that are in charge of "edumacations" in this country and that is why they are such ripe targets.