Phishing: The Grade A Threat to the Education Sector

Phishing is the most common method attackers use to gain an initial foothold in an educational organization, according to the just-released Trustwave SpiderLabs report, 2024 Education Threat Landscape: Trustwave Threat Intelligence Briefing and Mitigation Strategies.

Why phishing? Simplicity is the primary reason. Instead of hunting for exploitable vulnerabilities in the target's software or systems, attackers go after staff, faculty, and others who already hold access to the institution's valuable systems, such as finance applications and databases. As we all know, the human factor is usually the weakest link in any cybersecurity defense.

Typically, an attacker crafts a compelling email designed to persuade the recipient to take a desired action: opening an attachment, clicking a link, or following specific instructions. Education-specific social engineering often involves fake university communications, such as enticing student job offers, that require the victim to perform certain tasks or hand over sensitive information.

A dangerous recent addition to the phishing toolset is generative AI. Trustwave SpiderLabs continually monitors the use of AI and Large Language Models (LLMs) such as ChatGPT in phishing attacks.

LLMs make phishing emails harder to identify. By producing well-written, compelling, and highly personalized messages at scale, they remove the awkward wording that once helped recipients spot a phish.

Let's take a look at some of the typical phishing goals:

  • Credential Theft: An example of this would be an email that appears to be from the university's administration containing a link. When the recipient clicks this link, they are prompted to enter their login details under the pretense of accessing important information or job opportunity details.

  • Malware Insertion: This is often executed by embedding PowerShell scripts or JavaScript in an attachment, or by persuading the recipient to enable macros in a document, with the file disguised as a university communication or a student job offer.

  • Triggering Specific Actions: This could involve convincing the recipient to provide confidential information or perform other actions under the guise of a necessary step for a student job application or a university-related process.

Email Attachments are the Preferred Weapon

The most common email attachments used for phishing and malware distribution in the education sector are HTML files, executables, and PDFs, a trend that echoes observations from other industries.

HTML attachments make up 82% of malicious email attachments, according to Trustwave data. Attackers primarily use them in two forms: as standalone HTML pages designed for credential phishing, often featuring sophisticated obfuscation techniques, or as HTML redirectors leading to malicious sites. Trustwave's own research has also found that phishing kits favor HTML attachments.

Executable files make up the second most prevalent type. These typically serve as either initial downloaders to facilitate further malware intrusion or act as the final payload, like Remote Access Trojans (RATs).

Finally, PDFs are often employed to host malicious links that initiate further malware downloads or contain deceptive text as part of a scam strategy, illustrating the diverse and evolving nature of email-based threats in education.
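The three attachment types above can be triaged at the mail gateway without executing anything. The following is an added example written for this post, not Trustwave or MailMarshal code: it builds a constructed message in memory, identifies each attachment by its leading bytes rather than by the filename or declared MIME type the sender chose, and scores HTML attachments for the self-decoding and redirect tricks the text mentions. The indicator strings, thresholds, and sample content are illustrative assumptions.

```python
"""Triage e-mail attachments: real type by magic bytes, plus HTML obfuscation
and redirect indicators. Added example, not Trustwave or MailMarshal code."""
import base64
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Strings that suggest an HTML attachment rebuilds a login page at runtime
# (obfuscated credential phishing) or forwards the victim elsewhere (redirector).
# Illustrative list, not an exhaustive detection signature.
HTML_INDICATORS = {
    "atob(": "base64-decodes an embedded page",
    "unescape(": "percent-encoded payload",
    "document.write(": "constructs the page at runtime",
    "window.location": "JavaScript redirect",
    'http-equiv="refresh"': "meta refresh redirect",
    "eval(": "dynamic code execution",
}
# A run of 400+ base64 characters is unusual in a hand-written page (assumed threshold).
LONG_B64 = re.compile(rb"[A-Za-z0-9+/]{400,}={0,2}")


def classify(data: bytes) -> str:
    """Name the real file type from magic bytes; the extension can lie."""
    if data.startswith(b"MZ"):
        return "executable"
    if data.startswith(b"%PDF-"):
        return "pdf"
    head = data[:512].lower()
    if b"<html" in head or b"<!doctype html" in head or b"<script" in head:
        return "html"
    return "other"


def score_html(data: bytes) -> list[str]:
    """Return the obfuscation/redirect indicators present in an HTML attachment."""
    text = data.decode("utf-8", errors="ignore")
    hits = [why for needle, why in HTML_INDICATORS.items() if needle in text]
    if LONG_B64.search(data):
        hits.append("large base64 blob")
    return hits


def triage(raw: bytes) -> list[dict]:
    """Parse a raw RFC 5322 message and report each attachment's real type and indicators."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        kind = classify(data)
        reasons = score_html(data) if kind == "html" else []
        if kind == "executable":
            reasons.append("PE executable attached")
        findings.append({"name": part.get_filename(), "kind": kind, "reasons": reasons})
    return findings


def build_sample() -> bytes:
    """Constructed test message: a 'statement.pdf' that is really a self-decoding
    HTML login page, plus a small file with a PE header disguised as a viewer."""
    form = b"<form action='https://login.example/'><input name='pw'></form>" * 12
    page = (b"<html><body><script>document.write(atob('"
            + base64.b64encode(form) + b"'))</script></body></html>")
    msg = EmailMessage()
    msg["From"] = "Bursar Office <bursar@example.com>"
    msg["To"] = "student@uni.example"
    msg["Subject"] = "Outstanding balance on your account"
    msg.set_content("Please review the attached statement.")
    msg.add_attachment(page, maintype="application", subtype="pdf",
                       filename="statement.pdf")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="viewer.exe")
    return bytes(msg)


if __name__ == "__main__":
    for f in triage(build_sample()):
        print(f"{f['name']}: {f['kind']} {f['reasons']}")
```

Classifying on content rather than on the declared type is the point: the sample's "statement.pdf" is flagged as HTML with three indicators, and the "viewer.exe" is flagged on its MZ header regardless of what the sender names it. Real deployments would extend the indicator list and pair it with detonation or URL reputation, which this example does not attempt.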


Notable Phishing Campaign Themes

In a recent phishing scheme targeting universities, Trustwave SpiderLabs researchers observed attackers sending emails masquerading as "requests for quotations" from various educational institutions. To enhance the email's authenticity, the attackers added the university's logo in the message body and incorporated the institution's name in the 'From' and 'Subject' headers and in the filenames of attachments.
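The lure described above rests on borrowed identity: the institution's name appears in the display name, Subject, and attachment filenames while the mail actually originates from an unrelated domain. SPF, DKIM, and DMARC authenticate the domain in the address, not the brand in the display name, so this pattern needs a separate rule. The following is an added example written for this post, not Trustwave or MailMarshal code; the institution list, allowed domains, and three sample messages are constructed for illustration.

```python
"""Flag messages that use a protected institution's name in the From display
name, Subject or attachment filenames but send from a domain the institution
does not use. Added example, not Trustwave or MailMarshal code."""
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed: brands to protect, mapped to the domains allowed to use them.
INSTITUTIONS = {
    "northfield university": {"northfield.example", "mail.northfield.example"},
}


def sender_domain(from_header: str) -> str:
    """Domain of the RFC 5322 From address (the one DMARC aligns on)."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def impersonation_check(raw: bytes) -> dict:
    """Return a verdict on whether the message borrows a protected institution's name."""
    msg = message_from_bytes(raw, policy=policy.default)
    from_header = msg.get("From", "")
    display, _ = parseaddr(from_header)
    domain = sender_domain(from_header)
    filenames = [p.get_filename() or "" for p in msg.iter_attachments()]
    haystack = " ".join([display, msg.get("Subject", ""), *filenames]).lower()
    for name, allowed in INSTITUTIONS.items():
        if name in haystack and domain not in allowed:
            return {"suspicious": True, "institution": name, "domain": domain}
    return {"suspicious": False, "institution": None, "domain": domain}


# Constructed messages. The first borrows the university's name in both the
# display name and the subject while sending from an unrelated domain.
PHISH = b"""From: Northfield University Procurement <rfq@nfield-purchasing.example>
To: sales@vendor.example
Subject: Request for Quotation - Northfield University
Content-Type: text/plain

Please see the attached RFQ and reply with pricing today.
"""

LEGIT = b"""From: Procurement <procurement@northfield.example>
To: sales@vendor.example
Subject: Request for Quotation - Northfield University

Please quote the items listed below.
"""

UNRELATED = b"""From: Newsletter <news@vendor.example>
To: sales@vendor.example
Subject: Monthly product update

Nothing to do with any university.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT), ("unrelated", UNRELATED)):
        print(label, impersonation_check(raw))
```

The rule is deliberately narrow: a genuine vendor replying about Northfield University from its own domain would also trip it, so in practice the allowed-domain set includes authorized third parties and the verdict feeds a quarantine-and-review queue rather than an outright block.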

In another common phishing campaign, university accounts of students, faculty, and staff were targeted with fraudulent emails purporting to be official university communications.

Threat actors know students need money. Trustwave researchers observed an uptick in scam messages targeting students with counterfeit job offers. These emails arrive unsolicited and usually present lucrative opportunities that promise high compensation for minimal effort along with flexible working hours.

Beyond the student population, the education sector has a large and highly volatile workforce. Education has the sixth-highest compounded rate of change in employment projections among the 18 industries tracked by the US Bureau of Labor Statistics. Employees, especially new staffers, normally trust emails from their human resources department, so this steady inflow of new staff could make the sector more attractive to threat actors.

Another popular method is Business Email Compromise (BEC) scams. In one campaign tracked by Trustwave SpiderLabs targeting the education space, attackers used a cleverly disguised email asking recipients to urgently process a wire transfer, allegedly for research and market development purposes. This attempt to exploit the industry's alignment with research activities is evident in the email's subject line.


Top of the Class Email Security

In response to these evolving threats, educational institutions must prioritize cybersecurity awareness and training programs for their staff, faculty, and students. Additionally, implementing robust email security measures and regularly updating cybersecurity protocols are essential to safeguarding sensitive information and maintaining the integrity of educational systems.

Collaboration with cybersecurity experts and leveraging advanced technologies to detect and mitigate phishing attacks are crucial steps in strengthening the cybersecurity posture of the education sector. Trustwave's industry-leading MailMarshal email security solution is one such option, as it:

  • Protects against ransomware attacks, Business Email Compromise (BEC), phishing scams, malware, and Zero-Days

  • Zero clients reported ransomware infection in 20+ years

  • 99% malware and exploit capture rate

  • < 0.001% spam false positives

  • Layered threat intelligence, powered by telemetry from 5,000+ global MSS/ MDR clients and ML-powered algorithms

  • Granular control of internal SMTP traffic

  • Decades of leadership in email security supported by Trustwave SpiderLabs elite threat detection security team

  • Deploy on-prem or hybrid cloud

  • Complements Microsoft 365 and other cloud email


Vertical Markets Under Attack

The 2024 Education Threat Landscape: Trustwave Threat Intelligence Briefing and Mitigation Strategies report is part of an ongoing research project conducted by Trustwave SpiderLabs that looks at how cybercriminals are attacking various vertical markets.

To gain a more comprehensive understanding of the overall situation, please also read:
