Universities and their population of students have been marked out as the next soft target by online criminals, security company RSA has reported.
In recent weeks, the company has detected a sudden rise in targeted attacks on US universities, particularly public state institutions, aimed at internal websites used to provide students with services such as webmail. Such servers often contain personal data such as grades, names, addresses, and payment information.
The company offers screenshots from one attack in its February Online Fraud Report, that of a bogus website purporting to belong to an unnamed university. It is not clear how a student would have found such a site, assuming a direct URL was already in existence, but any student logging into what appeared to be the official webmail site would have had their data harvested.
RSA is unsure as to the specific motivation for the hacks, but speculates that gaining access to an internal server could serve various purposes, including launching phishing attacks that impersonate official communication, gaining access to personal data to launch identity theft attacks at a later date, or setting up student loan scams.
It is also possible, the company says, that criminals want students' contact details in order to recruit them to act as digital 'mules' for funds stolen from online bank accounts, although there is no hard evidence that students would be any more likely to engage in illegal activity of this kind than other groups.
The surprise is perhaps that universities have thus far been relatively ignored. Uniquely, they feature large populations of inexperienced internet users open to most forms of digital experimentation going.
"Today's college students are very Internet-savvy and open to sharing lots of personal information online, and unfortunately, not as concerned when it comes to taking appropriate measures to protect their identity online," comment the report authors.
"The recent spike in phishing attacks on US colleges and universities will hopefully serve as a wake-up call for these institutions to take proactive measures to safeguard the personal information of their students and staff members," they conclude.
The report deals with US-based institutions but could also apply to universities and students elsewhere. UK universities use web and intranet systems with similar-looking login pages. The US's special vulnerability is the size and value of its education sector.