Phishers Impersonate Universities to Collect Student Fees

Phishers constantly devise new strategies to improve their chances of duping end users. In February 2011, phishers crafted something new: phishing sites that targeted top universities in the USA and the UK.

In the first example shown, the phishing site spoofed a university based in the UK. The site requested users’ login credentials to process online payments of college fees or university invoices. The login credentials requested were the username, password, and the user’s National Insurance Number. A payment preference was also required: by check or direct credit. After logging in, users were asked to enter their credit card information. In the UK, the National Insurance Number is key identification information for residents. Thus, the motive of the phishing attack was identity theft and, by asking for credit card information, financial gain.

The second example shows another phishing site spoofing a UK-based university. The phishers pretended to be from the finance directorate of the university and asked for the same set of user information as in the previous example. It seems that the intent of impersonating the finance directorate was to instill a sense of urgency in users and encourage them to log into the site. At the top of the phishing site were the address and contact details of the university, probably to convince users that the site was the legitimate one (which, of course, it is not!). It is obvious from the content of the Web page that it was developed unprofessionally, since the word “accurately” is misspelled “aaccurately”. The URL of this phishing site and that of the previous example used an IP domain (for example, domains like, hosted on servers based in Texas, USA.

The third example is a phishing site that spoofed a university based in the USA. Here, as in the previous case, the phishing site prompted the user for login credentials. Upon entering the credentials, users were redirected to the university’s legitimate Web site. It’s interesting to note that the domain name used in the phishing site belonged to a security services company in South Africa that offered armed and unarmed security and clearly had nothing to do with an educational institution.

There are at least 30,000 students studying at each of these universities. The legitimate Web sites of the universities serve students, faculty, and other employees. This means that the login credentials requested in the phishing sites targeted not just students, but a number of other people associated with the university. Evidently, phishers were eyeing a mammoth target with these phishing sites.
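The two URL traits described above (an IP address in place of a host name, and a domain unrelated to the institution) can be checked mechanically when reviewing links from reported email or proxy logs. The following is an added example, not part of the original post; the domain names and URLs are constructed placeholders, and `LEGITIMATE_DOMAINS` is an assumed allowlist a defender would maintain.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: placeholder domains standing in for an institution's real ones.
LEGITIMATE_DOMAINS = {"university.example", "payments.university.example"}

def host_of(url):
    """Return the lower-cased host without port, userinfo or trailing dot."""
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:          # e.g. malformed bracketed IPv6 literal
        return ""
    return host.rstrip(".").lower()

def is_ip_literal(host):
    """True when the host is an IPv4 or IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def belongs_to(host, domains):
    """Match on label boundaries so 'university.example.other.example'
    and 'notuniversity.example' do not pass as the institution."""
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(url, domains=LEGITIMATE_DOMAINS):
    """Classify one URL claiming to be the institution's payment login."""
    host = host_of(url)
    if not host:
        return "unparseable"
    if is_ip_literal(host):
        return "ip-literal-host"
    if not belongs_to(host, domains):
        return "unrelated-domain"
    return "expected-domain"

# Constructed sample URLs (documentation address ranges and .example names).
SAMPLES = [
    "https://payments.university.example/fees/login",
    "http://192.0.2.10/finance/invoice/login.php",
    "http://university.example@198.51.100.7/login",       # userinfo decoy
    "http://university.example.guard-services.example/",  # lookalike prefix
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{triage(u):18} {u}")
```
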

Internet users are advised to follow best practices to avoid phishing attacks:
• Do not click on suspicious links in email messages.
• Avoid providing any personal information when answering an email.
• Never enter personal information in a pop-up screen.
• Frequently update your security software, such as Norton Internet Security 2011, which protects you from online phishing.

Thanks to the co-author of this blog, Avdhoot Patil.