Phishing for Student Email Accounts

University student accounts are being exploited for business email compromise. Researchers at Avanan have observed a rise in attacks that compromise legitimate college student accounts in order to carry out business email compromise (BEC) attacks. “In this attack,” the researchers say, “hackers are compromising student accounts to launch broader BEC and credential harvesting attacks.”

“We’ve seen a generous uptick in threat actors compromising student accounts, and then using them to send out BEC and credential harvesting messages. In this case, this same compromised account sent out numerous messages to a variety of organizations. The university, based in Arizona, is not an Avanan customer, and it’s not clear how the compromise began.

“Regardless, this represents an effective tactic by hackers. Compromising a student account can be done quite efficiently. From there, leveraging the legitimacy of that email account, it’s easy to send out multiple of the same messages to a variety of targets. That makes this an effective way for hackers to send out a wide spectrum of messages with just one compromise.”

The phishing emails sent from the accounts appear to be support messages informing the user that several emails are being held for review. The user is directed to click a link in order to view the blocked emails. Avanan notes that there are several red flags in the emails, “such as where the URL goes to and also the fact that a university account wouldn’t be used to send support messages.”
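The two red flags Avanan names can be checked mechanically at a mail gateway or in a triage script. The following is an added example, not code from Avanan or from this blog; the lure phrases, the `.edu` suffix test, the `support_domains` allow-list and the sample message are all assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message; every address, host and phrase is made up.
SAMPLE = """\
From: Student Name <student@university.example.edu>
To: finance@corp.example
Subject: Support: 5 messages held for review
Content-Type: text/plain

Several incoming emails are being held for review.
View blocked emails: https://mail-review.example.net/release?u=finance
"""

# Assumed wording of a "held mail" support lure; tune to your own mail flow.
LURE = re.compile(r"held for review|blocked e-?mails?|quarantine", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def domain_of(addr):
    """Lower-cased domain part of an address header ('' if none)."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def within(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def red_flags(raw, support_domains=()):
    """Return the red flags found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    sender, rcpt = domain_of(msg.get("From", "")), domain_of(msg.get("To", ""))
    # Text parts only, not transfer-decoded: enough for plain-text lures.
    body = "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_maintype() == "text")
    text = f"{msg.get('Subject', '')}\n{body}"
    flags = []
    if LURE.search(text):
        # Red flag 1: a university account sending mail-support notices.
        if sender.endswith(".edu") and sender not in support_domains:
            flags.append("support-notice-from-edu-account")
        # Red flag 2: the link leaves the recipient's own mail environment.
        for url in URL.findall(text):
            host = (urlparse(url).hostname or "").lower()
            if not (within(host, rcpt) or any(within(host, d) for d in support_domains)):
                flags.append(f"link-outside-recipient-org:{host}")
    return flags
```

Pass the domains of your real mail-security vendor or help desk in `support_domains` so genuine quarantine digests are not flagged.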

The goal of acquiring credentials to university email accounts, then, is to enable further phishing operations. Avanan suggests that the ultimate goal of the phishing would be business email compromise, a form of cybercrime based on social engineering that’s growing increasingly dangerous. New school security awareness training, however, can afford any organization a measure of protection, both from the initial phishing and the subsequent BEC attempts.

Avanan has the story.
