Stop Phishing Scams

The Latest Phishes Sent to Penn Staters

Sign-in Attempt

by

This phishing message really tried to look like it was from Penn State, but didn’t do a great job of it. The “from” address spoofed a Penn State address, but was actually a compromised California State University, Fresno address. There was no “to” address, meaning that anyone who received this got it via a blind courtesy copy (BCC). The phishers tried to use an image, but the URL for it didn’t work properly. The spelling and grammar in the message isn’t the worst we’ve seen, but it’s bad enough to be a tip-off that something isn’t right. And the link in the message goes to a forged Cal State Fresno website that is clearly hosted on Weebly.

Phish from June 16, 2016 at 6:58 p.m.

From: “service@psu.edu” <xxxx@csufresno.edu>
Sent: Wednesday, June 15, 2016 6:58:00 PM
Subject: Sign-in Attempt

On Tuesday, June 14, 2016 5:38 PM GMT+2, we noticed several unsuccessful sign in attempt to your Email account from an unrecognised device in Mexico.

If this was you, it’s okay you’re all set!

If this wasn’t you and believe someone may have tried to access your account, please review your information to protect your Email account here (<- goes to a forged Cal State Fresno website hosted on Weebly) and update your account recovery information.

Penn State campus email technology service.

Replies sent to this email cannot be answered.

WARNING: Closing & Deleting Your Account in Progress!

by

This phish gives the appearance of coming from Penn State by using the name “PennState Admin” in its from address and the body of the message, but those are the only references to Penn State you’ll see. The actual from address is a compromised account from another country. The link in the message is not a Penn State Web address, and it points to a generic login page. Additionally, this message has no to address, a generic greeting, claims that you asked to have your account shut down, and threatens the loss of “all features associated with your account.” All of these problematic traits are big indicators of this being a phish.

Phish from June 4, 2016 at 7:03 a.m.

From: “PennState Admin” <ace.rajshahidiv@lged.gov.bd>
Sent: Saturday, June 4, 2016 7:03:12 AM
Subject: WARNING: Closing & Deleting Your Account in Progress!

Dear User,

PennState Admin received your request to shutdown your account

We will process your request within 24 hours.

All features associated with your account will be lost.

To retain your account, kindly Cancel Request to continue using our
services.

RECTIFY THIS PROBLEM & CANCEL http://cncldatvtnnow.voici.org/ (<- Link goes to a generic login page that has nothing to do with Penn State)

All Rights Reserved.

Unrecognized New sign-in

by

This phish attempts to look like a friendly notice warning you that your account was accessed from Nigeria and needs your attention. Going through the messsage section by section, there are several issues that give it away as a phish.

  • The “From” address is a pollywood.org address and has nothing to do with Penn State.
  • The “To” address is the same as the “From” address, which means anyone who received the message was blind copied (Bcc’d) – something that would not happen with a legitimate warning about your account.
  • The time of the supposed access from Nigeria was left in local Lagos time, so it looks as though the account was accessed in the future, compared to the time the message was sent.
  • You are given a link to “retrieve your account.” We’re not sure what that means, but it’s not how you would be asked to secure your account and/or change your password.
  • The link given has nothing to do with Penn State – it’s a shibuya-denki.com address.
  • The site to which the link goes is a generic login page with no mention of Penn State. The only reason it exists is to harvest passwords.
  • There is a copyright date of 2014 given in the signature of the message. There’s no reason to copyright an account warning notice, and even if there were, it’s now 2016.

Subject: Unrecognized New sign-in
Date: Tue, 24 May 2016 09:37:46
From: Pennsylvania State University <golfnrun@pollywood.org>
To: Recipients <golfnrun@pollywood.org>

This is an automated message to notify you that a valid password was used
to login your psu.edu mail account from an unrecognized device, Today
Tuesday, May 24th, 2016 at 1:58 PM , in Lagos, Nigeria
(IP=37.77.52.17) as a result of that your account has been temporarily
suspended.

If you did this, you can safely disregard this email. If you didn’t do
this, kindly follow our review link below to retrieve your account
http://shibuya-denki.com/http:/www/ (<- This is a generic phishing site that harvests passwords)

Sincerely,
The Pennsylvania State University ©2014. All rights reserved.
[—001:000564:57449—]
Please do not reply to this message. Mail sent to this address cannot be
answered.