ABSA Phishing email from MTN Network

morkhans

Looks like the ABSA scammers have now moved over from Vodacom to MTN. I have forwarded this to [email protected], but have not received a response (would have expected an automated one at the least).

Return-path: <[email protected]>
Envelope-to: x
Delivery-date: Mon, 08 Mar 2010 03:36:58 -0600
Received: from atelierdeschefs.fr ([91.121.124.93]:59443 helo=ns.atelierdeschefs.fr)
by odyssey.websitewelcome.com with esmtps (TLSv1:AES256-SHA:256)
(Exim 4.69)
(envelope-from <[email protected]>)
id 1NoZOT-000823-W1
for x; Mon, 08 Mar 2010 03:36:58 -0600
Received: from apache by ns.atelierdeschefs.fr with local (Exim 4.67)
(envelope-from <[email protected]>)
id 1NoZMi-00088v-K5
for x; Mon, 08 Mar 2010 10:35:08 +0100
To: x
Subject: Important Banking Message
X-PHP-Script: 91.121.124.93/roundcube/temp/home.php for 41.125.140.92
From: Absa Online Banking <[email protected]>
Reply-To:
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Message-Id: <[email protected]>
Date: Mon, 08 Mar 2010 10:35:08 +0100
X-Spam-Status: No, score=3.2
X-Spam-Score: 32
X-Spam-Bar: +++
X-Spam-Flag: NO
 
And again today...

Return-path: <[email protected]>
Envelope-to: x
Delivery-date: Mon, 08 Mar 2010 22:21:55 -0600
Received: from atelierdeschefs.fr ([91.121.124.93]:47359 helo=ns.atelierdeschefs.fr)
by odyssey.websitewelcome.com with esmtps (TLSv1:AES256-SHA:256)
(Exim 4.69)
(envelope-from <[email protected]>)
id 1Noqx9-0007wr-4p
for x; Mon, 08 Mar 2010 22:21:55 -0600
Received: from apache by ns.atelierdeschefs.fr with local (Exim 4.67)
(envelope-from <[email protected]>)
id 1NoqvK-0006aD-Lu
for x; Tue, 09 Mar 2010 05:20:02 +0100
To: x
Subject: Important Internet Banking
X-PHP-Script: 91.121.124.93/roundcube/temp/home.php for 41.125.177.79
From: Absa Online Banking <[email protected]>
Reply-To:
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Message-Id: <[email protected]>
Date: Tue, 09 Mar 2010 05:20:02 +0100
X-Spam-Status: No, score=3.2
X-Spam-Score: 32
X-Spam-Bar: +++
X-Spam-Flag: NO
 
I had no idea we had that mail address, mail them again perhaps?

[email protected]er is a common internet standard that should be adhered to. How are people who get hacked and spammed from MTN IPs supposed to report abuse? I had a look at Afrinic and I see they have [email protected] as the contact address. I will give that a go. Also I have not received any bounce messages so the mail to [email protected] is being accepted even if no one appears to be reading it.
 
Ah, ssssee what you mean. Looks like the phishing is doing the rounds with other banks today too - I just got an SMS and an e-mail from STD Bank warning me against all this...
 
The reason I have been posting these for Vodacom and MTN is because they are local; there should be hope that the scammers can be caught (providing everyone does their part: ISP, banks & SAPS).
 
Hi

Thanks for the heads up. I have passed this info to the department that deals with this and they have already implemented a fix.

Regards
DD

I hope the fix is a swift disconnection followed by a visit from the boys in blue ;) Any confirmation on what abuse addresses to use and if they even get looked at?
 
Fresh one today.

Return-path: <[email protected]>
Envelope-to: x
Delivery-date: Wed, 10 Mar 2010 03:42:07 -0600
Received: from atelierdeschefs.fr ([91.121.124.93]:42100 helo=ns.atelierdeschefs.fr)
by odyssey.websitewelcome.com with esmtps (TLSv1:AES256-SHA:256)
(Exim 4.69)
(envelope-from <[email protected]>)
id 1NpIQY-0000S7-8F
for x; Wed, 10 Mar 2010 03:42:07 -0600
Received: from apache by ns.atelierdeschefs.fr with local (Exim 4.67)
(envelope-from <[email protected]>)
id 1NpIOf-00061f-3O
for x; Wed, 10 Mar 2010 10:40:09 +0100
To: x
Subject: Important Banking Notification
X-PHP-Script: 91.121.124.93/roundcube/temp/home.php for 41.125.172.39
From: Absa Internet Banking <[email protected]>
Reply-To:
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Message-Id: <[email protected]>
Date: Wed, 10 Mar 2010 10:40:09 +0100
X-Spam-Status: No, score=3.0
X-Spam-Score: 30
X-Spam-Bar: +++
X-Spam-Flag: NO
 
I received these today:
Received: from x (localhost.localdomain [127.0.0.1])
by x (Postfix) with ESMTP id 4BA2D2182A1
for <x>; Wed, 10 Mar 2010 09:10:33 +0200 (SAST)
X-Greylist: delayed 65277 seconds by postgrey-1.31 at x; Wed, 10 Mar 2010 09:10:32 SAST
Received: from bluehost.bluewebshop.net (bluehost.bluewebshop.net [74.54.204.114])
by x (Postfix) with ESMTP id 7736B2182A0
for <x>; Wed, 10 Mar 2010 09:10:31 +0200 (SAST)
Received: from bahmdemo by bluehost.bluewebshop.net with local (Exim 4.69)
(envelope-from <[email protected]>)
id 1Noz52-0006rE-Tb
for x; Tue, 09 Mar 2010 07:02:37 -0600
To: x
Subject: Security Update Notice
X-PHP-Script: bahmdemolition.com/setup.php for 41.125.177.79
From: ABSA Internet Banking <[email protected]>
Message-Id: <[email protected]>
MIME-Version: 1.0
Content-Type: text/html
Date: Tue, 09 Mar 2010 07:02:36 -0600

Received: from x (localhost.localdomain [127.0.0.1])
by x (Postfix) with ESMTP id 13CC02182BE
for <x>; Wed, 10 Mar 2010 10:21:03 +0200 (SAST)
X-Greylist: delayed 2468 seconds by postgrey-1.31 at dreamcoat; Wed, 10 Mar 2010 10:21:02 SAST
Received: from ns.atelierdeschefs.fr (atelierdeschefs.fr [91.121.124.93])
by x (Postfix) with ESMTP id 833FF2182BB
for <x>; Wed, 10 Mar 2010 10:21:01 +0200 (SAST)
Received: from apache by ns.atelierdeschefs.fr with local (Exim 4.67)
(envelope-from <[email protected]>)
id 1NpH8H-0008Fl-RH
for x; Wed, 10 Mar 2010 09:19:10 +0100
To: x
Subject: Important Banking Notification
X-PHP-Script: 91.121.124.93/roundcube/temp/home.php for 41.125.172.39
From: Absa Internet Banking <[email protected]>
Reply-To:
MIME-Version: 1.0
Content-Type: text/html
Message-Id: <[email protected]>
Date: Wed, 10 Mar 2010 09:19:09 +0100

I forwarded them to [email protected], [email protected], [email protected] and [email protected]. I've already received one out-of-office reply and two read receipts from @mtnbusiness.co.za addresses, so at least one of the MTN addresses is working.

Update: I received a reply from [email protected]; phishing scams should be reported to [email protected].
So far I've received one out-of-office reply, eight read receipts and one deleted-unread receipt from @mtnbusiness.co.za addresses but not one response.
 
SA's Webmail has also been targeted heavily by the Absa scammers in the past month or so. Not a day goes by without at least one in my Inbox; a colleague reported it to them but no action taken.
 
I got this too; luckily my Gmail account picked it up as spam. I thought it was quite well thought out. I'm sure some sorry sob is going to fall for it and get ripped off majorly. Sad how some people are ignorant about the internetz.
 
I think everyone is getting them. I'm on MWEB and despite forwarding the emails onto them, I get one or two every day without fail, both at work and at home.
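Added example, not posted by any participant in this thread: Python that reads header blocks like the ones quoted above, takes the oldest `Received` hop and the `X-PHP-Script` header, and groups script URLs by the client IP that requested them, which is the pairing an abuse report to the hosting provider and the access ISP needs. It assumes the `host/path for client-ip` layout seen in these headers; the function names are hypothetical and the sample input is trimmed from the posted headers.

```python
import ipaddress
import re
from collections import defaultdict
from email.parser import HeaderParser

# Header blocks trimmed from the ones posted in this thread (recipient is masked as "x").
SAMPLES = [
    "Received: from atelierdeschefs.fr ([91.121.124.93]:59443 helo=ns.atelierdeschefs.fr)\n"
    "\tby odyssey.websitewelcome.com with esmtps (Exim 4.69)\n"
    "Received: from apache by ns.atelierdeschefs.fr with local (Exim 4.67)\n"
    "X-PHP-Script: 91.121.124.93/roundcube/temp/home.php for 41.125.140.92\n",
    "Received: from atelierdeschefs.fr ([91.121.124.93]:47359 helo=ns.atelierdeschefs.fr)\n"
    "\tby odyssey.websitewelcome.com with esmtps (Exim 4.69)\n"
    "Received: from apache by ns.atelierdeschefs.fr with local (Exim 4.67)\n"
    "X-PHP-Script: 91.121.124.93/roundcube/temp/home.php for 41.125.177.79\n",
    "Received: from bluehost.bluewebshop.net (bluehost.bluewebshop.net [74.54.204.114])\n"
    "\tby x (Postfix) with ESMTP id 7736B2182A0\n"
    "Received: from bahmdemo by bluehost.bluewebshop.net with local (Exim 4.69)\n"
    "X-PHP-Script: bahmdemolition.com/setup.php for 41.125.177.79\n",
]

# Assumed layout, as seen in the thread: "<host>/<path> for <client-ip>".
PHP_SCRIPT = re.compile(r"(\S+) for (\S+)$")
LOCAL_HOP = re.compile(r"from (\S+) by (\S+) with local")

def triage(raw):
    """Return where one message was generated and which client requested the script."""
    msg = HeaderParser().parsestr(raw)
    hops = msg.get_all("Received", [])
    # The oldest hop is last; "with local" means it was submitted on that host, not relayed.
    origin = LOCAL_HOP.search(" ".join(hops[-1].split())) if hops else None
    php = PHP_SCRIPT.match(msg.get("X-PHP-Script", "").strip())
    client = None
    if php:
        try:  # header text comes from the sending host, so validate it before reporting
            client = str(ipaddress.ip_address(php.group(2)))
        except ValueError:
            pass
    return {"local_user": origin.group(1) if origin else None,
            "origin_host": origin.group(2) if origin else None,
            "script": php.group(1) if php else None, "client_ip": client}

def scripts_by_client(raws):
    """Group script URLs by requesting client IP across several messages."""
    seen = defaultdict(set)
    for t in map(triage, raws):
        if t["script"] and t["client_ip"]:
            seen[t["client_ip"]].add(t["script"])
    return {ip: sorted(s) for ip, s in seen.items()}
```

The client address is only what the web server on the sending host recorded, so it may be a proxy or NAT gateway rather than the end user's own address.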
 