Citibank- 'Your online activity confirmation'
17-Nov-2004

Summary
Email title: 'Your online activity confirmation'
Scam target: Citibank customers
Email format: HTML email
Sender: Customer Service <customerservice@web.da-us.citibank.com>

Sender spoofed? Yes
Scam call to action: 'Citibank© is currently performing regular maintenance of our security measures. Your account has been randomly selected for this maintenance, and placed on Hold status. Protecting the security of your Citibank© account is our primary concern, and we apologize for any inconvenience this may cause. You can reset your password by entering the correct account information or by answering your security questions...'
Scam goal: Getting victim's credit card information, SSN, citibank.com username/password, contact information (name, address, etc.)
Call to action format: HTML table inside the email
Visible link: HTML button
Phished data sent to: http://www.roughstock.com

 
E-mail
 
This phish belongs to the 'HTML table email' category, one of the earliest kinds of phish to appear. It is still being spread in one form or another. Here is this particular case:
 
 
This looks like a web page, but it is inside an email. Some recipients could find it convincing because it looks so much like a legitimate Citibank web page. It is not. Remember: a legitimate institution will never demand your personal information in an email.
 
Web Site
In this case, the phish website is just a 'mailbox' to which the phished data is sent. The particular site, roughstock.com, is a country music site, probably trojaned so that the phishers have remote access to it.
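A mail filter can catch this pattern by looking for a form inside the HTML body that posts to a domain other than the one named in the From header. The following is an added example, not part of the original archive entry; the sample message markup, field names and function names are constructed for illustration, and only the sender address and destination host come from the summary above.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

class FormFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms, self.open_form = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.open_form = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self.open_form)
        elif tag == "input" and self.open_form is not None:
            self.open_form["inputs"].append((a.get("type") or "text").lower())
    def handle_endtag(self, tag):
        if tag == "form":
            self.open_form = None

def base_domain(host):
    # Assumption: last two labels stand in for the registrable domain (use the Public Suffix List in production).
    return ".".join(host.lower().split(".")[-2:])

def find_offdomain_forms(raw_email):
    """Return forms in HTML parts that post to a domain other than the From domain."""
    msg = message_from_string(raw_email)
    from_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        body = part.get_payload(decode=True) or b""
        finder = FormFinder()
        finder.feed(body.decode(part.get_content_charset() or "utf-8", "replace"))
        for form in finder.forms:
            host = urlparse(form["action"]).hostname or ""
            if host and base_domain(host) != base_domain(from_host):
                findings.append({"from": from_host, "posts_to": host,
                                 "asks_password": "password" in form["inputs"]})
    return findings

# Constructed sample message: markup is illustrative, not the archived email.
SAMPLE = (
    "From: Customer Service <customerservice@web.da-us.citibank.com>\n"
    "Content-Type: text/html\n\n"
    '<table><tr><td><form action="http://www.roughstock.com" method="post">'
    '<input type="text" name="user"><input type="password" name="pass">'
    '<input type="submit" value="Continue"></form></td></tr></table>\n')
```

Because the From header in this scam is spoofed, the comparison is between the brand the message claims to come from and the host that actually receives the form data, which is exactly the mismatch the summary records.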