According to the FBI, Russian scammers are selling network credentials and access to a virtual private network for a “multitude” of American universities and colleges in criminal markets.

According to a warning released Thursday, these stolen credentials are selling for thousands of dollars on the dark web and in public internet forums, and could lead to subsequent cyberattacks against individual employees or the schools themselves.

“The exposure of usernames and passwords can lead to brute-force credential stuffing computer network attacks, whereby attackers attempt to log into various Internet sites or exploit them to subsequent cyberattacks, as criminal actors take advantage of recycling the same credentials across multiple accounts, websites, and services,” the Fed alert [PDF] said.

In May 2021, more than 36,000 combinations of email addresses and passwords for email accounts ending in “.edu” were offered for sale on a “publicly available instant messaging platform” , according to the office, although it noted that some of them may have been duplicates.

Either way, it’s high time to stop and stop reusing passwords and implement multi-factor authentication.

The FBI also cited attacks in 2017 in which cybercriminals cloned university login pages and emailed links to the sites in phishing emails to harvest the details of unsuspecting people. “Such tactics continued to prevail and escalated with COVID-themed phishing attacks to steal college login credentials, according to security researchers at a US-based company in December 2021,” the security alert noted.

Simply put: phishing still works, according to John Gunn, CEO of identity company Token.

“Phishing is still very effective and has now become a numbers game – the more frequent the attacks, the more victims become fatigued and preyed upon,” Gunn said. The register. “We see the same approach to stealing credentials from business users, highlighting the need for multi-factor authentication and a passwordless approach to access control. No credentials mean nothing to phishing and puts an end to this huge vulnerability.”

The FBI’s latest warning also comes as US colleges and universities face an increase in ransomware attacks.

In 2021, criminals attacked a total of 26 colleges and universities with ransomware, and 2022 is already on track to meet or exceed that number. At least 15 colleges have been hit by ransomware so far this year, according to Emsisoft threat analyst Brett Callow.

“The education sector continues to be attractive targets because it’s very rare for a university to focus on its cybersecurity stack as its #1 priority,” said Brad Hong, chief customer success officer at the company. Horizon3ai penetration testing.

“Since the majority of colleges in the United States, especially those that are not focused on protecting the intellectual property of their research institutions, do not have the staff or the budget to implement cyber tools for next-gen to combat next-gen cyber attacks, the effort yield is several levels lower than any other industry as a whole,” he said. The registerciting a Sophos study which found that the education sector is tied to retail with the highest number of ransomware attacks across various industries.

This report [PDF] also found that 44% of all educational organizations surveyed had experienced a ransomware attack. ®