Stop Phishing Scams

The Latest Phishes Sent to Penn Staters

Important message

by

This phish provides several clues revealing it as a scam message:

  • The “From” address is not actually a Penn State address
  • The “To” address is the same as the “From” address, meaning that recipients were on a Bcc list
  • The greeting is a generic “Dear User”
  • The link appears to be a Penn State link when you look at it, but it actually goes to an address in the joshuafitzgerald.com domain, which has nothing to do with Penn State

Phish from August 2, 2016 at 4:22 p.m.

From: “psu.edu” <xxxxxx@ccri.edu>
Date: Tuesday, August 2, 2016 at 4:22 PM
To: Recipients <xxxxxx@ccri.edu>
Subject: Important message

Dear User,

You have received a new message from Pennsylvania State University Admin System sent to you via Blackboard Learning System.

http://www.psu.edu/blackboard//messagecenter%0118157 <– Links to a fake Blackboard login page in the joshuafitzgerald.com domain

Greetings,

Pennsylvania State University

You have 1 document sent to you via Dropbox Shared Folder

by

This phish does a good job of appearing to come from Dropbox, even though it does not. However, you can tell it’s a phish from several details:

  • The generic “Recipients” in the To field
  • The lack of any mention of a specific person’s name in the greeting or information about the sharing properties of the supposed file
  • Penn State has no official affiliation with Dropbox, so you would never use your Access Account to log in to their service (Penn State uses Box, instead)
  • The address linked in the message is not a Dropbox URL, it is in the ankarabeyazesyaservisi.net domain and leads to a fake Dropbox login page

Phishing Message from 4:07 p.m. on July 25, 2016

From: “Dropbox” <no-reply@dropboxmail.com>
To: “Recipients” <no-reply@dropbox.com>
Sent: Monday, July 25, 2016 4:07:58 PM
Subject: You have 1 document sent to you via Dropbox Shared Folder

You have 1 document sent to you via Dropbox Shared Folder

View folder below and sign in with your Penn State Access ID (***@psu.edu) and password to view the shared document

View Folder <– Link goes to a fake Dropbox login page

NOTE: You are accessing a highly secured shared documents.

Enjoy,
– The Dropbox Team

Dropbox keeps your files safe, synced, and easy to share. To view the document, open folder and sign in with your email to continue to Dropbox.

© 2016 Dropbox

 

Dear

by

This phish provides plenty of tip-offs to its true nature, but someone glancing at it might be taken in. The “from” address is an actual Penn State address, but it belongs to an individual user whose account was compromised and used to send the messages – messages about your account won’t come from a person, they will come from the IT Service Desk or your department. The “to” address is a Penn State address that doesn’t actually exist, so it definitely isn’t the address of anyone who received it. The greeting on the message couldn’t be any more generic, and the poor grammar used here is a big clue that the message is bogus. The link, despite its lack of clarity, points to a forged WebAccess page which is similar to the real thing, but has a strange “submit” button and is clearly hosted on the Sitey service.

Phish from June 17, 2016 at 1:26 p.m.

From: “Penn State” <xxxxxx@psu.edu>
To: bensay@psu.edu
Sent: Friday, June 17, 2016 1:26:29 PM
Subject: Dear

User,

Due to database update done about four hours ago.
we will like to know if your current password will still be able to give you access to your E-mail account.

CLICK HERE DATABASE SYSTEM (<- points to a forged WebAccess page on Sitey) to verify your E-mail account.

We are sorry for the inconvenience.

Thank you for your support!
Sincerely,

The PSU Team
The Official Email Prov™
Please keep this email – it contains all of your important links:
==========================================================================

Sign-in Attempt

by

This phishing message really tried to look like it was from Penn State, but didn’t do a great job of it. The “from” address spoofed a Penn State address, but was actually a compromised California State University, Fresno address. There was no “to” address, meaning that anyone who received this got it via a blind courtesy copy (BCC). The phishers tried to use an image, but the URL for it didn’t work properly. The spelling and grammar in the message isn’t the worst we’ve seen, but it’s bad enough to be a tip-off that something isn’t right. And the link in the message goes to a forged Cal State Fresno website that is clearly hosted on Weebly.

Phish from June 16, 2016 at 6:58 p.m.

From: “service@psu.edu” <xxxx@csufresno.edu>
Sent: Wednesday, June 15, 2016 6:58:00 PM
Subject: Sign-in Attempt

On Tuesday, June 14, 2016 5:38 PM GMT+2, we noticed several unsuccessful sign in attempt to your Email account from an unrecognised device in Mexico.

If this was you, it’s okay you’re all set!

If this wasn’t you and believe someone may have tried to access your account, please review your information to protect your Email account here (<- goes to a forged Cal State Fresno website hosted on Weebly) and update your account recovery information.

Penn State campus email technology service.

Replies sent to this email cannot be answered.

Unrecognized New sign-in

by

This phish attempts to look like a friendly notice warning you that your account was accessed from Nigeria and needs your attention. Going through the messsage section by section, there are several issues that give it away as a phish.

  • The “From” address is a pollywood.org address and has nothing to do with Penn State.
  • The “To” address is the same as the “From” address, which means anyone who received the message was blind copied (Bcc’d) – something that would not happen with a legitimate warning about your account.
  • The time of the supposed access from Nigeria was left in local Lagos time, so it looks as though the account was accessed in the future, compared to the time the message was sent.
  • You are given a link to “retrieve your account.” We’re not sure what that means, but it’s not how you would be asked to secure your account and/or change your password.
  • The link given has nothing to do with Penn State – it’s a shibuya-denki.com address.
  • The site to which the link goes is a generic login page with no mention of Penn State. The only reason it exists is to harvest passwords.
  • There is a copyright date of 2014 given in the signature of the message. There’s no reason to copyright an account warning notice, and even if there were, it’s now 2016.

Subject: Unrecognized New sign-in
Date: Tue, 24 May 2016 09:37:46
From: Pennsylvania State University <golfnrun@pollywood.org>
To: Recipients <golfnrun@pollywood.org>

This is an automated message to notify you that a valid password was used
to login your psu.edu mail account from an unrecognized device, Today
Tuesday, May 24th, 2016 at 1:58 PM , in Lagos, Nigeria
(IP=37.77.52.17) as a result of that your account has been temporarily
suspended.

If you did this, you can safely disregard this email. If you didn’t do
this, kindly follow our review link below to retrieve your account
http://shibuya-denki.com/http:/www/ (<- This is a generic phishing site that harvests passwords)

Sincerely,
The Pennsylvania State University ©2014. All rights reserved.
[—001:000564:57449—]
Please do not reply to this message. Mail sent to this address cannot be
answered.