Thought leadership. threat analysis, news and alerts.
Rise of Phishing and DDoS Attacks in the Education Sector
COVID-19 resulted in the temporary shutdown of schools and universities across the world. This has given rise to online classes, whereby classes are conducted remotely and on digital platforms.
As schools and universities across the world reopen, many opt for mixed physical and online classes, while some still opting for purely online classes. The shift to online classes, however, has opened a window for malicious actors to exploit.
The shift to online classes gives rise to phishing attacks and distributed denial of service (DDoS) attacks directed against the education sector.
Phishing is one of the oldest and popular forms of cybercrimes. In a phishing campaign, intended victims, whether targeted or random individuals, are tricked into clicking something leading to the stealing of data or the downloading of malicious software (malware).
Microsoft Security Intelligence has found that as of September 7, 2020, out of the nearly 8.7 million malware encounters reported in the last 30 days, 59.84% came from the education sector, making it the most affected sector.
In the report “Digital Education: The cyberrisks of the online classroom”, Kaspersky Lab said that attackers lure victims in downloading malware by bundling fake versions of popular video meeting apps and online course platforms as legitimate application installers. Victims encounter these fake video meeting apps and online course platform installers through phishing websites – referring to sites designed to look like legitimate websites supposedly for downloading popular video meeting apps and online course platform app installers.
Another way by which victims encounter these fake video meeting apps and online course platform installers is through phishing emails that masquerade as special offers or notifications. Downloading of the fake video meeting apps and online course platform installers either from phishing websites or phishing emails could lead to the installation and running of malicious software on the victim’s computer or stealing of sensitive data.
In April of this year, researchers at Check Point reported that in just a span of 3 weeks, nearly 2,500 new websites relating to the video conferencing app Zoom were registered. Out of these 2,500 new Zoom-related websites, 1.5% of these websites were found as malicious and the other 13% were found as suspicious. The researchers added that cybercriminals impersonated other video conferencing apps such as Microsoft Teams and Google Meet.
Researchers at Check Point reported that victims fell prey to phishing emails that came with the subject “You have been added to a team in Microsoft Teams“. The phishing emails contained a malicious website URL, which on the first glance looks similar to the legitimate Microsoft Teams URL. A double-check, however, of this URL shows that this URL is a fake one and victims who landed on this fake Microsoft Team site ended up downloading a malware.
Distributed Denial-of-Service (DDoS) Attacks
In a DDoS attack, a botnet – referring to a network of computers infected with self-propagating malware – is used by an attacker in overwhelming the target or its surrounding infrastructure with a flood of internet traffic. According to Kaspersky Lab, between January 2020 and June 2020, the number of DDoS attacks affecting the education sector increased by at least 350% when compared to the corresponding month in 2019.
Authorities recently arrested a 16-year-old in connection with a series of DDoS attacks on Miami-Dade County Public Schools that disrupted the district's first week of online classes. The teenager admitted to launching the DDoS attacks using Low Orbit Ion Cannon (LOIC).
LOIC is a decade-old application developed originally used for network stress testing. Since becoming an open-source application it has been used for malicious activities such as DDoS attacks. A successful DDoS attack using LOIC floods a target server with TCP, UDP, or HTTP packets with the goal of disrupting service.
A DDoS attack via LOIC uses IRC chat channels to run a “Hivemind” version of the LOIC. This allows a primary user of the IRC chat to control secondary computers, creating a botnet – referring to a network of computers controlled by the primary user for malicious activities such as DDoS.
LOIC was used in the past to launch DDoS attacks against Visa and MasterCard websites in response to the freezing of payments to WikiLeaks. The thing about using LOIC in launching DDoS attacks is that attackers are unable to hide their IP addresses, making it easy for authorities to track them down. Due to this IP address visibility, authorities in many countries have taken legal actions against DDoS attackers leveraging LOIC.
Preventive and Mitigating Measures Against Phishing and DDoS Attacks
To stay safe from phishing attacks, be wary of clicking anything online as these could lead you to phishing sites. Also double-check URLs as a difference in one letter or character could lead you to a malicious site.
To stay safe against DDoS attacks, including DDoS attacks leveraging LOIC, use WAF, short for Web Application Firewall. WAF specifically provides strong protection against HTTP floods. As protection against TCP and UDP, use a dedicated DDoS protection.
Steve E. Driz, I.S.P., ITCP