
Cyber Incident Victim: University of Oregon

Date: Aug 2018

Location: United States of America

Summary

A phishing scam targeted University of Oregon email accounts, with fraudulent messages appearing to originate from other students and displaying "unable to display this message" prompts. Clicking embedded images compromised accounts, enabling attackers to send identical phishing emails to victims' recent contacts while harvesting login credentials. The university's information services department urged affected individuals to reset passwords and security questions after reporting incidents. This attack followed a separate coordinated Iranian phishing campaign that previously compromised 62 faculty accounts seeking access to academic journals, part of broader efforts targeting hundreds of universities globally. The institution's cybersecurity team remained actively engaged in assessing the scope of the newer student-focused compromise at the time of reporting.


Description

In late August 2018, the University of Oregon experienced a phishing campaign targeting student email accounts. The fraudulent emails appeared to originate from other UO students and contained messages stating "unable to display this message," prompting recipients to click on embedded images to view content. Users who interacted with these images reported subsequent unauthorized activity, where their compromised accounts automatically sent identical phishing messages to recent contacts. University Information Services identified these emails as credential harvesting attempts and advised the campus community via official communication to avoid clicking suspicious links. Students who had already submitted their login credentials through the phishing interface were instructed to immediately notify [email protected], reset their passwords, and update their security challenge questions. Chief Information Security Officer Leo Howell confirmed his department was actively investigating but could not yet quantify the number of compromised accounts, describing the response effort as "all hands on deck."


This incident occurred within a broader pattern of email-based threats targeting the university community. Earlier in August 2018, a separate coordinated Iranian phishing operation had compromised credentials for 62 UO faculty members, part of a global campaign targeting over 300 universities to steal academic research and journal access. While the late August student-focused campaign differed in tactics and apparent objectives—prioritizing credential theft over direct financial extortion or intellectual property theft—it demonstrated ongoing vulnerabilities to social engineering attacks. The university's response emphasized containment through credential resets and security question updates rather than system-wide authentication changes. Information Services maintained public advisories about diverse phishing formats, including reference to unrelated extortion attempts where attackers threatened to release embarrassing videos unless victims paid $400 in Bitcoin. The operational impact remained unquantified as investigators continued assessing the attack's scope during its active phase.
