Absa Bank Electronic Statements Fees Deducted

[Previous Example] [Share This Page] [Back To The Main SHPAMEE Index] [Next Example]

VERY IMPORTANT INFORMATION, READ THIS FIRST: The example and associated information published on this page are subject to the SHPAMEE Terms Of Use. Please familiarise yourself with these terms before viewing or using any information on this page.

Header:

From: <ibreply@absa.co.za>
To: <ibreply@absa.co.za>
Subject: Absa Bank Electronic Statements Fees Deducted - 10 October 2012
Date: Thu, 11 Oct 2012 08:47:52 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="----=_NextPart_000_0000_01CDA928.6121E650"
Thread-Index: Ac2nfFP1IXN6nT4wRp6f0IZMPC/MBQ==

Body:

10 October 2012

Welcome
Thank you for choosing to receive your statements by email.

Dear Customer

Attached please find your electronic statement.

Kindly advise us of any changes to your email address to ensure that you always receive your electronic statement.

You have already made the smart move to receive your statement via e-mail and experience the ease of managing your cheque account transactions electronically. Absa eStatements are now free unlike paper statements, for which you will still pay. To start receiving e-mail statements for other accounts that you still receive paper statements for, kindly send a request to estatementregistration@absa.co.za

For more information, contact officialemail@absa.co.za or the call centre on 0860 111 123.

Kind Regards
Absa Digital Banking Services

Installing the Striata Reader
Step 1: Connect to the internet.
Step 2: Download the Reader from the Striata Website (58Kb): Go to striata.com/absa and click on 'Striata Reader' in the top right corner above the search box.
Step 3: Click the orange header at the top of the page. The link wording will differ according to your operating system.
Step 4: Select 'Open/Run'. If no 'Open/Run' option given, select 'Save' and then 'Open'.
Step 5: The Reader is now installed. Select 'OK' to close the 'install confirmation' dialogue box.

To view your statement
Step 6: Double-click on the encrypted attachment. You will be prompted to type in a password.

Installing Adobe Reader
To open your statement, you need to have Adobe Reader v 5.0 or higher.
If you do not have Adobe Reader, go to get.adobe.com/reader/ to download the latest version.

Important Notice: Absa Bank Ltd Is an Authorised Financial Services Provider. Licence no 292.

Important restrictions, qualifications and disclaimers ("the Disclaimer") apply to this e-mail. A 'disclaimer' means we do not accept responsibility or we limit our responsibility for something related to this e-mail. To read this, copy the following address to your internet browser: absa.co.za/disclaimer

The Disclaimer forms part of the content of this e-mail in terms of section 11 of the Electronic Communications and Transactions Act, 25 of 2002. If you are unable to access the Disclaimer, send a blank e-mail to disclaimer@absa.co.za and we will send you a copy of the Disclaimer.

Important Notice:

Absa is an Authorised Financial Services Provider and Registered Credit Provider, registration number: NCRCP7. This e-mail and any files transmitted with it may contain information that is confidential, privileged or otherwise protected from disclosure. If you are not an intended recipient of this e-mail, do not duplicate or redistribute it by any means. Please delete it and any attachments and notify the sender that you have received it in error. Unless specifically indicated, this e-mail is not an offer to buy or sell or a solicitation to buy or sell any securities, investment products or other financial product or service, an official confirmation of any transaction, or an official statement of Absa. Any views or opinions presented are solely those of the author and do not necessarily represent those of Absa. This e-mail is subject to terms available at the following link: http://www.absa.co.za/disclaimer. The Disclaimer forms part of the content of this email. If you are unable to access the Disclaimer, send a blank e-mail to disclaimer@absa.co.za and we will send you a copy of the Disclaimer. By messaging with Absa you consent to the foregoing. By emailing Absa you consent to the terms herein. This email may relate to or be sent from other members of the Absa Group.

Comments:

This scam is almost flawless. We have been told that this e-mail looks exactly like the ones sent by ABSA to their eStatements customers.

Received: from User (0805ds1-abs.1.fullrate.dk [90.185.54.168])
by smtp.fullrate.dk (Postfix) with SMTP id A1E482EC13;
Thu, 11 Oct 2012 08:47:01 +0200 (CEST)
Return-Path: <ibreply@absa.co.za>
From: <ibreply@absa.co.za

At first glance it looks like the e-mail really came from ABSA, because the From address is ibreply@absa.co.za. Apparently this is not the e-mail account used by ABSA when they send eStatements to their customers, but still it is an absa.co.za e-mail address and adds a false sense of trustworthiness to this e-mail.

