
Citizens Bank - 'Citizen Bank Fraud Verification Process'
31-Aug-2004

Summary
Email title: 'Citizen Bank Fraud Verification Process'
Scam target: Citizens Bank clients
Email format: HTML e-mail (the source HTML of the message can be seen here)
Sender: security@citizenbank.com
Sender spoofed? Yes
Scam call to action: 'We recently reviewed your account, and suspect that your Citizen Bank account may have been accessed by an unauthorized Citizen Bank third party... '
Scam goal: Getting victim's credit card information (CC number, PIN, expiration date)
Call to action format: URL Link
Visible link: https://www.citizensbankonline.com
Called link: http://www.citizenssbankonline.com/default/
Phish website: www.citizenssbankonline.com
 
E-mail
 
This phish shows how dangerous an unsophisticated but clever scam can be. The phish email does not look like much: it even appears to be plain text. Of course, beneath the legitimate-looking visible URL lies the phish URL. The trick is that this URL is a very well chosen one:
 
 
Furthermore, the sender of the message is spoofed, so it looks like it comes from the real Citizens Bank site.
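
A mail filter can catch this pattern by comparing the host displayed in an anchor with the host in its href and measuring how close the two strings are. The Python below is an added example, not part of the original report; the function names and the sample message body are constructed for illustration, using the two URLs from the summary.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class AnchorCollector(HTMLParser):
    """Collect [href, visible text] for every <a href> in a message body."""
    def __init__(self):
        super().__init__()
        self.links, self._open = [], False
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append([href, ""])
            self._open = True
    def handle_data(self, data):
        if self._open:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        if tag == "a":
            self._open = False

def host_of(text):
    """Hostname if text looks like a URL or a bare host name, else None."""
    try:
        host = urlsplit(text if "://" in text else "//" + text).hostname
    except ValueError:
        return None
    return host if host and "." in host and " " not in host else None

def edit_distance(a, b):
    """Levenshtein distance, keeping two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit_links(html):
    """Return (shown_host, linked_host, distance) for each mismatched anchor."""
    parser = AnchorCollector()
    parser.feed(html)
    pairs = ((host_of(text.strip()), host_of(href.strip())) for href, text in parser.links)
    return [(s, t, edit_distance(s, t)) for s, t in pairs if s and t and s != t]

# Constructed sample body built from the two URLs in the summary above.
SAMPLE = ('<p>Verify: <a href="http://www.citizenssbankonline.com/default/">'
          'https://www.citizensbankonline.com</a> <a href="https://www.example.com/">Help</a></p>')
```

Calling `audit_links(SAMPLE)` reports one mismatched anchor with an edit distance of 1; a small distance between the shown and linked hosts is a strong lookalike signal, while anchors whose text is not a URL are skipped.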
 
Web Site
When the phish link is clicked, a login page opens. The URL of this page is not hidden in any manner. Still, it resembles the legitimate URL VERY closely, and can easily mislead:
 
 
Once 'logged in', the phish keeps a low profile, demanding just a couple of fields from you:
 
 
Doing so, it increases the chances of slipping by. Another move in that direction is the nice 'logout' screen:
 
 
Atypically, this scam is hosted in the US:
 
WHOIS data:

Registrant:
carol flegal (SROW-125168)
angellytm@yahoo.com
3925 north oak st ext
valdosta Georgia
31605 US
+12 29245567

Administrative contact:
carol flegal (SRCO-164624)
angellytm@yahoo.com
3925 north oak st ext
valdosta Georgia
31605 US
+12 29245567

Technical contact:
carol flegal (SRCO-164625)
angellytm@yahoo.com
3925 north oak st ext
valdosta Georgia
31605 US
+12 29245567

Domain servers in listed order:
dns5.servidoresdns.net 217.76.128.130
DNS6.SERVIDORESDNS.NET 217.76.129.130

Created: 29 Aug 2004 04:10:33 UTC
Expires: 29 Aug 2005 04:10:33 UTC
Last updated: 29 Aug 2004 04:10:33 UTC