Phishing is the most common method for an attacker to gain an initial foothold in an educational organization, according to the just released Trustwave SpiderLabs report 2024 Education Threat Landscape: Trustwave Threat Intelligence Briefing and Mitigation Strategies.

Why phishing? Simplicity is the primary reason. Instead of attempting to exploit vulnerabilities in the target's software or systems, attackers target staff, faculty, or others with access to systems within the institution that can be exploited, such as finances and databases. Because as we all know, the human factor is usually the weakest link in any cybersecurity defense.

Typically, an attacker crafts a compelling email designed to persuade the recipient to engage in a desired action. This activity could include opening an attachment, clicking a link, or executing specific instructions. Education-specific social engineering often involves sending fake university communications like offering enticing student job opportunities, which require the victim to perform certain tasks or provide sensitive information.

There has been a very dangerous recent addition to this particular attacker tool. Trustwave SpiderLabs continually monitors the use of AI and Large Language Models (LLMs) like ChatGPT in phishing attacks.

LLM technology is making identifying phishing emails difficult by being able to craft well-written, more compelling, and highly personalized messages.

Let's take a look at some of the typical phishing goals:

• Credential Theft: An example of this would be an email that appears to be from the university's administration containing a link. When the recipient clicks this link, they are prompted to enter their login details under the pretense of accessing important information or job opportunity details.

• Malware Insertion: This is often executed through embedding PowerShell scripts, JavaScript, or enabling Macros in a document, which is disguised as being related to the university or a student job offer.

• Triggering Specific Actions: This could involve convincing the recipient to provide confidential information or perform other actions under the guise of a necessary step for a student job application or a university-related process.

Email Attachments are the Preferred Weapon

The most common email attachments used for phishing and malware distribution in the education sector are HTML files, executables, and PDFs, a trend that echoes observations from other industries.

HTML attachments make up 82% of malicious email attachments, according to Trustwave data. Attackers primarily use these attachments in two forms: as standalone HTML pages designed for credential phishing, often featuring sophisticated obfuscation techniques, or as HTML redirectors leading to malicious sites. Additionally, Trustwave original research has also seen a preference for the use of HTML attachments in phishing kits.

Executable files make up the second most prevalent type. These typically serve as either initial downloaders to facilitate further malware intrusion or act as the final payload, like Remote Access Trojans (RATs).

Finally, PDFs are often employed to host malicious links that initiate further malware downloads or contain deceptive text as part of a scam strategy, illustrating the diverse and evolving nature of email-based threats in education.

Notable Phishing Campaign Themes

In a recent phishing scheme targeting universities, Trustwave SpiderLabs researchers observed attackers sending emails masquerading as "requests for quotations" from various educational institutions. To enhance the email's authenticity, the attackers added the university's logo in the message body and incorporated the institution's name in the 'From' and 'Subject' headers and in the filenames of attachments.

In another common phishing campaign, university accounts of students, faculty, and staff were targeted with fraudulent emails purporting to be official university communications.

Threat actors know students need money. Trustwave researchers observed an uptick in scam messages targeting students with counterfeit job offers. These emails come unsolicited and usually present lucrative opportunities that promise high compensation for minimal effort and offer flexible working hours.

Employees, especially new staffers, normally trust emails from their human resources department. Aside from the student population, the education sector has a significant workforce that is highly volatile. Education has the sixth highest compounded rate of change in terms of employment projections out of the 18 industries tracked by the US Bureau of Labor Statistics. This high rate of increase in new staff could make the sector more attractive to threat actors.

Another popular method is Business Email Compromise (BEC) scams. In one campaign tracked by Trustwave SpiderLabs targeting the education space, attackers used a cleverly disguised email asking recipients to urgently process a wire transfer, allegedly for research and market development purposes. This attempt to exploit the industry's alignment with research activities is evident in the email's subject line.

Top of the Class Email Security

In response to these evolving threats, educational institutions must prioritize cybersecurity awareness and training programs for their staff, faculty, and students. Additionally, implementing robust email security measures and regularly updating cybersecurity protocols are essential to safeguarding sensitive information and maintaining the integrity of educational systems.

Collaboration with cybersecurity experts and leveraging advanced technologies to detect and mitigate phishing attacks are crucial steps in strengthening the cybersecurity posture of the education sector. Trust wave's industry-leading MailMarshal email security solution is one such option as it:

• Protects against ransomware attacks, Business Email Compromise (BEC), phishing scams, malware, and Zero-Days

• Zero clients reported ransomware infection in 20+ years

• 99% malware and exploit capture rate

• < 0.001% spam false positives

• Layered threat intelligence, powered by telemetry from 5,000+ global MSS/ MDR clients and ML-powered algorithms

• Granular control of internal SMTP traffic

• Decades of leadership in email security supported by Trustwave SpiderLabs elite threat detection security team

• Deploy on-prem or hybrid cloud

• Complements Microsoft 365 and other cloud email.

Vertical Markets Under Attack

The 2024 Education Threat Landscape: Trustwave Threat Intelligence Briefing and Mitigation Strategies report is part of an ongoing research project conducted by Trustwave SpiderLabs that looks at how cybercriminals are attacking various vertical markets.

To gain a more comprehensive understanding of the overall situation, please also read:

• 2023 Manufacturing Threat Landscape: Trustwave Threat Intelligence Briefing and Mitigation Strategies

• 2023 Retail Sector Threat Briefing and Mitigation Strategies

• 2023 Financial Services Sector Threat Briefing and Mitigation Strategies

• 2023 Hospitality Sector Threat Landscape: Trustwave Threat Intelligence Briefing and Mitigation Strategies

• Cybersecurity in the Healthcare Industry: Actionable Intelligence for an Active Threat Landscape

Latest Trustwave Blogs