I like coming across really good phishing emails, primarily because I try to think about how to actually identify the email correctly. This morning, I got the following, reputedly from ABSA bank:
Your registeration with us has been cancelled due to our new terms and conditions, please read below to view how to re-register or visit your branch
Read Here
It had all the hallmarks. Let's start with the sender: the mail was sent from a legitimate-sounding address, "absamail.co.za", which was not detected by Google as a bad domain. The mail relay is "Vodamail", which is somewhat suspicious, but Vodacom's ISP does have a large set of corporate customers, so a bank is not too surprising. And lastly, the sending address (196.11.146.165) seems to be in a South African IP range. I looked at some registration records, but couldn't get much beyond the hosting ISP.
Aside from the sender details, the text itself is short and sweet, and even has a friendly "visit your branch" to give it some credibility. And for the "Read Here" bit, I didn't get a URL overlay (although I can't find any direct bugs, other than a misplaced "HREF=3D", which is apparently a MIME encoding component, from a casual Google search).
The URL has of course nothing to do with ABSA, and is hosted in Romania. I assume it has a drive-by download and other nice things - I didn't go and check.
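The "HREF=3D" seen in the raw source is what a quoted-printable body looks like before decoding ("=3D" is an encoded "="), so link checks belong on the decoded body. The following is an added example, not part of the original post: it decodes a constructed message and lists links whose host does not belong to the sender's domain. The message, the `.example` hostnames and the names `LinkCollector` and `mismatched_links` are assumptions made for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message (not the email from the post).
# All hostnames are reserved .example placeholders.
RAW = (
    "From: Bank <notice@bank.example>\r\n"
    "Subject: Registration cancelled\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Transfer-Encoding: quoted-printable\r\n"
    "\r\n"
    "<p>Please read below to view how to re-register.</p>\r\n"
    '<a HREF=3D"http://login.unrelated.example/login">Read Here</a>\r\n'
    '<a href=3D"https://www.bank.example/terms">Terms</a>\r\n'
)

class LinkCollector(HTMLParser):
    """Collects href values of <a> tags (names are lowercased by the parser)."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def mismatched_links(raw):
    """Return (sender_domain, [(href, host), ...]) for links outside the sender domain."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender_domain = msg["From"].addresses[0].domain.lower()
    # get_content() undoes the quoted-printable encoding, turning =3D back into "=".
    html = msg.get_body(preferencelist=("html", "plain")).get_content()
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href in collector.hrefs:
        host = (urlsplit(href).hostname or "").lower()
        if host != sender_domain and not host.endswith("." + sender_domain):
            flagged.append((href, host))
    return sender_domain, flagged

if __name__ == "__main__":
    print(mismatched_links(RAW))
```

A link that passes this check is not thereby trustworthy, since the From header itself can be forged; the check only surfaces the mismatch between claimed sender and link target described above.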