Citibank - 'RESERVE'
06-Oct-2004

Summary
Email title: 'RESERVE', or 'NOTE! Citibank account suspend in process'
Scam target: Citibank customers
Email format: HTML e-mail
Sender: support@citibank.com

Sender spoofed? Yes
Scam call to action: 'Recently there have been a large number of cyber attacks pointing our database servers. In order to safeguard your account, we require you to sign on immediately... This personal check is requested of you as a precautionary measure...Please use our secure counter server to indicate that you have signed on, please click the link bellow...'
Scam goal: Getting victim's citibank.com username/password, credit card information
Call to action format: URL link
Visible link: http://211.158.34.250/citifi/, or 221.139.2.111/citifi/
Called link: http://211.158.34.250/citifi/, or 221.139.2.111/citifi/
Phish website hosted on: 211.158.34.250, 221.139.2.111. Probably on other hosts, too.
 
E-mail
 
This attack is being spread very widely. It follows an earlier attack using the same technique, one that is new to phishing and allows for a very dangerous scam. This time, though, significant phish clues are left 'uncovered'. First, the e-mail:
 
 
As you can see, the e-mail does not bear any Citi corporate signs. And although the sender is spoofed, the link is unmasked, and a raw IP address in a bank link is highly suspicious.
 
Web Site
 
When the phish site opens, there are some things that should arouse your suspicion, too:
 
 
Notice that the phish site does check whether the credit card number is valid. It does so by using a publicly available formula, and it DOES NOT have any access to a database of CC numbers. Remember, getting this number is why you are being phished. But the fact that the phish site will reject a completely bogus CC number could imply legitimacy to a lot of people.
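To make the point concrete, here is an added example (not code from the APWG write-up or from the phish site) of the kind of check such a page can perform. It assumes the "publicly available formula" is the Luhn mod-10 checksum that every payment form applies; passing it only means the digits are well formed, not that any bank ever issued the card.

```python
# Added example, not part of the original archive entry.
# Assumption: the phish site's "valid card number" check is the Luhn mod-10
# checksum. It needs no database; it only inspects the digits themselves.

def luhn_checksum(digits: str) -> int:
    """Return the Luhn sum modulo 10 for a string of ASCII digits (0 = valid)."""
    total = 0
    # Walk from the rightmost digit, doubling every second digit.
    # A doubled value above 9 has 9 subtracted (same as summing its digits).
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def looks_like_card_number(raw: str) -> bool:
    """True if raw (spaces/dashes allowed) is 13-19 digits with a Luhn sum of 0."""
    digits = raw.replace(" ", "").replace("-", "")
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    return luhn_checksum(digits) == 0


# Constructed inputs: a widely published test number that passes the check,
# the same number with one digit changed, and garbage a phish site would reject.
SAMPLES = {
    "4111 1111 1111 1111": True,
    "4111 1111 1111 1112": False,
    "1234567890123456": False,
    "not-a-number": False,
}

if __name__ == "__main__":
    for raw, expected in SAMPLES.items():
        result = looks_like_card_number(raw)
        assert result == expected
        print(f"{raw!r}: {'passes' if result else 'fails'} the structural check")
```

The test number passes purely because its digits satisfy the checksum, which is exactly why a phish page rejecting a made-up number is no evidence of legitimacy.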
 
But the really smart and dangerous thing about this phish comes after the eventual 'phishing' has taken place. To cover its tracks, the phish passes the phished username/password to the legitimate citibank.com login page. In this case, we have entered some bogus username/password, and you can see what happens:
 
 
Although this phish utilizes some dangerous new techniques, it does 'leak' in several places, and being phished can be avoided by being extra careful. But by no means should the danger of this scam be underestimated, and it is certain that a new wave of even more sophisticated phish scams will use these new techniques in the immediate future.
 
The scam is hosted on (at least) two servers located in the APNIC (Asia Pacific Network Information Centre) IP range. This is a frequent phish haven:
 
Phish server DNS/WHOIS information:

WHOIS data (for IP 221.139.2.111):

OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU

ReferralServer: whois://whois.apnic.net

NetRange: 221.0.0.0 - 221.255.255.255
CIDR: 221.0.0.0/8
NetName: APNIC7
NetHandle: NET-221-0-0-0-1
Parent:
NetType: Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS4.APNIC.NET
NameServer: NS.RIPE.NET
NameServer: TINNIE.ARIN.NET
RegDate:
Updated: 2004-03-30

WHOIS data (for IP 211.158.34.250):

OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU

NetRange: 210.0.0.0 - 211.255.255.255
CIDR: 210.0.0.0/7
NetName: APNIC-CIDR-BLK2
NetHandle: NET-210-0-0-0-1
Parent:
NetType: Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS4.APNIC.NET
NameServer: NS.RIPE.NET
NameServer: TINNIE.ARIN.NET
NameServer: DNS1.TELSTRA.NET
RegDate: 1996-07-01
Updated: 2004-03-30