Visit the Pennsylvania State University Home Page

Stop Phishing Scams

The Latest Phishes Sent to Penn Staters


Please Read – Email Upgrade

November 17, 2016 by Paul Carlisle Kletchka

Phishing message from November 17, 2016 at 4:55 a.m.

From: “System Adminstrator” <admin@psu.edu>
To: (many Penn State accounts were listed in this field)
Sent: Thursday, November 17, 2016 4:55:07 AM
Subject: Please Read – Email Upgrade

Please this message is important, we are expanding and upgrading all Web E-Mailbox immediately. Please CLICK HERE (<– Links to a webydo.com site that is a generic login form) and fill the form completely so we can upgrade and validate your Web E-Mailbox.

Please if you cannot access the link, send an email to staffhelpdesk@psu.edu or staffhelpdesk@outlook.com for immediate validation process. This message is from System Administrator.

Copyright © 2016 College of Education, Penn State

Filed Under: PSU Message and Generic Site Tagged With: multiple "to" addresses, no personalization, poor grammar

Important message

August 2, 2016 by Paul Carlisle Kletchka

This phish provides several clues revealing it as a scam message:

  • The “From” address is not actually a Penn State address
  • The “To” address is the same as the “From” address, meaning that recipients were on a Bcc list
  • The greeting is a generic “Dear User”
  • The link appears to be a Penn State link when you look at it, but it actually goes to an address in the joshuafitzgerald.com domain, which has nothing to do with Penn State

Phish from August 2, 2016 at 4:22 p.m.

From: “psu.edu” <xxxxxx@ccri.edu>
Date: Tuesday, August 2, 2016 at 4:22 PM
To: Recipients <xxxxxx@ccri.edu>
Subject: Important message

Dear User,

You have received a new message from Pennsylvania State University Admin System sent to you via Blackboard Learning System.

http://www.psu.edu/blackboard//messagecenter%0118157 <– Links to a fake Blackboard login page in the joshuafitzgerald.com domain

Greetings,

Pennsylvania State University

Filed Under: PSU Message and Generic Site Tagged With: bad "from" address, bad "to" address, bad link address, generic greeting, link shown is not the real link, no personalization

WARNING: Closing & Deleting Your Account in Progress!

June 4, 2016 by Paul Carlisle Kletchka

This phish gives the appearance of coming from Penn State by using the name “PennState Admin” in its “From” address and the body of the message, but those are the only references to Penn State you’ll see. The actual “From” address is a compromised account from another country. The link in the message is not a Penn State Web address, and it points to a generic login page. Additionally, this message has no “To” address, uses a generic greeting, claims that you asked to have your account shut down, and threatens the loss of “all features associated with your account.” All of these traits are strong indicators that this is a phish.

Phish from June 4, 2016 at 7:03 a.m.

From: “PennState Admin” <ace.rajshahidiv@lged.gov.bd>
Sent: Saturday, June 4, 2016 7:03:12 AM
Subject: WARNING: Closing & Deleting Your Account in Progress!

Dear User,

PennState Admin received your request to shutdown your account

We will process your request within 24 hours.

All features associated with your account will be lost.

To retain your account, kindly Cancel Request to continue using our
services.

RECTIFY THIS PROBLEM & CANCEL http://cncldatvtnnow.voici.org/ (<- Link goes to a generic login page that has nothing to do with Penn State)

All Rights Reserved.

Filed Under: PSU Message and Generic Site Tagged With: bad "from" address, bad link address, generic greeting, no "to" address, threatens action

Unrecognized New sign-in

May 24, 2016 by Paul Carlisle Kletchka

This phish attempts to look like a friendly notice warning you that your account was accessed from Nigeria and needs your attention. Going through the message section by section, there are several issues that give it away as a phish.

  • The “From” address is a pollywood.org address and has nothing to do with Penn State.
  • The “To” address is the same as the “From” address, which means anyone who received the message was blind copied (Bcc’d) – something that would not happen with a legitimate warning about your account.
  • The time of the supposed access from Nigeria was left in local Lagos time, so it looks as though the account was accessed in the future, compared to the time the message was sent.
  • You are given a link to “retrieve your account.” We’re not sure what that means, but it’s not how you would be asked to secure your account and/or change your password.
  • The link given has nothing to do with Penn State – it’s a shibuya-denki.com address.
  • The site to which the link goes is a generic login page with no mention of Penn State. The only reason it exists is to harvest passwords.
  • There is a copyright date of 2014 given in the signature of the message. There’s no reason to copyright an account warning notice, and even if there were, it’s now 2016.

Subject: Unrecognized New sign-in
Date: Tue, 24 May 2016 09:37:46
From: Pennsylvania State University <golfnrun@pollywood.org>
To: Recipients <golfnrun@pollywood.org>

This is an automated message to notify you that a valid password was used
to login your psu.edu mail account from an unrecognized device, Today
Tuesday, May 24th, 2016 at 1:58 PM , in Lagos, Nigeria
(IP=37.77.52.17) as a result of that your account has been temporarily
suspended.

If you did this, you can safely disregard this email. If you didn’t do
this, kindly follow our review link below to retrieve your account
http://shibuya-denki.com/http:/www/ (<- This is a generic phishing site that harvests passwords)

Sincerely,
The Pennsylvania State University ©2014. All rights reserved.
[—001:000564:57449—]
Please do not reply to this message. Mail sent to this address cannot be
answered.

Filed Under: PSU Message and Generic Site Tagged With: bad "from" address, bad "to" address, bad link address, unclear instructions
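
Added example (not part of the original posts, and not Penn State's own tooling): the header and link clues called out in the August 2 and May 24 write-ups, checked in Python against a constructed message. The sample message, the `example.*` hosts and the function names are assumptions; the labels mirror the tags used on this page.

```python
import email.utils
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the clues above; example.* hosts are placeholders.
SAMPLE = """\
From: "psu.edu" <sender@mail.example.edu>
To: Recipients <sender@mail.example.edu>

<p>Dear User,</p>
<a href="http://login.example.net/bb/">http://www.psu.edu/blackboard/messagecenter</a>
"""

class LinkCollector(HTMLParser):  # gathers [href, visible text] for each <a>
    def __init__(self):
        super().__init__()
        self.links, self.cur = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.cur = [dict(attrs).get("href") or "", ""]
            self.links.append(self.cur)
    def handle_data(self, data):
        if self.cur:
            self.cur[1] += data
    def handle_endtag(self, tag):
        self.cur = None if tag == "a" else self.cur

def in_org(host, org="psu.edu"):  # exact domain or a true subdomain, not a lookalike
    return bool(host) and (host == org or host.endswith("." + org))

def phish_indicators(raw):
    msg = email.message_from_string(raw)
    sender, rcpt = (email.utils.parseaddr(msg.get(h, ""))[1].lower() for h in ("From", "To"))
    body, found = msg.get_payload(), []
    if not in_org(sender.rpartition("@")[2]):
        found.append("bad from address")
    if rcpt in ("", sender):  # missing, or identical to the sender (Bcc blast)
        found.append("bad to address" if rcpt else "no to address")
    if "dear user" in body.lower():
        found.append("generic greeting")
    parser = LinkCollector()
    parser.feed(body)
    for href, text in parser.links:
        real, shown = urlparse(href).hostname, urlparse(text.strip()).hostname
        if not in_org(real):
            found.append("bad link address")
        if shown and shown != real:  # visible text is a URL for a different host
            found.append("link shown is not the real link")
    return found
```

Calling `phish_indicators(SAMPLE)` returns every label that applies, in the order the checks run; a message sent from the organisation's own domain to a distinct recipient with in-domain links returns an empty list.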

This website is maintained by the Office of Information Security (OIS).