Educause Security Discussion mailing list archives

Re: Admissions application bot activity


From: "Wesolowski, Nathan R." <Nathan.Wesolowski () NWTC EDU>
Date: Tue, 22 Sep 2020 20:56:35 +0000

No problem, happy to help.

We are only waiving application fees due to the COVID situation.  Prior to this, scammers would pay with a fraudulent 
eCheck, knowing that it will be some time before the fake account is deactivated.

One more mention for anyone dealing with botnet activity after implementing re-Captcha.  If you are a PeopleSoft school 
and recently upgraded/enhanced your student portal using Inflight, Fluid, etc., make sure that you also take the legacy 
portal pages off-line.  Many times the legacy PeopleSoft navigation is still accessible and indexed by Google, 
providing an unprotected backdoor for programmatic account creation.  I did a quick check for KCTCS and was able to 
find their legacy student portal on Google, which could be contributing to the issue.   Google Query:  
site:students.kctcs.edu intext:"Application for Admission".

This is something that I am also working to address at NWTC.

Nate

Nate Wesolowski
Information Security Analyst

Northeast Wisconsin Technical College
2740 W. Mason Street
Green Bay, WI 54307
O 920.498.6943 | T 800-422-NWTC
nate.wesolowski () nwtc edu<mailto:nate.wesolowski () nwtc edu> | nwtc.edu<https://www.nwtc.edu/>


From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Smith, Jason
Sent: Tuesday, September 22, 2020 10:56 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] [EXTERNAL] Re: [SECURITY] Admissions application bot activity

Great explanation Nate – thanks for this!

I suspect we haven’t experienced this in part because our application process has a fee.

-J


From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> On Behalf Of Wesolowski, Nathan R.
Sent: Tuesday, September 22, 2020 11:40 AM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [EXTERNAL] Re: [SECURITY] Admissions application bot activity

At NWTC, we also see fraudulent student identities, but not to the extent that KCTCS mentioned.  At our site scammers 
are typically after the student .EDU email address and Office 365 license.  This is very apparent based on numerous 
foreign websites hosting step-by-step guides for generating fake college identities.  For example, here are some 
Chinese websites –

hxxps://eduak.com/usedu
hxxp://404edublog.tk
hxxps://www.365tol.top/post/648.html

After obtaining an .EDU address, we find that it is typically used to obtain additional subscriptions, like AWS 
Educate, Azure Education, JetBrains, DigitalOcean, Github Student Dev, etc.  To combat this problem, in the near future 
we will no longer provision .EDU email for new applications.  The bulk of our fake identities are new applicants, 
however we also encounter fake course and program enrollment attempts.  While some attacks have been automated (bot 
activity), the vast majority appear to be individuals creating the accounts.

At this time we leverage our SIEM to automatically identify and deactivate fake identities.  Another thing helpful for 
us was blocking registrations from temporary/disposable email services.  If anyone is interested, here is a list that I 
put together containing 30K+ fake email domains - https://ezproxy.nwtc.edu/public/tempEmailDomains.csv.  I also noticed 
some paid services offering up-to-date lists, but we are not using them at this time.

.EDU email addresses are a valuable commodity, easily worth thousands of dollars in discounted goods and services.  You 
can even find them for sale on eBay.  Unfortunately I do not see this problem going away any time soon, but am hopeful 
that our upcoming changes will help.

Nate

Nate Wesolowski
Information Security Analyst

Northeast Wisconsin Technical College
2740 W. Mason Street
Green Bay, WI 54307
O 920.498.6943 | T 800-422-NWTC
nate.wesolowski () nwtc edu<mailto:nate.wesolowski () nwtc edu> | nwtc.edu<https://www.nwtc.edu/>

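The disposable-domain registration check described above, as an added example that is not NWTC's code or Nate's list: it assumes a one-domain-per-row CSV (the layout of the real file is not stated in the thread) and embeds a constructed five-row sample, using the domains Steven Saine names later in the thread, in place of the 30K-entry file. It normalizes the domain part of the address (case, trailing dot, IDNA) and also rejects subdomains of a listed domain, since a blocklist that matches only exact strings is trivially sidestepped.

```python
import csv
import io

# Constructed sample standing in for the 30K+ row file; format assumed to be
# one domain per row with an optional "domain" header line.
SAMPLE_BLOCKLIST_CSV = """domain
armyspy.ga
rhyta.cf
teleworm.tk
jourrapide.gq
dayrepa.ml
"""


def load_blocklist(csv_text):
    """Parse a one-domain-per-row CSV into a set of lowercase domains.

    A header row named "domain", blank rows and "#" comment rows are skipped.
    """
    domains = set()
    for row in csv.reader(io.StringIO(csv_text)):
        if not row:
            continue
        value = row[0].strip().lower().rstrip(".")
        if not value or value.startswith("#") or value == "domain":
            continue
        domains.add(value)
    return domains


def email_domain(address):
    """Return the normalized domain of an address, or None if it is malformed."""
    address = address.strip()
    if address.count("@") != 1:
        return None
    local, _, domain = address.rpartition("@")
    if not local or not domain:
        return None
    domain = domain.strip().rstrip(".").lower()
    try:
        # Internationalized domains are compared in their ASCII (punycode) form.
        domain = domain.encode("idna").decode("ascii")
    except UnicodeError:
        return None
    return domain


def is_disposable(address, blocklist):
    """True if the address's domain, or any parent domain, is on the blocklist.

    Malformed addresses are treated as rejectable rather than silently allowed.
    """
    domain = email_domain(address)
    if domain is None:
        return True
    labels = domain.split(".")
    # Walk from the full domain up to the second-level domain; the bare TLD
    # is never compared so "ga" on its own cannot block every .ga address.
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in blocklist:
            return True
    return False


if __name__ == "__main__":
    blocklist = load_blocklist(SAMPLE_BLOCKLIST_CSV)
    for candidate in ("john.doe@armyspy.ga", "jdoe@mail.Teleworm.tk.",
                      "jdoe@example.edu", "not-an-email"):
        print(f"{candidate:28} disposable={is_disposable(candidate, blocklist)}")
```

In a registration flow this runs before any account or mailbox is provisioned; a hit should fail closed (reject or hold for review), and the list itself should be reloaded on a schedule because these providers rotate domains.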

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> On Behalf Of Hagan, Sean
Sent: Monday, September 21, 2020 5:36 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Admissions application bot activity

It may be a combination of factors - we've certainly dealt with the financial aid fraud, but in my experience, the 
large volume of applications (botnet or not) is not attempting finaid fraud - they simply want the .edu email 
addresses, and in my experience never for spam (not to say it doesn't happen, but we don't see new accounts spun up 
just to send out spam).

Our experience, and those of some similar institutions, leads me to believe the primary motivation is free/discounted 
services accessible to .edu emails - be that from Microsoft, Amazon, Google, or others.

We also saw a pretty broad educational software purchase scam involving stolen credit cards/Paypal accounts purchasing 
Microsoft Office (EDU version) for $15.  If you have a Kivuto/OnTheHub instance, you might check your process for 
approving new accounts and look at the purchase history.  And if you're like us, you might have multiple organizational 
accounts with them, some of which no one at your organization may be aware of.

Regarding Paul's original email - we have re-captcha implemented (and have had it for two years) and we still get fake 
apps - certainly not as many as before, but quite a few still.  We believe they are being completed by real people 
using a database of fake people based on certain factors (notably time taken to complete the application, time between 
applications, and names/addresses/email addresses supplied), but we still get a bunch.  We also noted they use US-based 
VPN providers (well, exit nodes), so blocking any non-US netblock is unlikely to be effective.

We have someone who has the perhaps unenviable task of reviewing new admissions applications on a daily basis and they 
(plus our automated blocking and alerting) are pretty adept at identifying fake apps and allowing us to promptly remove 
them.  Oddly (or perhaps not), most of those fake applications happen on holidays or weekends.

Wish I had a more encouraging or helpful response.

Regards,

Sean
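The timing signals Sean describes (time taken to complete the application, time between applications, and submissions landing on weekends) as an added example, not the poster's tooling: it runs over constructed submission records, and the record layout and both thresholds are assumptions. It deliberately uses behaviour rather than source geography, since the thread notes the traffic arrives through US-based VPN exit nodes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample submissions (not real applicants):
# (application id, source IP, form opened, form submitted), local time.
SAMPLE_SUBMISSIONS = [
    ("A1", "203.0.113.10", "2020-09-19 02:00:05", "2020-09-19 02:00:41"),
    ("A2", "203.0.113.10", "2020-09-19 02:01:30", "2020-09-19 02:02:02"),
    ("A3", "203.0.113.10", "2020-09-19 02:03:10", "2020-09-19 02:03:44"),
    ("A4", "198.51.100.7", "2020-09-22 14:10:00", "2020-09-22 14:31:12"),
]

# Thresholds are assumptions for illustration; tune them on your own history.
MIN_COMPLETION = timedelta(seconds=120)  # a multi-page application takes longer
MIN_GAP_SAME_IP = timedelta(minutes=10)  # back-to-back submissions from one IP


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def flag_submissions(rows):
    """Return {application_id: [reasons]} for submissions tripping a heuristic.

    Rows are processed in submission order so the per-IP gap check compares
    each application with the previous one from the same address.
    """
    flags = defaultdict(list)
    last_submit_by_ip = {}
    for app_id, ip, opened, submitted in sorted(rows, key=lambda r: r[3]):
        opened_at, submitted_at = parse_ts(opened), parse_ts(submitted)
        if submitted_at - opened_at < MIN_COMPLETION:
            flags[app_id].append("completed_too_fast")
        previous = last_submit_by_ip.get(ip)
        if previous is not None and submitted_at - previous < MIN_GAP_SAME_IP:
            flags[app_id].append("rapid_repeat_from_ip")
        last_submit_by_ip[ip] = submitted_at
        if submitted_at.weekday() >= 5:  # Saturday or Sunday
            flags[app_id].append("weekend_submission")
    return dict(flags)


def review_queue(rows, min_reasons=2):
    """Applications with at least min_reasons flags, for the daily human review."""
    return sorted(app_id for app_id, reasons in flag_submissions(rows).items()
                  if len(reasons) >= min_reasons)


if __name__ == "__main__":
    for app_id, reasons in flag_submissions(SAMPLE_SUBMISSIONS).items():
        print(app_id, ", ".join(reasons))
    print("review:", review_queue(SAMPLE_SUBMISSIONS))
```

None of these signals is a rejection on its own (a weekend applicant is not a bot), which is why the output feeds a review queue rather than an automatic block; the weekend flag mainly helps the reviewer prioritise the Monday backlog.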


________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> on behalf of Chester, Heather <htomley () LUC EDU<mailto:htomley () LUC EDU>>
Sent: Monday, September 21, 2020 7:01 AM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> <SECURITY () LISTSERV EDUCAUSE 
EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>>
Subject: Re: [SECURITY] Admissions application bot activity


Hi All,

When reading this, I thought, would they be able to apply for some type of Financial Aid?  If they already have an RDS 
#, they may be “approved” to receive funding or what other services could they have access to with an email and valid 
RDS?  Plus, you mentioned some of the RDS #’s may be valid, which would lead to potential compromised accounts.  Would 
the bad actors be able to get to the valid RDS student’s current financial aid award, most likely being disbursed now, 
at the beginning of the semester?  Just thinking out loud.



When I googled the words “residency certification number”, the first result back was about “the State of North Carolina 
partially subsidizes the cost of North Carolina public college and university tuition”.

And the second returned result was “For a student to receive the benefits of in-state tuition and state financial aid, 
a residency determination is required from RDS”.  What websites do you have public facing information about RDS 
requirements?  Do you have MFA?  Perhaps review the human processes you have in place as well as the level of detail 
you have exposed to the general public, and any other services offered if they gain a successful RDS and email?

https://ncresidency.cfnc.org/residency/ and https://ncresidency.cfnc.org/residencyInfo/



Perhaps, it’s a power by numbers approach to trying to get an email telling them next steps to claiming Financial Aid 
or other services/benefits?  The fact that they are skipping North Carolina is unique and perhaps that state has a more 
thorough and deliberate way of checking the residency requirements than others?  Use if helpful but thought it was a 
very interesting problem and if successful, will be duplicated against other institutions, so thank you for sharing.



Thank you,

Heather



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> On Behalf Of Steven Saine
Sent: Monday, September 21, 2020 6:57 AM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Admissions application bot activity



Here is some information regarding fake applications that has been shared with us previously.  Not sure if it will help 
or not.  It was noticed fake applications were coming from these domains.



The ‘bad’ domains identified are:

• armyspy(dot)ga
• rhyta(dot)cf
• teleworm(dot)tk
• jourrapide(dot)gq
• dayrepa(dot)ml

Common conditions identified from the bad applications are:

• They're all allegedly new students, not matching with any existing Colleague records.
• They all list dates of birth in the year 1999, either 20 or 21 years old.
• They're all listed as male.
• They're all listed as residing in a state other than North Carolina.
• They're all listed as unemployed (not seeking).
• They all list personal enrichment as their educational goals.
• They all have the race and ethnicity left unlisted.
• Most tellingly, each of these fake applications lists a residency certification number (RCN) that either belongs to someone else entirely or isn't a real RCN, but it's always listed as a ten-digit number beginning with "1100" as if it was a real RCN.





Steven B. Saine
Director of Information Security, Construction Management, and Audit
Rowan-Cabarrus Community College
1333 Jake Alexander Blvd.
Salisbury, NC 28146
Telephone: (704) 216-3561
steven.saine () rccc edu<mailto:steven.saine () rccc edu>
helpdesk () rccc edu<mailto:helpdesk () rccc edu>
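The indicator list above turned into a scoring rule, as an added example that is not RCCC's or Colleague's code. The field names, weights, review threshold and the KNOWN_RCNS table (standing in for an RDS or Colleague lookup of whether an RCN exists and which record it is tied to) are all assumptions, and the four sample applications are constructed. The point of the weighting is that the demographic indicators only count in combination, while the RCN and e-mail-domain indicators carry the decision, matching the thread's "most tellingly".

```python
import re
from datetime import date

# Constructed reference data, not RCCC's. KNOWN_RCNS stands in for an RDS /
# Colleague lookup: RCN -> record id of the student it is already tied to, or
# None when the RCN is valid but not yet attached to a local record.
KNOWN_RCNS = {"1100123456": "S00042", "1100555555": None}
BAD_DOMAINS = {"armyspy.ga", "rhyta.cf", "teleworm.tk", "jourrapide.gq", "dayrepa.ml"}
RCN_FORMAT = re.compile(r"^1100\d{6}$")  # ten digits beginning with 1100, per the thread

# Weights and threshold are assumptions: identity signals (RCN, e-mail domain)
# count heavily, demographic ones count only in combination.
WEIGHTS = {
    "new_student": 1, "dob_1999": 1, "male": 1, "out_of_state": 1,
    "unemployed_not_seeking": 1, "goal_personal_enrichment": 1,
    "race_ethnicity_blank": 1, "bad_email_domain": 3, "rcn_malformed": 2,
    "rcn_not_real": 3, "rcn_belongs_to_other": 4,
}
REVIEW_THRESHOLD = 6


def indicators(app, known_rcns=KNOWN_RCNS, bad_domains=BAD_DOMAINS):
    """Names of the indicators from the thread that one application matches."""
    hits = []
    if app["existing_record_id"] is None:
        hits.append("new_student")
    if app["dob"].year == 1999:
        hits.append("dob_1999")
    if app["sex"] == "M":
        hits.append("male")
    if app["state"] != "NC":
        hits.append("out_of_state")
    if app["employment"] == "unemployed_not_seeking":
        hits.append("unemployed_not_seeking")
    if app["goal"] == "personal_enrichment":
        hits.append("goal_personal_enrichment")
    if not app["race"] and not app["ethnicity"]:
        hits.append("race_ethnicity_blank")
    if app["email"].rsplit("@", 1)[-1].strip().lower() in bad_domains:
        hits.append("bad_email_domain")
    rcn = (app.get("rcn") or "").strip()
    if rcn:
        if not RCN_FORMAT.match(rcn):
            hits.append("rcn_malformed")
        elif rcn not in known_rcns:
            hits.append("rcn_not_real")
        elif known_rcns[rcn] not in (None, app["existing_record_id"]):
            hits.append("rcn_belongs_to_other")  # valid RCN, but someone else's
    return hits


def score(app, **kw):
    return sum(WEIGHTS[h] for h in indicators(app, **kw))


def needs_review(app, threshold=REVIEW_THRESHOLD, **kw):
    return score(app, **kw) >= threshold


# Constructed sample applications (not real people).
FAKE = dict(existing_record_id=None, dob=date(1999, 4, 12), sex="M", state="TX",
            employment="unemployed_not_seeking", goal="personal_enrichment",
            race="", ethnicity="", email="mark.c@armyspy.ga", rcn="1100987654")
GENUINE = dict(existing_record_id=None, dob=date(2001, 8, 3), sex="F", state="NC",
               employment="employed", goal="degree", race="White",
               ethnicity="Not Hispanic or Latino", email="jane@example.com",
               rcn="1100555555")
RETURNING = dict(existing_record_id="S00042", dob=date(1997, 1, 20), sex="F",
                 state="NC", employment="employed", goal="degree", race="Black",
                 ethnicity="Not Hispanic or Latino", email="r@example.org",
                 rcn="1100123456")
BORROWED = dict(existing_record_id=None, dob=date(1999, 11, 2), sex="M", state="VA",
                employment="employed", goal="degree", race="Asian", ethnicity="",
                email="x@example.net", rcn="1100123456")

if __name__ == "__main__":
    for name, app in [("fake", FAKE), ("genuine", GENUINE),
                      ("returning", RETURNING), ("borrowed RCN", BORROWED)]:
        print(f"{name:13} score={score(app):2} review={needs_review(app)} "
              f"{indicators(app)}")
```

The BORROWED case is the one the thread calls out: every demographic field looks ordinary, but the RCN is already tied to a different student's record, and that alone should route the application to a human before any credentials are issued.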



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> On Behalf Of Czarapata, Paul (KCTCS)
Sent: Friday, September 18, 2020 5:46 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Admissions application bot activity



Dear colleagues,



Sorry for the cross-post, but we have a bit of a situation here at KCTCS.  We have been getting tens of thousands of 
fake admissions applications over the past 6 weeks.  We have re-captcha implemented and they are still getting through, 
but at such a pace there is no way a human can be doing it.  The network team is watching the IP addresses and 
blocking, but then they just pop up from somewhere else.  Our student team is working on a pin code process, but that's 
not ready yet.  We don't have an admissions application fee either, or that would likely stop them.  I was just curious 
if anyone else had seen this happening and if you have stopped it, what you did?



Thank you in advance - PC



______________________________________________________________________
Paul Czarapata, Ed.D.
Vice President/Chief Information Officer
Kentucky Community & Technical College System
300 North Main Street
Versailles, KY 40383
O: 859/256-3248



Your success equals our success.

Twitter <https://twitter.com/pczarapata> | LinkedIn <https://linkedin.com/in/pczarapata> | Facebook <https://www.facebook.com/KCTCS>

Training and Learning Center <http://kctcs.edu/tlc> | Technology Solutions Help Desk <http://ithelpdesk.kctcs.edu/> | Technology Communications Center <http://kctcs.edu/tcc>



**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

E-mail correspondence to and from this address may be subject to the North Carolina Public Records Law and may be 
disclosed to third parties by an authorized state official. (NCGS.Ch.132)

CONFIDENTIALITY: This e-mail (including any attachments) may contain confidential, proprietary and privileged 
information, and unauthorized disclosure or use is prohibited. If you received this e-mail in error, please notify the 
sender and delete this e-mail from your system.
