University of Iowa among top phishing targets, Kaspersky Lab says

The Pentacrest, including the Old Capitol, Jessup Hall, Macbride Hall, MacLean Hall, and Schaeffer Hall, in an aerial photograph in Iowa City on Thursday, July 14, 2016. (Stephen Mally/The Gazette)

A widely used global cybersecurity firm — scrutinized last year for its ties to Russia — reported this week that universities are prime prey for fraudsters, and that the University of Iowa is a favorite target.

University-specific phishing scams — like those aimed at UI students, staff and faculty — often involve fraudulent webpages designed to impersonate official school sites. Once users land on false pages, they’re duped into sharing personal information like account credentials, IP addresses or location data.

In the last year, Moscow-based Kaspersky Lab observed 49 attempted phishing attacks on the University of Iowa — about 5.1 percent of the total attacks Kaspersky observed, making the UI the third most targeted school on the company’s radar.

The latest UI-specific phishing iteration — a faux HawkID login page — remains active, according to Nadezhda Demidova, a Russia-based security researcher for Kaspersky Lab.

“Kaspersky Lab products prevent our clients from being redirected to this page and other similar phishing pages,” Demidova told The Gazette by email.

Kaspersky Lab — which for 20-plus years has employed “security solutions and services to protect businesses, critical infrastructure, governments and consumers,” according to its website — has more than 270,000 corporate clients and protects more than 400 million users globally.

But, in the wake of reports Russia interfered with the 2016 election, President Donald Trump last December signed a law banning government use of Kaspersky Lab software amid concerns over its Russia ties and potential Kremlin influence. Kaspersky Lab has denied government connections and offered source code information for independent inspection.

U.S. officials called that insufficient, and Kaspersky sued. A court upheld the government ban in May, and Kaspersky appealed.

“Kaspersky Lab remains hopeful that in the end the court will find the law unconstitutional after full consideration of the case on the merits,” according to a Kaspersky statement to The Gazette.

In that statement, Kaspersky officials stressed the software never was banned from U.S. consumer or business use — giving it a trove of blocked phishing scams to analyze. And Kaspersky this week reported researchers since September 2017 have detected 961 attacks on 131 universities in 16 countries.

Of the 131 targeted schools, 83 were in the United States and 21 in Britain. Australia and Canada each had seven, and well-known universities in countries like Finland, India, Hong Kong, New Zealand and Switzerland had at least one phishing attack, according to Kaspersky.

The firm listed hardest-hit higher education targets as the University of Washington, with about 12 percent of the attacks; Cornell University, with about 7 percent; and the University of Iowa, with about 5 percent.

“The statistics and examples in this report are based on phishing attack attempts that were blocked by Kaspersky Lab products, rather than successful phishing attacks,” Kaspersky Lab communications specialist Meghan Rimol told The Gazette. “To Kaspersky Lab’s knowledge, the University of Iowa has not faced a data breach as a result of these attack attempts.”

UI doesn’t use Kaspersky software, per the year-old law barring government agencies from doing so. UI spokeswoman Anne Bassett added UI never has used Kaspersky “as a primary software vendor on campus,” although some units might have bought some software at some point previously, she said.

The university hasn’t been in contact with Kaspersky about its recent research and findings highlighting attacks against the UI. And UI Chief Information Security Officer Shari Lewison told The Gazette she’s unfamiliar with Kaspersky’s research methods.

But, Lewison said, email spam is a challenge, and since September 2017 the university has seen six phishing attacks similar to those described in the Kaspersky report. For context, according to Lewison, the UI receives about 1.2 million emails a day and 60 percent of those are identified as potentially malicious and kept from entering the system.

“Due to the constantly changing threats, we continuously assess how we protect our students, faculty and staff from becoming victims of phishing attacks,” she said.

According to Kaspersky, phishing attacks on universities can vary, but most are fraudulent websites created to mimic real ones — collecting private information from students, researchers, lecturers and faculty that scammers can use for identity theft or other targeted attacks.

Demidova said, when successful, phishing can come with a financial cost. The UI’s Lewison said Iowa doesn’t have figures or estimates about the expense of the attacks it identified over the last year.

“There is certainly a time investment in our efforts to prevent these attacks … and to mitigate them when they occur,” Lewison said.

Kaspersky’s data did not reveal phishing attacks on Iowa State University, the University of Northern Iowa or any of Iowa’s private colleges and universities, according to Demidova, who said that doesn’t mean they haven’t been targeted.

“Typically, phishing fraudsters choose the largest and the most popular educational institutions to be their victims,” she told The Gazette.

One institution might be targeted more than another for several reasons, according to Demidova, including the type of research it conducts or data fraudsters acquire — like student lists.

“One of the most important factors is the level of security on the university website,” according to Demidova. “If the website has proper security solutions in place and requires two-factor authentication, it can prevent a fraudster from accessing the system.”

Iowa’s public universities have updated information technology security in recent years, and State Auditor Mary Mosiman several years ago called it imperative that universities encrypt employee handheld devices.

UI has bolstered its technical protections with mandatory training for some employees, regular phishing warnings and maintenance of an active list of phishing examples. It has also pushed user reporting and is working on new “email hygiene” initiatives like implementing two-factor authentication for email, tagging mail from outside UI as “external” and exploring an authentication system to help protect against phishing.

Comments: (319) 339-3158
