More than 40,000 University of Maryland email addresses have been identified for sale on dark web sites, which are designed to let cybercriminals operate without law enforcement being able to track them.
Data collected by the Digital Citizens Alliance suggests cybercriminals are buying, selling, stealing and faking .edu email addresses from institutions of higher education faster than ever before. Cybercriminals can use student emails to more effectively “phish” for information by disguising a malicious email as genuine in order to gain the recipient’s trust, said David Maimon, a professor in the criminology and criminal justice department at this university.
A .edu address also makes it hard for spam filters to detect harmful emails, he said.
“If I get an email from a university account … I will click on it, and that’s the assumption the bad guys are working with,” Maimon said.
The Digital Citizens Alliance report also said some students were not tricked into giving others access to their .edu emails but instead sold them online for a fee, giving the buyer access to student discounts on common services, from Apple to Amazon.
Universities are common targets for cybercriminals because of the large amount of information they store in their systems, including student and faculty names, birth dates, social security numbers and health records, Maimon added.
More than 300,000 student and faculty records — including names, birthdates, university ID numbers and social security numbers — were compromised at this university in a data breach in February 2014.
Once hackers get access to that data they can sell it on the dark web for use in identity theft. Stolen email addresses and hacked passwords can also be used to obtain more personal information, Maimon said.
While two-step verification and password updates can help safeguard information from hackers, Maimon said the best way to avoid phishing attempts is to exercise caution. Do not click on links from suspicious email accounts, he said, and separately verify any dubious messages that require you to give your information.
“You would expect that [the younger] generation will be more tech-savvy,” Maimon said. “They’re not.”
The university’s Division of Information Technology has many safeguards against various threats to student and faculty information, said Jonathan Katz, director of the Maryland Cybersecurity Center and a computer science professor. Since the 2014 data breach, there have been no large- or small-scale data breaches, he said.
Katz said the university’s Division of Information Technology monitors student emails for suspiciously large amounts of activity, which would indicate the account is being used to send spam.
“They are running a top-notch operation, they have all the relevant tools … and people working around the clock to prevent the bad guys from getting access to our information,” Maimon said of the Division of Information Technology. “They comply with all the policies and regulations they need to.”
The cybersecurity center has been developing more secure programming languages and has put “honeypots” — computers designed to attract and block hackers — into place, Katz said.
Michael Reininger, president of the university cybersecurity club, said university students need to be especially vigilant in the case of phishing attempts.
“It’s easy to be susceptible to an email that says, ‘We’re interested in hiring you for a summer job, all you have to do is send us your information over this link,’” he said.
The sophomore computer science major also said sites such as LinkedIn, which students may have signed up for with their .edu emails, might have been breached. This exposes information to hackers, especially if users protect their profiles with the same passwords.
Switching the university’s official student email provider to Gmail in 2011, Reininger said, has provided students with more security. The Gmail client informs users of emails sent through unsafe channels with a red padlock, and also offers two-step verification, which Reininger says is one of the easiest and most effective ways of protecting personal information.