Fake University Scam


Background

DomainGuard has identified a scam operation consisting of fake university websites pretending to be accredited U.S. postsecondary institutions. The scammers create realistic-looking websites and attempt to trick individuals into paying a registration fee for the university. These universities are NOT accredited U.S. postsecondary institutions, despite their websites claiming so, and are registered under a .education or .university domain suffix rather than the traditional, safer .edu. We’ll describe later in this post why .edu is safer.

Below you’ll find an investigation into one of the 18 fake universities identified, followed by general cyber-security guidance on the matter.

Investigation: University of Wayne State, Pennsylvania

University of Wayne State, A Fake University.

At first glance, the site in the image above looks like any other university website: a list of schools, programs, accreditation information, and even a login portal for current students and alumni. What more could you ask for? However, when digging deeper, DomainGuard identified that this is a fake university being used to conduct scams, and worse, it was just one of 18 such sites identified. DomainGuard suspects there are far more than the ones listed at the bottom of this post.

Fake Address

One standard method to verify an institution, especially one that claims to have a physical campus, is to cross-reference the provided address with common map providers such as Google Maps, Apple Maps, and OpenStreetMap.

Below you’ll see that we entered the provided address into Google Maps, and the location points to a legitimate high school in Pennsylvania, Radnor High School, NOT “Wayne State University”. The scammers pick addresses of real campuses in an attempt to pass as part of that institution.

Address provided on the fake university website.

No Accreditation

The fake university claims to hold accreditation from multiple accrediting bodies. Unfortunately, none of these accrediting bodies are real, and their websites are likely managed by the scammers as well.

Fake Accrediting Bodies

DomainGuard also looked up “Wayne State University” using the U.S. Department of Education’s accredited postsecondary institution lookup tool. The lookup returned no results for this university.

No Accreditation Results with the U.S. Department of Education.

Russian-Based Website

If the evidence above wasn’t overwhelming enough, this should be the nail in the coffin. Using URLScan, a URL scanning tool popular in the cyber-security industry, we can retrieve information about the website without navigating to it directly. The results show that the website’s primary IP address is located in Moscow Oblast, Russia. It seems suspicious for a “Pennsylvania”-based university to be operated from a hosting provider in Russia.

URL Scan results showing the website is hosted in Russia.

Why?

Why would individuals go through a significant undertaking to create fake websites for universities that do not exist?

Financial Motive

DomainGuard believes the primary motive is financial. There are many flavors of this type of scam: we’ve seen fake banks, fake pet breeders, fake online retail stores, and much more. The tricky part for the scammers is not creating the website but getting users onto it so they can conduct the scam. Recently, scammers have been using paid advertisements to drive users to their sites.

Command and Control

Because these websites use .university and .education top-level domains, DomainGuard believes they create a false sense of authenticity and would be good candidates for use in a breach or data exfiltration scenario in which a compromised computer communicates with one of them. They are good candidates because they appear non-malicious at first glance, and there is no way to know otherwise without digging into each website.

Additionally, many cyber-security products categorize these top-level domains as education and therefore low risk. Even if an analyst were to glance at one of these websites, they would only recognize it as a fake entity if they took the time to analyze the site and the relevant technical information.

Palo Alto categorizing the scam site as a low-risk education-based site.

At the time of this writing, all the sites listed below are indexed in Google and come up as the top result if you type in the name of the fake university.

Cyber-Security Industry Guidance

Top Level Domains

We alluded earlier in this blog post to .edu domains being safer, and there’s a very valid reason why. .edu domains must be registered through EDUCAUSE and must meet certain eligibility requirements. If you were to attempt to register a .edu domain, you would be asked to provide evidence of being an institutionally accredited postsecondary institution recognized by the U.S. Department of Education.

On the other hand, anyone can register a .education or .university domain, as these are unrestricted TLDs with no verification process to ensure the registrant is education affiliated, which is why the scam sites we’ve identified use these TLDs.

Because the .university and .education TLDs are so closely related to .edu, we fear this could create confusion and add to a false sense of authenticity for users viewing sites on these TLDs, the same false sense of authenticity these scammers are exploiting in their fake university scam.

As an exercise, we registered the domainguard.education domain and configured it to redirect to this blog post, proving that anyone can register a domain on the .education TLD, even with no affiliation to education at all.

domainguard.education redirects to this blog post.
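As an added example (not DomainGuard’s tooling) that ties the command-and-control concern above to the TLD distinction in this section: a small Python triage script that reads constructed proxy log lines and flags hosts on the unrestricted .education and .university TLDs unless they are on a vetted allowlist, while .edu hosts pass because their registration required proof of accreditation. The log format, the allowlist, and every domain in the sample are constructed for this example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Education-themed TLDs anyone can register (no eligibility check), versus
# .edu, which EDUCAUSE restricts to accredited institutions.
UNRESTRICTED_EDU_TLDS = {"education", "university"}
RESTRICTED_EDU_TLDS = {"edu"}

# Hypothetical allowlist of education-related domains this organisation has vetted.
KNOWN_GOOD = {"educause.edu", "ed.gov"}

# Constructed proxy log lines: <timestamp> <client-ip> <method> <url> <status>
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.15 GET https://www.educause.edu/ 200
2024-05-01T10:00:07Z 10.0.0.15 GET https://example.university/apply 200
2024-05-01T10:00:09Z 10.0.0.22 POST https://portal.example.education/login 302
2024-05-01T10:00:12Z 10.0.0.22 GET https://ope.ed.gov/dapip/ 200
2024-05-01T10:01:30Z 10.0.0.15 POST https://example.university/apply 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def registrable_domain(host):
    """Last two labels of a hostname (portal.x.education -> x.education).
    Sufficient for these TLDs; multi-label suffixes like .co.uk need a public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def classify_host(host):
    """Label a hostname by how much its TLD actually vouches for it."""
    domain = registrable_domain(host)
    tld = domain.rsplit(".", 1)[-1]
    if domain in KNOWN_GOOD:
        return "allowlisted"
    if tld in RESTRICTED_EDU_TLDS:
        return "restricted-tld"             # .edu: registrant had to prove accreditation
    if tld in UNRESTRICTED_EDU_TLDS:
        return "unverified-education-tld"   # looks academic, but anyone can register it
    return "other"

def triage(log_text):
    """Count hits per (domain, client) for the unverified class, so repeated
    traffic from one host to an unverified education-themed domain stands out."""
    findings = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue   # skip malformed lines rather than abort the sweep
        host = urlsplit(m.group(4)).hostname or ""
        if classify_host(host) == "unverified-education-tld":
            findings[(registrable_domain(host), m.group(2))] += 1
    return dict(findings)
```

Pair the output with a category lookup from your web filter: a domain the product labels as low-risk education but that this script flags is exactly the case the Palo Alto screenshot above illustrates.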

HTTPS Does NOT Guarantee Security

As cyber-security professionals, we have to be mindful of the verbiage we use when describing security controls, especially when addressing users. For example, below we’ve screenshotted a post that gives users a helpful security tip: sites with the green lock using HTTPS are more secure than sites without HTTPS.

This creates problems because users aren’t given the full context. Most phishing and fraudulent activity identified by DomainGuard is conducted on websites using HTTPS. HTTPS does not guarantee that a site is “secure”, and at DomainGuard we feel posts like the one below may even create a false sense of security for users.

While HTTPS is good in that the data between you and the website is encrypted, it does not mean that the website you are submitting your data to is a legitimate entity, and it’s important to emphasize that phishing and fraud occur on websites using HTTPS. In summary, the data you submit over HTTPS may be encrypted in transit, but you may still be submitting it to a malicious entity.

LinkedIn post from a cyber-security company.

Technical Evidence

Please DO NOT navigate to the sites below, as they are likely operated by threat actors. The information below is included to raise awareness of this type of scam and to provide threat intelligence to cyber-security researchers. The domains are intentionally defanged using brackets.

Fake Universities:


Fake Accrediting Bodies / U.S. Educational Institutions:


