Industry Trends

Threat Landscape Trends in Education

By Anthony Giandomenico | November 21, 2019

Education continues to be one of the industries most targeted by cybercriminals, primarily due to the data that schools store in their data centers. This information ranges from the PII of students and faculty, to stored payment information related to fees and tuitions, to original research being conducted by faculty and graduate students.

This blog combines critical intelligence related to the education sector with general threat and attack trends gathered from our global threat intelligence database. We will examine two of the major threat vectors targeting educational institutions – viruses and malware, and then take a quick look at the security implications of one of the top applications used at many educational institutions. It can be useful for systems administrators looking for ways to refine their security strategies for this school year.


For 2018, the top two industries targeted by threats were the environmental and educational sectors. The environmental industry consists of organizations that address issues related to water, air, soil, and complex ecosystems (such as wetlands or marine biospheres), as well as problems such as pollution, waste, erosion, and noise. And, of course, the educational sector includes all academic institutions, public and private, ranging from elementary and secondary schools to universities, and even academic research facilities.

The most frequent threat families targeting education during 2018 were riskware and adware. These are usually programs disguised as legitimate applications, but instead end up doing things like displaying more popup ads when browsing the Internet.

While this may not seem like much more than a nuisance to some, it is actually a severe issue because malicious actors regularly inject malware into these ads. While some of these ads require the user to click on a link to download malware or land on an infected website, advertisement popups can also drop malware onto an end-user device through a technique called malvertising.

The most common exploit detected was CVE-2017-11882, a now nearly two-decades old memory corruption issue in Microsoft Office (including Office 360) that was detected in 2017 and patched by Microsoft in November of that year. It is often exploited through phishing campaigns that include email with a malicious attachment. Once a user opens the attached document attackers are able to execute remote code on a vulnerable machine.

The flaw resides within the Microsoft Equation Editor, which is used to insert and edit complex equations such as Object Linking and Embedding (OLE) items in Microsoft Word documents. Microsoft has included this tool by default with every version of the Office suite since Office 2000. Microsoft's Patch Tuesday updates addressed this vulnerability in November of 2018. However, publicly released proof-of-concept exploits continue to have success using this CVE for their initial attack vector because many organizations have still not patched vulnerable systems.


Overall, education ranks third in terms of detected malware attacks, after telco/carrier and technology verticals. While there are millions of malware families in the wild, the ones primarily targeting education can be broken down into three categories: IoT, cryptojacking, and targeted attacks.

IoT - In 2018, educational institutions saw hits on a number of routers and closed-circuit cameras. FortiGuard Labs documented this increased trend of criminals targeting IoT devices in the Fortinet Threat Landscape Report for Q4 of 2018.

Cryptojacking – The education sector was also a primary target for cryptojacking in 2018. Cryptojacking attacks hijack the unused cycles of a compromised (usually IoT) device to mine for cryptocurrencies. As with adware, many may see cryptojacking as a benign activity since it only steals unused CPU resources to mine for cryptocurrencies. However, many variants also include other malicious functions, such as turning off anti-malware controls or opening ports on the firewall to evade detection, allowing other malicious software to be more easily dropped. As a result, the detection of crypto-jacking malware should be seen as a precursor to other threats, such as ransomware being loaded onto your cyber assets.

Targeted attacks – We also detected attack campaigns aimed at university professors to steal data and intellectual property. Since 2013, threat actors have managed to break into the accounts of thousands of professors at hundreds of universities across the world. These targeted attacks required an enormous amount of upfront reconnaissance by cybercriminals to understand each professor. This included ensuring that phishing emails had the right content to render interest, and creating links to malicious websites that successfully imitated the login page of another professor who purportedly expressed interest in the targeted professor’s research. However, once visited, these customized sites would steal login credentials that were then used to break into the targeted professor’s devices.

Critical Application Traffic Analysis

According to FortiGuard Labs data, Facebook is the most-used application at schools. While this may seem like trivial information, this information can have a profound impact on security if used correctly by cybercriminals.

Because people tend to use the same username and password for their social sites as they do for their work systems, network access, and VPN connections, this creates a potentially significant attack vector for gaining access to the educational networks that teachers, faculty, and students use daily.

In addition to stolen data, personal information posted on social media sites is regularly farmed by criminals to create highly personalized phishing attacks. Personalization increases the likelihood of someone opening a file or clicking on a link that then becomes the entry point for a successful system breach. It's worth noting that we have also documented a trend where criminals send these phishing emails during lunch, knowing that faculty and students are more likely to be viewing the email on their phone at that time. This detail is important because they also know that it's a bit harder to determine whether or not an email is a phishing attack when looking at it on a tiny screen, thereby increasing the chances of someone falling for the scam.

With that information in hand, IT teams should ensure that users never use their social media password for access into their work environment. System administrators can accomplish this through user awareness training, or by requiring two-factor authentication to help minimize this risk.

Key Takeaway: Leverage Threat Intelligence to Protect Students and Faculty

Leveraging threat intelligence collected about the education sector is a valuable tool for IT teams charged with protecting educational systems and related data. This information should also be combined with live threat intelligence streams, in-depth data analysis, and practical tips from a variety of sources to help reduce the likelihood that your institution will be part of the growing trend of cybercriminals successfully targeting educational institutions.

Learn more about Fortinet's cost-effective, simple security solutions for educational institutions.

Read more about the latest cybersecurity threat trends and the rapidly evolving threat landscape in our latest Quarterly Threat Landscape Report.