{"id":12513,"date":"2017-10-16T10:39:39","date_gmt":"2017-10-16T08:39:39","guid":{"rendered":"http:\/\/blogs.sun.ac.za\/it\/?p=12513"},"modified":"2017-10-16T10:39:39","modified_gmt":"2017-10-16T08:39:39","slug":"phishing-absa-surecheck-profile-app","status":"publish","type":"post","link":"https:\/\/blogs.sun.ac.za\/it\/2017\/10\/phishing-absa-surecheck-profile-app\/","title":{"rendered":"[:en]PHISHING: Absa Surecheck Profile App[:]"},"content":{"rendered":"<p>[:en]<\/p>\n<p>Over the weekend and as already reported by a number of Tygerberg colleagues &amp; students, a variant of last week\u2019s ABSA phishing scam has started flooding our email.<\/p>\n<p>The tactics have changed slightly and the criminals are now using a South African domain name to launch their attack. Below is the example of the phishing email, with the forged \u201cABSA Bank\u201d login page to attempt to convince you to give your bank details willingly to the scammers.<\/p>\n<p>The subject of the email is \u201cAbsa Surecheck Profile App \u2013 Upgrade | FICA information\u201d which is designed to say absolutely nothing. It is what is known in information technology circles as <em><u>\u201ctechno-babble\u201d<\/u><\/em><\/p>\n<p>While the methods used to steal a your banking details may differ, the process followed by fraudsters to steal money from their victims in South Africa are nearly always the same:<\/p>\n<ol>\n<li>Get the person\u2019s Internet banking details, typically through a phishing attack. (as shown below)<\/li>\n<li>Get a banking account\/s to which money can be transferred to and withdrawn.<\/li>\n<li>Clone the SIM card used by the victim.<\/li>\n<li>Create beneficiaries (using the list of banking accounts) and transfer money to these beneficiaries.<\/li>\n<li>Withdraw the money from these accounts.<\/li>\n<\/ol>\n<p>Here are the obvious warning signs:<\/p>\n<ol>\n<li>The sender is not an ABSA email account (in this case a \u201cthrowaway\u201d German email account used to send millions of phishing e-mails)<\/li>\n<li>Vague and deceptive subject lines (Techno-babble)<\/li>\n<li>An attached file (.htm) that contains a web page that opens up in your browser and links in the background to the server in South Africa.<\/li>\n<li>Impersonal salutation. \u201cDear Valued Customer\u201d. Banks will never address you like this. They have your money \u2013 so it stands to reason that they will know your name as well.<\/li>\n<li>\u201cOnline verification\u201d has **** to convince you that the email is genuine, but university addresses end with ac.za, not co.za.<\/li>\n<\/ol>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-12514 alignleft\" src=\"http:\/\/blogs.sun.ac.za\/it\/files\/2017\/10\/absa_surecheck-500x468.jpg\" alt=\"\" width=\"500\" height=\"468\" srcset=\"https:\/\/blogs.sun.ac.za\/it\/files\/2017\/10\/absa_surecheck-500x468.jpg 500w, https:\/\/blogs.sun.ac.za\/it\/files\/2017\/10\/absa_surecheck-300x281.jpg 300w, https:\/\/blogs.sun.ac.za\/it\/files\/2017\/10\/absa_surecheck.jpg 694w\" sizes=\"auto, (max-width: 500px) 100vw, 500px\" \/><\/p>\n<p>&nbsp;<\/p>\n<p>The web page that you are directed to is actually the .htm file based on your computer (as an attachment, but links directly to the phishing server in the background.)<\/p>\n<p>In this case is <u>iteron.co.za<\/u> which is listed as \u201cundergoing maintenance\u201d but is fully functional in the background.<\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-large wp-image-12515\" src=\"http:\/\/blogs.sun.ac.za\/it\/files\/2017\/10\/absa_surecheck2-500x337.jpg\" alt=\"\" width=\"500\" height=\"337\" srcset=\"https:\/\/blogs.sun.ac.za\/it\/files\/2017\/10\/absa_surecheck2-500x337.jpg 500w, https:\/\/blogs.sun.ac.za\/it\/files\/2017\/10\/absa_surecheck2-300x202.jpg 300w, https:\/\/blogs.sun.ac.za\/it\/files\/2017\/10\/absa_surecheck2.jpg 696w\" sizes=\"auto, (max-width: 500px) 100vw, 500px\" \/><\/p>\n<p>&nbsp;<\/p>\n<p>If you have received an email that looks like this please immediately report it to the Information Technology Security Team using the following method:<\/p>\n<p>Send the spam\/phishing email to the following addresses<\/p>\n<p><a href=\"mailto:help@sun.ac.za\">help@sun.ac.za<\/a><\/p>\n<p>&#8230;and <a href=\"mailto:sysadm@sun.ac.za\">sysadm@sun.ac.za<\/a> as well.