Machine Learning Research Study

Soon after the first wave of fraud applications were identified in June 2016, the CCC Technology Center took immediate steps to strengthen the security of the CCCApply system and protect our students' personal identifiable data (read more about all the ways we are addressing fraud in CCCApply). Meanwhile, we contracted with a machine learning data research team to perform data analysis on several thousand fraud applications examples that were collected from the colleges that initially reported the spam.

Research Objectives

The objectives for the research project were simple:

Understand why we are seeing an influx of fraudulent applications across the CCC system
Understand the motivations behind these fraudulent attacks
Identify trends, commonalities and patterns in the data
Identify the tools and techniques being used by spammers
What can CCCApply do to prevent fraud now and in the future?
What can the colleges do to prevent fraud now and in the future?

Additional objectives were added based on the recommendations and outcomes of the research, including commencing a small pilot of four colleges to get feedback and understand their workflow processes, as well as develop a process for collecting data throughout the design and development phase of the project.

Data Analysis

Based on what they learned in the initial review, the research team conducted a multi-part data analysis of all submitted applications (without using any student personal information). In the first review the focus was on one college that provided a large number of bad applications between June 1, 2016 - August 15, 2017. The second review looked at all other colleges who provided examples of bad applications in the same time period; and the third pull looked at all remaining submitted application data. It was important to compare the bad applications to good applications in order to start detecting trends and patterns in the fraudulent "formula". After reviewing all three data pulls, even without including personal identifiable information, we learned a great deal.

The majority of bad applications identified were submitted in under 3 minutes, with the majority of those being submitted in under 2.5 minutes. That information alone told us that robots are likely involved, submitting applications quickly using keyboard strokes.

Of the applications identified as frauds, other patterns were prevalent:

Time to completion: 2.25 minutes (average)
Permanent Address State: NOT California
Current Mailing Address State: NOT California
Gender: Male
Race: White
HS Ed Level: No high school completion
Interest in Financial Aid: NO

However, the most important thing we learned was that it is very hard to identify "patterns". As soon as one pattern was identified, the spammers would mix it up and employ a new pattern. The only pattern we could be sure of is that there is no one pattern; these attackers are very skilled at adapting to change.

Motivations for Fraudulent Activity

One of the burning questions we had going into the research study was, why? What is the motivation behind these attacks? Clearly the cyber criminals behind this fraud campaign are highly organized and unyieldingly dedicated. What are they getting out of this? The answer is financial gain.

Of the 24 colleges that were surveyed by the Tech Center who had reported large numbers of fraud, 23 of them indicated that they give away something for free at the time of application; in most cases they are auto-responding to applicants with .edu email addresses and/or free software licenses such as Office 365 or, in some cases, credentials that would get the student into their student information system. Among the colleges that indicated they were giving away .edu addresses, many of them admitted they were doing so before the student was actually enrolled in classes.

Cyber criminals appear to be targeting the colleges that are giving away something for free at the time of application, such as .edu email addresses, free software licenses, and - in some cases - information that gets the applicant into their student information system.

The CCCTC Information Security office has been investigating these reports and have confirmed the sale of .edu email addresses on various online sites, such as eBay and Craig's List. Among other uses, it appears the spammers are using the .edu email addresses to:

seek discounts on technology hardware and software
apply for financial aid
apply for student loans
prove U.S. and California residency
obtain false identification

Recommendations

By identifying commonalities across all the fraud applications reported by colleges - such as volume, average submission time, patterns in the submitted data, and user profiling - and by comparing that information to non-fraud applications over the same time period, the research team was able to make some recommendations, from short-term technical fixes to long-term development solutions, that we began implementing immediately.

The recommendations included:

Additional security enhancements to the firewall
Implementing blocks on TOR and other known bad actors and ip addresses,
Several stop gap configuration changes to the CCCApply pre-submission process that would temporarily thwart spammers in-progress
Start working with a few colleges that are getting spammed heavily to understand motivations and trends
Develop a post-submissions web service based on a machine learning model that would filter spam before it reaches the colleges

These recommendations were all approved as part of an overall enhanced security strategy for 2018-2019.

Spam Pilot Project

One of the recommendations from the research study was to organize a small pilot of colleges that can work with our support engineers and provide feedback throughout the research and development efforts. The pilot colleges will also collaborate on best practices and other workflow changes that can be shared back with the other colleges.

Development Project

One of the recommendations from the research develop a spam filter web service that would prevent these the bad applications from getting back to the colleges through their download system to prevent bad data from getting to the colleges and continuously re-training the prediction service model.

After the initial review, the data analysts recommended developing a spam filter service using on a continuous learning/training model - based on a custom algorithm that will get smarter each time an application is flagged as "spam". This filter service is being built for CCCApply Standard application, with a back-end user interface that will be accessible in the new CCCApply Administrator (deploying in June).

Both the spam filter service and the admin interface are under-development now - with an expected release date of June 2018. This is a huge project and will require the cooperation and participation of all colleges - not just the colleges being targeted with spam - in order to "train" the algorithm with accurate data - both good, legitimate applications as well as the bad, fraudulent applications.

Spam Filter Web Service

One of the outcomes of the research study was the recommendation to develop a spam filter web service that would prevent these the bad applications from getting back to the colleges through their download system to prevent bad data from getting to the colleges and continuously re-training the prediction service model.

Meanwhile, we continue to work with the machine learning team and several colleges in a pilot project to build and train the algorithm with any bad applications submitted by colleges. The email tomorrow will also specify how colleges can submit their fraud applications to the Tech Center for this purpose (we need them formatted in a specific way and ensure colleges know not to include any student personal identity information.

We are also working with the CCCApply Steering Committee to better understand the motivations of these spammers. What are they after?