Citibank and various other banks (Lloyds TSB, Barclays) - Image-only mail, hidden URL
10-Jun-2004
Summary

Email title: Various (many versions of 'your account on x'), often including 'hidden' letters (letters swapped with similar letters or characters to circumvent spam filters)
Scam target: online banks' customers
Email format: HTML email. Turns out to be just a single image with some additional HTML code.
Sender: Spoofed; appears to come from the legitimate domain. The sender name sometimes ends in two digits, trying to bypass spam filters.
Scam call to action: Variations of 'due to a security update we are asking all customers to verify their accounts'. Often accompanied by a polite but firm threat, with variations of 'if you do not update your account, your access will be terminated'.
Scam goal: Getting the victim's online bank account username/password
Call to action format: Hyperlink-image
Visible link: The URL of the legitimate online bank's login screen
Called link: Encoded link. Looks something like this: http://%34%2E%33%34%2E%31%39%35%2E%34%31:%34%39%30%33/%6C/%69%6E%64%65%78%2E%68%74%6D
Resolved site: Various phish sites, launched for the phish campaign and then quickly closed. Seen in the address bar only as an IP, not a domain name.
E-mail
This is an entire wave of phishing messages targeting online banks; Citibank messages are the most prolific.
What you get is a message that appears to come from the legitimate domain (it is spoofed, of course), with an unsuspicious subject and a perfectly legitimate (at first glance) link. The messages are impeccably designed.
[Screenshots: the Citibank, Lloyds TSB and Barclays phishing messages]
But the entire message turns out to be a single image. The link is in fact not only the one line you would think it is, but the entire image. That is strange, but when your mouse cursor hovers above it, you will see the same legitimate URL in the tooltip and the status bar. Even if you open the message source, you will not see another URL at first sight, so a great many people could be deceived by this.
And here is what it does: the image really links to the legitimate site (that is why the tooltip and status bar display the legitimate URL). But, using HTML, a rectangular box (an image map) is drawn over the image, and a link is associated with it that points to a different URL. This is the link that you REALLY click on. To make the scam deeper, the phisher has percent-encoded this URL, so you see nothing suspicious in the HTML code unless you dig in.
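One way a mail gateway or an analyst could flag this construction, as an added example that is not from the APWG report: parse the HTML body, percent-decode every `<area>` href inside a `<map>`, and report any whose host differs from the host of the visible `<a>` link. The sample HTML, the bank.example domain and the 192.0.2.1 address are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

class LinkCollector(HTMLParser):
    """Collect <a> hrefs (shown in tooltip/status bar) and <area> hrefs (really followed)."""
    def __init__(self):
        super().__init__()
        self.anchors = []
        self.areas = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.anchors.append(a["href"])
        elif tag == "area" and a.get("href"):
            self.areas.append(a["href"])

def decode_url(url):
    """Percent-decode until stable, so %34%2E%33%34 reads as 4.34."""
    prev = None
    while url != prev:
        prev, url = url, unquote(url)
    return url

def host_is_ip(url):
    """True when the host is a dotted-quad IPv4 literal rather than a domain name."""
    parts = (urlsplit(url).hostname or "").split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)

def find_hidden_links(html):
    """Return each <area> target whose host matches none of the visible <a> hosts."""
    p = LinkCollector()
    p.feed(html)
    visible_hosts = {urlsplit(decode_url(h)).hostname for h in p.anchors}
    findings = []
    for raw in p.areas:
        decoded = decode_url(raw)
        if urlsplit(decoded).hostname not in visible_hosts:
            findings.append({"raw": raw, "decoded": decoded,
                             "encoded": raw != decoded, "ip_host": host_is_ip(decoded)})
    return findings

# Constructed sample with the structure described above; 192.0.2.1 (a documentation
# address) and port 4903 stand in for the campaign's real hosts.
SAMPLE = """<a href="https://bank.example/login"><img src="cid:mail.jpg" usemap="#m"></a>
<map name="m"><area shape="rect" coords="0,0,600,400"
 href="http://%31%39%32%2E%30%2E%32%2E%31:%34%39%30%33/%63%69%74/%69%6E%64%65%78%2E%68%74%6D"></map>"""

if __name__ == "__main__":
    for f in find_hidden_links(SAMPLE):
        print("hidden link:", f["decoded"], "percent-encoded" if f["encoded"] else "")
```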
Web Site
We couldn't get a live site, since the phishers seem to rely on the victims' initial reaction and close the sites very quickly after the phish wave has been sent.
The URLs should look like this:
http://213.132.111.36:4903/cit/index.htm, or
http://65.198.177.216:4903/b/index.htm
They use the same port, which could imply that they are hosted on the same server.
These phish messages constitute a real campaign: there are quite a lot of clues pointing to that, and being cleverly designed and dangerous, they are really something to look out for.