Re: [EXTERNAL] Re: [SECURITY] Admissions application bot activity

["Jones, Mark B" <Mark.B.Jones () UTH TMC EDU>]

Are they after .edu email addresses?

 

From: The EDUCAUSE Security Community Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Smith, Jason
Sent: Monday, September 21, 2020 8:18 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] [EXTERNAL] Re: [SECURITY] Admissions application bot
activity

 

**** EXTERNAL EMAIL ****

Is the goal of these attacks a kind of 'denial-of-service' by overwhelming
your admissions process?  Or are they hoping you'll actually accept one of
these folks and then a real person will attend under the fake name?  Or.?

 

 

Jason E. Smith, MS PMP CPHIMS CSM

Director of IT, Bon Secours Memorial College

8550 Magellan Parkway #1100, Richmond, VA 23227



 

From: The EDUCAUSE Security Community Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU <mailto:SECURITY () LISTSERV EDUCAUSE EDU> > On
Behalf Of Steven Saine
Sent: Monday, September 21, 2020 7:57 AM
To: SECURITY () LISTSERV EDUCAUSE EDU <mailto:SECURITY () LISTSERV EDUCAUSE EDU> 
Subject: [EXTERNAL] Re: [SECURITY] Admissions application bot activity

 

[Warning: This email originated outside our organization's email system. Be
wary of links and attachments unless you recognize the sender. Never share
your username or password.]

Here is some information regarding fake applications that has been shared
with us previously.  Not sure if it will help or not.  It was noticed fake
applications were coming from these domains.

 

The 'bad' domains identified are:

.                     armyspy(dot)ga

.                     rhyta(dot)cf

.                     teleworm(dot)tk

.                     jourrapide(dot)gq

.                     dayrepa(dot)ml

 

Common conditions identified from the bad applications are:

.                     They're all allegedly new students, not matching with
any existing Colleague records.

.                     They all list dates of birth in the year 1999, either
20 or 21 years old.

.                     They're all listed as male.

.                     They're all listed as residing in a state other than
North Carolina.

.                     They're all listed as unemployed (not seeking).

.                     They all list personal enrichment as their educational
goals.

.                     They all have the race and ethnicity left unlisted.

.                     Most tellingly, each of these fake applications lists
a residency certification number (RCN) that either belongs to someone else
entirely or isn't a real RCN, but it's always listed as a ten-digit number
beginning with "1100" as if it was a real RCN.

 

 

Steven B. Saine

Director of Information Security, Construction Management, and Audit

Rowan-Cabarrus Community College

1333 Jake Alexander Blvd.

Salisbury, NC 28146

Telephone:     (704) 216-3561

 <mailto:steven.saine () rccc edu> steven.saine () rccc edu

 <mailto:helpdesk () rccc edu> helpdesk () rccc edu

 

From: The EDUCAUSE Security Community Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU <mailto:SECURITY () LISTSERV EDUCAUSE EDU> > On
Behalf Of Czarapata, Paul (KCTCS)
Sent: Friday, September 18, 2020 5:46 PM
To: SECURITY () LISTSERV EDUCAUSE EDU <mailto:SECURITY () LISTSERV EDUCAUSE EDU> 
Subject: [SECURITY] Admissions application bot activity

 

Dear colleagues,

 

Sorry for the cross-post, but we have a bit of a situation here at KCTCS.
We have been getting tens of thousands of fake admissions applications over
the past 6 weeks.  We have re-captcha implemented and they are still getting
through, but at such a pace there is no way a human can be doing it.  The
network team is watching the IP addresses and blocking, but then they just
pop up from somewhere else.  Our student team is working on a pin code
process, but that's not ready yet.  We don't have an admissions application
fee either, or that would likely stop them.  I was just curious if anyone
else had seen this happening and if you have stopped it, what you did? 

 

Thank you in advance - PC

 

______________________________________________________________________

Paul Czarapata, Ed.D.

Vice President/Chief Information Officer

Kentucky Community & Technical College System

300 North Main Street

Versailles, KY 40383

O: 859/256-3248

 

Your success equals our success.
 
<https://systemoffice.kctcs.edu/the_system_office/services_and_departments/m
arketing_and_digital_communications/brandguide/media/signature-logos/kctcs.j
pg> 

