
Thread: Another ABSA scam

  1. #1
    Diamond Member AndyD's Avatar
    Join Date
    Jan 2010
    Location
    Cape Town
    Posts
    4,403
    Thanks
    513
    Thanked 854 Times in 687 Posts

    Another ABSA scam

    Strange that about 90% of all the scam banking emails I capture are hitting Absa.

    Most of them are obvious as hell with the usual misspellings, atrocious grammar and originating from a gmail addy. Apart from the spelling and grammar being passable, I thought this one deserved a special mention primarily because the address it came from was drew.barry@absa.co.za. This means, somewhat worryingly, that it originated from the genuine Absa domain, which means either it's an inside job or they have security holes in their systems you could drive a truck through. Either way the originating email address might make it plausible enough for some of their less net-savvy customers to get nailed.

    Dear Valued Customer,

    Access to your online banking account has been suspended.
    This is due to many failed Login Attempts from unrecognized IP.

    To re-gain access, you have to confirm your online banking details.
    To Continue, Please follow the link below providing the
    required information's correctly.

    Click here to gain Access



    Customer Service Security Team, Thank you for your co-operation.



    Absa Bank 2012
    The 'click here' hyperlink is http://iaido.co.kr/data/data/doc/html/main.php(211.247.239.15)
    I'm going to strongly recommend you don't follow the URL (which leads to a Korean web site), unless you know what you're doing and take the usual precautions.

    Edit, sorry about the codeboxes, not sure how to prevent the board parsing links.
    Last edited by AndyD; 01-Apr-12 at 02:51 PM.
    _______________________________________________
    I am special and so is Vanash.
    _______________________________________________

  2. Thanks given for this post:

    Vanash Naick (15-Apr-13)

  3. #2
    Site Caretaker Dave A's Avatar
    Join Date
    May 2006
    Location
    Durban, South Africa
    Posts
    20,980
    Thanks
    3,055
    Thanked 2,463 Times in 2,068 Posts
    Blog Entries
    12
    Quote Originally Posted by AndyD View Post
    Edit, sorry about the codeboxes, not sure how to prevent the board parsing links.
    Wrap the part you don't want parsed in [NOPARSE] tags
    The trouble with opportunity is it normally comes dressed up as work.

  4. Thanks given for this post:

    AndyD (01-Apr-12)

  5. #3
    Silver Member
    Join Date
    Jan 2012
    Location
    Johannesburg
    Posts
    305
    Thanks
    112
    Thanked 53 Times in 40 Posts
    I receive those emails every day, I did forward them to ABSA, to this day I haven't had a reply from them
    ---There is no traffic at the extra mile---

  6. #4
    Diamond Member AndyD's Avatar
    Join Date
    Jan 2010
    Location
    Cape Town
    Posts
    4,403
    Thanks
    513
    Thanked 854 Times in 687 Posts
    Yep, so do I and I don't have / have never had an Absa account but most of them don't come from mail addresses on Absa's own domain whereas this particular one did.
    _______________________________________________
    I am special and so is Vanash.
    _______________________________________________

  7. #5
    Site Caretaker Dave A's Avatar
    Join Date
    May 2006
    Location
    Durban, South Africa
    Posts
    20,980
    Thanks
    3,055
    Thanked 2,463 Times in 2,068 Posts
    Blog Entries
    12
    ABSA used to have a free email service offering, but I don't think it was on the absa domain.

    I take it you examined the email header information to check if it wasn't merely a forged header, Andy?
    The trouble with opportunity is it normally comes dressed up as work.

  8. #6
    Diamond Member AndyD's Avatar
    Join Date
    Jan 2010
    Location
    Cape Town
    Posts
    4,403
    Thanks
    513
    Thanked 854 Times in 687 Posts
    Yep, I did run through the IP trail in the header info; if it's been manipulated it's a better forgery than most. There's no originating IP, which suggests it could have come from a Gmail type system or it's been manipulated to remove it. I did DNS lookups on all of the SMTP servers in the received header info and they all checked out except one, on which the ARIN register didn't throw any light either. I posted on another forum for clarification on it and the jury is still out, but I have a feeling it's obfuscation by proxy.

    The return-path/reply-to are to ABSA but could have been manipulated. This would tally from the social engineering aspect of the recipient not being required or encouraged to reply to the email; instead the whole focus is to get you to follow the website link.

    To be honest it could be a well manipulated header, maybe someone using an open mail relay. If I get any more concrete info I'll let you know.
    _______________________________________________
    I am special and so is Vanash.
    _______________________________________________

  9. Thanks given for this post:

    Blurock (11-Feb-13)

  10. #7
    Site Caretaker Dave A's Avatar
    Join Date
    May 2006
    Location
    Durban, South Africa
    Posts
    20,980
    Thanks
    3,055
    Thanked 2,463 Times in 2,068 Posts
    Blog Entries
    12
    This one was sent via AOL - similar situation to what Andy reported, except phishing as from an FNB email addy.
    Code:
    Return-path: <bobboshirl@aol.com>
    Envelope-to: [<me]
    Delivery-date: Wed, 04 Apr 2012 07:52:56 +0200
    Received: from oms-db04.r1000.mx.aol.com ([205.188.58.4])
    	by oran.eh-servers.net with esmtp (Exim 4.69)
    	(envelope-from <bobboshirl@aol.com>)
    	id 1SFJ9L-0004Dn-J5
    	for [me]; Wed, 04 Apr 2012 07:52:55 +0200
    Received: from mtaomg-db05.r1000.mx.aol.com (mtaomg-db05.r1000.mx.aol.com [172.29.51.203])
    	by oms-db04.r1000.mx.aol.com (AOL Outbound OMS Interface) with ESMTP id 33CA71C00008A;
    	Wed,  4 Apr 2012 01:52:51 -0400 (EDT)
    Received: from core-die001a.r1000.mail.aol.com (core-die001.r1000.mail.aol.com [172.29.231.65])
    	by mtaomg-db05.r1000.mx.aol.com (OMAG/Core Interface) with ESMTP id D490BE000082;
    	Wed,  4 Apr 2012 01:52:48 -0400 (EDT)
    X-MB-Message-Source: WebUI
    Subject: FNB :-) R1896.47 paid from cheq a/c..136461
    X-MB-Message-Type: User
    MIME-Version: 1.0
    From: "inContact@fnb.co.za" <bobboshirl@aol.com>
    Content-Type: multipart/mixed; 
     boundary="<hr />---MB_8CEE03E4CBB8F96_9E4_2B733_webmail-d001.sysops.aol.com"
    X-Mailer: AOL Webmail 35911-STANDARD
    Received: from 41.23.35.126 by webmail-d001.sysops.aol.com (205.188.181.92) with HTTP (WebMailUI); Wed, 04 Apr 2012 01:52:48 -0400
    Message-Id: <8CEE03E4CB92E35-9E4-BC01@webmail-d001.sysops.aol.com>
    X-Originating-IP: [41.23.35.126]
    Date: Wed, 4 Apr 2012 01:52:48 -0400 (EDT)
    x-aol-global-disposition: S
    X-SPAM-FLAG: YES
    X-AOL-VSS-INFO: 5400.1158/79760
    X-AOL-VSS-CODE: clean
    X-AOL-SCOLL-SCORE: 1:2:251064160:93952408  
    X-AOL-SCOLL-URL_COUNT: 1  
    X-AOL-REROUTE: YES 
    x-aol-sid: 3039ac1d33cb4f7be1b05b86
    X-Spam-Status: No, score=4.6
    X-Spam-Score: 46
    X-Spam-Bar: ++++
    X-Ham-Report: Spam detection software, running on the system "oran.eh-servers.net", has
    	identified this incoming email as possible spam.  The original message
    	has been attached to this so you can view it (if it isn't spam) or label
    	similar future email.  If you have any questions, see
    	the administrator of that system for details.
    	Content preview:  A payment has been made to your account. please find attached
    	your FNB account statement in your email. FNB provides additional security
    	on our secure website server for internet and Cellphone banking directly
    	from your email, this bringsunity and combined strength to our commitment
    	to provide exceptional banking in South Africa. [...] 
    	Content analysis details:   (4.6 points, 5.0 required)
    	pts rule name              description
    	---- ---- ---- ---- ----  ----  ---- ----
    	1.3 RCVD_IN_RP_RNBL        RBL: Relay in RNBL,
    	https://senderscore.org/blacklistlookup/
    	[205.188.58.4 listed in bl.score.senderscore.com]
    	-0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at http://www.dnswl.org/, no
    	trust
    	[205.188.58.4 listed in list.dnswl.org]
    	3.0 AXB_X_AOL_SEZ_S        AOL said this is S
    	0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail provider
    	(bobboshirl[at]aol.com)
    	0.8 SPF_NEUTRAL            SPF: sender does not match SPF record (neutral)
    	-0.0 T_RP_MATCHES_RCVD      Envelope sender domain matches handover relay
    	domain
    	1.0 MISSING_HEADERS        Missing To: header
    	0.0 T_HTML_ATTACH          BODY: HTML attachment to bypass scanning?
    	0.4 HTML_IMAGE_RATIO_02    BODY: HTML has a low ratio of text to image area
    	-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
    	[score: 0.0000]
    	0.0 HTML_MESSAGE           BODY: HTML included in message
    X-Spam-Flag: NO
    X-Brightmail-Tracker: AAAAAhp1PMsadjHc
    X-Brightmail-Tracker: AAAAAA==
    Note the From: line.

    I'm not familiar with the AOL interface, but they're probably using the FNB email account as the "account name" in AOL to create the illusion.
    The trouble with opportunity is it normally comes dressed up as work.
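
A small header triage script, added here as an example and not code from the thread, covering the two checks discussed in posts #6 and #7: walking the Received chain oldest-first to recover the originating IP (cross-checked against X-Originating-IP, returning nothing when the two disagree) and flagging a From: line whose display name is itself an address on a different domain. The sample headers are a constructed, trimmed copy of the AOL headers quoted above with the recipient replaced by a placeholder address.

```python
import email
import email.utils
import re

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample: a trimmed copy of the AOL headers quoted above, with the
# recipient replaced by a placeholder address.
RAW = (
    "Received: from oms-db04.r1000.mx.aol.com ([205.188.58.4])\n"
    "\tby oran.eh-servers.net with esmtp (Exim 4.69)\n"
    "\tfor <recipient@example.invalid>; Wed, 04 Apr 2012 07:52:55 +0200\n"
    "Received: from mtaomg-db05.r1000.mx.aol.com (mtaomg-db05.r1000.mx.aol.com [172.29.51.203])\n"
    "\tby oms-db04.r1000.mx.aol.com (AOL Outbound OMS Interface) with ESMTP id 33CA71C00008A\n"
    'From: "inContact@fnb.co.za" <bobboshirl@aol.com>\n'
    "Received: from 41.23.35.126 by webmail-d001.sysops.aol.com (205.188.181.92) with HTTP (WebMailUI)\n"
    "X-Originating-IP: [41.23.35.126]\n\n"
)

def received_hops(msg):
    """Received hops oldest-first as (from_host, by_host, ip); ip is None if absent."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):   # top header is the newest hop
        value = " ".join(raw.split())                   # unfold continuation lines
        m = re.match(r"from (?P<frm>.*?) by (?P<by>\S+)", value)
        if m:
            ip = IP_RE.search(m.group("frm"))
            hops.append((m.group("frm").split()[0], m.group("by"), ip.group(1) if ip else None))
    return hops

def originating_ip(msg):
    """IP in the oldest hop, cross-checked against X-Originating-IP; None if they disagree."""
    hops = received_hops(msg)
    first = hops[0][2] if hops else None
    claimed = IP_RE.search(msg.get("X-Originating-IP", ""))
    if claimed and first and claimed.group(1) != first:
        return None                                     # forged or rewritten: trust neither
    return first or (claimed.group(1) if claimed else None)

def from_display_mismatch(msg):
    """True when the From: display name is itself an address on another domain."""
    name, addr = email.utils.parseaddr(msg.get("From", ""))
    if "@" not in name or "@" not in addr:
        return False
    return name.rsplit("@", 1)[1].lower() != addr.rsplit("@", 1)[1].lower()

def analyse(raw):
    msg = email.message_from_string(raw)
    return {"hops": received_hops(msg), "origin": originating_ip(msg),
            "from_mismatch": from_display_mismatch(msg)}
```

Only the hops written by your own receiving server (here the top one, by oran.eh-servers.net) are trustworthy; everything below it was supplied by the sender's side and can be fabricated, which is why the script refuses to name an origin when the chain and X-Originating-IP contradict each other.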

  11. #8
    New Member
    Join Date
    Feb 2013
    Location
    Johannesburg
    Posts
    3
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Nothing to do. I think Absa is not well for internet banking.

  12. #9
    Diamond Member Blurock's Avatar
    Join Date
    May 2010
    Location
    Durban
    Posts
    3,439
    Thanks
    660
    Thanked 765 Times in 630 Posts
    Blog Entries
    1
    I do not have any Absa accounts, so this is obviously another scam. Comes with Absa logo, the lot.

    I bet that if you report this to the police or to Absa, they will do nothing but say "let the buyer beware".

    Absa Logo <http://absa.co.za/deployedfiles/Assets/Richmedia/Absacoza%20Theme/pics/masthead/absa_logo.gif>


    Congratulations,

    For using your Absa Debit and Cheque Card in the month of August you have earn 10% back on all your spending.

    Please click here <http://avantgardenias.com/_vti_info> to view your Cash Rewards balance and get discount vouchers and coupons here.

    Absa Rewards is a revolutionary loyalty programme that rewards you whenever you use your Absa Debit, Cheque or Credit Card - up to 1% back - no matter where you shop. What's more, earn up to 10%


    ________________________________


    Receive, review, pay and organize all your bills online.

    Alert: (215934610)
    Document Reference: (87906628)
    Excellence is not a skill; it's an attitude...

  13. #10
    Bronze Member Hermes14's Avatar
    Join Date
    Mar 2013
    Location
    Fourways
    Posts
    150
    Thanks
    3
    Thanked 31 Times in 26 Posts
    Absa does have a fraud hotline you can report it to 0860 557 557.
    http://www.absa.co.za/Absacoza/Secur...-fraud-warning.
    Email addresses that contain "Absa" like the one AndyD has posted are something their internal security can follow up on.
