Phishing scam hits NIU student and faculty emails

By Dave Gong

DeKALB | On April 1, Epsilon Corporation, a third-party email marketing company, suffered a large security breach during which email addresses were obtained, possibly including a number of NIU student and faculty email addresses.

According to a release from Jim Fatz, NIU Information Security and Operation director, the attack appears to be the largest in history.

Fatz said the hacker most likely gained access to the database using an injection attack. During an injection attack, a hacker may find and exploit a vulnerability in a database and use that vulnerability to gain access to the database, he said.

Fatz said Epsilon has about 2,500 clients including companies such as Chase bank and Best Buy.

“There could be hundreds of thousands of emails that were compromised,” Fatz said.

The breach represents the threat of “spear phishing”, which is an attempt by a hacker to gain personal information from a user by sending out emails impersonating a legitimate company with which the user has had a prior relationship with. This differs from regular “phishing”, where the hacker will send out emails to hundreds of people at a time, with limited results.

Fatz said because the emails were stolen from a database with information on users with legitimate accounts, scammers can tailor their emails to try to trick the user into providing personal information.

Phishing is not an easy thing for the university to identify and block as the emails have no virus signatures, he said. However, there are steps the university can take to try to prevent phishing.

“If we know we are being targeted, we will block the source at the edge of our network,” Fatz said. “We have done this periodically in the past.”

Fatz said he has not noticed any specific targeting of the university in this instance.

Students and faculty can protect themselves by never providing their personal information when solicited.

“There’s no way in the world any legitimate company will initiate contact and ask you for your password,” Fatz said. “Nobody should ever provide their password unless they initiate the contact themselves.”

According to the release, students or faculty who fall victim to password or information breaches should call the ITS Helpdesk at 815-753-8100.