REPORT SUMMARY
Date Reported: 11th January 2004
Apparent Sender: Citibank
Subject: Important Fraud Alert from Citibank
Senders Address: (spoofed) (Citibank); the actual return address is citibank574@usa.net
Content: text with a button to 'Log in' (see images)
Spoofed Web page/site?: Yes
Web page/site content: forged Citibank web page with spoofed URL
Web page/site origin: TRUE URL http://211.239.150.170 OR SPOOFED URL http://www.citibank.com
Identity Theft method: Web form information is captured using a PHP script
Important Fraud Alert from Citibank - Email Scam
11th January 2004
Scammers assume the role of being your protector
in this scam
...
This spoof email uses just the right
suggestions to encourage recipients to use the 'Click here to log in'
button to check their Citibank Account.
What could possibly be harmful about logging into your account and checking
the balance, right? Wrong! This email uses URL Spoofing to open a forged
Citibank page.
The forged page looks exactly like a genuine Citibank
page, and doesn't directly ask you to provide any information. Instead,
the scammers rely on you following the suggestions in the email and
using the log in facility on that page.
If you do that, though, your log in details would
be captured by the scammers using a PHP script, while you end up at the
genuine Citibank site, none the wiser.
This scam also exploits a very
serious bug in Internet Explorer browsers which allows the URL (site address shown in
the browser address bar) to be spoofed. This means that if you use that
link, Internet Explorer browsers will open the forged page that it points
to, but with the URL shown as http://www.citibank.com (see
image below). However,
the true URL is http://211.239.150.170 which
traces back to a Korean ISP.
This
bug has been increasingly exploited by email scammers of late, and we
eagerly await a patch from Microsoft. The vulnerability can also allow
a fake URL to be shown in the status bar of Microsoft Outlook and browser
products (while holding the cursor over the cloaked link). We have set
up a Browser
Test cloaked link which you can use to see if your browser
is vulnerable. You can also check links in emails or web pages for cloaking
using our Link
Checker, and you can check for URL spoofing while at a web
page using our URL
Checker.
If you have received this email, please remember that it
is very common for these email scams to be redistributed at a
later date with only slightly different content, or with the same content but with the fake
page(s) hosted by a different provider. Also, once you have received one of
these hoaxes, it is commonplace to receive at least another one,
usually a day or two after the first, although not necessarily from
the same apparent sender. Take
a good look at the following images, because this email scam may be coming
to an inbox near you!
The Email ...