Israeli researchers have discovered the contact details for everyone working and teaching at the University of Liverpool circulating on a dark web forum, where they are being promoted for use in targeted phishing attacks.
According to security firm Cyberint, the data – name, address and work email addresses – was posted on the criminal forum by a Portuguese-speaking hacker or group known as ‘@ECHOison’ in early February 2016, where it remains publicly available.
The university was told of the posting some weeks ago by Cyberint, after which Computerworld UK understands the university contacted Merseyside Police.
The university released a statement to Computerworld UK making clear that although the contact details were taken from a database, the fact that they are considered public domain meant that this was not equivalent to a data breach.
“We detected an automated cyber-attack on one of our departmental online booking systems, which resulted in publicly available data - surname, email, and business telephone numbers - being released on the internet,” the university said.
“We take the security of all university-related data very seriously and routinely test our systems to ensure that all data is protected effectively. We supported the Regional Organised Crime Unit (TITAN) in their investigations into this issue and reported the case to the Information Commissioner’s Office.”
The university has a point when it says the data is publicly available – such contact databases will exist for every university in the UK in a form accessible to students and the public in general. However, being able to grab all of it remotely as a single database is a helpful way of fuelling industrial-scale phishing and malware attacks without the inconvenience of having to manually cull the same contact data from lots of smaller repositories.
Contact databases are no longer the innocent data sources they would have been in the recent past. Protecting or securing them would be prudent.
The fact that hackers see value in an entire contact database is also an important reminder of the extent to which UK universities are now being targeted by people with destructive motives.
In March, a survey of senior IT staff representing a third of the UK’s university sector uncovered widespread concern about their ability to defend themselves from attacks designed to steal research and IP data, and to target students and staff with phishing.
The total volume of research and other data now held by UK institutions has almost certainly reached 1 exabyte, with 20 or more institutions now storing petabytes, according to a detailed 2015 study by UK cloud archiving company Arkivum.
The group or person responsible for this posting appears to specialise in attacking academic websites, having previously targeted institutions including the University of Ottawa as well as releasing contact information for 150 United Nations staff.
“The data is structured in the format of a database and the threat actor has quite an impressive background in offensive activities that include bypassing/taking down DNS servers and a set of tools/expertise in SQLi and DB exploits,” commented Cyberint vice president of marketing, Elad Ben-Meir.
According to Ben-Meir, every University of Liverpool staff member or academic should be aware that they are now at increased risk of being targeted by cybercriminals using fraudulent emails in the coming months.
"Universities are particularly hot targets for cyber criminals as they are repositories for all kinds of valuable technological research," he said. "The kind of cyber breach that has occurred at Liverpool University could be the first step towards a more serious series of breaches suffered by the university in the near future."
In cybersecurity circles, the University of Liverpool is probably most famous as the institution at which NSA whistleblower Edward Snowden gained his Master's degree in Computer Security in 2011.
In the UK, Cyberint is best known for uncovering the large data breach against UK pub chain, JD Wetherspoon, in December 2015.