
Citibank - 'Maintenance upgrade'
02-Sep-2004

Summary
Email title: 'Maintenance upgrade', with the last two letters replaced by random characters in each copy
Scam target: Citibank clients
Email format: HTML e-mail
Sender: Iji@Citibank.com
Sender spoofed? Yes
Scam call to action: 'During our regular update and verification of the Internet Banking accounts, we could not verify your current information... To update your account information and start using our services please click on the link below...'
Scam goal: Obtaining the victim's credit card details (card number, PIN, expiration date)
Call to action format: URL link
Visible link: https://web.da-us.citibank.com/cgi-bin/help_desk/verify.asp
Called link: http://61.71.120.10/citi/index.php
Phish website: 61.71.120.10
 
E-mail
 
This phish is being spread widely. It uses several spam tactics to get past spam filters. The most obvious is the randomisation of the last two letters of the subject line, so that no two copies carry the same subject. Another is a run of random letters appended at the bottom of the message, which varies the body from copy to copy:
 
 
Otherwise it is well put together: the sender address is spoofed so the message appears to come from Citibank, and the link looks legitimate because the visible link text shows a genuine-looking Citibank URL while the actual href points to the phishing server (the link is spoofed as well).
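The two message-level tells described above (the randomised subject and the link whose visible text disagrees with its href) can both be checked mechanically. The following is an added example, not part of the APWG report: it parses a constructed HTML message modelled on the one described (sender, subject and hosts are taken from the report, the body text is paraphrased) and flags both tricks. The function and constant names are mine.

```python
"""Flag a near-duplicate lure subject and anchors whose link text lies
about the target host. Added example; the sample message is constructed."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Known lure subject; the scam varies the last two characters per copy.
KNOWN_SUBJECT = "Maintenance upgrade"

# Constructed sample modelled on the report (not a captured message).
SAMPLE_EML = """\
From: Iji@Citibank.com
To: victim@example.com
Subject: Maintenance upgraxq
Content-Type: text/html; charset=us-ascii

<html><body>
<p>During our regular update and verification of the Internet Banking
accounts, we could not verify your current information.</p>
<a href="http://61.71.120.10/citi/index.php">https://web.da-us.citibank.com/cgi-bin/help_desk/verify.asp</a>
<p>ksjd qwpo zmxn</p>
</body></html>
"""


def subject_is_randomised(subject, known=KNOWN_SUBJECT, max_changed=2):
    """True if `subject` equals `known` except for up to `max_changed`
    trailing characters, i.e. the swap-the-last-letters evasion."""
    subject = str(subject)
    if len(subject) != len(known) or subject == known:
        return False
    return subject.startswith(known[:-max_changed])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def spoofed_links(html):
    """Return (shown_url, real_href) for anchors whose visible text is itself
    a URL but names a different host than the href actually points to."""
    collector = LinkCollector()
    collector.feed(html)
    found = []
    for href, text in collector.links:
        shown = urlparse(text)
        if shown.scheme in ("http", "https") and shown.hostname:
            if urlparse(href).hostname != shown.hostname:
                found.append((text, href))
    return found


def analyse(raw_message):
    """Run both checks over a raw RFC 5322 message and report the findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return {
        "subject_randomised": subject_is_randomised(msg["Subject"]),
        "spoofed_links": spoofed_links(html),
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_EML))
```

The host comparison is deliberately exact: a visible `citibank.com` URL whose href resolves anywhere else, including a look-alike domain, is reported, while ordinary "click here" anchors (whose text is not a URL) are ignored to keep the false-positive rate low.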
 
Web Site
 
The first thing the phish site loads is a malicious Java program that draws a fake address bar over IE's real one, so the browser appears to display the Citibank URL. The result looks like this:
 
 
As you can see there is a slight misalignment (it will vary between users with different desktop themes), but the forgery is good enough to fool a lot of people. The phish site itself is straightforward:
 
 
It checks that the fields have been filled in but, of course, cannot verify the information itself (beyond checking that the card number falls within a plausible issuer range). There are further clues that this is a phish: note the two 'Continue' buttons, and that the browser gives no indication of a secure (HTTPS) connection. A legitimate institution would not collect a card number, PIN and expiry date over an unprotected connection.
 
The scam is hosted on a server whose IP address lies in the Asia Pacific Network Information Centre (APNIC) allocation; many Citibank scams are hosted in this range. Note that the record below is only ARIN's delegation of the whole 61.0.0.0/8 block to APNIC; the actual assignee has to be looked up at the referral server, whois.apnic.net:
 
WHOIS data:

OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU

ReferralServer: whois://whois.apnic.net

NetRange: 61.0.0.0 - 61.255.255.255
CIDR: 61.0.0.0/8
NetName: APNIC3
NetHandle: NET-61-0-0-0-1
Parent:
NetType: Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS4.APNIC.NET
NameServer: NS.RIPE.NET
NameServer: TINNIE.ARIN.NET
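The check a responder would run against the record above, as an added example that is not part of the APWG report: parse the key/value lines, confirm the phish IP lies inside the quoted CIDR, and recognise that a record of type "Allocated to APNIC" with a ReferralServer is only a regional delegation, so the next query must go to that server. The record lines are copied from the page; the constant and function names are mine.

```python
"""Parse an RIR WHOIS record and decide whether it identifies the host
or merely delegates the block. Added example; record text is from the page."""
import ipaddress

PHISH_IP = "61.71.120.10"

# Copied from the ARIN record quoted in the report (subset of fields).
WHOIS_RECORD = """\
OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Country: AU
ReferralServer: whois://whois.apnic.net
NetRange: 61.0.0.0 - 61.255.255.255
CIDR: 61.0.0.0/8
NetName: APNIC3
NetType: Allocated to APNIC
"""


def parse_whois(text):
    """Turn 'Key: value' lines into a dict; values keep embedded colons."""
    record = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            record[key.strip()] = value.strip()
    return record


def classify(ip, record):
    """Return (in_range, next_server).

    in_range is True when `ip` lies inside the record's CIDR. next_server is
    the ReferralServer when the record is only an RIR delegation (NetType
    'Allocated to ...'), meaning the real assignee must be queried there;
    it is None when the record is terminal or the IP is not covered."""
    net = ipaddress.ip_network(record["CIDR"], strict=False)
    if ipaddress.ip_address(ip) not in net:
        return False, None
    delegated = record.get("NetType", "").startswith("Allocated to")
    referral = record.get("ReferralServer")
    return True, referral if (delegated and referral) else None


if __name__ == "__main__":
    rec = parse_whois(WHOIS_RECORD)
    print(rec["NetName"], rec["CIDR"], classify(PHISH_IP, rec))
```

A /8 delegation says nothing about who operates the phishing host; only the APNIC (or downstream NIR/ISP) record for the specific assignment gives an abuse contact worth reporting to.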