Educause Security Discussion mailing list archives
Re: Admissions application bot activity
From: Blake Ketcham <blake.ketcham () AIMS EDU>
Date: Mon, 21 Sep 2020 16:28:50 -0600
Paul, We’ve seen similar activity here, and, unfortunately, the vendor for our hosted admissions application solution has not provided any effective mitigations. It sounds like you’re hosting your solution and have a bit more flexibility. In our case, it seems the motive is the cloud storage that comes with a student account. Once they’ve obtained the account, they upload vast amounts of mostly video content (likely illegally obtained), and then share it out to external accounts. We are addressing this problem by improving our identity management processes related to new student applicants, and building out better detection capabilities in our SIEM that utilize IP reputation services. Thanks, [image: Aims Community College Top Work Places 2018 - The Denver Post] *Blake Ketcham* Director, Information Security Information Technology Aims Community College 970.235.1198 blake.ketcham () aims edu 5401 W. 20th Street Greeley, CO, 80634 www.aims.edu Virtual Tour <https://www.aims.edu/prospective/campus-tour.php#> <https://www.aims.edu/about/social-media/> On Mon, Sep 21, 2020 at 3:13 PM Amanda Williams <akwilliams () pittstate edu> wrote:
Hi Steven, Do you know in what respect are these domains “identified”? Meaning that the source IP address used by the “student” resolves to a DNS A (Address) Record in these domains? They used these domains as the last part of an e-mail address while registering? Any additional information would be great! Thank you, *Amanda Williams* IT Security Officer Pittsburg State University 620.235.4657 Simple. Safe. Smart. You are receiving this email because you are a Pittsburg State University student, employee, or other University community member. If you have questions or concerns regarding the validity of this email, please contact the individual or department that sent this email, ITSecurity () pittstate edu , or Gorilla Geeks at 620-235-4600 <callto:620-235-4600>. ------------------------------ *From:* The EDUCAUSE Security Community Group Listserv < SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Steven Saine < steven.saine () RCCC EDU> *Sent:* Monday, September 21, 2020 6:56 AM *To:* SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU> *Subject:* Re: [SECURITY] Admissions application bot activity Here is some information regarding fake applications that has been shared with us previously. Not sure if it will help or not. It was noticed fake applications were coming from these domains. The ‘bad’ domains identified are: • armyspy(dot)ga • rhyta(dot)cf • teleworm(dot)tk • jourrapide(dot)gq • dayrepa(dot)ml Common conditions identified from the bad applications are: • They're all allegedly new students, not matching with any existing Colleague records. • They all list dates of birth in the year 1999, either 20 or 21 years old. • They're all listed as male. • They're all listed as residing in a state other than North Carolina. • They're all listed as unemployed (not seeking). • They all list personal enrichment as their educational goals. • They all have the race and ethnicity left unlisted. • Most tellingly, each of these fake applications lists a residency certification number (RCN) that either belongs to someone else entirely or isn't a real RCN, but it's always listed as a ten-digit number beginning with "1100" as if it was a real RCN. *Steven B. Saine* Director of Information Security, Construction Management, and Audit Rowan-Cabarrus Community College 1333 Jake Alexander Blvd. Salisbury, NC 28146 Telephone: (704) 216-3561 steven.saine () rccc edu helpdesk () rccc edu *From:* The EDUCAUSE Security Community Group Listserv < SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Czarapata, Paul (KCTCS) *Sent:* Friday, September 18, 2020 5:46 PM *To:* SECURITY () LISTSERV EDUCAUSE EDU *Subject:* [SECURITY] Admissions application bot activity Dear colleagues, Sorry for the cross-post, but we have a bit of a situation here at KCTCS. We have been getting tens of thousands of fake admissions applications over the past 6 weeks. We have re-captcha implemented and they are still getting through, but at such a pace there is no way a human can be doing it. The network team is watching the IP addresses and blocking, but then they just pop up from somewhere else. Our student team is working on a pin code process, but that's not ready yet. We don't have an admissions application fee either, or that would likely stop them. I was just curious if anyone else had seen this happening and if you have stopped it, what you did? Thank you in advance - PC ______________________________________________________________________ *Paul Czarapata, Ed.D.