Archives for June 2016

Message from admin-support / WARNING!!!

June 27, 2016 by lxm30

This phish attempts to pretend that your account is marked for deletion and will be going away if you do not take action. The message seems to be urgent and threatens action if the user does not click on the link.

Going through the messsage section by section, there are several issues that give it away as a phish.

The “From” address looks like it is sent from “PSU” or “PSU Admin” but if you examine the email address, it is a “ziggo.nlis” adress and has nothing to do with Penn State.
Official correspondence would reference Penn State, not “PSU”.
There is no greeting.
The text is in all capital letters.
You are given a link to “verify-now.” Penn State does not ask users to verify their accounts with a link.

Message from admin-support

Subject: “Message from admin-support” or “WARNING!!!”
Date: June 25, 2016 9:17 AM
From: “PSU” <jolanjanssen@ziggo.nl>

YOUR ACCOUNT IS MARKED AND WILL BE DEACTIVATED IF NOT VERIFIED NOW.

Verify-now (http://www.gloomky.com/wp-admin/css/PSU/ <- The link given has nothing to do with Penn State – it’s a gloomky.com address designed to harvest passwords.

SUPPORT TEAM

Dear

June 17, 2016 by Paul Carlisle Kletchka

This phish provides plenty of tip-offs to its true nature, but someone glancing at it might be taken in. The “from” address is an actual Penn State address, but it belongs to an individual user whose account was compromised and used to send the messages – messages about your account won’t come from a person, they will come from the IT Service Desk or your department. The “to” address is a Penn State address that doesn’t actually exist, so it definitely isn’t the address of anyone who received it. The greeting on the message couldn’t be any more generic, and the poor grammar used here is a big clue that the message is bogus. The link, despite its lack of clarity, points to a forged WebAccess page which is similar to the real thing, but has a strange “submit” button and is clearly hosted on the Sitey service.

Phish from June 17, 2016 at 1:26 p.m.

From: “Penn State” <xxxxxx@psu.edu>
To: bensay@psu.edu
Sent: Friday, June 17, 2016 1:26:29 PM
Subject: Dear

User,

Due to database update done about four hours ago.
we will like to know if your current password will still be able to give you access to your E-mail account.

CLICK HERE DATABASE SYSTEM (<- points to a forged WebAccess page on Sitey) to verify your E-mail account.

We are sorry for the inconvenience.

Thank you for your support!
Sincerely,

The PSU Team
The Official Email Prov™
Please keep this email – it contains all of your important links:
==========================================================================

Sign-in Attempt

June 15, 2016 by Paul Carlisle Kletchka

This phishing message really tried to look like it was from Penn State, but didn’t do a great job of it. The “from” address spoofed a Penn State address, but was actually a compromised California State University, Fresno address. There was no “to” address, meaning that anyone who received this got it via a blind courtesy copy (BCC). The phishers tried to use an image, but the URL for it didn’t work properly. The spelling and grammar in the message isn’t the worst we’ve seen, but it’s bad enough to be a tip-off that something isn’t right. And the link in the message goes to a forged Cal State Fresno website that is clearly hosted on Weebly.

Phish from June 16, 2016 at 6:58 p.m.

From: “service@psu.edu” <xxxx@csufresno.edu>
Sent: Wednesday, June 15, 2016 6:58:00 PM
Subject: Sign-in Attempt

On Tuesday, June 14, 2016 5:38 PM GMT+2, we noticed several unsuccessful sign in attempt to your Email account from an unrecognised device in Mexico.

If this was you, it’s okay you’re all set!

If this wasn’t you and believe someone may have tried to access your account, please review your information to protect your Email account here (<- goes to a forged Cal State Fresno website hosted on Weebly) and update your account recovery information.

Penn State campus email technology service.

Replies sent to this email cannot be answered.

WARNING: Closing & Deleting Your Account in Progress!

June 4, 2016 by Paul Carlisle Kletchka

This phish gives the appearance of coming from Penn State by using the name “PennState Admin” in its from address and the body of the message, but those are the only references to Penn State you’ll see. The actual from address is a compromised account from another country. The link in the message is not a Penn State Web address, and it points to a generic login page. Additionally, this message has no to address, a generic greeting, claims that you asked to have your account shut down, and threatens the loss of “all features associated with your account.” All of these problematic traits are big indicators of this being a phish.

Phish from June 4, 2016 at 7:03 a.m.

From: “PennState Admin” <ace.rajshahidiv@lged.gov.bd>
Sent: Saturday, June 4, 2016 7:03:12 AM
Subject: WARNING: Closing & Deleting Your Account in Progress!

Dear User,

PennState Admin received your request to shutdown your account

We will process your request within 24 hours.

All features associated with your account will be lost.

To retain your account, kindly Cancel Request to continue using our
services.

RECTIFY THIS PROBLEM & CANCEL http://cncldatvtnnow.voici.org/ (<- Link goes to a generic login page that has nothing to do with Penn State)