Friday, March 28, 2025

Google Issues Warning on Phishing Campaigns Targeting Higher Education Institutions


Google, in collaboration with its Mandiant Threat Intelligence team, has issued a warning about a surge in phishing campaigns targeting higher education institutions in the United States.

These campaigns, observed since August 2024, have exploited the academic calendar and institutional trust to deceive students, faculty, and staff.

The attacks have been linked to a broader campaign dating back to at least October 2022, with thousands of users targeted monthly.

The phishing attacks are strategically timed to coincide with key academic events such as the start of the school year and financial aid deadlines.

By leveraging these high-pressure periods, attackers have successfully tricked victims into revealing sensitive credentials and financial information.

The campaigns employ various tactics, including hosting malicious Google Forms on compromised university domains and cloning university login portals to carry out payment redirection attacks.

[Figure: Payment redirection attacks]

Key Campaigns Identified

One major campaign involved phishing emails directing recipients to fraudulent Google Forms designed to mimic legitimate university communications.

These forms often included official logos and color schemes to increase their credibility.

Victims were prompted to provide login credentials or financial details under the guise of resolving account issues or updating financial aid information.

Although these malicious forms have been removed, attackers have frequently repurposed compromised environments for new phishing attempts.

Another campaign focused on cloning university login pages and re-hosting them on attacker-controlled infrastructure.

These cloned sites used advanced techniques like JavaScript-based redirects targeting mobile users, further complicating detection efforts.

In some cases, attackers exploited these fake portals to execute payment redirection attacks, diverting funds such as financial aid disbursements or payroll into their own accounts.

A third campaign targeted faculty and staff with phishing emails promising raises or bonuses in exchange for login credentials.

[Figure: Example phishing email]

Once the attackers gained access to these accounts, they used them to distribute phishing forms to students under the pretense of job applications, seeking additional personal and financial information.

Broader Implications

The consequences of these attacks extend beyond immediate financial losses.

Educational institutions face reputational damage and operational disruptions as they work to recover stolen funds and implement enhanced security measures.

To combat these threats, Google recommends a multi-layered security approach:

  • Implement Multi-Factor Authentication (MFA): Requiring MFA for all accounts significantly reduces the risk of unauthorized access.
  • Employee Training: Regular training sessions can help staff recognize phishing attempts and suspicious requests involving financial transactions.
  • Advanced Email Security: Deploying tools that detect domain anomalies and malicious patterns can block phishing emails before they reach users.
  • Payment Verification Protocols: Strict procedures for verifying changes in payment details can prevent unauthorized redirections.
  • Incident Response Plans: Institutions should develop robust plans to contain breaches and collaborate with law enforcement for recovery efforts.
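
As an added illustration of the "domain anomalies and malicious patterns" checks recommended above (example code written for this page, not Google's or Mandiant's tooling), the following triage function flags message bodies that pair a Google Forms link with credential or financial-aid wording, and links to hosts that imitate the institution's domain. The domain `example.edu`, the lure word list and the 0.85 similarity threshold are assumptions.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumptions for this example: the institution's domain and the lure wording.
OWN_DOMAIN = "example.edu"
BRAND = OWN_DOMAIN.split(".")[0]
LURE = re.compile(r"\b(financial aid|password|payroll|bonus|raise)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)

def is_form_link(url):
    """True for Google Forms links (long form or forms.gle short link)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return host == "forms.gle" or (
        host == "docs.google.com" and parts.path.startswith("/forms/"))

def is_lookalike(host):
    """True if host is outside OWN_DOMAIN but imitates it."""
    if host == OWN_DOMAIN or host.endswith("." + OWN_DOMAIN):
        return False
    tail = ".".join(host.split(".")[-2:])  # crude registrable-domain guess
    similar = SequenceMatcher(None, tail, OWN_DOMAIN).ratio() >= 0.85
    return BRAND in host or similar

def triage(body):
    """Return sorted findings for one message body."""
    findings = set()
    has_lure = bool(LURE.search(body))
    for url in URL_RE.findall(body):
        host = (urlsplit(url).hostname or "").lower()
        if has_lure and is_form_link(url):
            findings.add("form-link-with-lure")
        if is_lookalike(host):
            findings.add("lookalike:" + host)
    return sorted(findings)

# Constructed sample messages, not taken from the campaigns.
SAMPLES = [
    "Your financial aid is on hold. Complete "
    "https://docs.google.com/forms/d/e/CONSTRUCTED/viewform today",
    "Confirm your password at https://login.examp1e.edu/sso now",
    "Campus map: https://www.example.edu/map",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(triage(msg), "<-", msg[:40])
```

The form check deliberately ignores the sender, because the campaigns described above also sent forms from compromised accounts inside the institution.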

Google’s Workspace Trust and Safety team continues to monitor these campaigns and urges educational institutions to remain vigilant.

By fostering awareness and adopting proactive security measures, organizations can mitigate the risks posed by increasingly sophisticated phishing attacks targeting the education sector.


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
