Cyber Criminals Targeting University Payroll Systems

Higher Education faculty and administrators are being targeted with sophisticated spearphishing attacks.

According to a recent advisory issued by Research and Education Networking Information Sharing and Analysis Center (REN-ISAC), Higher Education faculty and administrators are being targeted with sophisticated spearphishing attacks. Cyber criminals harvest credentials and then alter victims’ payroll bank account information to re-route direct deposits to bank accounts controlled by the cyber criminals.

Tactics, techniques and procedures (TTP’s) of the cyber criminals include:

  • Altering direct deposit account information
     
  • Spoofed to appear as if message came from the appropriate department, e.g. HR for “salary increase” lures or IT department if “mailbox exceeded”
     
  • Spoofed login screens that are a close replica of legitimate login screen
     
  • Targeting of faculty and staff
     
  • Using university images within e-mails text
     
  • Spoofed institutional-specific prompts for additional credential information, e.g., PINS, bank account numbers.
     
  • URLs mimicking legitimate (and accessible) portal URLs
     
  • Use of the “salary increase” approach seems to coincide with end of the fiscal year.

The phishing e-mails have contained official institutional images, often via an HTML image link direct to the resource.

Higher Education is a honey pot for the bad guys. We know of dozens more institutions that have been spearphished than are mentioned in the REN-ISAC report.

Greg Wendt, GreyHeller's, Executive Director, Security Solutions

“Higher Education is a honey pot for the bad guys. We know of dozens more institutions that have been spearphished than are mentioned in the REN-ISAC report,” according to Greg Wendt, GreyHeller’s Executive Director of Security Solutions.”

GreyHeller’s Security Suite complies with REN-ISAC’s recommended prevention techniques:

  • Redacting or masking of sensitive data
  • Implementing Two-Factor Authentication at the transaction layer
  • Limiting self-service functions by location – on- or off-campus
  • Detailed and specific logging of the most critical events

“Our recent Security webinar series focused on helping organizations mitigate cybercrime. How to implement Two-Factor Authentication and Logging/Analysis and Incident Response contain information that will thwart the bad guys,” stated Mr. Wendt.

Recordings of the webinars can be found on GreyHeller’s website.  The full REN-ISAC advisory can be found here.

About GreyHeller

San Ramon, California-based GreyHeller serves Oracle® PeopleSoft customers globally across all industries, helping them secure and mobilize their PeopleSoft investment. GreyHeller’s software solutions - PeopleMobile®, ERP Firewall and Single Signon  – are in production at nearly 100 PeopleSoft customers. PeopleMobile® renders PeopleSoft responsive across any mobile device and desktop. ERP Firewall and Single Signon protect PeopleSoft customers from criminal and inadvertent breach. For more information about GreyHeller, please visit www.greyheller.com.


Categories: Security, Computers and Software, IT Security, Colleges and Universities

Tags: 2FA, Firewall, GreyHeller, Security


Additional Links

About GreyHeller, LLC

View Website or Newsroom

GreyHeller enhances your PeopleSoft experience, making it beautiful, mobile and secure.

Kelly Jones
GreyHeller, LLC
GreyHeller, LLC
111 Deerwood Rd. (Suite 200)
San Ramon, CA 94583
United States