* Vice President/Chief Information Officer Kentucky Community & Technical College System 300 North Main Street Versailles, KY 40383 O: 859/256-3248 Your success equals our success. <https://urldefense.proofpoint.com/v2/url?u=https-3A__twitter.com_pczarapata&d=DwMFAw&c=yW7i6Vsv6ZXp9FaTXPPdsQ&r=EvH8T5wYRt0eLcNCvDFq2AYlWeMQMykLeiDSPhbgCo8&m=R1rPsB4E9h5HIJm97B1zmQ9rSbAPwjdOlJPapqI1AZo&s=Uod4IU_795qPLsXizAHjBh8xMWfiimUn1atV3jLAkKQ&e=> <https://urldefense.proofpoint.com/v2/url?u=https-3A__linkedin.com_in_pczarapata&d=DwMFAw&c=yW7i6Vsv6ZXp9FaTXPPdsQ&r=EvH8T5wYRt0eLcNCvDFq2AYlWeMQMykLeiDSPhbgCo8&m=R1rPsB4E9h5HIJm97B1zmQ9rSbAPwjdOlJPapqI1AZo&s=ZBPYZL9Im1pAG_qTPIw2PrmGdCsPHmz4wQw-s5ftpTs&e=> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.facebook.com_KCTCS&d=DwMFAw&c=yW7i6Vsv6ZXp9FaTXPPdsQ&r=EvH8T5wYRt0eLcNCvDFq2AYlWeMQMykLeiDSPhbgCo8&m=R1rPsB4E9h5HIJm97B1zmQ9rSbAPwjdOlJPapqI1AZo&s=Fiw5kNAmBOhzIHHLeRqkTtTYsSmo5roS9EkJ_SuvczA&e=> *Training and Learning Center* <https://urldefense.proofpoint.com/v2/url?u=http-3A__kctcs.edu_tlc&d=DwMFAw&c=yW7i6Vsv6ZXp9FaTXPPdsQ&r=EvH8T5wYRt0eLcNCvDFq2AYlWeMQMykLeiDSPhbgCo8&m=R1rPsB4E9h5HIJm97B1zmQ9rSbAPwjdOlJPapqI1AZo&s=1KgQclU5CpTtGwvEZNPSaJk6zl5fRR-I-J5UnTtpufc&e=> * | **Technology Solutions Help Desk* <https://urldefense.proofpoint.com/v2/url?u=http-3A__ithelpdesk.kctcs.edu_&d=DwMFAw&c=yW7i6Vsv6ZXp9FaTXPPdsQ&r=EvH8T5wYRt0eLcNCvDFq2AYlWeMQMykLeiDSPhbgCo8&m=R1rPsB4E9h5HIJm97B1zmQ9rSbAPwjdOlJPapqI1AZo&s=us2w0M5RQ6JAsIa0mXJ43i0hnX8yRYZY_JLB0idqAv8&e=> *| Technology Communications Center <https://urldefense.proofpoint.com/v2/url?u=http-3A__kctcs.edu_tcc&d=DwMFAw&c=yW7i6Vsv6ZXp9FaTXPPdsQ&r=EvH8T5wYRt0eLcNCvDFq2AYlWeMQMykLeiDSPhbgCo8&m=R1rPsB4E9h5HIJm97B1zmQ9rSbAPwjdOlJPapqI1AZo&s=R0XVRVsoYnrc1E2qPVIsLee-qfn7aNRjF13GYsxWofs&e=>* ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.educause.edu_community&d=DwMFAw&c=yW7i6Vsv6ZXp9FaTXPPdsQ&r=EvH8T5wYRt0eLcNCvDFq2AYlWeMQMykLeiDSPhbgCo8&m=R1rPsB4E9h5HIJm97B1zmQ9rSbAPwjdOlJPapqI1AZo&s=bIAwa5LAU-0OKm-EB5CatP--FBMiI2dP6BsJfPo52fA&e=> E-mail correspondence to and from this address may be subject to the North Carolina Public Records Law and may be disclosed to third parties by an authorized state official. (NCGS.Ch.132) ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.educause.edu_community&d=DwMF-g&c=spdyCQlbcMzVK9-MvWb-WQ&r=-kYucs-vtuoNxJe853RClse3h_pVj0vDpCe5zu7ybmg&m=tXOzU7CHhGDNn4CruNtpfCYbikm2EyiTZDANSWy8gp4&s=aspBA2IhB8wGife20Gm_bfrEhT3BiZDzACsONZLuMf8&e=> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.educause.edu_community&d=DwMF-g&c=spdyCQlbcMzVK9-MvWb-WQ&r=-kYucs-vtuoNxJe853RClse3h_pVj0vDpCe5zu7ybmg&m=tXOzU7CHhGDNn4CruNtpfCYbikm2EyiTZDANSWy8gp4&s=aspBA2IhB8wGife20Gm_bfrEhT3BiZDzACsONZLuMf8&e=>
********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Current thread:
- Admissions application bot activity Czarapata, Paul (KCTCS) (Sep 18)
- Re: Admissions application bot activity Mac McGaughy (Sep 18)
- Re: Admissions application bot activity Steven Saine (Sep 21)
- Re: [EXTERNAL] Re: [SECURITY] Admissions application bot activity Smith, Jason (Sep 21)
- Re: [EXTERNAL] Re: [SECURITY] Admissions application bot activity Jones, Mark B (Sep 21)
- Re: [EXTERNAL] Re: [SECURITY] Admissions application bot activity Steven Saine (Sep 21)
- Re: [EXTERNAL] Re: [SECURITY] Admissions application bot activity Smith, Jason (Sep 21)
- Re: Admissions application bot activity Chester, Heather (Sep 21)
- Re: Admissions application bot activity Hagan, Sean (Sep 21)
- Message not available
- Re: Admissions application bot activity Wesolowski, Nathan R. (Sep 22)
- Re: Admissions application bot activity Blake Ketcham (Sep 21)
- Re: Admissions application bot activity Steven Saine (Sep 22)
- Re: Admissions application bot activity Amanda Williams (Sep 22)
- <Possible follow-ups>
- Re: Admissions application bot activity Wesolowski, Nathan R. (Sep 22)
- Re: [EXTERNAL] Re: [SECURITY] Admissions application bot activity Smith, Jason (Sep 22)
- Re: Admissions application bot activity Wesolowski, Nathan R. (Sep 22)