Re: Admissions application bot activity

[Blake Ketcham <blake.ketcham () AIMS EDU>]

Paul,
We’ve seen similar activity here, and, unfortunately, the vendor for our
hosted admissions application solution has not provided any effective
mitigations. It sounds like you’re hosting your solution and have a bit
more flexibility. In our case, it seems the motive is the cloud storage
that comes with a student account. Once they’ve obtained the account, they
upload vast amounts of mostly video content (likely illegally obtained),
and then share it out to external accounts. We are addressing this problem
by improving our identity management processes related to new student
applicants, and building out better detection capabilities in our SIEM that
utilize IP reputation services.

Thanks,


[image: Aims Community College Top Work Places 2018 - The Denver Post]
*Blake Ketcham*
Director, Information Security
Information Technology
Aims Community College
970.235.1198
blake.ketcham () aims edu
5401 W. 20th Street
Greeley, CO, 80634
www.aims.edu
Virtual Tour <https://www.aims.edu/prospective/campus-tour.php#>
<https://www.aims.edu/about/social-media/>


On Mon, Sep 21, 2020 at 3:13 PM Amanda Williams <akwilliams () pittstate edu>
wrote:

> Hi Steven,
>
> Do you know in what respect are these domains “identified”?  Meaning that
> the source IP address used by the “student” resolves to a DNS A (Address)
> Record in these domains?  They used these domains as the last part of an
> e-mail address while registering?  Any additional information would be
> great!
>
> Thank you,
>
> *Amanda Williams*
>
> IT Security Officer
>
> Pittsburg State University
>
> 620.235.4657
>
>
>
> Simple. Safe. Smart. You are receiving this email because you are a
> Pittsburg State University student, employee, or other University community
> member. If you have questions or concerns regarding the validity of this
> email, please contact the individual or department that sent this email,
> ITSecurity () pittstate edu , or Gorilla Geeks at 620-235-4600
> <callto:620-235-4600>.
>
> ------------------------------
> *From:* The EDUCAUSE Security Community Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Steven Saine <
> steven.saine () RCCC EDU>
> *Sent:* Monday, September 21, 2020 6:56 AM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
> *Subject:* Re: [SECURITY] Admissions application bot activity
>
>
> Here is some information regarding fake applications that has been shared
> with us previously.  Not sure if it will help or not.  It was noticed fake
> applications were coming from these domains.
>
>
>
> The ‘bad’ domains identified are:
>
> •                     armyspy(dot)ga
>
> •                     rhyta(dot)cf
>
> •                     teleworm(dot)tk
>
> •                     jourrapide(dot)gq
>
> •                     dayrepa(dot)ml
>
>
>
> Common conditions identified from the bad applications are:
>
> •                     They're all allegedly new students, not matching
> with any existing Colleague records.
>
> •                     They all list dates of birth in the year 1999,
> either 20 or 21 years old.
>
> •                     They're all listed as male.
>
> •                     They're all listed as residing in a state other
> than North Carolina.
>
> •                     They're all listed as unemployed (not seeking).
>
> •                     They all list personal enrichment as their
> educational goals.
>
> •                     They all have the race and ethnicity left unlisted.
>
> •                     Most tellingly, each of these fake applications
> lists a residency certification number (RCN) that either belongs to someone
> else entirely or isn't a real RCN, but it's always listed as a ten-digit
> number beginning with "1100" as if it was a real RCN.
>
>
>
>
>
> *Steven B. Saine*
>
> Director of Information Security, Construction Management, and Audit
>
> Rowan-Cabarrus Community College
>
> 1333 Jake Alexander Blvd.
>
> Salisbury, NC 28146
>
> Telephone:     (704) 216-3561
