Stop Phishing Scams

The Latest Phishes Sent to Penn Staters

Archives for May 2016

Unrecognized New sign-in

May 24, 2016 by Paul Carlisle Kletchka

This phish attempts to look like a friendly notice warning you that your account was accessed from Nigeria and needs your attention. Going through the message section by section, there are several issues that give it away as a phish.

  • The “From” address is a pollywood.org address and has nothing to do with Penn State.
  • The “To” address is the same as the “From” address, which means anyone who received the message was blind copied (Bcc’d) – something that would not happen with a legitimate warning about your account.
  • The time of the supposed access from Nigeria was left in local Lagos time, so it looks as though the account was accessed in the future, compared to the time the message was sent.
  • You are given a link to “retrieve your account.” We’re not sure what that means, but it’s not how you would be asked to secure your account and/or change your password.
  • The link given has nothing to do with Penn State – it’s a shibuya-denki.com address.
  • The site to which the link goes is a generic login page with no mention of Penn State. The only reason it exists is to harvest passwords.
  • There is a copyright date of 2014 given in the signature of the message. There’s no reason to copyright an account warning notice, and even if there were, it’s now 2016.

Subject: Unrecognized New sign-in
Date: Tue, 24 May 2016 09:37:46
From: Pennsylvania State University <golfnrun@pollywood.org>
To: Recipients <golfnrun@pollywood.org>

This is an automated message to notify you that a valid password was used
to login your psu.edu mail account from an unrecognized device, Today
Tuesday, May 24th, 2016 at 1:58 PM , in Lagos, Nigeria
(IP=37.77.52.17) as a result of that your account has been temporarily
suspended.

If you did this, you can safely disregard this email. If you didn’t do
this, kindly follow our review link below to retrieve your account
http://shibuya-denki.com/http:/www/ (<- This is a generic phishing site that harvests passwords)

Sincerely,
The Pennsylvania State University ©2014. All rights reserved.
[—001:000564:57449—]
Please do not reply to this message. Mail sent to this address cannot be
answered.

Filed Under: PSU Message and Generic Site Tagged With: bad "from" address, bad "to" address, bad link address, unclear instructions
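
The header and link checks from the analysis above can be run mechanically. The following Python sketch is an added example, not part of the original post or any Penn State tooling; it assumes that genuine notices come from `psu.edu` or a subdomain, and the sample message is constructed from the phish above with the body shortened.

```python
import re
from datetime import datetime
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime
from urllib.parse import urlsplit

TRUSTED = "psu.edu"  # assumption: genuine notices use this domain or a subdomain

# Constructed sample: the 24 May 2016 message above, body shortened.
SAMPLE = """\
Subject: Unrecognized New sign-in
Date: Tue, 24 May 2016 09:37:46
From: Pennsylvania State University <golfnrun@pollywood.org>
To: Recipients <golfnrun@pollywood.org>

to login your psu.edu mail account from an unrecognized device, Today
Tuesday, May 24th, 2016 at 1:58 PM , in Lagos, Nigeria
kindly follow our review link below to retrieve your account
http://shibuya-denki.com/http:/www/
"""

def in_trusted(host):
    host = (host or "").lower().rstrip(".")
    return host == TRUSTED or host.endswith("." + TRUSTED)

def indicators(raw):
    """Return the blog's tags (plus a timing check) that apply to a raw message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    found = []
    if not in_trusted(sender.rpartition("@")[2]):
        found.append('bad "from" address')
    if not rcpt:
        found.append('no "to" address')
    elif rcpt == sender:
        found.append('bad "to" address')  # To equals From: recipients were Bcc'd
    hosts = [urlsplit(u).hostname for u in re.findall(r"https?://[^\s<>()]+", body)]
    if any(not in_trusted(h) for h in hosts):
        found.append("bad link address")
    # Naive wall-clock comparison, as in the post; time zones are ignored.
    m = re.search(r"([A-Z][a-z]+) (\d{1,2})(?:st|nd|rd|th), (\d{4}) at (\d{1,2}:\d{2} [AP]M)", body)
    if m and msg.get("Date"):
        claimed = datetime.strptime(" ".join(m.groups()), "%B %d %Y %I:%M %p")
        if claimed > parsedate_to_datetime(msg["Date"]).replace(tzinfo=None):
            found.append("event time after send time")
    return found
```

The suffix match in `in_trusted` requires a leading dot, so a look-alike host such as `psu.edu.example.com` or the `psu.secure` sender domain seen in other messages on this page is not treated as Penn State.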

Important Notice From Admin…

May 22, 2016 by Paul Carlisle Kletchka

This phishing message pretty much does everything wrong. The “From” address ends in @psu.secure, which is not a Penn State domain, the “To” address is the same as the “From,” the greeting is generic, the message itself is downright confusing and rife with simple grammatical mistakes, and the signature uses “PSUYI” which doesn’t correspond with the University’s identity at all. The one thing these spammers did well was to link to a forged WebAccess login page, but that page is in the drbauknecht.de domain, which is a clear indicator that it isn’t legitimate.

Phish from 5/22/2016 at 10:46 a.m.

From: “Penn State University” <noreply@psu.secure>
To: “footman” <noreply@psu.secure>
Sent: Sunday, May 22, 2016 10:46:02 AM
Subject: Important Notice From Admin…
Dear Student,

     Have you heard of the new development about the school routes and changes of Lecturals and Professors..

CHANGED_LECTURAL AND PROFESSOR (<- Links to a forged WebAccess login page in the drbauknecht.de domain)

PSUYI MANAGEMENT.

Filed Under: Fake WebAccess Tagged With: bad "from" address, bad "to" address, generic greeting, poor grammar

Mailbox Quota Cleanup

May 18, 2016 by Paul Carlisle Kletchka

This phish makes no mention of Penn State in the body of its message, but the link goes to a forged Penn State WebAccess login page. Nearly everything else about the message clearly identifies it as a phish: A “From” address entirely unrelated to Penn State, no “To” address, no personal greeting, poor grammar, a hidden link address, a threat that services will be disabled, and the generic signature of “Education Administrator.”

Phish from 5/18/2016 at 11:14 a.m.

From: “Education Admin” <eduadmin@educenter.com>
Sent: Wednesday, May 18, 2016 11:14:00 AM
Subject: Mailbox Quota Cleanup

This is to notify All educational board users (.edu) on Mailbox Quota Cleanup, If you are a staff or faculty member log on to your staff and faculty ACCESS-PAGE to clean up mailbox. Staff and Faculty Members mailbox quota size increase in progress.

Click on ACCESS PAGE (<- links to a forged WebAccess login page) to complete.

Mailbox Sending/Receiving authentication
will be disabled…

Education Administrator

Filed Under: Fake WebAccess Tagged With: bad "from" address, no "to" address, poor grammar, threatens action

Important Notice From Admin: CODE#

May 16, 2016 by Paul Carlisle Kletchka

This phish actually addressed users by their Penn State email address, but in a very confusing way. “Secure abc123@psu.edu” is not a conventional greeting. The “From” address looks Penn State-related, but uses psu.secure, which is not used by the University. This message also tells people to upgrade their server, which is not something the average person would ever need to do. The link provided goes to a forged Penn State WebAccess login page used for collecting user IDs and passwords for the scammers to use later. And finally, the message threatens that inaction will result in a required visit to an office – another common tactic that scammers use to try to trick people into falling for their trap.

Phish from 5/16/2016 at 4:16 p.m.

From: “Penn State University” <noreply@psu.secure>
To: “Xxxxx Xxxxxx” <xxxx@psu.edu>
Sent: Monday, May 16, 2016 4:16:45 PM
Subject: Important Notice From Admin: CODE#

Secure xxxx@psu.edu

Please Upgrade your server now to avoid fraud spam fake emails through our service:-

Upgrade_SSL (<- Link goes to a forged WebAccess login page)

P.s:-No action taken in the next 48hours,your mail will be disable, Hence you will need to come to our office for clearification.

Penn State Managment.

Filed Under: Fake WebAccess Tagged With: bad "from" address, poor grammar, threatens action

IT Admin Desk

May 16, 2016 by Paul Carlisle Kletchka

This phish was sent from a compromised Penn State Access Account, and put another Penn State address in the “To” field. It claims that Penn State is moving its email to a new system – TODAY. If and when Penn State makes a major change to its email system, there will be announcements made months in advance of the change to alert everyone to the plan and the cut-over date. The link in this message goes to a jimdo.com site with the Penn State academic seal on a form used to collect user IDs and passwords. The message also includes a threat of one’s account being made “inactive” if not updated – another sure sign of a phishing message.

Phishing message from 5/16/2016 at 10:09 a.m.

From: “XXXXX XXXXX” <xxxxxxx@psu.edu>
To: xxxx@psu.edu
Sent: Monday, May 16, 2016 10:09:00 AM
Subject: IT Admin Desk

Today Monday 16th May, 2016. we are upgrading our email system to Microsoft Outlook Webaccess 2016. This service creates more space and easy access to email. Please update your account by clicking on the link below and fill information for activation.

Click for Activation (<- Links to a bogus form on a jimdo.com site)

Inability to complete the information will render your account inactive.
Thank you.
IT Admin Desk

Filed Under: Penn State But Not WebAccess Tagged With: bad "from" address, bad "to" address, threatens action

This website is maintained by the Office of Information Security (OIS).