Re: [EXTERNAL] Re: [SECURITY] Fake Student Applications/Registrations

[James Valente <jvalente () SALEMSTATE EDU>]

We ran into this late last year up until a few months ago.  The “fix” itself was simple but the business decision 
around getting that in place was a nightmare.  Someone had decided that anyone wishing to take a non-credit course 
should be able to just register immediately without any input from our side. This, per policy, also gave them a 
university email address (because they didn’t want non-campus addresses used for billing).

As a result we had someone scripting thousands of account for creation. They were all use for either the free AWS 
and/or free Azure credits that are given with an .edu email address.

Ultimately we turned off the form since the vast majority of account creations were not legitimate and our initial 
solution was flagging anything suspicious and having the registrar manually approve, which they quickly found 
overwhelming.

James Valente
Associate Director of Information Security
978.542.2739 // GPG Key ID: 0xBF201E0A813AEDD1
SALEM STATE UNIVERSITY
352 Lafayette Street
Salem, MA 01970
salemstate.edu

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Tomassetti, Tina
Sent: Monday, July 27, 2020 13:06
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [EXTERNAL] Re: [SECURITY] Fake Student Applications/Registrations

CAUTION: This email originated from outside of Salem State University. Do not click links or open attachments unless 
you recognize the sender and know the content is safe.
I remembered this happening here too so I got some info from our Asst. Dir of  Administrative Information Systems:

Yes.  We shut down all of the instant admission channels such as Banner Self Service Non Matriculated applications and 
those now are done via Wufoo.  We also added a Re-Captcha to the Wufoo form, and advised the Registrar's Office on what 
to watch for on those forms that would indicate an invalid application.  If they recognize those patterns they follow 
through asking more information from the 'applicant' with a time limit for response.  This has weeded them out over 
time.  We also inactivated all of the invalid ones in Banner/Gmail, etc. that came in before we caught it.


Scot Beekman

Assistant Director of Administrative Information Systems
Information Technology Services
Phone: +1 (607) 778-5255
Email: beekmansa () sunybroome ed<mailto:beekmansa () sunybroome edu>

Tina M. Tomassetti
Assistant Director of Networking and Telecommunications
Information Technology Services
SUNY Broome Community College
PO Box 1017  MS# 63
Binghamton, NY 13902
PH: 607-778-5011
FX: 607-778-5119
tomassettitm () sunybroome edu<mailto:tomassetti () sunybroome edu>


On Fri, Jul 24, 2020 at 4:19 PM Wesolowski, Nathan R. <Nathan.Wesolowski () nwtc edu<mailto:Nathan.Wesolowski () nwtc 
edu>> wrote:
Hello everyone, this is my first time posting here.

Since last weekend we have observed an unusually high number of new student applications/registrations containing fake 
information.  After investigating, I discovered that our College was recently featured on a Chinese blog.  The blog’s 
“educational welfare” category lists dozens of other colleges and universities, along with step-by-step details for 
obtaining free accounts/email addresses  - 
hxxps://404edublog.cf/<https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2F404edublog.cf%2F&data=02%7C01%7Cjvalente%40SALEMSTATE.EDU%7Cb3876fe35da4449792fe08d8324f6489%7C70d32b73b45749d1950c4f78aeffc21b%7C0%7C0%7C637314663857465499&sdata=2uLbMhDQ5Vfu4IFG54Dt9eGxyIunDVPubkjPu3ZBf7g%3D&reserved=0>.

It is obvious that these scammers are after a .EDU email address.  With the ongoing COVID situation, we have waved or 
postponed certain fees in an attempt to reduce any registration barriers.  I believe that this is contributing to our 
problem.  While we have tools in place to help us identify and remove fake identities, I am curious to know what others 
have done about this problem.

Thanks,
Nate

Nate Wesolowski
Information Security Analyst

Northeast Wisconsin Technical College
2740 W. Mason Street
Green Bay, WI 54307
O 920.498.6943 | T 800-422-NWTC
nate.wesolowski () nwtc edu<mailto:nate.wesolowski () nwtc edu> | 
nwtc.edu<https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.nwtc.edu%2F&data=02%7C01%7Cjvalente%40SALEMSTATE.EDU%7Cb3876fe35da4449792fe08d8324f6489%7C70d32b73b45749d1950c4f78aeffc21b%7C0%7C0%7C637314663857465499&sdata=eMY58zJJLgDL2brTNrLHHyIzZ3GRMx5%2FDd8z%2Bcjk8QM%3D&reserved=0>

[cid:image001.jpg@01D664CD.DA8BDA00]



CONFIDENTIALITY: This e-mail (including any attachments) may contain confidential, proprietary and privileged 
information, and unauthorized disclosure or use is prohibited. If you received this e-mail in error, please notify the 
sender and delete this e-mail from your system.

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cjvalente%40SALEMSTATE.EDU%7Cb3876fe35da4449792fe08d8324f6489%7C70d32b73b45749d1950c4f78aeffc21b%7C0%7C0%7C637314663857465499&sdata=UJ3LUndblTfGJv4NQQbiuDgnn8J9EGZRyMlxfb6m86A%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cjvalente%40SALEMSTATE.EDU%7Cb3876fe35da4449792fe08d8324f6489%7C70d32b73b45749d1950c4f78aeffc21b%7C0%7C0%7C637314663857475492&sdata=UohuPVVLJnl5%2BJbuvu5%2FmPZg8zq%2BopyBsIEJ8uIr598%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community