Cybersecurity Trends

Report Details Increasingly Sophisticated Phishing Attacks and Proxies Targeting Students

Monthlong Test of PhishID Reveals New Methods That Get Around Traditional Detection, Content Filters

In a monthlong study of one U.S. school district with newly implemented PhishID security software, Identity Automation uncovered detailed markers of increasingly sophisticated phishing attacks and dangerous proxy services targeting students, according to a new report from the company.

The cybersecurity company, which introduced its RapidIdentity PhishID solution last summer, conducted the study in January, closely monitoring infrastructure security and attempted threats for the first 30 days after the district “turned on” its new anti-phishing software, the report said. 

During that time, PhishID “detected and blocked a total of 73 malicious sites that were clicked by students and staff, including brand new phishing attacks and dangerous proxy services targeted to students,” according to the report. PhishID is powered by PIXM technology and uses AI computer vision to detect phishing attacks and unsafe proxy sites, Identity Automation said.


“While the K–12 sector is focused on preventing account takeovers leading to ransomware attacks (and rightfully so), a less well-known threat is targeting our students: account takeovers leading to the identity theft of students and minors. These types of targeted phishing campaigns dupe students into voluntarily offering their credentials,” said Identity Automation in its report, citing a study showing that one in 50 children had their identity stolen in 2021. “Unlike adults, students are a ‘blank slate’ for identity thieves. They don’t have credit reports and few parents actively monitor their child’s credit or SSN — meaning the fraud can go undetected for years. Malicious actors use students’ stolen credentials to then access their individual PII for valuable information, like a Social Security number with no credit score. Further, these attacks often occur without the end-user or administrators ever becoming aware that the incursion has taken place.”

The district — not named in the report — had previously implemented Identity Automation’s RapidIdentity access management platform for K–12 schools, and it had just added PhishID to its cyber risk management strategy, according to the report. Since the study was completed, the district has also further expanded on its cyber protections, adding multi-factor authentication, the report noted.

The study and its results offer K–12 IT and security practitioners valuable insight into threat actors’ most-used methods and ways school districts can protect students and staff and their data.

Key Findings: 30 Days of Phishing Attacks at a School

  • Students are the target: “Student accounts are being targeted to gain access to their valuable personal identifiable information and their ‘blank slate’ credit history for the purposes of identity theft and ultimately, financial gain,” the report said.
  • Sophisticated, student-specific phishing: Students are targeted via emails containing links that appear to have school-related content, or the emails look like a legitimate service popular with students such as an educational site or video game — but the links actually take the students to spoofed login pages where credentials and other sensitive data can be easily intercepted and stolen, Identity Automation said.
  • Evasion tactics in use: Such phishing attacks and dangerous proxy services “are extremely difficult to detect and stop by traditional means due to stealthy tactics, such as quick deploy web applications and proxy aware connections,” the report said.
  • Stealthy features circumvent content filters: Malicious sites are using URL cloaking and tab cloaking features — or requiring site visitors to use them to “log in” to “their website” that is actually a malicious website — to “circumvent content filters and allow students continued access,” even after the known malicious domain is blacklisted, the report said.

Recommendations to Minimize the Phishing Threat

Identity Automation urged school districts and their IT and security leaders to take the following steps to protect against phishing attacks, verbatim from the report:

  1. Don’t assume safeguarding inboxes, content filters, and regular user training are enough to protect students from phishing attacks.

  2. Implement advanced anti-phishing protection that uses AI computer vision to detect phishing attempts, regardless of a threat’s origin or stealthy techniques used.

  3. Protect your students’ digital identities by enforcing strong and appropriate MFA across ALL user populations — including students.

The report noted that school districts face a big enough challenge deploying MFA for all staff, let alone for students and parents, and said malicious actors are taking advantage of the gap in security, “specifically targeting students by luring them into risky behavior to access the non-district-approved sites they want to go to, and potentially causing long-lasting ramifications for these students once their identities have been stolen and sold.”

Content filters are being bypassed as a matter of course, when students are unaware they are bypassing a content filter to access a site that is actually dangerous and is not the authentic website for the game or content they are accustomed to accessing, the report said. “PhishID’s threat data further reinforces that adversaries are using stealthy techniques to get around content filters, deliver phishing attacks to students, and lure them into dangerous websites and services that are designed to steal data.”

