DomainGuard has identified a scam operation consisting of fake university websites pretending to be accredited U.S. postsecondary institutions. The scammers create realistic-looking websites and attempt to trick individuals into paying a registration fee for the university.
These universities are NOT accredited U.S. postsecondary institutions, despite their websites claiming so, and are registered under the .university domain suffix rather than the traditional, safer .edu. We explain later in this post why .edu is safer.
Below you’ll find an investigation into one of the 18 fake universities identified, followed by general cyber-security guidance on the matter.
Investigation: University of Wayne State, Pennsylvania
At first glance, the site in the image above looks like any other university website: a list of schools, programs, accreditation information, and even a portal where active students and alumni can log in. What more could you ask for? However, when digging deeper, DomainGuard identified that this is a fake university being used to conduct scams, and worse, it was just one of 18 identified sites. DomainGuard suspects there are far more than the ones we list at the bottom of this post.
One standard method of verifying an institution, especially one that claims to have a physical campus, is cross-referencing the provided address with common map providers such as Google Maps, Apple Maps, and OpenStreetMap.
Below you’ll see we entered the provided address into Google Maps, and the location points to a legitimate high school in Pennsylvania, Radnor High School, NOT “Wayne State University”. The scammers pick addresses of real campuses in an attempt to camouflage themselves as part of that institution.
The fake university claims to hold accreditation from multiple accrediting bodies. None of these accrediting bodies are real, and their websites are likely managed by the scammers themselves.
DomainGuard also looked up “Wayne State University” using the U.S. Department of Education’s accredited postsecondary institution lookup tool, which returned no results for this university.
Russian Based Website
If the evidence above wasn’t overwhelming enough, this should be the nail in the coffin. Using URLScan, a URL scanning tool popular in the cyber-security industry, we can retrieve information about the website without navigating to it directly. In the results, you will see this website’s primary IP address is located in Moscow Oblast, Russia. It seems suspicious for a “Pennsylvania” based university to be operated by a hosting provider in Russia.
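The three checks above (printed address, accreditation status, hosting location) can be scripted so that every newly discovered site is triaged the same way. The Python below is an added example, not DomainGuard’s tooling: the accreditation rows, the geocoder hit, the scan result, the domain fake-campus.example and the 192.0.2.10 address are all constructed stand-ins for the real lookups described in the post, and the field names are assumptions rather than the schemas of those services.

```python
"""Offline triage of a site's claim to be an accredited U.S. institution.

Added example, not DomainGuard's tooling. Every data source below is a
constructed stand-in for the real checks the post describes:
  - ACCREDITATION_ROWS stands in for the U.S. Department of Education lookup
    (column names are assumed, not the real export schema);
  - GEOCODE_HIT stands in for a maps lookup of the printed street address;
  - SCAN_RESULT mimics a URLScan-style result (field names assumed).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Claim:
    name: str           # name the site gives itself
    claimed_state: str  # state the site says the campus is in
    address: str        # street address printed on the site
    domain: str         # domain the site is served from


# Generic words dropped before comparing institution names.
FILLER = {"the", "of", "university", "college", "institute", "at", "in"}


def normalize(name: str) -> str:
    """Lower-case, strip punctuation and filler so that 'University of X State'
    and 'X State University' compare equal."""
    words = re.findall(r"[a-z0-9]+", name.lower())
    return " ".join(w for w in words if w not in FILLER)


def check_accreditation(claim, rows):
    """Finding unless an accredited institution with this name exists in the claimed state.
    A name match in a different state is the 'borrowed name' pattern seen in this scam."""
    wanted = normalize(claim.name)
    for row in rows:
        if normalize(row["institution"]) == wanted:
            if row["state"] == claim.claimed_state:
                return []
            return [f"'{claim.name}' resembles an accredited institution located in "
                    f"{row['state']}, not {claim.claimed_state}"]
    return [f"no accredited institution named '{claim.name}' found"]


def check_address(claim, geocode_hit):
    """Finding when the place at the printed address is not the claimed institution."""
    if normalize(geocode_hit["name"]) == normalize(claim.name):
        return []
    return [f"address resolves to '{geocode_hit['name']}', not the claimed campus"]


def check_hosting(claim, scan_result):
    """Finding when the site's primary IP is outside the country it claims a campus in."""
    page = scan_result["page"]
    if page["domain"] != claim.domain:
        return ["scan result is for a different domain; re-scan before trusting it"]
    if page["country"] != "US":
        return [f"hosted at {page['ip']} in {page['country']} ({page['city']}) "
                f"despite claiming a U.S. campus"]
    return []


def triage(claim, rows, geocode_hit, scan_result):
    """Run all three checks and return the list of findings (empty means nothing suspicious)."""
    return (check_accreditation(claim, rows)
            + check_address(claim, geocode_hit)
            + check_hosting(claim, scan_result))


# --- constructed sample data (placeholders, not real records) ---
CLAIM = Claim(name="University of Wayne State", claimed_state="PA",
              address="<street address printed on the site>", domain="fake-campus.example")
ACCREDITATION_ROWS = [
    {"institution": "Wayne State University", "state": "MI"},
    {"institution": "Placeholder State College", "state": "PA"},
]
GEOCODE_HIT = {"name": "Radnor High School", "category": "school"}
SCAN_RESULT = {"page": {"domain": "fake-campus.example", "ip": "192.0.2.10",
                        "country": "RU", "city": "Moscow Oblast"}}

FINDINGS = triage(CLAIM, ACCREDITATION_ROWS, GEOCODE_HIT, SCAN_RESULT)

if __name__ == "__main__":
    for finding in FINDINGS:
        print("-", finding)
```

Each check is independent and returns a plain list, so the same functions can be fed real export rows, a real geocoder response and a real scan result once the field names are mapped; a site that is genuine produces an empty list, while the constructed claim above produces one finding per check.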
Why would individuals go through a significant undertaking to create fake websites for universities that do not exist?
DomainGuard believes the primary motive is financial. There are many different flavors of this type of scam. We’ve seen fake banks, fake pet breeders, fake online retail stores, and much more. The tricky part for the scammers is not creating the website but getting users onto their fake websites so that they can conduct their scams. Recently, scammers have been using paid advertisements as part of their scams to get users onto their sites.
Command and Control
By using a .education top-level domain, DomainGuard believes these websites create a false sense of authenticity and would be good candidates for use in a breach or data-exfiltration scenario where a compromised computer communicates with one of these entities. They are good candidates because they appear non-malicious at first glance, and there is no way of knowing otherwise without digging into each website.
Additionally, many cyber-security products categorize these top-level domains as “education”, a category they treat as safe. Even if an analyst were to glance at one of these websites, they would only know it was a fake entity if they took the time to analyze the website and the relevant technical information.
At the time of this writing, all the sites listed below are indexed by Google and come up as the top result if you type in the name of the fake university.
Cyber-Security Industry Guidance
Top Level Domains
We alluded earlier in this blog post to .edu domains being safer, and there’s a very valid reason why. .edu domains must be registered with Educause, and registrants must meet certain eligibility requirements. If you were to attempt to register a .edu domain, you would be asked to provide evidence of being an institutionally accredited postsecondary institution recognized by the U.S. Department of Education.
On the other hand, anyone can register a .education or a .university domain, as these are unrestricted TLDs with no verification process to ensure the domains are education-affiliated, which is why the domains we’ve identified are conducting scams using these TLDs. Because .education TLDs are so closely related to .edu, we fear this could create confusion and add to a false sense of authenticity as users view sites using these TLDs, the same false sense of authenticity these scammers rely on in their fake university scam.
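Taken together, the Command and Control section and the TLD discussion above give a defender a concrete hunt: traffic to an unrestricted, education-themed TLD gets a benign category from most products, so instead of relying on the category, pull those domains out of the proxy logs and look at them directly. The Python below is an added example, not DomainGuard’s code; the log format, the host names, the allow list, the beaconing tolerance and the TLDs beyond .education and .university are assumptions constructed for the demonstration, and TLD extraction is simplified to the last label.

```python
"""Hunt proxy logs for traffic to education-themed but unrestricted TLDs.

Added example, not DomainGuard's tooling. The log format, allow list and host
names are constructed for this demonstration. TLD handling uses the last label
only (a production version should consult the Public Suffix List). .education
and .university are the TLDs named in the post; the other entries in
UNRESTRICTED_EDU are further unrestricted gTLDs added here as an assumption.
"""
import re
from collections import defaultdict
from datetime import datetime

# .edu is restricted: Educause issues it only to accredited postsecondary institutions.
RESTRICTED_EDU = {"edu"}
# Anyone can register under these, so the label alone proves no education affiliation.
UNRESTRICTED_EDU = {"education", "university", "academy", "school", "college", "institute"}

# Constructed allow list of registrable domains the organisation already vetted.
ALLOWLIST = {"placeholder-lms.education"}

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) host=(?P<host>\S+) status=(?P<status>\d+)$")


def parse_line(line):
    """Parse one constructed proxy log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "src": m["src"], "host": m["host"].lower(), "status": int(m["status"])}


def registrable_domain(host):
    """Last two labels, e.g. 'portal.x.university' -> 'x.university' (simplification)."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def tld_class(host):
    """Classify a host name by its top-level domain."""
    tld = host.rstrip(".").rsplit(".", 1)[-1]
    if tld in RESTRICTED_EDU:
        return "restricted-edu"
    if tld in UNRESTRICTED_EDU:
        return "unrestricted-edu"
    return "other"


def looks_periodic(times, tolerance_s=5):
    """True when three or more requests are spaced at a near-constant interval,
    the shape a check-in loop from a compromised host tends to leave in logs."""
    if len(times) < 3:
        return False
    t = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(t, t[1:])]
    return max(gaps) - min(gaps) <= tolerance_s


def hunt(lines):
    """Return one finding per (client, registrable domain) pair under an unrestricted
    education-themed TLD that is not on the allow list, with a periodicity flag."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None or tld_class(ev["host"]) != "unrestricted-edu":
            continue
        dom = registrable_domain(ev["host"])
        if dom in ALLOWLIST:
            continue
        events[(ev["src"], dom)].append(ev["ts"])
    return [{"src": src, "domain": dom, "count": len(times), "periodic": looks_periodic(times)}
            for (src, dom), times in sorted(events.items())]


# Constructed sample log: one regular check-in loop, one allow-listed site,
# one genuine .edu site, one single hit, and one malformed line.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z src=10.0.0.5 host=portal.placeholder-campus.university status=200",
    "2024-05-01T10:01:12Z src=10.0.0.7 host=lms.placeholder-lms.education status=200",
    "2024-05-01T10:02:30Z src=10.0.0.9 host=www.placeholder-state.edu status=200",
    "2024-05-01T10:05:00Z src=10.0.0.5 host=portal.placeholder-campus.university status=200",
    "2024-05-01T10:07:45Z src=10.0.0.5 host=cdn.placeholder-school.education status=200",
    "garbage line that does not parse",
    "2024-05-01T10:10:01Z src=10.0.0.5 host=portal.placeholder-campus.university status=200",
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

The output is a short list to review by hand: the allow-listed and .edu hosts never appear, and the client that contacts the same .university domain every five minutes is marked periodic, which is the case an analyst would take to a full investigation of the site. Tune the allow list and the tolerance to the environment; on a large estate the pair count alone keeps the review manageable.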
As an exercise, we registered the domainguard.education domain and configured it to redirect to this blog post, proving anyone can register a domain with the .education TLD, even with no affiliation to anything to do with education.
domainguard.education redirects to this blog post.
HTTPS Does NOT Guarantee Security
As cyber-security professionals, we have to be mindful of the verbiage we use when describing security controls, especially to users. For example, below we’ve screenshotted a post that gives users a helpful security tip: sites with the green lock using HTTPS are more secure than sites without HTTPS.
Where this creates problems is that users aren’t given the full context. Most phishing and fraudulent activity identified by DomainGuard is conducted on websites using HTTPS. HTTPS does not guarantee that a site is “secure”, and at DomainGuard we feel posts like the one below may even create a false sense of security for users.
While HTTPS is good in that the data between you and the website is encrypted, it does not mean that the website you are submitting your data to is a legitimate entity, and it’s important to emphasize that phishing and fraud occur on websites using HTTPS. In summary, the data you submit over HTTPS may be encrypted between you and the website, but you may still be submitting it to a malicious entity.
Please DO NOT navigate to the sites below, as they are likely operated by threat actors. The information provided below is included to raise awareness of this type of scam and to provide threat intelligence to cyber-security researchers. The domains are intentionally escaped using brackets.
Fake Accrediting Bodies \ U.S. Educational Institutions: