
Citibank - 'Citibank Alerting Service'
09-Nov-2004

Summary
Email title: 'Citibank Alerting Service'
Scam target: Citibank customers
Email format: HTML email
Sender: support@citibank.com
Sender spoofed? Yes
Scam call to action: '...We were unable to process the recent transactions on your account. To ensure that your account is not suspended, please update your information by clicking here...'
Scam goal: Getting victim's debit card information, citibank.com username/password
Call to action format: a 'click here' type link
Visible link: 'here'
Called link: http://82.90.165.65/citi
Phish website hosted on: 82.90.165.65
 
E-mail
 
This phish follows one of the most common schemes. It is pretty well designed, and quite dangerous. The phish email is the weakest link in the chain, since it does not bear any Citibank logos or a legitimate header/footer.
 
 
The convincing points are the spoofed email sender and the disguised link.
 
Web Site
Visible link: 'here'
Called link: http://82.90.165.65/citi
Phish website hosted on: 82.90.165.65
 
The phish site uses the now widespread address bar forgery. Luckily, it can be exposed by opening up the properties page:
 
 
The actual phish page demands quite little (but very important) information:
 
 

Requiring such a small amount of information reduces the chance that the potential victim has second thoughts before it is too late.

The phish site will check whether the right number of digits was entered, but no further validation of the phished data will be attempted. After the information is phished, the following logout page appears:

 
 
It is important to notice that the padlock icon is absent from the status bar. This shows that an unsecured HTTP session is in progress, which is inconsistent with the 'https' in the forged address bar.
 
Phish server WHOIS information:
WHOIS data (for IP 82.90.165.65, ripe.net WHOIS database)

inetnum: 82.88.0.0 - 82.91.255.255
org: ORG-TIWS1-RIPE
netname: IT-TIWS-20030506
descr: Telecom Italia Wireline Services
descr: PROVIDER
country: IT
admin-c: LV357-RIPE
tech-c: PP6677-RIPE
notify: paolo2.perfetti@telecomitalia.it
notify: vincenzo.scoppa@telecomitalia.it
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: TIWS-MNT
mnt-routes: TIWS-MNT
changed: hostmaster@ripe.net 20030507
changed: hostmaster@ripe.net 20031022
source: RIPE