05-Jul-2004
| Summary | |
| --- | --- |
| Email subject: | 'Citisafe by Citibank' and variations, all containing 'Citisafe' |
| Scam target: | Citibank customers |
| Email format: | HTML email |
| Sender: | 'Citibank <safe@citibank.com>' |
| Sender spoofed? | Yes |
| Scam call to action: | 'We recently noticed one or more attempts to log in to your Citibank account from a foreign IP address...and you have full protection by now...because user verification on the Internet is difficult, Citibank cannot and does not confirm each user's purported identity...we have established an offline verification system...The system is called CitiSafe and it's the most secure Citibank wallet so far...click the link bellow, fill the form and then submit as we will verify your identity and register you to CitiSafe free of charge...' |
| Scam goal: | Getting the victim's Citibank debit card and bank account numbers, and the debit card PIN. |
| Call to action format: | a 'Click here' type link |
| Visible link: | 'Click to protect yourself from fraudulent activity!' |
| Actual link: | http://219.148.127.66/scripts/confirmation.htm |
| Phish site: | 219.148.127.66 |
**E-mail**

This is one of the most dangerous phishing schemes so far, and you'll see what I mean. First, the message:

[Image: the phishing e-mail (_email.jpg)]

As you see, this looks more than convincing, and pretty scary. But offered such 'generosity', how can a scared person refuse? What is more, the message comes from a sender address that looks perfectly legitimate (it is spoofed).
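The indicators in the summary table (a spoofed sender on a well-known domain, a reassuring link text, a link target that is a bare IP address) are exactly what a mail gateway or analyst can check mechanically. The following is an added example, not code from the original report: it parses a constructed HTML message modelled on the report's indicators and flags links whose target does not belong to the sender's domain or is an IP literal. The heuristics and the `registrable_domain` shortcut are the example's own assumptions, not anything the report describes.

```python
"""Flag suspicious links in an HTML e-mail (added example, not from the report).

Assumptions: the heuristics below are this example's own; the sample message
is constructed from the report's summary-table indicators, not the real mail.
"""
import email
import ipaddress
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: headers and body modelled on the report's indicators.
SAMPLE_EMAIL = """\
From: Citibank <safe@citibank.com>
To: customer@example.net
Subject: Citisafe by Citibank
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>We recently noticed one or more attempts to log in to your Citibank
account from a foreign IP address...</p>
<p><a href="http://219.148.127.66/scripts/confirmation.htm">Click to protect
yourself from fraudulent activity!</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []     # finished (href, text) pairs
        self._href = None   # href of the <a> currently open, if any
        self._text = []     # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse whitespace so wrapped link text compares cleanly.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable_domain(host):
    """Crude last-two-labels domain (assumption: good enough for .com hosts;
    production code would consult the public suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def is_ip_literal(host):
    """True if the host part of a URL is a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse_email(raw):
    """Return (href, text, reasons) for every link that trips a heuristic."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender_domain = msg["From"].addresses[0].domain.lower()
    body = msg.get_body(preferencelist=("html",)).get_content()
    parser = LinkExtractor()
    parser.feed(body)

    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reasons = []
        if is_ip_literal(host):
            reasons.append("link target is a bare IP address")
        elif registrable_domain(host) != registrable_domain(sender_domain):
            reasons.append(f"link domain {host} does not match sender domain {sender_domain}")
        if any(w in text.lower() for w in ("click", "verify", "protect", "confirm")):
            reasons.append("call-to-action wording in link text")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in analyse_email(SAMPLE_EMAIL):
        print(f"{href!r} ({text!r}): {'; '.join(reasons)}")
```

Run on the constructed message, `analyse_email` reports the single link as both an IP-literal target and a call-to-action link; the sender domain check is what would fire for the commoner case of a look-alike registered domain.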
**Web Site**

| Visible link: | 'Click to protect yourself from fraudulent activity!' |
| --- | --- |
| Actual link: | http://219.148.127.66/scripts/confirmation.htm |
| Phish site: | 219.148.127.66 |
Once the link is clicked, the phish site opens. And here is the main phishing trick: the contents of your browser's address bar are spoofed. While this trick has been used before (an image placed over the address bar), this one is much better executed: the address bar looks and behaves normally, yet its contents DO NOT show the real URL that was opened.

[Image: the phish site as displayed (_site.jpg)]

What does the trick is a JavaScript, and it is well crafted. Of course, the imitation is not perfect, but it is good enough, and far, far too close for comfort. The difference between the real and the displayed URL can be seen by garbling the one in the address bar (in this case, by adding some characters that definitely do not make a valid URL):

[Image: the phish site with a garbled URL in the address bar (_site_-_garbled_url.jpg)]

But garbling the URL is not the first thing a person who has clicked the link in the phish message would do. He/she would just check the URL (all phish can be told by the URL, you know :) ) and then sigh with relief. Or maybe he/she will try to enter some made-up information to see what happens (after all, it is presumed that only the legitimate site could validate his/her information). And here is what will happen:

[Image: the phish site's response to made-up information (_site_-_verif.jpg)]
The phish page uses a program (http://219.148.127.66/scripts/process.php) to verify the credit card number. In fact, information on how credit card numbers are generated is publicly available, and writing such a program is not a hard task.

So, in short, there is reason to be very vigilant. It is a good idea to access critical sites only through bookmarks in your browser, and it is absolutely vital to keep your OS/antivirus software up to date.
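The "program" that rejects made-up card numbers almost certainly does nothing more than the public Luhn checksum that every card number satisfies; that is an assumption here, since the report does not show the script. The same check is useful on the defending side: a log or data-loss-prevention scanner can use it to tell real card data from random digit runs. The following is an added example, not code from the report, scanning constructed web-server log lines (with well-known public test card numbers) and returning masked hits.

```python
"""Luhn checksum as a defender's DLP filter (added example, not from the report).

Assumption: the phish site's process.php applied the Luhn check; the report
does not show it. Log lines and card numbers below are constructed, the valid
ones being public test numbers.
"""
import re

# Constructed sample log: form posts as a scanner might see them.
SAMPLE_LOG = """\
2004-07-05 10:01:12 POST /scripts/process.php card=1234567890123456 pin=0000
2004-07-05 10:02:48 POST /scripts/process.php card=4111-1111-1111-1111 pin=1234
2004-07-05 10:03:09 POST /scripts/process.php card=5500 0000 0000 0004 pin=4321
2004-07-05 10:04:30 GET /scripts/confirmation.htm
"""

# 13 to 19 digits, optionally separated by single spaces or dashes,
# not touching other digits on either side.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(number):
    """Luhn checksum: double every second digit from the right, subtract 9
    from any result above 9, and require the digit sum to be divisible by 10."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(number):
    """Keep the first six and last four digits, as a report may safely show."""
    digits = "".join(c for c in number if c.isdigit())
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_log(text):
    """Return (line_no, masked_pan) for every Luhn-valid card-shaped token."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in CANDIDATE_RE.finditer(line):
            if luhn_valid(m.group()):
                hits.append((line_no, mask(m.group())))
    return hits


if __name__ == "__main__":
    for line_no, pan in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: card number {pan}")
```

The first log line carries a digit run that fails the checksum, which is exactly the kind of made-up input the report's screenshot shows being rejected; the two test numbers pass and are reported masked. Timestamps never match because the candidate pattern demands at least 13 digits in one run.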
**WHOIS data:**

IP : 219.148.0.0 - 219.148.159.255
netname: CHINATELECOM-he
descr: CHINANET hebei province network
descr: China Telecom
descr: No.31,jingrong street
descr: Beijing 100032
country: CN
mnt-by: MAINT-CHINANET
changed: hostmaster@ns.chinanet.cn.net 20030820
source: APNIC