A Missouri State Democratic Party email seeking interns helped jumpstart a phishing attempt after the email accidentally ended up in the inboxes of most faculty, staff and student inboxes at the University of Missouri.
The debacle dubbed the “#FallInternshipSpam”, was triggered when an email sent early Monday morning by the Democratic Party under the subject line “Fall Internships” was accidentally emailed to a listserve containing nearly university email addresses initially believed to be a single address.
"One of the coordinated staffers was reaching out to folks from a publicly available student directory they found online and they didn't realize one address was a listserve," Party spokeswoman Brooke Goren told the Columbia Tribune. "It wasn't anything intentional, they were just trying to get more students involved."
Basi said the email list wasn't provided to the Democrats but noted it was publicly available for $150 per campus and has been sold previously. Once the mass email went out, a threat actor hacked a student's email account and was able to use the addresses from the Democrat's email in a phishing attempt.
Officials believe the scammer stripped the initial information from the original email and swapped it for the phishing email when they realized they could send the newly created malicious email to the entire campus.
The situation was further complicated when students responded to the phishing email and inadvertently messaged the entire campus in reply-all email chains. The incident resulted in the university having to halt email deliveries for 90 minutes Tuesday morning. MU spokesman Christian Basi said the MU Information Technology Department set its servers to accept messages but not deliver them to inboxes in order to control the email traffic.
The University's IT team was able to sort out the issue before much harm was done after temporarily suspending services. Criminal opportunists at other universities are also viewing the start of the fall semester as a chance to phish incoming staff and students.
An attacker targeted University of Oregon email accounts in messages that appeared to have been sent from other students with a message that couldn't be displayed unless users click the image.
Threat actors also sent phishing emails looking to nab banking credentials from Rollins College students and separately, threat actors looking to infect University of Arkansas students with malware sent messages claiming users need to open a malicious document for more information about their “salary increase”.