However in this case, ibreply@absa.co.za was spoofed and a closer look at the e-mail header reveals that this e-mail was actually sent from smtp.fullrate.dk, a SMTP sever belonging to a Danish broadband Internet Service Provider, so the e-mail was most likely sent from a compromised computer belonging to a Fullrate customer.

Dear Customer

The infamous generic greeting. Banks normally greet their customers by name, so this generic greeting should tell you that the scammers had no idea to whom they were sending this e-mail. But even if they do greet you by name, it is not always an absolute guarantee that the e-mail is legitimate, because some scammers also have the names of their victims, but this is very rare and limited to cases where people had their identities stolen after falling victim to a phishing or 419 scam.

Hover with your mouse over the links and e-mail addresses in this e-mail and you will notice that the scammers disabled all the links except the disclaimer link at the bottom of the e-mail. This is done deliberately to make sure that the victim is not distracted by any links in the e-mail, because the main purpose of this scam is to get the victim to open the attachment. Also note that the disclaimer link points to the actual disclaimer page on ABSA's website. Perhaps the scammers missed this link, or they did this on purpose to add to that false sense of security and trustworthiness of this e-mail.

Even the telephone numbers quoted in this e-mail are real ABSA contact numbers, but a word of caution though, NEVER dial any number listed in a scam e-mail, because nothing in a scam e-mail can be trusted. Rather use the telephone directory or visit the organisation's official website (by typing it into the address bar of your browser and not via a link in an e-mail) to get their contact details.

The scammers bargain on the fact that you will miss all these signs and move directly to the attachment to open it. But this is where you should notice that something is wrong. ABSA's eStatements are sent to your e-mail inbox as a .emc file, attached to the e-mail. This file is encrypted and can only be opened with the Striata reader by entering your password (in a dialog box and not on a website). You will find a couple of useful tips, regarding phishing scams, on Striata's website. You can also read more about eStatements on ABSA's official website to see how it works.

The scammers attached an HTML file, called Statement.ace.html, to this e-mail. The .ace is only there to draw the victim's attention away from the .html extension. Striata specifically states on their website that an HTML file is not a valid Striata e-mail statement. If you open the HTML attachment, it will load in your browser (for example Firefox or Internet Explorer) and in this specific case the file has been coded to open the URL smartaxservices.com/redirect12.html. This website is not the site hosting the phishing site, but it only acts as a doorway page and redirects you to miatoy.com/audio/Absa23/ where the actual phishing site is hosted. We were unable to take a snapshot of the phishing site because the site was already taken down at the time of publishing this example. We have sent a request to Smartaxservices.com to take down the doorway page and to close the hole used by the hackers to upload this page, otherwise the scammers might use the doorway page in other scams as well.

You should always pay attention to the address bar when visiting your bank's official website, in this case it was supposed to be absa.co.za, but as you can see, neither of the two websites mentioned in the previous paragraph is ABSA's official website. Furthermore, when you are about to log onto your Internet banking service (and this applies to any bank and not just ABSA), the address of the page, where you need to enter your account number and/or password, should always start with https (an indication that the page is secure and SSL encrypted. Your browser should also display a padlock next to the address bar). So far we haven't seen a single phishing site using SSL encryption, but we bet that when they do, their SSL certificate will be fake.

This seems to be the new way of doing a phishing scam, instead of using a link in the body of the e-mail, they attach an HMTL file containing the phishing link, or as in this case, a link to a doorway page that redirects the actual phishing site. This advanced and more effective phishing technique has also been used in these phishing scam examples:

- ABSA Authorized EFT Payment Received Phishing Scam
- Chase ACTION REQUIED: Notice For Your Account Phishing Scam

Related Cyber Criminal Profiles:

No related profiles found.

Similar Spam Examples:

ABSA Bank Phishing Scam - Authorized EFT Payment Received
ABSA Banking Phishing Scam - 2012 - SARS PAYMENTS
Banking Phishing Scam - Your Pending EFT Payment!!!
ABSA Excess Charges Refund Banking Phishing Scam
ABSA Phishing Scam - Confirm your Online Access

Related Malware Samples:

No related malware samples found.

[Previous Example] [Share This Page] [Back To The Main SHPAMEE Index] [Next Example]