Security

Beware of the Zombie College Scam Haunting Higher Education

In the wake of dozens of college closures in recent years, some universities have risen from the dead online, and they’re hungry for your data.

Adam Stone

Adam Stone writes on technology trends from Annapolis, Md., with a focus on government IT, military and first-responder technologies.

Some 12,000 colleges closed between 2004 and 2020, with at least 72 more folding since then. But what’s scarier than a school that has died? An undead college, of course — and it’s a lot more than a silly Halloween prank.

Zombie colleges are very real and potentially very dangerous, symptomatic of a larger trend that still-living schools need to take seriously: impersonation in the service of cybercrime.

Click the banner to learn how a zero-trust approach could hold zombie identities at bay.

Inside the Zombie College Scam

In the zombie college scam, bad actors go trick-or-treating in search of personal information, financial details and, ultimately, profit. Their costumes take the form of websites that look just like those of schools that have gone to meet their maker.

“The fake sites are set up in the DNS system in a way that is so close, when you end up doing a Google search, these pop up to the top,” says Rob Lee, chief of research and head of faculty at SANS Institute. “They’re banking on the complete similarity to the original sites.”

Prospective students who go astray could be fooled into disclosing personal data, including financial details.

“If you think about the amount of personal information that you give to a potential college when you’re applying for admission or applying for financial aid, it’s pretty extensive,” says Kari Kammel, director of the Center for Anti-Counterfeiting and Product Protection at Michigan State University.

While that’s plenty spooky, it may not be enough put a scare into IT teams looking to safeguard institutions that are still up and running. It should, though, because this kind of hocus-pocus is being used in other ways to target living, breathing institutions.

Scammers in Disguise Deliver Freaky Frights

At its heart, the zombie scam is an impersonation scheme, and that kind of manipulation takes place all the time in higher education, with bad actors bobbing for apples among current students, faculty and staff.

At the University of Pennsylvania, for example, students received a fraudulent email that appeared to come from the board of trustees. The malicious missive described the university as “beholden to the richest, scummiest people out there.”

You could say: ‘Build me a website for this university, and here’s the faculty, and here are all their profiles.’ And that legitimate AI tool will build a pretty good website for you.”

Kayne McGladrey Senior Member, Institute of Electrical and Electronics Engineers

At Loyola Marymount University, the IT department has warned students to beware of fake job offers, through which online vampires attempt to suck up personal information.

In fact, the university has implemented a feature in its email system that aims to notify students of emails that come from outside the school community. “This change is being made to make it easier for anyone identify potential job and internship scam email,” school officials noted.

And at Kansas State University, a recent phishing exploit involved an email purportedly from a department head, asking a staff member to download a file related to a pay adjustment. The worker brushed away the cobwebs and checked with the alleged sender — who didn’t send the email. The whole thing was a hoax.

These days, too, it doesn’t take supernatural skill to run these cons, just a bit of artificial intelligence.

AI Adds a Spooky Twist to Zombie College Scams

In the case of zombie colleges, AI can bring defunct schools back to life cheaply and easily.

With off-the-shelf AI tools, “you could say: ‘Build me a website for this university, and here’s the faculty, and here are all their profiles.’ And that legitimate AI tool will build a pretty good website for you,” says IEEE Senior Member and longtime security professional Kayne McGladrey.

To create the zombie site, the bad actors don’t just copy the school colors and other visuals.

“They go out online and find different ways that the university communicated with the students, in what form. A lot of this stuff may be publicly available,” Lee says. “And then, you literally train your AI to replicate that language, the sound.”

Want to send an email that sounds like it came from the dean? AI can help. At Texas A&M University, for example, “Gig ‘Em” is the Aggies’ universal sign of approval. “How would someone in Eastern Europe even know that?” Lee asks. They might not, but AI trained on the school’s content surely would.

Kammel has on her desk a pair of counterfeit Michigan State shoes, with Michigan spelled wrong. That kind of thing used to make phishing emails easier to spot. With generative AI, an impersonation “is much harder to detect, and when it’s harder to detect, it’s harder to stop,” she says. “It’s making it easier to replicate an email without all the typos and the errors.”

SPOOKY: Are your AI chatbots giving away more information than they should?

Fear Not! A Guide for Sending Zombie Colleges Back Underground

Alright, fear a little, but then buck up: There is much that IT can do in this situation. When it comes to impersonation emails, it’s user training, first and foremost.

Teach the students, faculty and staff how to spot and report suspect communications. With scammers potentially generating emails from sites with URLs that are almost but not quite the same as yours, “you need people to become a little bit more suspicious,” Lee says.

Institutions also can lean on the tools they already have in place. With domain-based email controls, for example, “emails that are being sent from or to those domains are very hard to impersonate,” McGladrey says.

IT teams can also call for help, reporting suspicious activity to law enforcement and others. The federal Cybersecurity and Infrastructure Security Agency “is absolutely trying to do community outreach, to help educational institutions scale their cybersecurity capabilities appropriately,” he says.

Finally — and without wishing to be macabre — we need to address another grim scenario.

Suppose your school already has one foot in the grave. It’s folding or merging, or it may be doing one of those soon. There’s powerful incentive for IT to put a strong lock on the cemetery gates to ensure that school doesn’t reemerge in zombie form.

NOT JUST ZOMBIES: What are ghost students, and how scary can they be?

For a security professional, if your school goes kaput and its digital profile then gets hijacked, “that tends to look bad on your resume,” McGladrey says. No one wants to be haunted by that.

So before shutting off the lights for good, find all the domains associated with your institution. “If you’re not going to be hosting your own DNS servers, transfer those to a new domain registrar or to a new owner,” he says. “Plan to redirect to a real website, or make sure that you’ve got a website up that says: ‘Hey, we’re out of business. We are no longer a functioning educational institution.’”

Implement strong DNS security to prevent impersonations, along with domain-based email controls.

“If email security is set up in a perpetual manner, it becomes very difficult to impersonate that organization,” McGladrey says. “And make sure that all the social media profiles that were associated with the educational institution have robust controls associated with them, along with a notice of closure.”

With so many schools closing, we lament that some of our readers will no doubt find themselves in this ghoulish circumstance. Still, it’s just good manners to close the crypt door tightly behind you.

gremlin/Getty Images