Educause Security Discussion mailing list archives
Re: [EXTERNAL] Re: [SECURITY] Admissions application bot activity
From: Steven Saine <steven.saine () RCCC EDU>
Date: Mon, 21 Sep 2020 13:35:16 +0000
It's hard to say exactly what their goals are. Probably like most spam phishing, to disrupt and cause issues. In some auto-application processes, an .edu account could be created. Steven B. Saine Director of Information Security, Construction Management, and Audit Rowan-Cabarrus Community College 1333 Jake Alexander Blvd. Salisbury, NC 28146 Telephone: (704) 216-3561 steven.saine () rccc edu<mailto:steven.saine () rccc edu> helpdesk () rccc edu<mailto:helpdesk () rccc edu> From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Jones, Mark B Sent: Monday, September 21, 2020 9:21 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] [EXTERNAL] Re: [SECURITY] Admissions application bot activity Are they after .edu email addresses? From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> On Behalf Of Smith, Jason Sent: Monday, September 21, 2020 8:18 AM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: Re: [SECURITY] [EXTERNAL] Re: [SECURITY] Admissions application bot activity **** EXTERNAL EMAIL **** Is the goal of these attacks a kind of 'denial-of-service' by overwhelming your admissions process? Or are they hoping you'll actually accept one of these folks and then a real person will attend under the fake name? Or...? Jason E. Smith, MS PMP CPHIMS CSM Director of IT, Bon Secours Memorial College 8550 Magellan Parkway #1100, Richmond, VA 23227 [cid:image001.png@01D68FFA.826AED90] From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> On Behalf Of Steven Saine Sent: Monday, September 21, 2020 7:57 AM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: [EXTERNAL] Re: [SECURITY] Admissions application bot activity [Warning: This email originated outside our organization's email system. Be wary of links and attachments unless you recognize the sender. Never share your username or password.] Here is some information regarding fake applications that has been shared with us previously. Not sure if it will help or not. It was noticed fake applications were coming from these domains. The 'bad' domains identified are: * armyspy(dot)ga * rhyta(dot)cf * teleworm(dot)tk * jourrapide(dot)gq * dayrepa(dot)ml Common conditions identified from the bad applications are: * They're all allegedly new students, not matching with any existing Colleague records. * They all list dates of birth in the year 1999, either 20 or 21 years old. * They're all listed as male. * They're all listed as residing in a state other than North Carolina. * They're all listed as unemployed (not seeking). * They all list personal enrichment as their educational goals. * They all have the race and ethnicity left unlisted. * Most tellingly, each of these fake applications lists a residency certification number (RCN) that either belongs to someone else entirely or isn't a real RCN, but it's always listed as a ten-digit number beginning with "1100" as if it was a real RCN. Steven B. Saine Director of Information Security, Construction Management, and Audit Rowan-Cabarrus Community College 1333 Jake Alexander Blvd. Salisbury, NC 28146 Telephone: (704) 216-3561 steven.saine () rccc edu<mailto:steven.saine () rccc edu> helpdesk () rccc edu<mailto:helpdesk () rccc edu> From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> On Behalf Of Czarapata, Paul (KCTCS) Sent: Friday, September 18, 2020 5:46 PM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: [SECURITY] Admissions application bot activity Dear colleagues, Sorry for the cross-post, but we have a bit of a situation here at KCTCS. We have been getting tens of thousands of fake admissions applications over the past 6 weeks. We have re-captcha implemented and they are still getting through, but at such a pace there is no way a human can be doing it. The network team is watching the IP addresses and blocking, but then they just pop up from somewhere else. Our student team is working on a pin code process, but that's not ready yet. We don't have an admissions application fee either, or that would likely stop them. I was just curious if anyone else had seen this happening and if you have stopped it, what you did? Thank you in advance - PC ______________________________________________________________________ Paul Czarapata, Ed.D. Vice President/Chief Information Officer Kentucky Community & Technical College