 
<https://urldefense.proofpoint.com/v2/url?u=https-3A__twitter.com_pczarapata
&d=DwMFAw&c=yW7i6Vsv6ZXp9FaTXPPdsQ&r=EvH8T5wYRt0eLcNCvDFq2AYlWeMQMykLeiDSPhb
gCo8&m=R1rPsB4E9h5HIJm97B1zmQ9rSbAPwjdOlJPapqI1AZo&s=Uod4IU_795qPLsXizAHjBh8
xMWfiimUn1atV3jLAkKQ&e=>
<https://urldefense.proofpoint.com/v2/url?u=https-3A__linkedin.com_in_pczara
pata&d=DwMFAw&c=yW7i6Vsv6ZXp9FaTXPPdsQ&r=EvH8T5wYRt0eLcNCvDFq2AYlWeMQMykLeiD
SPhbgCo8&m=R1rPsB4E9h5HIJm97B1zmQ9rSbAPwjdOlJPapqI1AZo&s=ZBPYZL9Im1pAG_qTPIw
2PrmGdCsPHmz4wQw-s5ftpTs&e=>
<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.facebook.com_KCTCS
&d=DwMFAw&c=yW7i6Vsv6ZXp9FaTXPPdsQ&r=EvH8T5wYRt0eLcNCvDFq2AYlWeMQMykLeiDSPhb
gCo8&m=R1rPsB4E9h5HIJm97B1zmQ9rSbAPwjdOlJPapqI1AZo&s=Fiw5kNAmBOhzIHHLeRqkTtT
YsSmo5roS9EkJ_SuvczA&e=> 

 
<https://urldefense.proofpoint.com/v2/url?u=http-3A__kctcs.edu_tlc&d=DwMFAw&;
c=yW7i6Vsv6ZXp9FaTXPPdsQ&r=EvH8T5wYRt0eLcNCvDFq2AYlWeMQMykLeiDSPhbgCo8&m=R1r
PsB4E9h5HIJm97B1zmQ9rSbAPwjdOlJPapqI1AZo&s=1KgQclU5CpTtGwvEZNPSaJk6zl5fRR-I-
J5UnTtpufc&e=> Training and Learning Center |
<https://urldefense.proofpoint.com/v2/url?u=http-3A__ithelpdesk.kctcs.edu_&d
=DwMFAw&c=yW7i6Vsv6ZXp9FaTXPPdsQ&r=EvH8T5wYRt0eLcNCvDFq2AYlWeMQMykLeiDSPhbgC
o8&m=R1rPsB4E9h5HIJm97B1zmQ9rSbAPwjdOlJPapqI1AZo&s=us2w0M5RQ6JAsIa0mXJ43i0hn
X8yRYZY_JLB0idqAv8&e=> Technology Solutions Help Desk | Technology
Communications Center
<https://urldefense.proofpoint.com/v2/url?u=http-3A__kctcs.edu_tcc&d=DwMFAw&;
c=yW7i6Vsv6ZXp9FaTXPPdsQ&r=EvH8T5wYRt0eLcNCvDFq2AYlWeMQMykLeiDSPhbgCo8&m=R1r
PsB4E9h5HIJm97B1zmQ9rSbAPwjdOlJPapqI1AZo&s=R0XVRVsoYnrc1E2qPVIsLee-qfn7aNRjF
13GYsxWofs&e=> 

 

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community
list. If you want to reply only to the person who sent the message, copy and
paste their email address and forward the email reply. Additional
participation and subscription information can be found at
https://www.educause.edu/community
<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.educause.edu_commu
nity&d=DwMFAw&c=yW7i6Vsv6ZXp9FaTXPPdsQ&r=EvH8T5wYRt0eLcNCvDFq2AYlWeMQMykLeiD
SPhbgCo8&m=R1rPsB4E9h5HIJm97B1zmQ9rSbAPwjdOlJPapqI1AZo&s=bIAwa5LAU-0OKm-EB5C
atP--FBMiI2dP6BsJfPo52fA&e=>  

E-mail correspondence to and from this address may be subject to the North
Carolina Public Records Law and may be disclosed to third parties by an
authorized state official. (NCGS.Ch.132) 

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community
list. If you want to reply only to the person who sent the message, copy and
paste their email address and forward the email reply. Additional
participation and subscription information can be found at
https://www.educause.edu/community
<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.educause.edu_commu
nity&d=DwMFAg&c=bKRySV-ouEg_AT-w2QWsTdd9X__KYh9Eq2fdmQDVZgw&r=Lgw4Sh6g47kM5A
_tpEcLZDyPGvmOKdeDlyp60PwA78c&m=C4pKXVEo5Dy26rSFRupmDwZGfh7qY662RQ6J22hpGFw&
s=m6Bi00S0UqHUOsRN-PGRNPI9h7Z3qBD52-Mg0ziwl5s&e=>  

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community
list. If you want to reply only to the person who sent the message, copy and
paste their email address and forward the email reply. Additional
participation and subscription information can be found at
https://www.educause.edu/community
<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.educause.edu_commu
nity&d=DwMFAg&c=bKRySV-ouEg_AT-w2QWsTdd9X__KYh9Eq2fdmQDVZgw&r=Lgw4Sh6g47kM5A
_tpEcLZDyPGvmOKdeDlyp60PwA78c&m=C4pKXVEo5Dy26rSFRupmDwZGfh7qY662RQ6J22hpGFw&
s=m6Bi00S0UqHUOsRN-PGRNPI9h7Z3qBD52-Mg0ziwl5s&e=>  


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

Attachment: smime.p7s
Description: