| Summary | |
|---|---|
| Email title: | 'Citibank Security Update' |
| Scam target: | Citibank customers |
| Email format: | An HTML email |
| Sender: | citibank.com <csupport6@citibank.com> |
| Sender spoofed? | Yes |
| Scam call to action: | "Due to technical update we recommend you to reactivate your account." |
| Scam goal: | Obtaining the victim's Citibank website account/password and ATM PIN |
| Call to action format: | URL link |
| Visible link: | http://web.da-us.citibank.com |
| Called link: | http://citibank-validate.info/ |
| Resolved site: | http://citibank-validate.info/, along with http://www.citibank.com (the legitimate Citibank site) |

| E-mail |

Well, this is a good one. It has every chance of fooling a lot of people.

- The email sender is spoofed;
- The message looks nice (Citibank bar at the top);
- The URL looks legitimate;
- The policy is presented in a mild manner - unlike the explicit threats commonly used by phishers.

[Screenshot: the phishing email]

| Web Site | |
|---|---|
| Visible link: | http://web.da-us.citibank.com |
| Called link: | http://citibank-validate.info/ |
| Resolved site: | http://citibank-validate.info/, along with http://www.citibank.com (the legitimate Citibank site) |

The tricky part is this: when you click on the link in the message, the spoofed link opens a site that automatically redirects you to the legitimate Citibank site:

[Screenshot: the legitimate Citibank site]

But along with it, a pop-up window appears - it presents itself as a login screen:

[Screenshot: the pop-up login window]

The pop-up itself looks perfect, and is entirely consistent with the policy described in the message. Using this approach, the phisher eliminates one of the strongest clues to phishing - the faked URL. In fact, all the URLs you see - the one in the message, the one on the legitimate site - are the original URLs. This is what makes this phish particularly dangerous.