Southern Oregon University Breach: An Expensive Lesson

By Charles Parker, II; Cybersecurity Lab Engineer

Attackers have been motivated by money. The focus has been the cash flow for the nefarious operation. One area that receives significant attention as an attack method is social engineering or phishing. With either active or passive attacks, the effects can be substantially expensive and costly in terms of expense and hours spent fixing this issue. A sub-attack along this same idea is spear phishing or a targeted phishing attack. A very profitable version of this involves targeting the finance or accounting office staff members, as this area controls the cash and vendor payments.

In order to initiate the fraud and attack, the attackers have to make contact with the staff members. This contact is generally an email from someone in a senior position (e.g. the CEO or CFO) directs the accounting or finance staff member to wire a specific amount of funds to a bank, which happens to be in a different country and to a different bank and account number. As an alternative, the attackers could fraudulently claim to be a vendor. These attacks have been names the executive wire scam (EWS) and business email compromise (BEC).

Recent Successful Attack
The prior recent attacks have grossed the attacker anywhere from a few hundred dollars to tens of thousands of dollars. An exemplary incident occurred on April 2017 with a significant payday for the attackers. Southern Oregon University published it had been a victim of this attack. The attackers perpetrated a massive attack and fraud against the educational entity. The attackers, pretending to be Andersen Construction, sent an invoice from an email account that appeared correct, wired to an account.

This account was not Andersen Construction’s account. The attackers completed their reconnaissance of the current situation for the University, noting that Andersen Construction had been contracted to construct the University’s McNeal Pavilion and Student Resource Center. Fortunately for the University, a portion of the funds may be recovered.

Training, Training, Training
Although this is not the optimal situation for the University, this does provide a great opportunity for training. This teachable moment is for any business. When the staff receives one of these requests, the staff member should verify the direct request from the C-level or manager. This attack only requires is a simple call or email. The email, however, would need to be a newly created email, and not a reply. Also, if there were to be significant or odd changes, such as a newly created email, and not a reply to the initial email. Also, if there were to be significant or odd changes, such as a new bank, bank account number, or if the new bank is in a different country, the transaction should be verified with the appropriate parties.

The email itself should be reviewed. When there are grammar errors and/or spelling errors, there generally is a problem.

Common-sense should be applied to these circumstances. This and other successful attacks may all be used for training and to improve the business security stance.

Arsene, L. (2017, June 12). Southern Oregon university victim of $1.9 million email fraud. Retrieved from
Cluley, G. (2017, June 13). How a single email stole $1.9 million from Southern Oregon University. Retrieved from
Dellinger, A.J. (2017, June 13). Fraudulent email: Business email compromise attack costs southern Oregon university $2M. Retrieved from

About the Author
Southern Oregon University Breach: An Expensive LessonCharles Parker, II began coding in the 1980s. Presently CP is a Cybersecurity Lab Engineer at a Tier One supplier to the automobile industry.
CP is presently completing the Ph.D. (Information Assurance and Security) with completing the dissertation. CP’s interests include cryptography, SCADA, and securing communication channels.
He has presented at regional InfoSec conferences. Charles Parker, II can be reached online at [email protected] and InfoSecPirate (Twitter).

July 28, 2019

cyber defense awardsWe are in our 11th year, and Global InfoSec Awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.
Cyber Defense Awards

12th Anniversary Top InfoSec Innovator & Black Unicorn Awards for 2024 are now Open! Finalists Notified Before BlackHat USA 2024...