‘Easy’ email hack spams thousands of Ryerson engineering students

One of the emails sent on Monday night.


A Ryerson email list has been disabled after a bogus email account infiltrated students’ inboxes with a slew of spam messages Monday night.

An unknown person or group used a website called deadfake.com to create a fake, anonymous email address that sent out spam emails to an engineering email listserv run by Ryerson’s Computing and Communications Services (CCS).

“The fake emails arrived at our mailing list server and were enough to fool the mailing list server into redistributing them to all the engineering students,” said Brian Lesser, CCS director.

Lesser said spam has entered Ryerson’s servers in the past, but never to this scale.

“It’s the scale of persistence of this person or people that makes it so noteworthy,” he said.

It wasn’t hard for the spam to permeate Ryerson’s system, he added.

“Once you realize there’s a service and you have the intention, then it is relatively easy,” he said.

“All they needed was to know the name of the mailing list — the email address — and the email address of someone who is allowed to send mail to it.”

Fourth-year engineering student Jeric Estiaga said he thought the first fake email he received was legitimate. He said it wasn’t until he received a second email, in which the hacker or hackers described how “even a no brainer could find a hack around (Ryerson’s) system,” that he realized it was spam.

“Everyone found out and started using it, sending whatever they wanted to send,” he said. “Some people sent pictures of Nicholas Cage. It was kind of random.”

Lesser said spam in general is a difficult problem to fully combat, but he would like to see more safeguards in place in Ryerson’s system so this could have been avoided.

“The site they used probably is on some blacklist somewhere,” he said. “I’m not sure why our blacklisting didn’t catch it.”

Toronto police Const. Wendy Drummond said there is nothing nefarious about creating an email address; what matters is how the email is used.

“It’s what you do with that email address,” she said. “If you then obtain information fraudulently through trying to get information from that person’s account to cause them to have a virus, that kind of thing, now there’s some type of criminal attempt.”

Lesser said CCS is reviewing what happened, but nobody’s email account was compromised in the process.

“This is basically spam,” he said. “We’re working on a broader, better fix for the mailing list system so that it’s harder to fake email.”

This story was first published in The Ryersonian, a weekly newspaper produced by the Ryerson School of Journalism, on October 2, 2013.
