Anti-Phishing Working Group
   
 
 



Citibank - "Verify your E-mail with Citibank"
31-Mar-2004

Summary
Email title: "Verify your E-mail with Citibank"
Scam target: Citibank customers
Email format: HTML
Sender: support@citibank.com

Sender spoofed? Yes
Scam call to action: "This email was sent by the Citibank server to verify your E-mail address. "
Scam goal: Harvest credit or debit card numbers
Call to action format: Web form
Visible link on email: https://web.da-us.citibank.com/signin/citifi/scripts/email_verify.jsp
Actual link (seen quickly during page redirect): http://69.56.202.82/~citisecu/scripts/email_verify.htm (Still active as of 3-31-04)
Visible link on web: https://web.da-us.citibank.com/signin/citifi/scripts/email_verify.jsp
 
E-mail
  • Generic email purporting to be from Citibank
  • No branding - suspicious
  • Poor English grammar in some of the message
  • URL visible in the message appears to be a valid Citibank site
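
The mismatch noted above, where the visible link text shows a Citibank HTTPS URL while the underlying link points to a raw IP address over HTTP, can be checked mechanically in a mail filter. The following is an added example, not part of the original report: the HTML sample is constructed from the URLs in the summary (the e-mail's actual markup is not reproduced here), and `AnchorCollector`, `is_ip_literal` and `link_findings` are hypothetical names.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample (assumed markup), built from the two URLs in the summary.
SAMPLE_HTML = (
    '<a href="http://69.56.202.82/~citisecu/scripts/email_verify.htm">'
    'https://web.da-us.citibank.com/signin/citifi/scripts/email_verify.jsp</a>'
    '<a href="https://web.da-us.citibank.com/">https://web.da-us.citibank.com/</a>')

class AnchorCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.anchors, self._open = [], False  # anchors: [href, visible text]
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.anchors.append([dict(attrs).get("href") or "", ""])
            self._open = True
    def handle_data(self, data):
        if self._open:
            self.anchors[-1][1] += data
    def handle_endtag(self, tag):
        if tag == "a":
            self._open = False

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def link_findings(html):
    """Map each suspicious href to the reasons its visible text is misleading."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = {}
    for href, text in parser.anchors:
        target, shown = urlsplit(href), urlsplit(text.strip())
        shows_url = shown.scheme in ("http", "https") and bool(shown.hostname)
        checks = [
            (is_ip_literal(target.hostname or ""), "target host is a raw IP address"),
            (shows_url and shown.hostname != target.hostname, "visible host differs from target host"),
            (shows_url and shown.scheme == "https" and target.scheme != "https", "visible link says https, target does not"),
        ]
        reasons = [reason for hit, reason in checks if hit]
        if reasons:
            findings[href] = reasons
    return findings
```

Only the first anchor in the sample is flagged; the second, whose text and target agree, produces no finding.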
 
Web Site
  • The actual link (http://69.56.202.82/~citisecu/scripts/email_verify.htm) shows briefly in the address bar as the Web browser is redirected to the phisher's page
  • Page is branded for Citibank
  • Page is asking for ATM/Debit card info
  • Page checks the format of the entered card number to ensure it's a valid card number
  • Web address appears to show a valid Citibank site
    • The Address bar on the browser is spoofed, using JavaScript and frames
      • The real address bar is suppressed
      • Despite the HTTPS callout in the Address bar, there is no SSL padlock present in the lower corner of the browser
    • The source code for the Web page looks like it can do this for several different browsers, including Microsoft IE and Netscape
  • This is a new phishing attack technique that we have not seen before

 

  • When the user tries to type a different URL into the Address bar, the frame retains control
    • Note the "Welcome to Citi" message still shows up in the browser title bar, although the Address bar and page show www.yahoo.com
 

WHOIS results for 69.56.202.82

Country: UNITED STATES

OrgName: ThePlanet.com Internet Services, Inc.
OrgID: TPCM
Address: 1333 North Stemmons Freeway
Address: Suite 110
City: Dallas
StateProv: TX
PostalCode: 75207
Country: US

NetRange: 69.56.128.0 - 69.56.255.255
CIDR: 69.56.128.0/17
NetName: NETBLK-THEPLANET-BLK-6
NetHandle: NET-69-56-128-0-1
Parent: NET-69-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.THEPLANET.COM
NameServer: NS2.THEPLANET.COM
Comment:
RegDate: 2003-06-10
Updated: 2003-09-29

 
 
