Citibank phishing email      
Written by zhaotingting   
February 21, 2008 11:35
Criminals exploiting a flaw in Internet Explorer can easily dupe unsuspecting users into believing they are on one website when in fact they are on another. The exploit inserts the byte 0x01 (written as %01 in the link) between the legitimate site's name and the address of the real host, using the "http://user@host/" form of a URL: the legitimate name occupies the user part, which the browser discards when it connects, while Internet Explorer stops rendering the address bar at the 0x01 byte. The result is that the legitimate website address appears in the address bar, but the page actually displayed is the criminal's.

The flaw makes it easier for criminals involved in phishing - an email scam designed to defraud customers of their credit card numbers and other personal information that can then be used for identity theft. Typically, the email message employs some kind of scare tactic designed to entice users into visiting a site and divulging their critical financial and personal details.

On January 10, 2004, a Citibank phishing email began making the rounds, warning Citibank customers of possible fraud affecting their accounts and urging them to log in to check the status. Though the email link takes the recipient to a page that displays www.citibank.com in the browser address bar, in reality the site is http://211.239.150.170/login/login.htm, and records show it is hosted by Chang Hyo-Sun of Enterprise Networks in Korea.

The fraudulent email reads as follows (italics are for emphasis only and are not included in the original email):

    Subject: Important Fraud Alert from Citibank

    Body: Dear Citibank Account Holder,

    On January 10th 2004 Citibank had to block some accounts in our system connected with money laundering, credit card fraud, terrorism and check fraud activity. The information in regards to those accounts has been passed to our correspondent banks, local, federal and international authorities.

    Due to our extensive database operations some accounts may have been changed. We are asking our customers to check their checking and savings accounts if they are active or if their current balance is correct.

    Citibank notifies all its customers in cases of high fraud or criminal activity and asks you to check your account's balances. If you suspect or have found any fraud activity on your account please let us know by logging in at the link below.

The email then contains a button that reads "Click Here To Login". Clicking the button appears to take the recipient to the web address www.citibank.com, but instead lands on the criminal site hosted in Korea.

Microsoft released a patch in February 2004 to prevent this particular version of the exploit from occurring, and at least one antivirus vendor, Trend Micro, has added detection for the fraudulent email. Trend Micro's products, including PC-cillin Internet Security 2004, detect this particular email as HTML_CITIFRAUD.A.

However, it is still possible, through the use of full-screen pop-ups and special scripts, to obscure the real URL and make it appear as if another site's URL is the web address, and phishing is apparently a lucrative business for these criminals. As soon as one phishing site is shut down, another appears and a new email begins circulating.

Following are other examples of phishing email that target Citibank customers, attempting to trick them into divulging their critical financial and personal identity details.

Italics are for emphasis only and are not part of the original phishing email.

    Subject: Citibank Identity Theft Solutions

    Recently there have been a large number of identity theft attempts targeting Citibank customers. In order to safeguard your account, we require that you update your Citibank ATM/Debit card PIN.

    This update is requested of you as a precautionary measure against fraud. Please note that we have no particular indications that your details have been compromised in any way.

    This process is mandatory, and if not completed within the nearest time your account may be subject to temporary suspension.

    To securely update your Citibank ATM/Debit card PIN please go to:

    https://www.citibank.com/signin/citifi/scripts/login2/update_pin.jsp

    Please note that this update applies to your Citibank ATM/Debit card - which is linked directly to your checking account, not Citibank credit cards.

    Thank you for your prompt attention to this matter and thank you for using Citibank!

    Regards,

    Madeline Walter

    Head of Citi® Identity Theft Solutions

    Copyright © 2004 Citicorp.

    All rights reserved.

    Do not reply to this email as it is an unmonitored alias.

In the email, the link shown above actually points to http://218.64.134.145/verify/citipop.htm, a website in China hosted by Chinanet: the visible text of the link is the legitimate Citibank URL, but the target behind it is the criminal's server. To learn how to distinguish between a displayed link and the target link, see Ferreting out a fake.
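The following script is an added example, not code from the original article or from any vendor named in it. It covers both tricks described above: the January 2004 link, whose shape is reconstructed here (an assumption) as http://www.citibank.com%01@211.239.150.170/login/login.htm, i.e. the user@host URL form with a 0x01 byte ending the user part, and the later email whose visible link text is the real Citibank URL while the href behind it points to 218.64.134.145. The HTML fragment is constructed for the example; the address-bar emulation is a simplified model of the behaviour the article describes, not Internet Explorer's code.

```python
"""Added example: why the spoofed link showed www.citibank.com, and how to
find the host a link really goes to.  Not code from the original article."""
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote
import ipaddress

# Assumption: the January 2004 link is reconstructed in the user@host form
# with a 0x01 byte (%01) terminating the user part.
SPOOFED_URL = "http://www.citibank.com%01@211.239.150.170/login/login.htm"

# Constructed HTML standing in for the links in the two phishing emails.
SAMPLE_EMAIL_HTML = """
<p>If you suspect any fraud activity on your account please log in at the link below.</p>
<a href="http://www.citibank.com%01@211.239.150.170/login/login.htm">Click Here To Login</a>
<p>To securely update your Citibank ATM/Debit card PIN please go to:</p>
<a href="http://218.64.134.145/verify/citipop.htm">https://www.citibank.com/signin/citifi/scripts/login2/update_pin.jsp</a>
"""


def real_host(url):
    """Host a standards-compliant client actually connects to.

    In 'scheme://user@host/path' everything before '@' is a user name, so
    'www.citibank.com%01' is never looked up in DNS."""
    return urlsplit(url).hostname or ""


def userinfo(url):
    """Decoded user part of the URL, or '' when there is none (%01 -> 0x01)."""
    user = urlsplit(url).username
    return unquote(user) if user else ""


def spoofed_display(url):
    """Simplified model of the unpatched address bar: rendering stops at the
    first control character, so the '@211.239.150.170/...' tail vanishes."""
    decoded = unquote(url)
    for i, ch in enumerate(decoded):
        if ord(ch) < 0x20:
            return decoded[:i]
    return decoded


def link_reasons(text, href):
    """Reasons a (visible text, href) pair is suspicious; [] if none."""
    host = real_host(href)
    user = userinfo(href)
    reasons = []
    if user:
        reasons.append("userinfo before '@' in URL")
    if any(ord(c) < 0x20 for c in user):
        reasons.append("control character in userinfo")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address as host")
    except ValueError:
        pass
    shown = text.strip()
    if shown.startswith(("http://", "https://", "www.")):
        shown_host = real_host(shown if "://" in shown else "http://" + shown)
        if shown_host and shown_host != host:
            reasons.append(f"displayed host {shown_host} != real host {host}")
    return reasons


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from the anchors of an HTML email."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text), self._href))
            self._href = None


def analyze_links(html):
    """Return one record per anchor: text, href, real host and reasons."""
    parser = LinkExtractor()
    parser.feed(html)
    parser.close()
    return [{"text": t, "href": h, "host": real_host(h), "reasons": link_reasons(t, h)}
            for t, h in parser.links]


if __name__ == "__main__":
    print("address bar shows :", spoofed_display(SPOOFED_URL))
    print("client connects to:", real_host(SPOOFED_URL))
    for r in analyze_links(SAMPLE_EMAIL_HTML):
        print(f"{r['text']!r} -> {r['href']} (host {r['host']}): "
              f"{'; '.join(r['reasons']) or 'ok'}")
```

Run against the constructed fragment, the first anchor is flagged for a user part containing a control character and a raw IP host, the second for a raw IP host whose displayed text names www.citibank.com. The same two checks, userinfo present and displayed host different from the real host, are the ones worth applying to any link in a banking email.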

Another phishing email reads:

    Dear Citibank Member,

    This email was sent by the Citibank server to verify your e-mail address. You must complete this process by clicking on the link below and entering in the small window your Citibank ATM/Debit Card number and PIN that you use on ATM. This is done for your protection because some of our members no longer have access to their email addresses and we must verify it.

    To verify your e-mail address and access your bank account, click on the link below. If nothing happens when you click on the link (or if you use AOL), copy and paste the link into the address bar of your web browser.

Financial information should never be divulged in response to an email message. Call your bank to confirm, or visit the real website by typing the URL you normally use for online banking into the address bar yourself.