In the Wild threats

Cyber fraudsters are getting better with time and practice and are able to reproduce astonishingly accurate replicas of legitimate online resources. Of course, not just any online resource is worth their time and effort. The most targeted sites are online login portals like banking sites, MS Office 365, Google (Google Cloud Platform, Google Drive, Google Mail, etc.), Apple Store, and Facebook, to name but a few. Essentially, the greater the user base, the more it will be targeted by cyber criminals.

The most devious fake ABSA online banking yet

The email shown below was received from an unrecognised sender claiming that a cashback of R14,280 had been made available as an ABSA reward and that the recipient had to click the link to confirm/receive it.

What’s wrong with this picture:

  1. The email sender (FROM address) has no reference to ABSA bank.
  2. The recipient (TO address) is not a specific person but instead a generic (shared) mailbox.
  3. Financial institutions address their customers by name and/or include reference numbers (which were not present).
  4. The link to confirm the cashback request was abnormal.

These points should be enough to prevent most people from proceeding further. Unfortunately, there are still those who proceed. This is when things get devious…

If the user opens the link, they are met with the ABSA online banking login portal shown below. Here is where things can go horribly wrong for the victim. The landing page has no association with ABSA bank: it is a convincing replica of the original, hosted on an offshore (e.g. Russian/Chinese) server and managed by the cyber criminals.

The giveaway that it is fake is as follows:

  1. The URL (highlighted red).
  2. Missing privacy policy (not like it matters in this situation).

At a glance, the fake and the actual login page look identical, which is more than enough to trick an unsuspecting victim into providing their secret login credentials.

The fake page (above) does two things once the form is completed:

  1. It submits the credentials to an unknown server elsewhere in the world (this can be seen in the code when using the inspect tool).
  2. It notifies the victim via a pop-up that the credentials are invalid (more trickery).

The purpose of the invalid-credentials notification is to fool the user into thinking that they may have made a mistake and should try again. This ploy works especially well for the criminals, convincing the victim to re-enter their information (in case an error was made) or to try different passwords, all of which are submitted to the perpetrator’s server.
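The two giveaways described above (a page URL that does not belong to the bank, and a login form that sends credentials to an unrelated server) can be checked mechanically when triaging a reported page. The following is an added example, not code from the original article; the function names are illustrative, and bank.example and collector.example are constructed placeholder domains.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample markup; bank.example and collector.example are placeholders.
FAKE_PAGE = ('<form action="https://collector.example/save.php" method="post">'
             '<input name="user"><input type="password" name="pin"></form>')
REAL_PAGE = '<form action="/login" method="post"><input type="password" name="pin"></form>'


class FormScanner(HTMLParser):
    """Records each <form>'s action and whether it contains a password input."""

    def __init__(self):
        super().__init__()
        self.forms, self._open = [], None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._open = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._open)
        elif tag == "input" and self._open and (attrs.get("type") or "").lower() == "password":
            self._open["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def in_domain(host, domain):
    """True only for the domain itself or a genuine subdomain (not a lookalike prefix)."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def audit_login_page(page_url, html, expected_domain):
    """Return findings for a login page; an empty list means nothing was flagged."""
    findings = []
    page_host = urlsplit(page_url).hostname
    if not in_domain(page_host, expected_domain):
        findings.append(f"page host {page_host} is not under {expected_domain}")
    scanner = FormScanner()
    scanner.feed(html)
    for form in (f for f in scanner.forms if f["has_password"]):
        target = urlsplit(urljoin(page_url, form["action"]))  # resolve relative actions
        if not in_domain(target.hostname, expected_domain):
            findings.append(f"password form posts to {target.hostname}")
        if target.scheme != "https":
            findings.append(f"password form submits over {target.scheme}")
    return findings
```

This only inspects static markup: a page that sends the form data from a script will not show its destination in the form's action, so an empty result is not proof that a page is genuine.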

Fake MWEB Webmail login

This is another deviously crafted fake login portal.

Notable mistakes/giveaways vs the original are as follows:

  1. The URL (moonfruit.com) is not MWEB’s.
  2. Login to Activate (negligible).
  3. CMS/Template watermark – “build your own website with moonfruit”.
  4. Font (negligible).

Ignoring the above-mentioned points, the fake site is basically an exact replica of the original. The fake sends the collected credentials to a server managed and monitored by the perps to do what they please with them, whether their intent is to sell them to the highest bidder or spy and gather more information.

People tend to utilise the same password/username combinations for various resources and cyber terrorists know this. Granting access to a simple, barely used email account may actually have more serious consequences in this scenario.

Fake loan document for Bayport Financial Services

With Covid-19 and lockdowns still holding back the economy, many people have fallen on hard times and need ways to provide for their families. Cyber terrorists will use any method to gain what they are after, and will target anyone regardless of their situation, financial or otherwise.

This example deviates slightly from the rest as it’s not an online resource that’s been faked. Instead, the cyber criminals have chosen to distribute fake loan offer documents in the name of trusted financial services providers, such as Bayport Financial Services.

With the average interest rate for personal loans in South Africa being around 24%, the 5% rate offered in this illegitimate offer is simply unbelievable – although it is a scam after all …

The most likely scenario for this form of credential theft is credit fraud or identity theft, both potentially ruining the victims’ lives.

The real Bayport Financial Services is aware of these scams and has a ‘scam warnings’ page where users can find advice and see examples of current and previous scams. The above template has been utilised before. View the Bayport Financial Services Scam Warnings – here.