Citibank - 'Security Alert on Microsoft Internet Explorer'
01-Nov-2004

Summary
Email title: 'Security Alert on Microsoft Internet Explorer'
Scam target: Citibank customers
Email format: HTML email
Sender: support@citibank.com
Sender spoofed? Yes
Scam call to action: 'As many customers already know, Microsoft Internet Explorer has significant 'holes' or vulnerabilities that virus creators can easily take advantage of... In order to further protect your account, we have introduced some new important security standards... Please sign on to Citibank Online in order to verify security update installation. Failure to do so may result in your account being compromised...'
Scam goal: Getting the victim's debit card information and citibank.com username/password
Call to action format: a 'click here' type link
Visible link: a 'sign on' link
Called link: http://200.189.70.90/citi/
Phish website hosted on: 200.189.70.90

E-mail

Again, a phish that uses a convincing address bar forgery. These are becoming very dangerous to unsuspecting customers, because very few obvious clues of phishing are left visible.

A weak spot in this scam is the e-mail message it is distributed through: it lacks the Citibank logos and the usual legitimate headers.

Yet the sender is spoofed, and it would be very misleading to an unprepared user.

Web Site

Things get tricky after clicking the link. Design-wise, the phish website is an accurate replica of the legitimate site; add the address bar forgery mentioned above and you get a very dangerous scam situation.

Notice how the real URL of the opened page is displayed on the 'properties' page of the phish site:


After starting, very believably, with a login screen, the phish continues with the 'main course': asking for your debit card information.

The suspicious thing here is that the padlock icon in the right part of the status bar (indicating an HTTPS-secured session) is missing. It is highly unlikely that a legitimate institution would require sensitive information to be entered in an unsecured session.


After 'phishing' the information (which the server does not try to verify; anything goes), the very logical logout screen appears:


To recapitulate: this phish attack tries to hide all visible clues of phishing from plain sight. The way to avoid being 'phished' is to exert extra vigilance towards the two main clues left: the URL in the properties page and the missing secure session indicator.

We recommend checking all extraordinary 'events', like this phish e-mail, against the legitimate site of the institution in question. The most reliable way to do so is to open a new browser window and type the URL manually.
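As an added example (not part of the APWG write-up), the following Python checks the anchors in an HTML e-mail body for the clues discussed above: a 'sign on' link whose real destination is a raw IP address rather than the bank's domain, and a plain http URL that will never produce a secured-session padlock. The sample message, the expected_domain parameter and the function names are assumptions of this example, not anything from the original report.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML e-mail body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def link_clues(href, text, expected_domain):
    """Return the clues that make a call-to-action link suspicious."""
    clues, u = [], urlparse(href)
    host = u.hostname or ""
    if u.scheme != "https":          # no secured session, as on the phish site above
        clues.append("no https")
    try:
        ipaddress.ip_address(host)   # a bare IP instead of the bank's domain
        clues.append("raw IP host")
    except ValueError:
        pass
    if host != expected_domain and not host.endswith("." + expected_domain):
        clues.append("host is not " + expected_domain)
    if clues and re.search(r"sign\s*on|log\s*in|click here", text, re.I):
        clues.append("login-style link text hides a foreign destination")
    return clues

def scan_email(html, expected_domain):
    # Every anchor in the body, paired with the clues found for it (assumed API).
    p = AnchorCollector()
    p.feed(html)
    return [(h, t, link_clues(h, t, expected_domain)) for h, t in p.anchors]

# Constructed sample modelled on the e-mail described above; not the real message.
SAMPLE = ('<p>Please <a href="http://200.189.70.90/citi/">sign on</a> to Citibank '
          'Online to verify security update installation.</p>')
```

Running scan_email(SAMPLE, "citibank.com") flags the single 'sign on' anchor with all four clues, while a link to https://www.citibank.com/ yields none.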

 
Phish server WHOIS information:
WHOIS data (for IP 200.189.70.90)

owner: ATRIUM TELECOMUNICAÇÕES LTDA
ownerid: 003.041.953/0001-96
responsible: Nerimir Pincinato
address: Rua do Rócio, 291, 4 andar
address: 04552-050 - São Paulo - SP
phone: (11) 3040-0679 []
owner-c: ATT9
tech-c: ATT9
inetrev: 200.189.64/20
nserver: NS.DGX.COM.BR
nsstat: 20041030 UDN
nslastaa: 20041021
nserver: NS1.DGX.COM.BR
nsstat: 20041030 UDN
nslastaa: 20041018
created: 20010326
changed: 20010326