ABSA: Dodgy email?

[.geek]

I just received the following:

Subject: Important Message From Absa Customer Services Team
From: Absa Internet Banking <customer.services@absa.co.za>

Content-Type: text/html

Content-Transfer-Encoding: 8bit




<table border="1" cellspacing="1" style="border-collapse: collapse" bordercolor="#111111"



width="550" id="AutoNumber2">

<tr>

<td width="100%" dir="ltr">

<img border="0" src="https://ib.absa.co.za/ib/images/logo.gif" width="116" height="74"><hr



color="red" dir="ltr">

<table border="0" cellspacing="1" style="border-collapse: collapse" bordercolor="#111111"



width="100%" id="AutoNumber3">

<tr>

<td width="100%">

<p dir="ltr"><font style="font-size: 19pt" color="pink">

Personal & Business account</font></td>

</tr>

</table>

<table border="1" cellspacing="1" style="border-collapse: collapse" bordercolor="red"



width="550" id="AutoNumber1" bgcolor="pink">

<tr>

<td width="100%"><font color="#000080"><b>Security Alert</b></font>

<p><font color="#000080">We recently have determined



that different computers have logged into your<br>

Absa Internet Banking account, and multiple password failures were present



before the logons.<br>

In this manner for your security, your specified access account has been locked and needs to



be reactivated, in order for it to remain active, please Use the link below to proceed and



access your account.</font></p>

<p><a href="http://www.sadanet.or.id/ind/inter.php">

https://ib.absa.co.za/ib/ib.jsg</a></td >

</tr>

</table>

</td>

</tr>

</table>



<html><script language="JavaScript"></script></html>

Has anybody else received something similar?

 

[qinglung]

Phising email!

Notice that the link it takes you to is: http://www.sadanet.or.id/ind/inter.php

Definitely not an ABSA website!

 

[.geek]

Yeah, I saw that.

I emailed ABSA to let them know about it for what it's worth...

 

[Gunther]

Thats so messed up.

 

[medicnick83]

Yeah, I saw that.

I emailed ABSA to let them know about it for what it's worth...

Good one boet... It's good they know about this so they can find a way to let their users know about it and stop them from clicking it or educate their users on what this type of scam is out.

 

[TelkomUseless]

Click on the link, and fill in F)CK YOU in all the textboxes!!

Thats what I did!

 

[medicnick83]

Click on the link, and fill in F)CK YOU in all the textboxes!!

Thats what I did!

Clearly, you have way to much time on YOUR hands

 

[.geek]

Lol!

 

[Pooky]

Got one like this from Nedbank. I informed them.

 

[LandyMan]

And the minute you press submit, it takes you to the real ABSA site.

Do you think they understand the word p**s ... it featured a couple of times in my "details"

 

[gregmcc]

Its nothing new - phishing mails have been targeted to all the major banks already and most of the banks have sent out info or have info on their web sites onhow to spot fake mails.

If you want to be 100% you never hit a phishing site just dont click on any links in emails. Cut and paste the url in, or better still type it out manually.

 

[mh348]

I receive quite a few phishing emails for nedbank, standard, absa & fnb. I just mark it as spam or as a phishing mail in gmail.

 

[bodhi]

i even received similiar emails from "NedBank" - although i have always been an ABSA o) customer

 

[gregmcc]

The mails are targeted to just about everyone, so you don't need to be a customer of theirs. If they send out phishing mails for the top 5 banks they can be sure to hit the correct people.

 

[.geek]

Reply from Virgin Money (who use ABSA's internet banking interface):

The e-mail you have received was in fact sent from a legitimate e-mail address. The message was however sent to you in error.

If you require any further assistance please contact us again on services@virginmoney.co.za or call our contact centre on 0860 8666 39.

Anyone can fake a "from" address. I asked them if they even had a look at the url: http://www.sadanet.or.id/ind/inter.php which is definately not legitimate. They simply styled their bogus form to look like that of ABSA's. They link directly to the images on ABSA's server e.g. https://ib.absa.co.za/ib/images/logo.gif

I can't believe that is Virgin Money's reply.

Edit: www.sadanet.or.id appears to be down and I just got an alert in Firefox warning me that the site has been reported as forgery.

 

[Tokolotshe]

Yes it is down

If you receive something like this, take the following steps:
Report at CastleCops (PIRT) http://www.castlecops.com/pirt

Phishing Incident Reporting and Termination (PIRT) Squad(SM)

A global phishing termination operation launched by CastleCops and Sunbelt Software, the volunteer PIRT Squad is comprised of folks who report phish, investigate phish, and actively work on phish takedown and termination (original concept by Robin Laudanski). PIRT(SM) is funded by CastleCops. Become a PIRT Squad terminator by reporting phish today!

Next move to Netcraft and report it there: http://toolbar.netcraft.com/report_url

If you receive a phishing mail, please report the URL of the attacker's site. If you are unable to see the attacker's URL (e.g. because of javascript or pop-up blocking) please send the original mail to scam@netcraft.com as an attachment.

The entire toolbar community will benefit from your vigilance.

We define a phishing URL as one that is attempting to impersonate a site operated by an organisation with which the victim of the phishing attempt has an existing relationship, in order to obtain passwords or other personal information for use in some type of fraud.

This will really stuff the phisher up since FireFox and IE will now suddenly start displaying those forgery notices when you go to the URL .

Please do not fill these forms with data, not junk and most definitely not real. This does cause a problem for those folks investigating such incidents and delays the process, these delays even causing the phisher to get away with real details and use it.

Another danger when visiting these URLs is drive by downloads onto your system if you are using MS and not fully patched, and maybe even then. A nice (not) key logger is not uncommon.

 

[Waldol]

Anyone can fake a "from" address.

That is the essence of the tecnical problem. (User education is the other issue).

The technical problem can be addressed to a large extent if the banks publish SPF records for their domains, and ISPs check the SPF data before accepting emails.

That way some Kazakstanian twit cannot pretend to be bankmanager@absa.co.za.

For more about SPF, see: http://www.openspf.org/FAQ/What_it_does

 

[Mastercarder]

I'm not saying it's unfounded, but people are way too paranoid about the whole phishing thing. Not EVERY e-mail asking you to update details is a scam. I've recieved dodgy SMSs from 'ABSA' saying I must call some woman back to verify info or my account would be closed in 3 days. Obviously I thought it was a scam but when I contacted them myself to check if this was legit... low and behold...

Still - seems a little unprofessional but I guess that's African banking for you

 

[wcoetzee]

listen its very easy, DO NOT RESPOND TO ANY EMAIL ; DO NOT RESPOND TO ANY SMS
PICK UP YOUR FAT LAZY ASS AND GO TO YOUR BANK ( personaly )AND ASK WHAT THE HELL THIS SMS OR EMAIL IS ALL ABOUT.
ITS AS EASY AS THAT

 

[ambo]

The technical problem can be addressed to a large extent if the banks publish SPF records for their domains, and ISPs check the SPF data before accepting emails.

At least 2 out of the 'big 4' banks already have SPF records (I don't have the latest stats) and a number of ISP's already check this. However people are not very careful when looking at the source address of emails and many of them don't even claim to come from a bank email address.

It is EXTREMELY important that you report every questionable mail to either the relevant bank or your ISP. There are processes in place to shut down the scams but only if you keep them informed.