On Monday, Nov. 2, the admissions office began their day a little differently than usual. Monday marked the deadline for high school students to apply for dual enrollment through the college. As the employees signed in for the day, they came to realize that over 4,000 new applicants had made an account with Dynamic Forms. Pete Belk, director of admissions and recruitment, was in disbelief when he saw that there were this many late applications.
“Monday was the enrollment deadline,” Belk said. “We come in on Monday morning and see that we have thousands of applications and [we’re thinking] did everybody really wait until the last minute [to apply]? Then as we start digging a little bit more, we see that a lot of [these applications] are obviously fraudulent […] we probably had 150 or 200 out of 4000 that were legitimate.”
Belk and his team quickly shut down the application so that they could figure out a solution. This was when Belk sent out the first email to students within student services and faculty of the college addressing the issue. The admissions office and IT worked to find out where these applications were coming from and why so many had been made. By the end of the day, Belk thought that they had fixed the issues, and he sent out an email on Tuesday stating that the problem had been solved. This solution was short-lived, as the admissions office received over 1,000 more fake applications later that night.
“When we first saw something happening, we worked with Dynamic Forms to add a reCaptcha to the end of the application,” Belk said. “They added one [at the end] and another one to the beginning. Additional features were added to the application and we still ended up getting some fraudulent applications. Obviously, our admissions process was impacted by this, but we did not admit those students; no one got a username, password or access to our systems.”
As the week progressed, Belk concluded that whoever was behind this was using a code or script to be able to create so many applications at once. Whenever the admissions office and Dynamic Forms team would come up with one fix, the programmers would figure out a way around it and continue to submit more applications. Prospective students who wanted to apply were still able to create an account, but instead of getting immediate acceptance, the admissions office had to be extra cautious with who they accepted, which made the acceptance process take a little longer.
“They’ve written something that’s kind of creative in their scripts, they’re able to spoof IP addresses,” Belk said. “Initially, we could see where the IP address of the applications were coming from. There’d be 10, maybe went upwards of 50 [applications] coming from one IP address and then they switch to a different [one]. As the week went on, we started noticing that they were down to two or three [applications] per IP address, but then something happened, and we got back to 10 or more. [At first], they were putting in decent enough looking addresses that we could have thought they were real. Instead of putting Overland Park, KS it might be Overland Park, MO or instead of Johnson County they put Bourbon County. It got to be a little bit of a game for us to figure out how can we sort the list to figure out which ones are legit and which ones we think are fake.”
Belk and the admissions office never fully figured out why this occurred. While some speculated that whoever was responsible did this to gain access to college features, most people believed that they wanted to sell the “.edu” address to outsiders. When students enroll at the college, they automatically receive all the Microsoft Suite services like Word, Excel and PowerPoint. Additionally, other services like Apple Music, Amazon Prime and Spotify have discounts for college students, which could be another reason for someone wanting to get admission to the college.
On Thursday, Belk hoped that everything had been solved, and he sent out a lighthearted email that was a little more comical than the ones sent earlier in the week.
“What else are you going to do, you know?” Belk said. “There’s only so much anger [that you can have] so I thought I might as well have fun with them.”
By Friday, the number of fake applicants had decreased to around 750 and Dynamic Forms put some additional security measures in place to ensure that the admissions office would only receive applications from real students. Executive director of information security Philip Mein knows that it’s common for a fake application to be submitted every so often, but in this case the number of applications they had received was more than they’ve ever had.
“It is common to have a false application submitted into the system that we regularly remove,” Mein said. “What made this past week uncommon was the number being seen, which only meant the false applications being submitted were being done through automation rather than a manual process. The volume that came in constituted a large amount of work on our end to remove the flagged applications. We notified the vendor who then looked at their controls on the application process to protect against a scripted attack.”
Dynamic Forms is a service used by the college and many other institutions across the United States. The company claims to offer a simple way for users to take any paper-based form and translate it onto an online platform. The college has used Dynamic Forms for nearly two years, and this is the first big roadblock that has occurred because of it.
“This is a hosted solution, so the vendor (Dynamic Forms) was notified,” Mein said. “A common solution to protect against these types of automated form submissions is to place stronger reCaptcha challenges in place. These are challenges such as the ‘I am not a Robot’ checkboxes or the ‘Choose all images of the crosswalk’ that you must complete before submitting a form. The vendor uses reCaptcha tools, but they can be tuned and made more stringent, which they have been doing since being notified of the activity.”
As of now, the application is back up and running but with a few more protective measures in place to make sure something of this magnitude does not occur again. For Belk and the admissions team, this means back to business as usual.
“Several of my friends thought that with the pandemic we would be enrolling a record number of students and we’d be way behind in processing and keeping up with the demand,” Belk said. “That wasn’t the case. I wouldn’t call it a disappointment, but that was the only thing that didn’t go the way I thought it might go this [semester] with the pandemic. We’re offering virtual tours [for prospective students], meeting with students via Zoom and still doing a lot of outreach. All-in-all things have been going well, not normal, but well.”
By Alieu Jagne