ABSA Phishing Scam - Scariest I've seen

Boris Becker

Expert Member
Joined
Mar 23, 2012
Messages
1,058
ABSA Phishing Scam

I received this phishing email which is the most legit phishing email I've ever seen. Looks so real. All the links are legit, except for the attachment which opens a malicious website, but the average user wouldn't easily pick that up. They'd click on the attachment thinking they're opening Striata Reader. Damn scary stuff.

It pretends to be from ABSA (officialemail@absa.co.za), has a whole long story and tells the recipient their statement is attached and to use Striata to view it (even links to download Striata Reader from the Striata website).

Here are some screen shots:
http://www.mybroadband.co.za/photos...30290/title/absa-phishing-scam-1-of-4/cat/500
http://www.mybroadband.co.za/photos...30288/title/absa-phishing-scam-2-of-4/cat/500
http://www.mybroadband.co.za/photos...30286/title/absa-phishing-scam-3-of-4/cat/500
http://www.mybroadband.co.za/photos...30284/title/absa-phishing-scam-4-of-4/cat/500


Damn these crooks are getting good :mad:

I've always said, the banks should educate consumers to look at the website address, look for the https, the padlock, etc. Had a look at the ABSA security centre and they don't mention that in the tips.
 

Frikkenator

Expert Member
Joined
Aug 23, 2006
Messages
1,801
That is friggin scary indeed! Especially clever to send it this time of the month as well! :wtf:
 

RanzB

Honorary Master
Joined
Jul 4, 2007
Messages
28,819
I keep getting these. Luckily I bank with FNB so they'll never get me :D
 

Sensorei

Executive Member
Joined
Sep 15, 2008
Messages
6,062
Forward this to Absa in case they haven't caught on yet so they can notify people by email. You might save some poor suckers.
 

Boris Becker

Expert Member
Joined
Mar 23, 2012
Messages
1,058
I don't bank with Absa, but my wife does (along with FNB). She sometimes adds my email address for statements. But it doesn't matter who you use if the scammers are good.

Emailed to absa earlier.

Thankfully we have one time pins to make payments and add beneficiaries. Many ordinary people will fall for this, especially Absa clients (bearing in mind the demographics of their client base - generally less tech savvy)
 

RoganDawes

Expert Member
Joined
Apr 18, 2007
Messages
1,212
My problem (apart from the phishing in general) is the use of the Striata reader to get to your statements. Can you imagine if the next step is to advertise an update to the reader that you need to read your statements, you click on the link, and install malware on your computer.

PDF, people! It's not that difficult!
 

Mike_E

New Member
Joined
Dec 5, 2008
Messages
9
This is an old thread, but related, I got the most legit Phishing email I've ever seen today.
Perfect spelling, formatting and sender email address. Only the *.htm attachment instead of the usual *.emc (Striata) made me wonder.

Reported it to ABSA and apparently the only difference in the legit and fake ABSA email addresses is
officialemail@absa.co.za vs. officialmail@absa.co.za (The 'e' before the ABSA domain name)

Absa now also warns that Phishing emails may come from an Absa email domain (i.e. @absa.co.za)
How is this possible? It was one of the most useful ways to determine if an email was legit???
It always had a bogus domain..

It's just getting harder and harder with the ever increasing e-scum out there..
 

Aquadyne

Expert Member
Joined
May 30, 2009
Messages
1,519
This is an old thread, but related, I got the most legit Phishing email I've ever seen today.
Perfect spelling, formatting and sender email address. Only the *.htm attachment instead of the usual *.emc (Striata) made me wonder.

Reported it to ABSA and apparently the only difference in the legit and fake ABSA email addresses is
officialemail@absa.co.za vs. officialmail@absa.co.za (The 'e' before the ABSA domain name)

Absa now also warns that Phishing emails may come from an Absa email domain (i.e. @absa.co.za)
How is this possible? It was one of the most useful ways to determine if an email was legit???
It always had a bogus domain..

It's just getting harder and harder with the ever increasing e-scum out there..
It shouldn't be possible as they exclusively control that domain name. It points to internal staff complicity then.

Unless DNS records (MX) are compromised, but highly unlikely with the bank.

However the intended victim could possibly also be compromised on the DNS routing side. (possible, but improbable)
 

supersunbird

Honorary Master
Joined
Oct 1, 2005
Messages
57,646
It isn't possible, you guys just don't know how to see the real addresses.

Show the e-mail header...
 

Hamster

Resident Rodent
Joined
Aug 22, 2006
Messages
39,947
It shouldn't be possible as they exclusively control that domain name. It points to internal staff complicity then.

Unless DNS records (MX) are compromised, but highly unlikely with the bank.

However the intended victim could possibly also be compromised on the DNS routing side. (possible, but improbable)
Really? You're telling me I can't send a mail to anybody and make it look like it came from notascam@absa.co.za using nothing but telnet?

Or did I misunderstand you?
 

esvi

Senior Member
Joined
Mar 21, 2011
Messages
504
It shouldn't be possible as they exclusively control that domain name...

Really? You're telling me I can't send a mail to anybody and make it look like it came from notascam@absa.co.za...

Yes you can. We do it all the time when sending out bulk emails on behalf of clients. It's really not difficult.

But the URLs for the links in the email should give it away if you check before clicking, which most people don't do.

My dad did this once by accident (clicked), and I got a string of mails from his email address that looked like Dropbox invites.
 

killerbyte

Expert Member
Joined
May 10, 2007
Messages
2,413
Spoofing an email address is one of the easiest tricks in the book. Hell, to make my life easier I have my firewalls send out emails using a fake email address. In my case I am using site@firewall.co.za which makes it easy for me to filter and organise my mails.
 

Milano

Honorary Master
Joined
Feb 7, 2004
Messages
16,696
I don't understand why banks send emails with attachments. Statements should all be downloaded from their websites.
 

Aquadyne

Expert Member
Joined
May 30, 2009
Messages
1,519
Really? You're telling me I can't send a mail to anybody and make it look like it came from notascam@absa.co.za using nothing but telnet?

Or did I misunderstand you?
No you misunderstood my response and I guess I also wasn't 100% clear for sake of brevity.

Normally one can see that the originating email and spoofed email are different by looking at the headers. Basic stuff. The intention is for the email response to be sent back to the "criminal element" and therefore it normally differs from the actual domain eg. @absa.co.za

My contention was that any email response sent to any email in the @absa.co.za domain would mean that someone at ABSA would be complicit - unless the response email was intercepted or rerouted prior to it reaching the actual ABSA mail servers. This scenario is possible, but it is complicated and will involve sophistication beyond what is normally a bulk fishing expedition and would require a far more targeted approach.

I was not merely pointing to the spoofing of an email address as it seems by the responses that was what was understood. As you were.
 

Aquadyne

Expert Member
Joined
May 30, 2009
Messages
1,519
This of course does not address the probability of any attachments or links pointing to a third party domain that will be imbedded within the email.
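
The header comparison discussed in this thread (displayed From address versus envelope sender, Reply-To and the receiving server's authentication verdicts, plus the *.htm versus *.emc attachment tell), as an added example that is not part of any post. The sample message, the hostname mx.example.net and the domain bulk-sender.example are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: From shows absa.co.za, but the other headers disagree.
SAMPLE = """\
Return-Path: <bounce@bulk-sender.example>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=bulk-sender.example; dkim=none; dmarc=fail header.from=absa.co.za
From: "ABSA" <officialemail@absa.co.za>
Reply-To: statements@bulk-sender.example
Subject: Your statement
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your statement is attached.
--b1
Content-Type: text/html
Content-Disposition: attachment; filename="statement.htm"

<html></html>
--b1--
"""

def domain_of(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def triage(raw, expected_ext=".emc"):
    """List reasons the message should not be trusted on its From line alone."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    findings = []
    for name in ("Return-Path", "Reply-To"):
        dom = domain_of(msg[name])
        if dom and dom != from_dom:  # strict match; subdomains also flagged
            findings.append(f"{name} domain {dom} differs from From domain {from_dom}")
    # Only trust an Authentication-Results header added by your own mail server.
    auth = (msg["Authentication-Results"] or "").lower()
    for check in ("spf", "dkim", "dmarc"):
        if f"{check}=pass" not in auth:
            findings.append(f"{check} did not pass")
    for part in msg.walk():
        fname = part.get_filename()
        if fname and not fname.lower().endswith(expected_ext):
            findings.append(f"unexpected attachment type: {fname}")
    return findings
```

Calling `triage(SAMPLE)` returns six findings for the constructed message; a message whose Return-Path matches the From domain and whose SPF, DKIM and DMARC verdicts all pass returns an empty list.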
 

esvi

Senior Member
Joined
Mar 21, 2011
Messages
504
It shouldn't be possible as they exclusively control that domain name. It points to internal staff complicity then.

Unless DNS records (MX) are compromised, but highly unlikely with the bank.

However the intended victim could possibly also be compromised on the DNS routing side. (possible, but improbable)

Don't see what could've been misunderstood from this post. It's pretty to-the-point. Receiving an email from @whoever.com does not mean their DNS was compromised. It's not rocket science to send an email from one address while displaying a different "from" address to the person reading the email.

Not everyone knows about this and thus it is easy to trick people. Most people don't think it's a scam (immediately) when it's from a trusted email.

No you misunderstood my response and I guess I also wasn't 100% clear for sake of brevity.

Normally one can see that the originating email and spoofed email are different by looking at the headers. Basic stuff. The intention is for the email response to be sent back to the "criminal element" and therefore it normally differs from the actual domain eg. @absa.co.za

My contention was that any email response sent to any email in the @absa.co.za domain would mean that someone at ABSA would be complicit - unless the response email was intercepted or rerouted prior to it reaching the actual ABSA mail servers. This scenario is possible, but it is complicated and will involve sophistication beyond what is normally a bulk fishing expedition and would require a far more targeted approach.

I was not merely pointing to the spoofing of an email address as it seems by the responses that was what was understood. As you were.

This is not at all what you were saying before.
 

Milano

Honorary Master
Joined
Feb 7, 2004
Messages
16,696
It shouldn't be possible as they exclusively control that domain name. It points to internal staff complicity then.

Unless DNS records (MX) are compromised, but highly unlikely with the bank.

However the intended victim could possibly also be compromised on the DNS routing side. (possible, but improbable)

Nonsense.
 