This is an article from University World News, an online publication that covers global higher education. It is presented here under an agreement with The Chronicle.
Unearthing a huge university-related scam in China, an IT security company in the United States has found that Chinese online retailers are selling email addresses from top universities around the world, providing buyers with access to university libraries, journal subscriptions, student discounts and a host of other benefits including access to software developer programmes.
“Recently we found email accounts from top universities across the world being sold on Taobao, the largest consumer-to-consumer e-commerce platform in China,” said Claud Xiao and Rob Downs of Palo Alto Networks, an internet security company based in Santa Clara California.
“Advertised uses for these accounts included registering for special accounts under software developer programmes, receiving student discounts or coupons from retailers and obtaining access to academic databases,” said Xiao and Downs in a company blogpost this month.
Stolen email accounts for sale with a valid password were discovered from some 42 universities in China and overseas. Email accounts for China’s most prestigious universities – including Peking, Tsinghua, Fudan and Nanjing – had been stolen, as had accounts from Hong Kong University.
Stolen accounts from overseas universities included the University of Melbourne in Australia, Toronto University in Canada, Denmark’s Aarhus University, the University of Bologna in Italy, Karolinska Institute in Sweden, ETH Zurich in Switzerland, Nanyang Technological University and the National University of Singapore, Imperial College London and almost two dozen US universities including Harvard, Yale, Stanford, MIT, Columbia, Duke and Cornell.
The most expensive email accounts were listed for sale at CNY2,400 or just over US$390, but others could be had for as little as US$0.16. “The sellers guaranteed that all email accounts were valid, accessible and active,” said Xiao and Downs.
Services
Accounts for major universities such as MIT and Stanford were mainly used to access library services and resources, “including research help, study spaces, print and electronic books and journals and more”, the authors said.
This was borne out by the fact that the majority of the overseas universities were top science institutions.
On contacting some sellers through Taobao’s instant messaging system, “a well-stocked seller told us that every account he sold belonged to an active student at the respective university”, Xiao and Downs said.
“He claimed that once the account was sold, only the one buyer and the legitimate user would have access. He recommended not changing the account password to avoid detection by the legitimate user.
“Another seller offered to provide real identity information for a stolen account so the buyer could change the corresponding password and security questions. This type of account access was the most expensive and least flexible in terms of customisation,” including of usernames and institutions.
Other sellers were also able to offer customisable email accounts from a specific domain or institution, for example a buyer can request a custom username for a particular institution.
“As with most criminal enterprises, not all sellers on Taobao use their real identity, presenting a challenge in tracking down the individuals behind this activity,” Xiao and Downs said.
Although sellers on Taobao must produce a valid Chinese citizen ID number, “identity theft is a global concern and the Chinese citizen ID is no exception, allowing for potential sellers to simply purchase a usable identity online”.
In late August, Palo Alto Networks reported the findings to Taobao, part of the giant Alibaba trading group in China.
According to Xiao and Downs, Taobao’s response was that they were addressing the issue and had already removed a number of the suspect items, with others requiring further investigation.
However, the malicious seller activity may also reveal a larger scale problem within university systems, the authors note. “Through the types of accounts advertised on Taobao, an attacker can steal a student or staff account, assume their identity, and gain unauthorised access to standard university resources.”
“More sophisticated and nefarious uses include using such accounts for engineering or phishing attacks or using them to gain access to university financial or research databases to steal information.”
A number of institutions that have been affected have already implemented ‘two-factor authentication’ for their high value resources. Nonetheless, the authors believe a residual risk still exists for universities, and have been advising institutions on how to make email accounts more secure.
We’re sorry. Something went wrong.
We are unable to fully display the content of this page.
The most likely cause of this is a content blocker on your computer or network. Please make sure your computer, VPN, or network allows javascript and allows content to be delivered from c950.chronicle.com and chronicle.blueconic.net.
Once javascript and access to those URLs are allowed, please refresh this page. You may then be asked to log in, create an account if you don't already have one, or subscribe.
If you continue to experience issues, contact us at 202-466-1032 or help@chronicle.com