Another ABSA scam

  • AndyD
    Diamond Member

    • Jan 2010
    • 4946

    #1

    Another ABSA scam

    Strange that about 90% of all the scam banking emails I capture are hitting Absa.

    Most of them are obvious as hell with the usual misspellings, atrocious grammar and originating from a gmail addy. Apart from the spelling and grammar being passable, I thought this one deserved a special mention primarily because the address it came from was drew.barry@absa.co.za. This means, somewhat worryingly, that it originated from the genuine Absa domain, which means either it's an inside job or they have security holes in their systems you could drive a truck through. Either way, the originating email address might make it plausible enough for some of their less net-savvy customers to get nailed.

    Dear Valued Customer,

    Access to your online banking account has been suspended.
    This is due to many failed Login Attempts from unrecognized IP.

    To re-gain access, you have to confirm your online banking details.
    To Continue, Please follow the link below providing the
    required information's correctly.

    Click here to gain Access



    Customer Service Security Team, Thank you for your co-operation.



    Absa Bank ©2012
    The 'click here' hyperlink is http://iaido.co.kr/data/data/doc/html/main.php(211.247.239.15)
    I'm going to strongly recommend you don't follow the URL (which leads to a Korean web site), unless you know what you're doing and take the usual precautions.

    Edit, sorry about the codeboxes, not sure how to prevent the board parsing links.
    Last edited by AndyD; 01-Apr-12, 02:51 PM.
  • Dave A
    Site Caretaker

    • May 2006
    • 22803

    #2
    Originally posted by AndyD
    Edit, sorry about the codeboxes, not sure how to prevent the board parsing links.
    Wrap the part you don't want parsed in [NOPARSE] tags
    Participation is voluntary.

    Alcocks Electrical Services | Alcocks Pest Control & Entomological Services | Alcocks Hygiene Services


    • Nickolai Naydenov
      Silver Member

      • Jan 2012
      • 305

      #3
      I receive those emails every day, I did forward them to ABSA, to this day I haven't had a reply from them
      ---There is no traffic at the extra mile---


      • AndyD
        Diamond Member

        • Jan 2010
        • 4946

        #4
        Yep, so do I and I don't have / have never had an Absa account but most of them don't come from mail addresses on Absa's own domain whereas this particular one did.


        • Dave A
          Site Caretaker

          • May 2006
          • 22803

          #5
          ABSA used to have a free email service offering, but I don't think it was on the absa domain.

          I take it you examined the email header information to check if it wasn't merely a forged header, Andy?


          • AndyD
            Diamond Member

            • Jan 2010
            • 4946

            #6
            Yep, I did run through the IP trail in the header info; if it's been manipulated, it's a better forgery than most. There's no originating IP, which suggests it could have come from a Gmail-type system or it's been manipulated to remove it. I did DNS lookups on all of the SMTP servers in the received header info and they all checked out except one, which the ARIN register didn't throw any light on either. I posted on another forum for clarification on it and the jury is still out, but I have a feeling it's obfuscation by proxy.

            The return path/reply to are to ABSA but could have been manipulated. This would tally from the social engineering aspect of the recipient not being required or encouraged to reply to the email, instead the whole focus is to get you to follow the website link.

            To be honest it could be a well manipulated header, maybe someone using an open mail relay. If I get any more concrete info I'll let you know.


            • Dave A
              Site Caretaker

              • May 2006
              • 22803

              #7
              This one was sent via AOL - similar situation to what Andy reported, except phishing as from an FNB email addy.
              Code:
              Return-path: <bobboshirl@aol.com>
              Envelope-to: [<me]
              Delivery-date: Wed, 04 Apr 2012 07:52:56 +0200
              Received: from oms-db04.r1000.mx.aol.com ([205.188.58.4])
              	by oran.eh-servers.net with esmtp (Exim 4.69)
              	(envelope-from <bobboshirl@aol.com>)
              	id 1SFJ9L-0004Dn-J5
              	for [me]; Wed, 04 Apr 2012 07:52:55 +0200
              Received: from mtaomg-db05.r1000.mx.aol.com (mtaomg-db05.r1000.mx.aol.com [172.29.51.203])
              	by oms-db04.r1000.mx.aol.com (AOL Outbound OMS Interface) with ESMTP id 33CA71C00008A;
              	Wed,  4 Apr 2012 01:52:51 -0400 (EDT)
              Received: from core-die001a.r1000.mail.aol.com (core-die001.r1000.mail.aol.com [172.29.231.65])
              	by mtaomg-db05.r1000.mx.aol.com (OMAG/Core Interface) with ESMTP id D490BE000082;
              	Wed,  4 Apr 2012 01:52:48 -0400 (EDT)
              X-MB-Message-Source: WebUI
              Subject: FNB :-) R1896.47 paid from cheq a/c..136461
              X-MB-Message-Type: User
              MIME-Version: 1.0
              From: "inContact@fnb.co.za" <bobboshirl@aol.com>
              Content-Type: multipart/mixed; 
               boundary="<hr />---MB_8CEE03E4CBB8F96_9E4_2B733_webmail-d001.sysops.aol.com"
              X-Mailer: AOL Webmail 35911-STANDARD
              Received: from 41.23.35.126 by webmail-d001.sysops.aol.com (205.188.181.92) with HTTP (WebMailUI); Wed, 04 Apr 2012 01:52:48 -0400
              Message-Id: <8CEE03E4CB92E35-9E4-BC01@webmail-d001.sysops.aol.com>
              X-Originating-IP: [41.23.35.126]
              Date: Wed, 4 Apr 2012 01:52:48 -0400 (EDT)
              x-aol-global-disposition: S
              X-SPAM-FLAG: YES
              X-AOL-VSS-INFO: 5400.1158/79760
              X-AOL-VSS-CODE: clean
              X-AOL-SCOLL-SCORE: 1:2:251064160:93952408  
              X-AOL-SCOLL-URL_COUNT: 1  
              X-AOL-REROUTE: YES 
              x-aol-sid: 3039ac1d33cb4f7be1b05b86
              X-Spam-Status: No, score=4.6
              X-Spam-Score: 46
              X-Spam-Bar: ++++
              X-Ham-Report: Spam detection software, running on the system "oran.eh-servers.net", has
              	identified this incoming email as possible spam.  The original message
              	has been attached to this so you can view it (if it isn't spam) or label
              	similar future email.  If you have any questions, see
              	the administrator of that system for details.
              	Content preview:  A payment has been made to your account. please find attached
              	your FNB account statement in your email. FNB provides additional security
              	on our secure website server for internet and Cellphone banking directly
              	from your email, this bringsunity and combined strength to our commitment
              	to provide exceptional banking in South Africa. [...] 
              	Content analysis details:   (4.6 points, 5.0 required)
              	pts rule name              description
              	---- ---- ---- ---- ----  ----  ---- ----
              	1.3 RCVD_IN_RP_RNBL        RBL: Relay in RNBL,
              	https://senderscore.org/blacklistlookup/
              	[205.188.58.4 listed in bl.score.senderscore.com]
              	-0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at http://www.dnswl.org/, no
              	trust
              	[205.188.58.4 listed in list.dnswl.org]
              	3.0 AXB_X_AOL_SEZ_S        AOL said this is S
              	0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail provider
              	(bobboshirl[at]aol.com)
              	0.8 SPF_NEUTRAL            SPF: sender does not match SPF record (neutral)
              	-0.0 T_RP_MATCHES_RCVD      Envelope sender domain matches handover relay
              	domain
              	1.0 MISSING_HEADERS        Missing To: header
              	0.0 T_HTML_ATTACH          BODY: HTML attachment to bypass scanning?
              	0.4 HTML_IMAGE_RATIO_02    BODY: HTML has a low ratio of text to image area
              	-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
              	[score: 0.0000]
              	0.0 HTML_MESSAGE           BODY: HTML included in message
              X-Spam-Flag: NO
              X-Brightmail-Tracker: AAAAAhp1PMsadjHc
              X-Brightmail-Tracker: AAAAAA==
              Note the From: line.

              I'm not familiar with the AOL interface, but they're probably using the FNB email account as the "account name" in AOL to create the illusion.
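              Added example (not code from the thread): a Python script that applies the two checks discussed in #6 and #7 to the headers Dave A posted above, walking the Received: chain to recover each relay hop and the originating IP, and flagging a From: display name that carries an address at a different domain from the real sender. It assumes the constructed RAW_HEADERS below (trimmed from the post) and uses only the standard library.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: Dave A's posted headers, trimmed to the lines these checks use.
RAW_HEADERS = """\
Received: from oms-db04.r1000.mx.aol.com ([205.188.58.4])
\tby oran.eh-servers.net with esmtp (Exim 4.69)
\tfor [me]; Wed, 04 Apr 2012 07:52:55 +0200
Received: from mtaomg-db05.r1000.mx.aol.com (mtaomg-db05.r1000.mx.aol.com [172.29.51.203])
\tby oms-db04.r1000.mx.aol.com (AOL Outbound OMS Interface) with ESMTP id 33CA71C00008A;
Subject: FNB :-) R1896.47 paid from cheq a/c..136461
From: "inContact@fnb.co.za" <bobboshirl@aol.com>
Received: from 41.23.35.126 by webmail-d001.sysops.aol.com (205.188.181.92) with HTTP (WebMailUI); Wed, 04 Apr 2012 01:52:48 -0400
X-Originating-IP: [41.23.35.126]
"""
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def relay_chain(msg):
    # One (source_host, source_ip, receiving_host) per Received: header, in header
    # order, so the hop nearest the recipient comes first and the origin last.
    chain = []
    for rcvd in msg.get_all("Received", []):
        text = " ".join(rcvd.split())  # unfold the tab-continued lines
        m = re.match(r"from\s+(\S+)\s+(.*?)\bby\s+(\S+)", text)
        if m:
            src_host, src_extra, by_host = m.groups()
            ip = IPV4.search(src_host + " " + src_extra)
            chain.append((src_host, ip.group(1) if ip else None, by_host))
    return chain

def spoofed_display_name(msg):
    # True when the display name holds an address at a different domain than the
    # real sender address: the "inContact@fnb.co.za" <...@aol.com> trick above.
    name, addr = parseaddr(msg.get("From", ""))
    shown = re.search(r"@([\w.-]+)", name)
    return bool(shown) and shown.group(1).lower() != addr.rpartition("@")[2].lower()

def originating_ip(msg):
    # Prefer X-Originating-IP (added by the webmail provider), else the source of
    # the earliest hop, which is the last Received: header.
    m = IPV4.search(msg.get("X-Originating-IP", ""))
    chain = relay_chain(msg)
    return m.group(1) if m else (chain[-1][1] if chain else None)

def analyse(raw):
    msg = message_from_string(raw)
    return {"from_addr": parseaddr(msg.get("From", ""))[1],
            "display_name_spoof": spoofed_display_name(msg),
            "chain": relay_chain(msg), "origin_ip": originating_ip(msg)}
```

              Calling analyse(RAW_HEADERS) shows the real sender at aol.com, the spoofed fnb.co.za display name, the three relay hops and the originating IP 41.23.35.126; the hostnames in the chain are what AndyD describes looking up in DNS.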


              • Diamondza
                New Member
                • Feb 2013
                • 3

                #8
                Nothing to do. I think Absa is not well for internet banking.


                • Blurock
                  Diamond Member

                  • May 2010
                  • 4203

                  #9
                  I do not have any Absa accounts, so this is obviously another scam. Comes with Absa logo, the lot.

                  I bet that if you report this to the police or to Absa, they will do nothing but say "let the buyer beware".

                  Absa Logo <http://absa.co.za/deployedfiles/Assets/Richmedia/Absacoza%20Theme/pics/masthead/absa_logo.gif>


                  Congratulations,

                  For using your Absa Debit and Cheque Card in the month of August you have earn 10% back on all your spending.

                  Please click here <http://avantgardenias.com/_vti_info> to view your Cash Rewards balance and get discount vouchers and coupons here.

                  Absa Rewards is a revolutionary loyalty programme that rewards you whenever you use your Absa Debit, Cheque or Credit Card - up to 1% back - no matter where you shop. What's more, earn up to 10%


                  ________________________________


                  Receive, review, pay and organize all your bills online.

                  Alert: (215934610)
                  Document Reference: (87906628)
                  Excellence is not a skill; it's an attitude...


                  • Hermes14
                    Bronze Member

                    • Mar 2013
                    • 152

                    #10
                    Absa does have a fraud hotline you can report it to: 0860 557 557.
                    http://www.absa.co.za/Absacoza/Secur...-fraud-warning.
                    Email addresses that contain "Absa", like the one AndyD has posted, are something their internal security can follow up on.


                    • Mitos
                      Email problem
                      • Feb 2013
                      • 40

                      #11
                      The Absa domain for public mailing is - www.absamail.co.za
                      Last edited by Dave A; 17-Apr-13, 01:18 PM.
                      www.mitos.co.za


                      • CLIVE-TRIANGLE
                        Gold Member

                        • Mar 2012
                        • 886

                        #12
                        The first and only clue needed, from any bank, is this part "10% back on all your spending".... in your dreams..