<\/p>\n<p>\u00a0Attach the phishing or suspicious email on to the message if possible. There is a good tutorial on how to do this at the following link (Which is safe): <a href=\"http:\/\/stbsp01.stb.sun.ac.za\/innov\/it\/it-help\/Wiki%20Pages\/Spam%20sysadmin%20Eng.aspx\">http:\/\/stbsp01.stb.sun.ac.za\/innov\/it\/it-help\/Wiki%20Pages\/Spam%20sysadmin%20Eng.aspx<\/a><\/p>\n<ol>\n<li>Start up a new email addressed to <a href=\"mailto:sysadm@sun.ac.za\">sysadm@sun.ac.za<\/a> (CC: <a href=\"mailto:help@sun.ac.za\">help@sun.ac.za<\/a>)<\/li>\n<li>Use the Title \u201cSPAM\u201d (without quotes) in the Subject.<\/li>\n<li>With this New Mail window open, drag the suspicious spam\/phishing email from your Inbox into the New Mail Window. It will attach the email as an enclosure and a small icon with a light yellow envelope will appear in the attachments section of the New Mail.<\/li>\n<li>Send the email.<\/li>\n<\/ol>\n<p>If you did click on the link of this phishing spam and unwittingly give the scammers your username, e-mail address and password you should immediately go to <a href=\"http:\/\/www.sun.ac.za\/useradm\">http:\/\/www.sun.ac.za\/useradm<\/a> and change the passwords on ALL your university accounts (making sure the new password is completely different, and is a strong password that will not be easily guessed.) as well as changing the passwords on your social media and private e-mail accounts (especially if you use the same passwords on these accounts.)<\/p>\n<p style=\"text-align: right;\">[ARTICLE BY DAVID WILES]<\/p>\n<p>[:]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[:en] Over the weekend and as already reported by a number of Tygerberg colleagues &amp; students, a variant of last week\u2019s ABSA phishing scam has started flooding our email. The tactics have changed slightly and the criminals are now using a South African domain name to launch their attack. Below is the example of the [&hellip;]<\/p>\n","protected":false},"author":259,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20382,20381,29187],"tags":[54492,48683,20381],"class_list":["post-12513","post","type-post","status-publish","format-standard","hentry","category-email","category-phishing","category-security-2","tag-absa","tag-absa-banking","tag-phishing"],"publishpress_future_action":{"enabled":false,"date":"2026-07-26 01:15:10","action":"change-status","newStatus":"draft","terms":[],"taxonomy":"category","extraData":[]},"publishpress_future_workflow_manual_trigger":{"enabledWorkflows":[]},"_links":{"self":[{"href":"https:\/\/blogs.sun.ac.za\/it\/wp-json\/wp\/v2\/posts\/12513","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.sun.ac.za\/it\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.sun.ac.za\/it\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.sun.ac.za\/it\/wp-json\/wp\/v2\/users\/259"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.sun.ac.za\/it\/wp-json\/wp\/v2\/comments?post=12513"}],"version-history":[{"count":3,"href":"https:\/\/blogs.sun.ac.za\/it\/wp-json\/wp\/v2\/posts\/12513\/revisions"}],"predecessor-version":[{"id":12518,"href":"https:\/\/blogs.sun.ac.za\/it\/wp-json\/wp\/v2\/posts\/12513\/revisions\/12518"}],"wp:attachment":[{"href":"https:\/\/blogs.sun.ac.za\/it\/wp-json\/wp\/v2\/media?parent=12513"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.sun.ac.za\/it\/wp-json\/wp\/v2\/categories?post=12513"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.sun.ac.za\/it\/wp-json\/wp\/v2\/tags?post=12513"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}