Nearly all the top 10 universities in the United States, United Kingdom, and Australia are putting their students, faculty and staff at risk of email compromise by failing to block attackers from spoofing the schools’ email domains.
According to a report released Tuesday by enterprise security company Proofpoint, universities in the United States are most at risk with the poorest levels of protection, followed by the United Kingdom, then Australia.
The report is based on an analysis of Domain-based Message Authentication, Reporting and Conformance (DMARC) records at the schools. DMARC is a nearly decade-old email validation protocol used to authenticate a sender’s domain before delivering an email message to its destination.
The protocol offers three levels of protection — monitor, quarantine, and the strongest level, reject. None of the top universities in any of the countries had the reject level of protection enabled, the report found.
“Higher education institutions hold masses of sensitive personal and financial data, perhaps more so than any industry outside healthcare,” Proofpoint Executive Vice President for Cybersecurity Strategy Ryan Kalember said in a statement.
“This, unfortunately, makes these institutions a highly attractive target for cybercriminals,” he continued. “The pandemic and rapid shift to remote learning has further heightened the cybersecurity challenges for tertiary education institutions and opened them up to significant risks from malicious email-based cyberattacks, such as phishing.”
Barriers to DMARC Adoption
Universities aren’t alone in poor DMARC implementation.
A recent analysis of 64 million domains globally by Red Sift, a London-based maker of an integrated email and brand protection platform, found that only 2.1 percent of the domains had implemented DMARC. Moreover, only 28% of all publicly traded companies in the world have fully implemented the protocol, while 41% enabled only the basic level of it.
There can be a number of reasons for an organization not adopting DMARC. “There can be a lack of awareness around the importance of implementing DMARC policies, as well as companies not being fully aware of how to get started on implementing the protocol,” explained Proofpoint Industries Solutions and Strategy Leader Ryan Witt.
“Additionally,” he continued, “a lack of government policy to mandate DMARC as a requirement could be a contributing factor.”
“Further,” he added, “with the pandemic and current economy, organizations may be struggling to transform their business model, so competing priorities and lack of resources are also likely factors.”
The technology can be challenging to set up, too. “It requires the ability to publish DNS records, which requires systems and network administration experience,” explained Craig Lurey, CTO and co-founder of Keeper Security, a provider of zero-trust and zero-knowledge cybersecurity software, in Chicago.
In addition, he told TechNewsWorld: “There are several layers of setup required for DMARC to be implemented correctly. It needs to be closely monitored during implementation of the policy and the rollout to ensure that valid email is not being blocked.”
No Bullet for Spoofing
Nicole Hoffman, a senior cyber threat intelligence analyst with Digital Shadows, a provider of digital risk protection solutions in San Francisco, agreed that implementing DMARC can be a daunting task. “If implemented incorrectly, it can break things and interrupt business operations,” she told TechNewsWorld.
“Some organizations hire third parties to help with implementation, but this requires financial resources that need to be approved,” she added.
She cautioned that DMARC will not protect against all types of email domain spoofing.
“If you receive an email that appears to be from Bob at Google, but the email actually originated from Yahoo mail, DMARC would detect this,” she explained. “However, if a threat actor registered a domain that closely resembles Google’s domain, such as Googl3, DMARC would not detect that.”
Unused domains can also be a way to evade DMARC. “Domains that are registered, but unused, are also at risk of email domain spoofing,” Lurey explained. “Even when organizations have DMARC implemented on their primary domain, failing to enable DMARC on unused domains makes them potential targets for spoofing.”
Universities’ Unique Challenges
Universities can have their own set of difficulties when it comes to implementing DMARC.
“A lot of times universities don’t have a centralized IT department,” Red Sift Senior Director of Global Channels Brian Westnedge told TechNewsWorld. “Each college has its own IT department operating in silos. That can make it a challenge to implement DMARC across the organization because everyone is doing something a little different with email.”
Witt added that the constantly changing student population at universities, combined with a culture of openness and information-sharing, can conflict with the rules and controls often needed to effectively protect the users and systems from attack and compromise.
Furthermore, he continued, many academic institutions have an associated health system, so they need to adhere to controls associated with a regulated industry.
Funding can also be an issue at universities, noted John Bambenek, principal threat hunter at Netenrich, a San Jose, Calif.-based IT and digital security operations company. “The biggest challenges to universities is low funding of security teams — if they have one — and low funding of IT teams in general,” he told TechNewsWorld.
“Universities don’t pay particularly well, so part of it is a knowledge gap,” he said.
“There is also a culture in many universities against implementing any policies that could impede research,” he added. “When I worked at a university 15 years ago, there were knock-down drag-out fights against mandatory antivirus on workstations.”
Mark Arnold, vice president for advisory services at Lares, an information security consulting firm in Denver, noted domain spoofing is a significant threat to organizations and the technique of choice of threat actors to impersonate businesses and employees.
“Organizational threat models should account for this prevalent threat,” he told TechNewsWorld. “Implementing DMARC allows organizations to filter and validate messages and help thwart phishing campaigns and other business email compromises.”
Business email compromise (BEC) is probably the most expensive problem in all of cybersecurity, maintained Witt. According to the FBI, $43 billion was lost to BEC thieves between June 2016 and December 2021.
“Most people don’t realize how extraordinarily easy it is to spoof an email,” Witt said. “Anyone can send a BEC email to an intended target, and it has a high probability of getting through, especially if the impersonated organization isn’t authenticating their email.”
“These messages often don’t include malicious links or attachments, sidestepping traditional security solutions that analyze messages for these traits,” he continued. “Instead, the emails are simply sent with text designed to con the victim into acting.”
“Domain spoofing, and its cousin typosquatting, are the lowest hanging fruit for cybercriminals,” Bambenek added. “If you can get people to click on your emails because it looks like it is coming from their own university, you get a higher click-through rate and by extension, more fraud losses, stolen credentials and successful cybercrime.”
“In recent years,” he said, “attackers have been stealing students’ financial aid refunds. There is big money to be made by criminals here.”