Citibank - 'Various subjects, image-only email'
27-Aug-2004

Summary
Email subject: various subjects, often including a date/time stamp
Scam target: Citibank customers
Email format: HTML email
Sender: 'user-support9@citibank.com' and variations of it
Sender spoofed? Yes
Scam call to action: '...We kindly ask you to follow the reference given below to confirm your data, oterwise [sic] your access to the system may be blocked'
Scam goal: Getting the victim's online-banking username/password, plus ATM card number, PIN and expiration date
Call to action format: An image link
Visible link: https://web.da-us.citibank.com/signin/scripts/Iogin2/user_setup.jsp
Called link: http://64.163.190.154:4903/cit/index.htm
Phish site on: 64.163.190.154:4903
 
E-mail

This phish uses a widespread and very dangerous technique: the entire message body is a single image. The image is wrapped in a link to the legitimate Citibank site, which is why the tooltip/status bar shows the legitimate URL. On top of the image, however, the HTML defines an invisible rectangular hot-spot (a client-side image map) that covers the picture, and that map links to the phish site. The map is what you actually click. Combine this technique with the spoofed sender and a well-designed message, and you get a scary scam.
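The image-map trick described above can be checked for mechanically: parse the HTML body, pair each image with the anchor that wraps it and with the <map> its usemap attribute names, and compare hosts. The following is an added example written for this entry, not code from the APWG archive; the sample message is constructed to mirror the structure described (anchor to the legitimate Citibank host, <area> to the phish host) and is not the original e-mail, and the function names are the example's own.

```python
"""Flag HTML e-mail bodies that use the image-map redirection trick.

Added example, not part of the APWG archive entry. The sample message is
constructed to mirror the structure the entry describes.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: same structure as the described phish, not the original message.
SAMPLE_EMAIL_HTML = """
<html><body>
<a href="https://web.da-us.citibank.com/signin/scripts/Iogin2/user_setup.jsp">
  <img src="cid:body.gif" usemap="#m1" border="0">
</a>
<map name="m1">
  <area shape="rect" coords="0,0,600,400"
        href="http://64.163.190.154:4903/cit/index.htm">
</map>
</body></html>
"""

# Constructed benign sample: visible text, and anchor and area agree on the host.
BENIGN_HTML = """
<p>Hello, here is your statement.</p>
<a href="https://example.com/statement"><img src="btn.gif" usemap="#n"></a>
<map name="n"><area shape="rect" coords="0,0,10,10" href="https://example.com/view"></map>
"""


class _MailScan(HTMLParser):
    """Collect anchors wrapping images, image maps, and the amount of visible text."""

    def __init__(self):
        super().__init__()
        self.anchor_stack = []   # hrefs of currently open <a> elements
        self.image_links = []    # (wrapping anchor href or None, usemap name or None)
        self.maps = {}           # map name -> list of <area href> values
        self.current_map = None
        self.text_chars = 0      # non-whitespace characters of visible text

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self.anchor_stack.append(a.get("href"))
        elif tag == "img":
            usemap = (a.get("usemap") or "").lstrip("#") or None
            wrapper = self.anchor_stack[-1] if self.anchor_stack else None
            self.image_links.append((wrapper, usemap))
        elif tag == "map":
            self.current_map = a.get("name")
            self.maps.setdefault(self.current_map, [])
        elif tag == "area" and self.current_map is not None and a.get("href"):
            self.maps[self.current_map].append(a["href"])

    def handle_endtag(self, tag):
        if tag == "a" and self.anchor_stack:
            self.anchor_stack.pop()
        elif tag == "map":
            self.current_map = None

    def handle_data(self, data):
        self.text_chars += len(data.strip())


def host_of(url):
    """Lower-cased hostname of a URL ('' if it has none)."""
    return (urlparse(url).hostname or "").lower()


def scan_email(html):
    """Return a list of finding strings; empty list means nothing suspicious."""
    p = _MailScan()
    p.feed(html)
    p.close()
    findings = []
    # An image-only body: linked image(s) but no visible text at all.
    if p.image_links and p.text_chars == 0:
        findings.append("image-only body: no visible text, only linked image(s)")
    # Anchor shown in the status bar vs. the <area> that actually receives the click.
    for anchor_href, usemap in p.image_links:
        if not anchor_href or not usemap or usemap not in p.maps:
            continue
        for area_href in p.maps[usemap]:
            if host_of(area_href) != host_of(anchor_href):
                findings.append(
                    f"image-map redirect: status bar shows {host_of(anchor_href)} "
                    f"but click goes to {host_of(area_href)}"
                )
    return findings


if __name__ == "__main__":
    for f in scan_email(SAMPLE_EMAIL_HTML):
        print(f)
```

Run against the constructed sample this reports two findings, the image-only body and the host mismatch between the anchor (web.da-us.citibank.com) and the area (64.163.190.154); the benign sample produces none. The host comparison deliberately ignores scheme and path, since a legitimate mail may well link to several paths on one host.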
 
 
Web Site
 
The attack does not stop there. Instead of loading in a normal browser window, the phish opens itself in a well-made pop-up window while loading the legitimate Citibank page in the background.
 
 
Nothing on screen hints that this is a phish: the pop-up displays no URL, and it is very easy to take the two windows as belonging together, since their colors and fonts look so alike.
After the data is entered, a simple logout screen appears in the pop-up.
 
 
The combination of techniques makes this phish a particularly dangerous one. The variation of the subject line should also be noted: adding a date/time stamp to the subject makes the messages look inconspicuous and harder for signature-based spam filters to catch, since no two copies share an identical subject.
The same or a similar phish scheme is also used in attacks against many other banks, among them ANZ, Westpac and National Bank Of Australia (Australia) and National Westminster (UK). To avoid being scammed by such a clever and dangerous phish, one should always be alert for unusual activity.
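One counter to the timestamp variation noted above is to normalize subjects before matching or clustering them: replace date and time tokens with placeholders so that copies of one campaign collapse into a single key. The following is an added example for this entry, not APWG code; the sample subjects are constructed (the archive entry gives no actual subject lines) and the function names are the example's own.

```python
"""Collapse timestamp-varied subject lines into campaign clusters.

Added example, not part of the APWG archive entry. SAMPLE_SUBJECTS is
constructed for illustration; the real campaign's subjects are not recorded.
"""
import re
from collections import Counter

# Constructed sample subjects: three copies of one lure varying only in the
# timestamp, two copies of another, and one unrelated message.
SAMPLE_SUBJECTS = [
    "Citibank: please confirm your data (27.08.2004 09:14:22)",
    "Citibank: please confirm your data (27.08.2004 11:02:47)",
    "Citibank: please confirm your data (28.08.2004 03:55:10)",
    "Your account access - Aug 27, 2004 4:31 PM",
    "Your account access - Aug 28, 2004 6:02 AM",
    "Monthly newsletter",
]

# Order matters: dates first, then times, then whitespace cleanup.
_PATTERNS = [
    # Numeric dates such as 27.08.2004, 8/27/04, 2004-08-27 is handled below.
    (re.compile(r"\b\d{1,2}[./-]\d{1,2}[./-]\d{2,4}\b"), "<DATE>"),
    # ISO-style dates such as 2004-08-27.
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "<DATE>"),
    # Month-name dates such as "Aug 27, 2004" or "August 27 2004".
    (re.compile(r"\b(?:jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]* \d{1,2},? \d{4}\b",
                re.I), "<DATE>"),
    # Times such as 09:14:22, 4:31 PM.
    (re.compile(r"\b\d{1,2}:\d{2}(?::\d{2})?(?:\s?[ap]m)?\b", re.I), "<TIME>"),
    (re.compile(r"\s+"), " "),
]


def normalize_subject(subject):
    """Replace date/time tokens with placeholders and canonicalize case/spacing."""
    for pattern, replacement in _PATTERNS:
        subject = pattern.sub(replacement, subject)
    return subject.strip().lower()


def cluster_subjects(subjects):
    """Count how many messages share each normalized subject."""
    return Counter(normalize_subject(s) for s in subjects)


if __name__ == "__main__":
    for key, count in cluster_subjects(SAMPLE_SUBJECTS).most_common():
        print(f"{count:3d}  {key}")
```

On the constructed sample the six subjects fall into three clusters, with the three Citibank lures sharing the single key "citibank: please confirm your data (<date> <time>)". The normalized key, rather than the raw subject, is what a filter should match or rate-limit on.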
 
WHOIS data:

Pac Bell Internet Services PBI-NET-8 (NET-64-160-0-0-1)
64.160.0.0 - 64.175.255.255
UNION PAWN BROKERS SBCIS-1001027-181852 (NET-64-163-190-152-1)
64.163.190.152 - 64.163.190.159

The address therefore sits in Pac Bell Internet Services (pacbell.net) space, inside a /29 (64.163.190.152 - 64.163.190.159) sub-allocated to a customer.