Universities exposed to account takeover risk from contract cheating services

Contributor:
Cody Labrecque

16 February 2026

Executive Summary

Okta Threat Intelligence has identified extortion campaigns that target university students.

These operations often masquerade as “tutoring” or “proctoring” services, but function as contract cheating operations that feed sophisticated identity-theft and financial-crime rackets.

These extortion campaigns appear to first involve local and online recruiting efforts that seek students as clients.

In order for third parties to complete academic work on behalf of a student, the student is asked to give the service access to academic systems, in some cases by sharing authentication credentials.

These third parties then press the students for further payment by threatening to expose the student for cheating.

The extortionists have been observed logging in from VPNs, residential, and mobile IP addresses in Kenya.

Okta Threat Intelligence has collaborated with several universities and people to study this activity, including Glen Woolley, Andrew Tolhurst, and Damien Mathieson of the Cyber Security Operations team at the University of Sydney.

This is not merely a matter of academic integrity; it is a threat to student safety and standards, to the university’s security perimeter and, as one research institute posits, to national security.

These extortion schemes target students across numerous universities in the English-speaking world, including the United States, Canada and Australia. Merely providing academic cheating services is illegal in some jurisdictions. For example, Australia criminalized contract cheating and ordered ISPs to block 555 websites offering these services. Regardless of jurisdiction, extorting students under threat of exposure is illegal. 

There are broader risks to universities because of how the academic work is completed. Attackers demand full access to student accounts, which could mean the transfer of login credentials and approval of multifactor authentication challenges or other kinds of remote access. This grants threat actors an ongoing foothold within the university's environment.

While Okta Threat Intelligence has not directly observed a pivot from extortion to other abuses of student access in the clusters we are tracking, threat actors could conceivably leverage and monetize their access to achieve objectives such as payroll piracy.

Okta is committed to helping customers, partners, and users understand the critical role identity security plays in these attacks.

From contract cheating to student extortion

In order to finish their academic work quickly with minimal effort, some students choose to engage third parties to complete academic tasks on their behalf.

It is only after one of these third parties submits an assignment on behalf of a student through university apps like Canvas and Blackboard that the extortion component of these campaigns commences.

For instance, a student may pay $75 for one assignment, but after the assignment is submitted, the threat actor demands a further payment of $1,000 under threat of reporting the student. In almost all cases where the victim doesn’t pay, the malicious actor will report the student. The malicious actor records voice and video communications with the student and may send emails to administrators. 

Critically, the extortionists have leverage against their victims. Identity and access management logs may indicate that someone else has been using the student’s account. The IP logs could show “impossible travel,” meaning a student account was accessed locally and then, some time later, from a location the student could not possibly have reached in that time.

Figure 1: the academic extortion lifecycle

Lure mechanisms: the “academic support” facade

Threat actors use a multi-channel approach to find victims, often tailoring their language and platform to specific student demographics. The extortionists thrive in high-pressure moments, such as during finals week or mid-terms. 

These services are advertised using both digital and physical channels. 

Digital channels

The most common lures are digital, designed to look like academic notifications or helpful peer-to-peer recommendations.

  • Marketing emails: Attackers send emails to students with subjects like "Struggling with your Final?" or "Expert Tutors Available - Guaranteed A+." These often use professional-looking signatures to mimic official academic support messages.

  • Direct messaging (WeChat, WhatsApp, Telegram): Because the email controls enforced by many universities are likely to block, flag or filter out spam, attackers also use the messenger apps popular with international student communities. These messages are often written in the student’s native language.

  • Websites: Contract cheating services develop professional-looking websites to give themselves an air of legitimacy.

Physical channels

  • Campus postings: Accomplices of the attackers place physical flyers around campus.

  • Coerced referrals: Once a student is already being extorted, the threat actor may demand that the student recruit more classmates. This turns the victim into an accessory, spreading the lure through trusted peer networks.

Figure 2. A screenshot from a video published by the University of New South Wales, warning students about some of the possible consequences of engaging with gray-area proctoring or tutoring services. (Source: University of New South Wales via YouTube)

Campaign Objectives

The primary objective of these campaigns is financial crime, achieved by extorting students based on evidence of authorized access.

The observed activity demonstrates clear intent to put students in a compromising situation in which they are either forced to pay or risk consequences from their academic institution. 

Data collected by threat actors

The malicious actors try to collect as much personal information as possible to ensure the success of their extortion plot. These actors collect data such as:

  • Personally identifiable information (PII): Full name, home address, and phone number.

  • Institutional identifiers: Student ID number and official university email address.

  • Academic evidence: The assignment prompts, the student's personal notes, the completed assignment and even the course syllabus.

  • Proof of presence: Screen recordings or screenshots of the attacker logged into the student’s portal (Canvas, Blackboard, etc.).

Risks beyond student extortion

Universities and colleges are attractive targets for financially motivated cybercriminal groups. We assess that contract cheating and extortion services have the potential to expose institutions to additional fraudulent activity if the extortionists we observed were to capitalize on the persistent access to systems granted by students.

  • Payroll piracy: The same credentials used to access student portals may provide access to payroll systems in those circumstances where a student also performs work for the institution. With access to payroll accounts, attackers can change bank routing information before a pay cycle, redirecting a student’s wages to attacker-controlled accounts.

  • Financial aid fraud: The same credentials used to access student portals may provide access to financial aid portals, providing opportunities to divert loan disbursements or apply for additional fraudulent grants in the student's name.

  • Phishing and spam: Threat actors may also choose to abuse the high reputation of a trusted .edu email address to bypass spam filters and target faculty, staff, or administration in an attempt to gain access to higher-privileged accounts.

  • Research and IP Theft: The same credentials used for access to student portals may provide access to proprietary university databases, journals, or sensitive research data in specialized fields like defense and biotechnology.

  • Student discount harvesting: Threat actors may abuse student identities to resell products and services purchased with a student discount.

Threat Response

What we're doing

Okta is taking the following actions to mitigate this threat:

  • Proactively notifying institutions when we detect suspicious activity.
  • Providing guidance and assistance to organizations to enhance the security of their Okta environments and assisting them to investigate any suspicious activity related to potentially compromised accounts.
  • Maintaining ongoing working groups with higher education institutions.

Detections

In order to reach their objectives, attackers must have persistent access to the student’s account long enough to run their extortion operation. 

If the university is using Okta as an Identity Provider, there are several technical indicators that can point to evidence of unauthorized account takeovers. 

What follows is a summary of detections available in the Okta platform.

  • Authenticator reuse: Attackers frequently enroll the same physical device, such as a mobile phone, as an MFA factor for multiple compromised accounts. Analysts may see several student identities associated with the same device identifier in Okta logs, which is a strong sign of multiple account takeovers. Okta has published a detection for authenticator reuse in the Customer Detection Catalog on GitHub.

  • Session initiated by user, completed by attacker: This behavior involves the attacker logging in using the student's credentials from a remote location. However, the MFA prompt, such as a push notification, is accepted by the student from their normal IP geolocation. This creates a session where the root session ID originates from a suspicious IP while the successful authentication comes from a trusted IP. Okta has created a detection for this scenario in the Customer Detection Catalog.

  • Impossible travel: Student accounts that have been shared with contract cheating services will often show evidence of impossible travel. We routinely observe impossible travel scenarios where a student account logs in from their expected campus location but the event is followed almost immediately by a login from an IP address geolocated to Kenya, India or Pakistan. Often these aberrant IPs will solely login to Canvas, Blackboard or other assignment submission sites. Okta has a detection in the Customer Detection Catalog for impossible travel that is paired with a detection for a new device. Together, those are two key signals of a possible account takeover.

  • Intentional use of proxy services: Rather than merely being sloppy, we have observed threat actors intentionally using suspicious proxy services and IPs. This is part of their extortion operation: attackers leverage the impossible travel as evidence they can show university administrators. Use of IPs from unexpected locations, especially India and East Africa, can be indicative of an account takeover. Okta has a hunt in the Customer Detection Catalog for sign-in attempts from proxies that customers can leverage.
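To make the first two detections above concrete, here is an added example (not code from Okta or the Customer Detection Catalog) that runs the authenticator-reuse and split-session logic over a handful of constructed Okta System Log-style events. The field names (`eventType`, `actor.alternateId`, `client.ipAddress`, `client.geographicalContext.country`, `device.id`, `authenticationContext.rootSessionId`) are assumed to match the System Log schema; the sample users, IPs and device ids are invented.

```python
from collections import defaultdict

def ev(etype, user, ip, country, session=None, device=None, result="SUCCESS"):
    """Build a minimal Okta System Log-style event (constructed sample, not real data).
    Field names are assumed to follow the System Log schema; verify against your tenant."""
    return {"eventType": etype, "actor": {"alternateId": user},
            "client": {"ipAddress": ip, "geographicalContext": {"country": country}},
            "device": {"id": device},
            "authenticationContext": {"rootSessionId": session},
            "outcome": {"result": result}}

# Constructed events: one phone enrolled as an MFA factor for two students, and one
# session opened from Kenya whose push challenge was approved from the campus IP.
EVENTS = [
    ev("user.mfa.factor.activate", "alice@uni.example", "203.0.113.7", "Australia", device="phone-A"),
    ev("user.mfa.factor.activate", "bob@uni.example", "203.0.113.8", "Australia", device="phone-A"),
    ev("user.mfa.factor.activate", "carol@uni.example", "203.0.113.9", "Australia", device="phone-B"),
    ev("user.session.start", "alice@uni.example", "198.51.100.5", "Kenya", session="s1"),
    ev("user.authentication.auth_via_mfa", "alice@uni.example", "203.0.113.7", "Australia", session="s1"),
    ev("user.session.start", "carol@uni.example", "203.0.113.9", "Australia", session="s2"),
    ev("user.authentication.auth_via_mfa", "carol@uni.example", "203.0.113.9", "Australia", session="s2"),
]

def authenticator_reuse(events, threshold=2):
    """Map device id -> sorted users for any device enrolled as an MFA factor by
    `threshold` or more distinct accounts (several takeovers sharing one phone)."""
    users_by_device = defaultdict(set)
    for e in events:
        if e["eventType"] == "user.mfa.factor.activate" and e["device"]["id"]:
            users_by_device[e["device"]["id"]].add(e["actor"]["alternateId"])
    return {d: sorted(u) for d, u in users_by_device.items() if len(u) >= threshold}

def split_sessions(events):
    """Root session ids where the session was started from one IP/country but the
    successful MFA verification came from a different one (the user approved a push
    for a login they did not initiate)."""
    start, mfa = {}, {}
    for e in events:
        sid = e["authenticationContext"]["rootSessionId"]
        if e["eventType"] == "user.session.start":
            start[sid] = e["client"]
        elif e["eventType"] == "user.authentication.auth_via_mfa" and e["outcome"]["result"] == "SUCCESS":
            mfa[sid] = e["client"]
    return sorted(sid for sid in start.keys() & mfa.keys()
                  if start[sid]["ipAddress"] != mfa[sid]["ipAddress"]
                  and start[sid]["geographicalContext"]["country"] != mfa[sid]["geographicalContext"]["country"])

if __name__ == "__main__":
    print("authenticator reuse:", authenticator_reuse(EVENTS))
    print("split sessions:", split_sessions(EVENTS))
```

Against real System Log exports, feed the parsed JSON event list to the two functions in place of `EVENTS`.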

Recommendations for Okta Customers

  • Utilize authenticator enrollment policy to block device enrollment from specific geolocations and to block enrollment from proxy services.

  • Block proxy services listed under the Network Indicators section below using dynamic network zones.

  • Block login or require step-up authentication from high risk or unexpected locations.

Network Indicators

Okta Threat intelligence has observed suspicious patterns of account access originating from Kenyan IPs. These IPs are not contained within one ASN, but frequently are associated with known suspicious proxying services:

  • RAYOBYTE_PROXY

  • NEXUS_PROXY

  • PROXYRACK_PROXY

  • IPCOLA_PROXY

  • KOOKEEY_PROXY

  • PLAINPROXIES_PROXY

  • LUMINATI_PROXY

  • 9PROXY_PROXY

  • PROXYAM_PROXY

  • IPIDEA_PROXY

  • ABCPROXY_PROXY

  • NETNUT_PROXY

A note on estimate language

Okta Threat Intelligence uses the following terms to express likelihood or probability, as outlined in the US Office of the Director of National Intelligence Community Directive 203 - Analytic Standards.

Likelihood / Probability: Percentage

  • Almost no chance / Remote: 1-5%

  • Very unlikely / Highly improbable: 5-20%

  • Unlikely / Improbable: 20-45%

  • Roughly even chance / Roughly even odds: 45-55%

  • Likely / Probable: 55-80%

  • Very likely / Highly probable: 80-95%

  • Almost certain(ly) / Nearly certain: 95-99%