Top Colleges Do Not Properly Protect Against Email Domain Spoofing

According to Proofpoint researchers, nearly all of the top 10 universities in the US, UK and Australia have not proactively blocked attackers from spoofing their email domains. Pictured: Cyclists pass Hoover Tower on the Stanford University campus on March 12, 2019 in Stanford, California. (Photo by Justin Sullivan/Getty Images)

Proofpoint on Tuesday reported that some 97% of the top 10 universities in the US, UK and Australia are not taking appropriate steps to proactively prevent attackers from spoofing their email domains, increasing the risk of email fraud.

Proofpoint researchers found that universities in the US are most at risk with the lowest levels of email protection, followed by the UK and Australia.

“Email remains the most common vector for security compromise across industries,” said Ryan Kalember, executive vice president of cybersecurity strategy at Proofpoint. “In recent years, the frequency, sophistication and cost of cyberattacks against universities have increased. It is the combination of these factors that makes it particularly concerning that America’s top universities are currently the most vulnerable to attack.”

Proofpoint’s findings are based on Domain-based Message Authentication, Reporting and Conformance (DMARC) analysis of the top 10 universities in each country. Here are some of the main points raised by the study:

  • None of the top US and UK universities had a reject policy in place, the setting that actively prevents fraudulent emails from reaching their targets, meaning all of them leave students open to email fraud.
  • Five of the top 10 US universities do not publish any level of DMARC record.
  • 65% of top US and UK universities had a basic level of DMARC protection (monitoring and quarantine) in place.
  • 17 (57%) of all universities surveyed have a monitoring policy in place, while only four (13%) of 30 universities have a quarantine policy in place.
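The Python below is an added example, not Proofpoint's methodology or code: it sorts a domain's `_dmarc` TXT answers into the levels the findings use (no record, monitoring, quarantine, reject). The function names are hypothetical and the domains and records are constructed samples on reserved example names, embedded inline so the check runs without DNS access.

```python
from collections import Counter

# p= values mapped to the level names used in the study's findings.
LEVELS = {"none": "monitor", "quarantine": "quarantine", "reject": "reject"}

def parse_dmarc(txt):
    """Return the tags of one TXT string, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # RFC 7489: a DMARC record must start with the v=DMARC1 tag.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def classify(txt_records):
    """Classify the TXT answers for _dmarc.<domain> into one policy level."""
    records = [t for t in map(parse_dmarc, txt_records) if t is not None]
    if len(records) != 1:
        # No record, or several: receivers apply no DMARC policy at all.
        return "no record"
    return LEVELS.get(records[0].get("p", "").lower(), "invalid policy")

def summarize(survey):
    """Count domains per level; only 'reject' tells receivers to refuse spoofed mail."""
    return Counter(classify(records) for records in survey.values())

# Constructed sample data (reserved example domains, not the study's results).
SAMPLE = {
    "a.example": [],
    "b.example": ["v=spf1 -all"],  # an SPF string, which is not a DMARC record
    "c.example": ["v=DMARC1; p=none; rua=mailto:dmarc@c.example"],
    "d.example": ["v=DMARC1; p=quarantine; pct=100"],
    "e.example": ["v=DMARC1; p=reject; sp=reject"],
    "f.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],  # duplicate records
}

if __name__ == "__main__":
    for level, count in summarize(SAMPLE).items():
        print(f"{level}: {count}")
```

A domain that publishes two DMARC records is counted as having none, because receivers discard the policy when more than one record is returned.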

Domain spoofing and its cousin typo-squatting are the lowest-hanging fruit for cybercriminals, said John Bambenek, principal threat hunter at Netenrich. Bambenek said that if bad actors can get people to click on emails because they appear to be from the victim’s own university, they get a higher click-through rate and, by extension, more losses to fraud, stolen credentials and successful cybercrime. In recent years, attackers have stolen student financial aid refunds.

“So why aren’t more organizations implementing DMARC?” Bambenek asked. “Universities don’t pay particularly well, so it’s partly a lack of knowledge. There is also a culture in many universities against implementing policies that might hinder research. When I worked at a university 15 years ago, there were devastating fights against mandatory antivirus on workstations. The biggest challenges for universities are low funding for security teams (if they have one) and low funding for IT teams in general. There is also the perception that they are not an attractive target for cybercriminals, or that attacks on students are simply not much of an institutional concern.”

Chloe Messdaghi, head of impact at Cybrary, added that one of the main reasons this continues to happen is that universities are not investing enough in security or their security teams. Messdaghi said higher education as a sector often operates in a reactive, not proactive mode when it comes to security approaches and the ongoing training of security teams.

“It’s extremely short,” Messdaghi said. “They need to educate and invest in the team. The lack of attention puts the children and the institution at risk. Let’s face it. College and university students pay a lot of money for their education, and the students, donors, alumni, and people at the institution all deserve better protection.”