Soon after the first wave of fraud applications was identified in June 2016, the CCC Technology Center took immediate steps to strengthen the security of the CCCApply system and protect our students' personally identifiable data (read more about all the ways we are addressing fraud in CCCApply). Meanwhile, we contracted with a machine learning data research team to perform data analysis on several thousand fraud application examples that were collected from the colleges that initially reported the spam.

Research Objectives

The objectives for the research project were simple:

  • Understand why we are seeing an influx of fraudulent applications across the CCC system
  • Understand the motivations behind these fraudulent attacks
  • Identify trends, commonalities and patterns in the data
  • Identify the tools and techniques being used by spammers
  • Determine what CCCApply can do to prevent fraud now and in the future
  • Determine what the colleges can do to prevent fraud now and in the future


Additional objectives were added based on the recommendations and outcomes of the research, including commencing a small pilot of four colleges to get feedback and better understand their workflow processes, and developing a process for collecting data throughout the design and development phase of the project.

...

Based on what they learned in the initial review, the research team conducted a multi-part data analysis of all submitted applications (without using any student personal information). In the first review, the focus was on one college that provided a large number of bad applications between June 1, 2016 and August 15, 2017. The second review looked at all other colleges that provided examples of bad applications in the same time period, and the third pull looked at all remaining colleges' submitted application data. It was important to compare the bad applications to good applications in order to start detecting trends and patterns in the fraudulent "formula". After reviewing all three data pulls, even without including personally identifiable information, we learned a great deal.

...

  • Time to completion:  2.25 minutes (average)
  • Permanent Address State: NOT California
  • Current Mailing Address State:  NOT California
  • Gender: Male
  • Race: White
  • HS Ed Level:  No high school completion
  • Interest in Financial Aid:  NO

However, the most important thing we learned was that it is very hard to identify "patterns". As soon as one pattern was identified, the spammers would mix it up and employ a new pattern. The only pattern we could be sure of is that there is no one pattern; these attackers are very skilled at adapting to change.  

Motivations for Fraudulent Activity

One of the burning questions we had going into the research study was, why? What is the motivation behind these attacks?  Clearly the cyber criminals behind this fraud campaign are highly organized and unyieldingly dedicated. What are they getting out of this? The answer is financial gain. 

Of the 24 colleges that were surveyed by the Tech Center who had reported large numbers of fraud, 23 of them indicated that they give away something for free at the time of application; in most cases they are auto-responding to applicants with .edu email addresses and/or free software licenses such as Office 365 or, in some cases, credentials that would get the student into their student information system. Among the colleges that indicated they were giving away .edu addresses, many of them admitted they were doing so before the student was actually enrolled in classes. 

Warning

Cyber criminals appear to be targeting the colleges that are giving away something for free at the time of application, such as .edu email addresses, free software licenses, and - in some cases - information that gets the applicant into their student information system.

The CCCTC Information Security office has been investigating these reports and has confirmed the sale of .edu email addresses on various online sites, such as eBay and Craigslist. Among other uses, it appears the spammers are using the .edu email addresses to:
  • seek discounts on technology hardware and software 
  • apply for financial aid
  • apply for student loans
  • prove U.S. and California residency
  • obtain false identification

Recommendations

By identifying commonalities across all the fraud applications reported by colleges - such as volume, average submission time, patterns in the submitted data, and user profiling - and then comparing that information to non-fraud applications over the same time period, the research team was able to make some high-level recommendations, ranging from short-term technical fixes to long-term development solutions, that we could begin implementing immediately.

The recommendations included:

  • Additional security measures enhancements to the firewall and expanding our
  • Implementing blocks on Tor and other known bad actors and IP addresses
  • Several stop gap configuration changes to the CCCApply pre-submission process to that would temporarily stop spammers before they submit Implement a pilot thwart spammers in-progress 
  • Start working with a few colleges that are getting spammed to help develop best practices and other prevention tactics to share with all colleges Develop a machine learning algorithm heavily to understand motivations and trends
  • Develop a post-submission web service based on a continuous machine learning/re-training model that would filter spam before it reaches the colleges

...

We are also working with the CCCApply Steering Committee to better understand the motivations of these spammers. What are they after? 

Lessons Learned: Motivations for Fraudulent Activity

We've identified several motivating factors and are working with our security office to publish some best practices to help colleges prevent bad applications from being submitted in the first place. 
We've found that the majority of spammers are seeking financial gain and are targeting colleges that are giving away something for free at the time of application - specifically, .edu email addresses, as well as free software licenses - before the applicant has been officially admitted to the college (registered, or other vetting process).
Among other things, it appears these spammers are using the .edu email addresses to:

...

To confirm our suspicions, we surveyed the colleges that have reported fraudulent applications and each one of the colleges confirmed that they have been giving new applicants a .edu address automatically upon application submission. 

Other Motivating Factors

...