>
> steven.saine () rccc edu
>
> helpdesk () rccc edu
>
>
>
> *From:* The EDUCAUSE Security Community Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Czarapata, Paul (KCTCS)
> *Sent:* Friday, September 18, 2020 5:46 PM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* [SECURITY] Admissions application bot activity
>
>
>
> Dear colleagues,
>
>
>
> Sorry for the cross-post, but we have a bit of a situation here at KCTCS.
> We have been getting tens of thousands of fake admissions applications over
> the past 6 weeks.  We have re-captcha implemented and they are still
> getting through, but at such a pace there is no way a human can be doing
> it.  The network team is watching the IP addresses and blocking, but then
> they just pop up from somewhere else.  Our student team is working on a pin
> code process, but that's not ready yet.  We don't have an admissions
> application fee either, or that would likely stop them.  I was just curious
> if anyone else had seen this happening and if you have stopped it, what you
> did?
>
>
>
> Thank you in advance - PC
>
>
>
> ______________________________________________________________________
>
> *Paul Czarapata, Ed.D.*
>
> Vice President/Chief Information Officer
>
> Kentucky Community & Technical College System
>
> 300 North Main Street
>
> Versailles, KY 40383
>
> O: 859/256-3248
>
>
>
> Your success equals our success.
>
>
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__twitter.com_pczarapata&d=DwMFAw&c=yW7i6Vsv6ZXp9FaTXPPdsQ&r=EvH8T5wYRt0eLcNCvDFq2AYlWeMQMykLeiDSPhbgCo8&m=R1rPsB4E9h5HIJm97B1zmQ9rSbAPwjdOlJPapqI1AZo&s=Uod4IU_795qPLsXizAHjBh8xMWfiimUn1atV3jLAkKQ&e=>
>
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__linkedin.com_in_pczarapata&d=DwMFAw&c=yW7i6Vsv6ZXp9FaTXPPdsQ&r=EvH8T5wYRt0eLcNCvDFq2AYlWeMQMykLeiDSPhbgCo8&m=R1rPsB4E9h5HIJm97B1zmQ9rSbAPwjdOlJPapqI1AZo&s=ZBPYZL9Im1pAG_qTPIw2PrmGdCsPHmz4wQw-s5ftpTs&e=>
>
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.facebook.com_KCTCS&d=DwMFAw&c=yW7i6Vsv6ZXp9FaTXPPdsQ&r=EvH8T5wYRt0eLcNCvDFq2AYlWeMQMykLeiDSPhbgCo8&m=R1rPsB4E9h5HIJm97B1zmQ9rSbAPwjdOlJPapqI1AZo&s=Fiw5kNAmBOhzIHHLeRqkTtTYsSmo5roS9EkJ_SuvczA&e=>
>
> *Training and Learning Center*
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__kctcs.edu_tlc&d=DwMFAw&c=yW7i6Vsv6ZXp9FaTXPPdsQ&r=EvH8T5wYRt0eLcNCvDFq2AYlWeMQMykLeiDSPhbgCo8&m=R1rPsB4E9h5HIJm97B1zmQ9rSbAPwjdOlJPapqI1AZo&s=1KgQclU5CpTtGwvEZNPSaJk6zl5fRR-I-J5UnTtpufc&e=>
> * | **Technology Solutions Help Desk*
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__ithelpdesk.kctcs.edu_&d=DwMFAw&c=yW7i6Vsv6ZXp9FaTXPPdsQ&r=EvH8T5wYRt0eLcNCvDFq2AYlWeMQMykLeiDSPhbgCo8&m=R1rPsB4E9h5HIJm97B1zmQ9rSbAPwjdOlJPapqI1AZo&s=us2w0M5RQ6JAsIa0mXJ43i0hnX8yRYZY_JLB0idqAv8&e=>
>  *| Technology Communications Center
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__kctcs.edu_tcc&d=DwMFAw&c=yW7i6Vsv6ZXp9FaTXPPdsQ&r=EvH8T5wYRt0eLcNCvDFq2AYlWeMQMykLeiDSPhbgCo8&m=R1rPsB4E9h5HIJm97B1zmQ9rSbAPwjdOlJPapqI1AZo&s=R0XVRVsoYnrc1E2qPVIsLee-qfn7aNRjF13GYsxWofs&e=>*
>
>
>
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.educause.edu_community&d=DwMFAw&c=yW7i6Vsv6ZXp9FaTXPPdsQ&r=EvH8T5wYRt0eLcNCvDFq2AYlWeMQMykLeiDSPhbgCo8&m=R1rPsB4E9h5HIJm97B1zmQ9rSbAPwjdOlJPapqI1AZo&s=bIAwa5LAU-0OKm-EB5CatP--FBMiI2dP6BsJfPo52fA&e=>
> E-mail correspondence to and from this address may be subject to the North
> Carolina Public Records Law and may be disclosed to third parties by an
> authorized state official. (NCGS.Ch.132)
>
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.educause.edu_community&d=DwMF-g&c=spdyCQlbcMzVK9-MvWb-WQ&r=-kYucs-vtuoNxJe853RClse3h_pVj0vDpCe5zu7ybmg&m=tXOzU7CHhGDNn4CruNtpfCYbikm2EyiTZDANSWy8gp4&s=aspBA2IhB8wGife20Gm_bfrEhT3BiZDzACsONZLuMf8&e=>
>
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.educause.edu_community&d=DwMF-g&c=spdyCQlbcMzVK9-MvWb-WQ&r=-kYucs-vtuoNxJe853RClse3h_pVj0vDpCe5zu7ybmg&m=tXOzU7CHhGDNn4CruNtpfCYbikm2EyiTZDANSWy8gp4&s=aspBA2IhB8wGife20Gm_bfrEhT3BiZDzACsONZLuMf8&e=>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community