...
Soon after the first wave of fraud applications were identified in June 2016, the CCC Technology Center took immediate steps to strengthen the security of the CCCApply system and protect our students' personal identifiable data (read more about all the ways we are addressing fraud in CCCApply). Meanwhile, we contracted with a machine learning data research team to perform data analysis on several thousand fraud applications examples that were collected from the colleges that initially reported the spam. Research ObjectivesThe objectives for the research project were simple:
Additional objectives were added based on the recommendations and outcomes of the research, including commencing a small pilot of four colleges to get feedback and better understand their workflow processes, as well as develop a process for collecting data throughout the design and development phase of the project. |
...
Based on what they learned in the initial review, the research team conducted a multi-part data analysis of all submitted applications (without using any student personal information). In the first review , the focus was on one college that provided a large number of bad applications between June 1, 2016 - August 15, 2017. The second review looked at all other colleges who provided examples of bad applications in the same time period; and the third pull looked at all remaining colleges' submitted application data. It was important to compare the bad applications to good applications in order to start detecting trends and patterns in the fraudulent "formula". After reviewing all three data pulls, even without including personal identifiable information, we learned a great deal.
...
- Time to completion: 2.25 minutes (average)
- Permanent Address State: NOT California
- Current Mailing Address State: NOT California
- Gender: Male
- Race: White
- HS Ed Level: No high school completion
- Interest in Financial Aid: NO
However, the most important thing we learned was that it is very hard to identify "patterns". As soon as one pattern was identified, the spammers would mix it up and employ a new pattern. The only pattern we could be sure of is that there is no one pattern; these attackers are very skilled at adapting to change.
Motivations for Fraudulent Activity
One of the burning questions we had going into the research study was, why? What is the motivation behind these attacks? Clearly the cyber criminals behind this fraud campaign are highly organized and unyieldingly dedicated. What are they getting out of this? The answer is financial gain.
Of the 24 colleges that were surveyed by the Tech Center who had reported large numbers of fraud, 23 of them indicated that they give away something for free at the time of application; in most cases they are auto-responding to applicants with .edu email addresses and/or free software licenses such as Office 365 or, in some cases, credentials that would get the student into their student information system. Among the colleges that indicated they were giving away .edu addresses, many of them admitted they were doing so before the student was actually enrolled in classes.
Warning |
---|
Cyber criminals appear to be targeting the colleges that are giving away something for free at the time of application, such as .edu email addresses, free software licenses, and - in some cases - information that gets the applicant into their student information system. |
- seek discounts on technology hardware and software
- apply for financial aid
- apply for student loans
- prove U.S. and California residency
- obtain false identification
Recommendations
By identifying commonalities across all the fraud applications submitted reported by colleges - such as volume, average submission time, patterns in the submitted data, and user profiling - and then by comparing that information to non-fraud applications over the same time period, the research team was able to make some high-level recommendations, including from short-term technical fixes and to long-term development solutions, that we could start began implementing immediately.
The recommendations included:
- Additional security measures enhancements to the firewall and expanding our
- Implementing blocks on TOR and other known bad actors and ip addresses,
- Several stop gap configuration changes to the CCCApply pre-submission process to that would temporarily stop spammers before they submit Implement a pilot thwart spammers in-progress
- Start working with a few colleges that are getting spammed to help develop best practices and other prevention tactics to share with all colleges Develop a machine learning algorithm heavily to understand motivations and trends
- Develop a post-submissions web service based on a continuous machine learning /re-training model to filter fraud model that would filter spam before it reaches the colleges
...
We are also working with the CCCApply Steering Committee to better understand the motivations of these spammers. What are they after?
Lessons Learned: Motivations for Fraudulent Activity
...
Other Motivating Factors
...