An email address from a prestigious university and access to its library and other services can now be yours for the low, low price of 16 cents!
But wait -- there’s more!
The IT security company Palo Alto Networks last week found email accounts from 42 universities worldwide -- 19 of them in the U.S. -- for sale on Taobao, China’s version of eBay. The site is owned by the massive Alibaba Group, which specializes in ecommerce. Accounts from universities in Australia, Canada, China, Denmark, Switzerland and the United Kingdom are also listed for sale.
Some accounts can be purchased for as little as 1 Chinese yuan, or about 16 cents, but prices for the most expensive accounts reached 2,400 Chinese yuan -- about $390, based on Monday’s exchange rates. The accounts all come with valid passwords, and the listings “guaranteed that all email accounts were valid, accessible, and active.”
Universities in the U.S. are routinely bombarded with malicious attacks originating in countries such as China. Armed with a university email address, hackers may gain a trusted platform from which to launch those attacks. For example, an administrator or faculty member may not think twice about whether an email is actually a phishing attack meant to steal their credentials when it comes from a valid university account.
In fact, Palo Alto Networks found many buyers may be using the email accounts to score discounts around the Internet. Several listings walked potential buyers through the process of using their newly acquired “.edu” accounts to secure cheap software deals or memberships with online retailers. Others may use the accounts to access academic databases, journals and other resources universities subscribe to.
If the accounts are only being used for online discounts, universities don’t have any way to track it, a spokesman for Purdue University said. The institution is one of the 19 listed in the analysis. But if the buyers attempt to access Purdue’s network, he said, “then yes, they do have ways to detect that.”
The spokesman declined to go into detail to avoid compromising Purdue’s network security, as is usually the case when universities discuss the topic.
Palo Alto Networks was able to get in touch with several sellers, one of whom explained how the accounts ended up on Taobao to begin with.
“A well-stocked seller told us that every account he sold belonged to an active student at the respective university,” analysts Claud Xiao and Rob Downs wrote. “He claimed that once the account was sold, only the one buyer and the legitimate user would have access.”
Those accounts were also the least expensive. For a slightly higher price, buyers could request customized addresses. To verify the listings weren’t scams, the analysts bought an account and received a working email address four hours later.
The analysts have reported the accounts to Taobao, which is reportedly working on addressing the issue.
Jonathan Mayer, a lawyer and computer scientist at Stanford University, was getting ready to teach his first Coursera course last week when he discovered large security problems at the provider of massive open online courses. As he described on his blog, Mayer found that, among other things, any instructor could "dump the entire user database, including over 9 million names and email addresses" and that "if you are logged into your Coursera account, any website that you visit can list your course enrollments." Coursera has acknowledged the problems and said that it has fixed them. Mayer's blog says that the MOOC provider has made some but not all of the fixes.
A state audit has criticized the University of Connecticut for spending $902,000 on financial management software from Kuali that the institution didn't even use. Between 2009 and 2012, the university paid service provider SciQuest three annual licensing fees, even though it would take until the summer of 2012 before the system was up and running. The audit also criticized the university for entering into a $10.1 million contract with SciQuest without first completing a formal selection process. The news was first reported by The Hartford Courant.
Academe may be less prepared than the finance, health care and manufacturing sectors to tackle cybersecurity breaches, according to a report from the network security provider ForeScout Technologies, Inc. After interviewing more than 1,600 IT staffers at organizations in the U.S. and abroad, researchers at IDG Connect found higher education lagged behind the other sectors on forming policies and mitigating risk. IT staffers in higher education were also the least confident that mobile device security and network monitoring tools would be improved.