Soon after the first wave of fraud applications was identified in June 2016, the CCC Technology Center took immediate steps to strengthen the security of the CCCApply system and protect our students' personally identifiable data, including additional firewall protections, blocking TOR and other known bad actors, and implementing pre-submission configuration changes that would prevent probable fraud applications from being submitted if they meet certain criteria (read more about all the ways we are addressing fraud in CCCApply). Meanwhile, after the first wave of fraud was reported in late 2016, we contracted with a machine learning data research team to perform data analysis on several thousand fraud application examples that were collected from the colleges that initially reported the spam.


Research Objectives

Infiniti commenced a multi-phase research project with the following objectives: 

...

The objectives for the research project were simple:

  • Understand why we are seeing an influx of fraudulent applications across the CCC system
  • Understand the motivations behind these fraudulent attacks
  • Identify trends, commonalities and patterns in the data
  • Identify the tools and techniques being used by spammers

...

Info

One of the outcomes of the machine learning research study was to build a spam filter web service, with a user interface, to prevent bad data from getting to the colleges and to continuously re-train the prediction service model.


A comprehensive communication plan is mapped out, beginning with the announcement about the Spam Filter as part of the new CCCApply Administrator release, going out the week of March 19. Training webinars and user guides are being developed to accompany the new system.

Research Outcomes

Data Trends Identified in Fraud Applications

By recognizing the characteristics of spam applications, such as volume, average submission time, patterns in the submitted data, and user profiling - and comparing that information to non-fraud applications, we are able to take steps to prevent this threat through enhanced security, short-term stop gap fixes as needed, and the development of a spam filter web service. These aren't the only solutions, but as we continue to better understand the motivations behind these attacks, these can be used as part of an overall enhanced security strategy.

Early Research

...

  • What can CCCApply do to prevent fraud now and in the future?
  • What can the colleges do to prevent fraud now and in the future?

Additional objectives were added based on the recommendations and outcomes of the research, including commencing a small pilot of four colleges to get feedback and understand their workflow processes, as well as develop a process for collecting data throughout the design and development phase of the project. 

Data Analysis

Based on what they learned in the initial review, the research team conducted a multi-part data analysis of all submitted applications (without using any student personal information). In the first review the focus was on one college that provided a large number of bad applications between June 1, 2016 - August 15, 2017. The second review looked at all other colleges who have provided examples of bad applications in the same time period; and the third pull looked at all the remaining colleges and submitted application data. It was important to compare the bad applications to good applications in order to start detecting trends and patterns in the fraudulent "formula". After reviewing all three data pulls, even without including personal identifiable information, we learned a great deal.

The majority of bad applications identified were submitted in under 3 minutes, with the majority of those being submitted in under 2.5 minutes. That information alone told us that robots are likely involved, submitting applications quickly using keyboard strokes.

Of the applications identified as frauds, other patterns were prevalent:

  • Time to completion:  2.25 minutes (average)
  • Permanent Address State: NOT California
  • Current Mailing Address State:  NOT California
  • Gender: Male
  • Race: White
  • HS Ed Level:  No high school completion
  • Interest in Financial Aid:  NO

Research Outcomes: What We've Learned

Trends & Motivation for Fraudulent Activity

We've identified several motivating factors and are working with our security office to publish some best practices to help colleges prevent bad applications from being submitted in the first place. 

...

However, the most important thing we learned was that it is very hard to identify "patterns". As soon as one pattern was identified, the spammers would mix it up and employ a new pattern. The only pattern we could be sure of is that there is no one pattern; these attackers are very skilled at adapting to change.  

Motivations for Fraudulent Activity

One of the burning questions we had going into the research study was, why? What is the motivation behind these attacks?  Clearly the cyber criminals behind this fraud campaign are highly organized and unyieldingly dedicated. What are they getting out of this? The answer is financial gain. 

Of the 24 colleges that were surveyed by the Tech Center who had reported large numbers of fraud, 23 of them indicated that they give away something for free at the time of application; in most cases they are auto-responding to applicants with .edu email addresses and/or free software licenses such as Office 365 or, in some cases, credentials that would get the student into their student information system. Among the colleges that indicated they were giving away .edu addresses, many of them admitted they were doing so before the student was actually enrolled in classes. 

Warning

Cyber criminals appear to be targeting the colleges that are giving away something for free at the time of application, such as .edu email addresses, free software licenses, and - in some cases - information that gets the applicant into their student information system.

The CCCTC Information Security office has been investigating these reports and has confirmed the sale of .edu email addresses on various online sites, such as eBay and Craigslist.

  • Some colleges are giving applicants free software licenses (Office 365). These licenses are being sold to end-users.
  • In some instances, confirmation emails being sent to applicants are confirming their residency status (based on self-reported data). These are then being used to create fake identities.
  • Student IDs and other "identification codes" are allowing these fraud applicants to access the colleges' SIS (again, this is happening prior to registration).

From a security standpoint, allowing students to access a college's student information system prior to the registration or matriculation process is a high risk that our Chief Security Officer, Jeff Holden, is also investigating to see what can be done from a systemwide perspective.

Among other uses, it appears the spammers are using the .edu email addresses to:

  • seek special discounts on technology hardware and software
  • sell the addresses on eBay and Craigslist (we've found them there)
  • use the emails and other auto-responses that acknowledge their "California" address / residency to create fake identities
  • apply for financial aid

To confirm our suspicions, we surveyed the colleges that have reported fraudulent applications and each one of the colleges confirmed that they have been giving new applicants a .edu address automatically upon application submission.

Other Motivating Factors

  • apply for financial aid
  • apply for student loans
  • prove U.S. and California residency
  • obtain false identification

Recommendations

By identifying commonalities across all the fraud applications reported by colleges - such as volume, average submission time, patterns in the submitted data, and user profiling - and by comparing that information to non-fraud applications over the same time period, the research team was able to make some recommendations, from short-term technical fixes to long-term development solutions, that we began implementing immediately.

The recommendations included:

  • Additional security enhancements to the firewall
  • Implementing blocks on TOR and other known bad actors and IP addresses
  • Several stop-gap configuration changes to the CCCApply pre-submission process that would temporarily thwart spammers in progress
  • Start working with a few colleges that are getting spammed heavily to understand motivations and trends
  • Develop a post-submission web service based on a machine learning model that would filter spam before it reaches the colleges

These recommendations were all approved as part of an overall enhanced security strategy for 2018-2019.


Info

Spam Pilot Project

One of the recommendations from the research study was to organize a small pilot of colleges that can work with our support engineers and provide feedback throughout the research and development efforts. The pilot colleges will also collaborate on best practices and other workflow changes that can be shared back with the other colleges.

Development Project

One of the recommendations from the research was to develop a spam filter web service that would prevent the bad applications from getting back to the colleges through their download system, and to continuously re-train the prediction service model.


After the initial review, the data analysts recommended developing a spam filter service using a continuous learning/training model, based on a custom algorithm that will get smarter each time an application is flagged as "spam". This filter service is being built for the CCCApply Standard application, with a back-end user interface that will be accessible in the new CCCApply Administrator (deploying in June).
Both the spam filter service and the admin interface are under development now, with an expected release date of June 2018. This is a huge project and will require the cooperation and participation of all colleges - not just the colleges being targeted with spam - in order to "train" the algorithm with accurate data: both good, legitimate applications and bad, fraudulent applications.
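
The continuous-training idea described above, as an added example that is not the Tech Center's or the research team's code: a naive Bayes filter, standing in for the custom algorithm the page does not specify, over the timing, address, education and financial-aid indicators listed earlier, re-trained each time an application is flagged. The record keys and sample applications are constructed for illustration.

```python
import math
from collections import Counter

def featurize(app):
    """Indicators from this page's list; the record keys are hypothetical."""
    return {"fast_submit": app["minutes"] < 3.0,   # most fraud took under 3 minutes
            "perm_in_ca": app["perm_state"] == "CA",
            "mail_in_ca": app["mail_state"] == "CA",
            "hs_completed": app["hs_completed"],
            "wants_fin_aid": app["wants_fin_aid"]}

class SpamFilter:
    """Bernoulli naive Bayes, updated one labelled application at a time."""
    def __init__(self):
        self.seen = Counter()                               # applications per label
        self.hits = {"spam": Counter(), "ok": Counter()}    # feature-is-True counts

    def flag(self, app, label):
        """Re-training step: a reviewer marks an application 'spam' or 'ok'."""
        self.seen[label] += 1
        self.hits[label].update(k for k, v in featurize(app).items() if v)

    def spam_probability(self, app):
        total, score = sum(self.seen.values()), {}
        for label in ("spam", "ok"):
            s = math.log((self.seen[label] + 1) / (total + 2))           # smoothed prior
            for k, v in featurize(app).items():
                p = (self.hits[label][k] + 1) / (self.seen[label] + 2)   # Laplace smoothing
                s += math.log(p if v else 1 - p)
            score[label] = s
        return 1 / (1 + math.exp(score["ok"] - score["spam"]))

def record(minutes, perm, mail, hs, aid):   # constructed record, no personal data
    return dict(minutes=minutes, perm_state=perm, mail_state=mail,
                hs_completed=hs, wants_fin_aid=aid)

def demo():
    f = SpamFilter()
    for a in (record(2.1, "TX", "TX", False, False), record(2.4, "NY", "FL", False, False),
              record(1.9, "WA", "WA", False, False)):
        f.flag(a, "spam")
    for a in (record(18, "CA", "CA", True, True), record(25, "CA", "CA", True, False),
              record(12, "CA", "CA", False, True)):
        f.flag(a, "ok")
    shifted = record(2.0, "CA", "CA", False, False)   # spammers switch to CA addresses
    before = f.spam_probability(shifted)
    for _ in range(3):
        f.flag(shifted, "spam")                       # colleges flag the new pattern
    return before, f.spam_probability(shifted), f.spam_probability(record(20, "CA", "CA", True, True))
```

`demo()` returns the score of the shifted application before and after the three new flags, plus the score of a legitimate-looking one. The shifted application starts at about 0.5 and rises above 0.9 only once it has been flagged, which is why the filter needs both good and bad labelled applications.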



Info

Spam Filter Web Service

One of the outcomes of the research study was the recommendation to develop a spam filter web service that would prevent the bad applications from getting back to the colleges through their download system, and to continuously re-train the prediction service model.


Meanwhile, we continue to work with the machine learning team and several colleges in a pilot project to build and train the algorithm with any bad applications submitted by colleges. The email tomorrow will also specify how colleges can submit their fraud applications to the Tech Center for this purpose (we need them formatted in a specific way and need to ensure colleges know not to include any student personal identity information).

We are also working with the CCCApply Steering Committee to better understand the motivations of these spammers. What are they after?