Stop Phishing Scams

The Latest Phishes Sent to Penn Staters

Important message

by

This phish provides several clues revealing it as a scam message:

  • The “From” address is not actually a Penn State address
  • The “To” address is the same as the “From” address, meaning that recipients were on a Bcc list
  • The greeting is a generic “Dear User”
  • The link appears to be a Penn State link when you look at it, but it actually goes to an address in the joshuafitzgerald.com domain, which has nothing to do with Penn State

Phish from August 2, 2016 at 4:22 p.m.

From: “psu.edu” <xxxxxx@ccri.edu>
Date: Tuesday, August 2, 2016 at 4:22 PM
To: Recipients <xxxxxx@ccri.edu>
Subject: Important message

Dear User,

You have received a new message from Pennsylvania State University Admin System sent to you via Blackboard Learning System.

http://www.psu.edu/blackboard//messagecenter%0118157 <– Links to a fake Blackboard login page in the joshuafitzgerald.com domain

Greetings,

Pennsylvania State University

: IT SERVICE HELP DESK !

by

This phish provides many clues that give it away as a scam message.

  • The “From:” address has nothing to do with Penn State
  • There is no “To:” address – any message regarding your account should be addressed specifically to you
  • The greeting is a very generic “ATTENTION!!!”
  • The wording of the message is somewhat confusing
  • The link in the message points to a sitey.me address, which has nothing to do with Penn State
  • The page one is taken to is a labeled with “2016 MICROSOFT WEB-MAIL UPGREADE” – Penn State’s WebMail is not a Microsoft product, and upgrade is misspelled on the page

Phish from July 27, 2016 at 12:26 p.m.

From: “Lee, Alex” <xxxxxxx@herts.ac.uk>
Sent: Wednesday, July 27, 2016 12:26:49 PM
Subject: : IT SERVICE HELP DESK !

ATTENTION!!!

Take note of this important update that our new web mail has been improved with a new messaging system from My Access which also include faster usage on email, shared calendar,web-documents and the new 2016 anti-spam version.

Please use the link below to complete your update for our new My Access improved web mail.

CLICK on Outlook Web Access<– Links to a sitey.me fake Microsoft webmail page to update immediately.

IT SERVICE TEAM

Pennsylvania State University : Webmail Account Security Alert.

by

This phish appears to come from the Penn State Webmail team, but the “From:” address is actually a Comcast account. There is no “To:” address on the message, which indicates that everyone who received it was in the “Bcc:” field. The greeting is a very generic “Dear PSU User” rather than being personalized. If there were truly a problem with your account, you would be addressed specifically in the message. The link in the message leads to an address in the jonkerbouw.nl domain, which is definitely not a Penn State address. And this message also threatens that your account will be suspended if you don’t take immediate action – that is another clear giveaway that this is a phish.

Phish from July 26, 2016 at 2:30 p.m.

From: Penn State Webmail [mailto:xxxxxxxxxxxx@comcast.net]
Sent: Tuesday, July 26, 2016 2:30 PM
Subject: Pennsylvania State University : Webmail Account Security Alert.

Dear PSU User,

Your Penn State Webmail E-mail Account is due for upgrade.

Kindly upgrade immediately to avoid E-mail Account suspension or shut down.

Click Here To Upgrade Now <– links to a fake WebAccess page in the jonkerbouw.nl domain

Note-: Please kindly upgrade your Penn State Webmail E-mail Account immediately, failure to do so will lead to account suspension.

Regards,
|Customer Service Webmail…
© 2016 Pennsylvania State University

Message from admin-support / WARNING!!!

by

This phish attempts to pretend that your account is marked for deletion and will be going away if you do not take action. The message seems to be urgent and threatens action if the user does not click on the link.

Going through the messsage section by section, there are several issues that give it away as a phish.

  • The “From” address looks like it is sent from “PSU” or “PSU Admin” but if you examine the email address, it is a “ziggo.nlis” adress and has nothing to do with Penn State.
  • Official correspondence would reference Penn State, not “PSU”.
  • There is no greeting.
  • The text is in all capital letters.
  • You are given a link to “verify-now.” Penn State does not ask users to verify their accounts with a link.

Message from admin-support

Subject: “Message from admin-support” or “WARNING!!!”
Date: June 25, 2016 9:17 AM
From: “PSU” <jolanjanssen@ziggo.nl>

YOUR ACCOUNT IS MARKED AND WILL BE DEACTIVATED IF NOT VERIFIED NOW.

Verify-now (http://www.gloomky.com/wp-admin/css/PSU/ <- The link given has nothing to do with Penn State – it’s a gloomky.com address designed to harvest passwords.

SUPPORT TEAM

Dear

by

This phish provides plenty of tip-offs to its true nature, but someone glancing at it might be taken in. The “from” address is an actual Penn State address, but it belongs to an individual user whose account was compromised and used to send the messages – messages about your account won’t come from a person, they will come from the IT Service Desk or your department. The “to” address is a Penn State address that doesn’t actually exist, so it definitely isn’t the address of anyone who received it. The greeting on the message couldn’t be any more generic, and the poor grammar used here is a big clue that the message is bogus. The link, despite its lack of clarity, points to a forged WebAccess page which is similar to the real thing, but has a strange “submit” button and is clearly hosted on the Sitey service.

Phish from June 17, 2016 at 1:26 p.m.

From: “Penn State” <xxxxxx@psu.edu>
To: bensay@psu.edu
Sent: Friday, June 17, 2016 1:26:29 PM
Subject: Dear

User,

Due to database update done about four hours ago.
we will like to know if your current password will still be able to give you access to your E-mail account.

CLICK HERE DATABASE SYSTEM (<- points to a forged WebAccess page on Sitey) to verify your E-mail account.

We are sorry for the inconvenience.

Thank you for your support!
Sincerely,

The PSU Team
The Official Email Prov™
Please keep this email – it contains all of your important links:
==========================================================================