System 300 North Main Street Versailles, KY 40383 O: 859/256-3248 Your success equals our success. [https://systemoffice.kctcs.edu/the_system_office/services_and_departments/marketing_and_digital_communications/brandguide/media/signature-logos/kctcs.jpg] [cid:image002.png@01D68FFA.826AED90]<https://urldefense.proofpoint.com/v2/url?u=https-3A__twitter.com_pczarapata&d=DwMFAw&c=yW7i6Vsv6ZXp9FaTXPPdsQ&r=EvH8T5wYRt0eLcNCvDFq2AYlWeMQMykLeiDSPhbgCo8&m=R1rPsB4E9h5HIJm97B1zmQ9rSbAPwjdOlJPapqI1AZo&s=Uod4IU_795qPLsXizAHjBh8xMWfiimUn1atV3jLAkKQ&e=> [cid:image003.png@01D68FFA.826AED90] <https://urldefense.proofpoint.com/v2/url?u=https-3A__linkedin.com_in_pczarapata&d=DwMFAw&c=yW7i6Vsv6ZXp9FaTXPPdsQ&r=EvH8T5wYRt0eLcNCvDFq2AYlWeMQMykLeiDSPhbgCo8&m=R1rPsB4E9h5HIJm97B1zmQ9rSbAPwjdOlJPapqI1AZo&s=ZBPYZL9Im1pAG_qTPIw2PrmGdCsPHmz4wQw-s5ftpTs&e=> [cid:image004.png@01D68FFA.826AED90] <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.facebook.com_KCTCS&d=DwMFAw&c=yW7i6Vsv6ZXp9FaTXPPdsQ&r=EvH8T5wYRt0eLcNCvDFq2AYlWeMQMykLeiDSPhbgCo8&m=R1rPsB4E9h5HIJm97B1zmQ9rSbAPwjdOlJPapqI1AZo&s=Fiw5kNAmBOhzIHHLeRqkTtTYsSmo5roS9EkJ_SuvczA&e=> Training and Learning Center<https://urldefense.proofpoint.com/v2/url?u=http-3A__kctcs.edu_tlc&d=DwMFAw&c=yW7i6Vsv6ZXp9FaTXPPdsQ&r=EvH8T5wYRt0eLcNCvDFq2AYlWeMQMykLeiDSPhbgCo8&m=R1rPsB4E9h5HIJm97B1zmQ9rSbAPwjdOlJPapqI1AZo&s=1KgQclU5CpTtGwvEZNPSaJk6zl5fRR-I-J5UnTtpufc&e=> | Technology Solutions Help Desk<https://urldefense.proofpoint.com/v2/url?u=http-3A__ithelpdesk.kctcs.edu_&d=DwMFAw&c=yW7i6Vsv6ZXp9FaTXPPdsQ&r=EvH8T5wYRt0eLcNCvDFq2AYlWeMQMykLeiDSPhbgCo8&m=R1rPsB4E9h5HIJm97B1zmQ9rSbAPwjdOlJPapqI1AZo&s=us2w0M5RQ6JAsIa0mXJ43i0hnX8yRYZY_JLB0idqAv8&e=> | Technology Communications Center<https://urldefense.proofpoint.com/v2/url?u=http-3A__kctcs.edu_tcc&d=DwMFAw&c=yW7i6Vsv6ZXp9FaTXPPdsQ&r=EvH8T5wYRt0eLcNCvDFq2AYlWeMQMykLeiDSPhbgCo8&m=R1rPsB4E9h5HIJm97B1zmQ9rSbAPwjdOlJPapqI1AZo&s=R0XVRVsoYnrc1E2qPVIsLee-qfn7aNRjF13GYsxWofs&e=> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.educause.edu_community&d=DwMFAw&c=yW7i6Vsv6ZXp9FaTXPPdsQ&r=EvH8T5wYRt0eLcNCvDFq2AYlWeMQMykLeiDSPhbgCo8&m=R1rPsB4E9h5HIJm97B1zmQ9rSbAPwjdOlJPapqI1AZo&s=bIAwa5LAU-0OKm-EB5CatP--FBMiI2dP6BsJfPo52fA&e=> E-mail correspondence to and from this address may be subject to the North Carolina Public Records Law and may be disclosed to third parties by an authorized state official. (NCGS.Ch.132) ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.educause.edu_community&d=DwMFAg&c=bKRySV-ouEg_AT-w2QWsTdd9X__KYh9Eq2fdmQDVZgw&r=Lgw4Sh6g47kM5A_tpEcLZDyPGvmOKdeDlyp60PwA78c&m=C4pKXVEo5Dy26rSFRupmDwZGfh7qY662RQ6J22hpGFw&s=m6Bi00S0UqHUOsRN-PGRNPI9h7Z3qBD52-Mg0ziwl5s&e=> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.educause.edu_community&d=DwMFAg&c=bKRySV-ouEg_AT-w2QWsTdd9X__KYh9Eq2fdmQDVZgw&r=Lgw4Sh6g47kM5A_tpEcLZDyPGvmOKdeDlyp60PwA78c&m=C4pKXVEo5Dy26rSFRupmDwZGfh7qY662RQ6J22hpGFw&s=m6Bi00S0UqHUOsRN-PGRNPI9h7Z3qBD52-Mg0ziwl5s&e=> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community E-mail correspondence to and from this address may be subject to the North Carolina Public Records Law and may be disclosed to third parties by an authorized state official. (NCGS.Ch.132) ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Current thread:
- Admissions application bot activity Czarapata, Paul (KCTCS) (Sep 18)
- Re: Admissions application bot activity Mac McGaughy (Sep 18)
- Re: Admissions application bot activity Steven Saine (Sep 21)
- Re: [EXTERNAL] Re: [SECURITY] Admissions application bot activity Smith, Jason (Sep 21)
- Re: [EXTERNAL] Re: [SECURITY] Admissions application bot activity Jones, Mark B (Sep 21)
- Re: [EXTERNAL] Re: [SECURITY] Admissions application bot activity Steven Saine (Sep 21)
- Re: [EXTERNAL] Re: [SECURITY] Admissions application bot activity Smith, Jason (Sep 21)
- Re: Admissions application bot activity Chester, Heather (Sep 21)
- Re: Admissions application bot activity Hagan, Sean (Sep 21)
- Message not available
- Re: Admissions application bot activity Wesolowski, Nathan R. (Sep 22)
- Re: Admissions application bot activity Blake Ketcham (Sep 21)
- Re: Admissions application bot activity Steven Saine (Sep 22)
- Re: Admissions application bot activity Amanda Williams (Sep 22)
- <Possible follow-ups>
- Re: Admissions application bot activity Wesolowski, Nathan R. (Sep 22)
- Re: [EXTERNAL] Re: [SECURITY] Admissions application bot activity Smith, Jason (Sep 22)
- Re: Admissions application bot activity Wesolowski, Nathan R. (Sep 22)