Citibank email hoax which sends your browser to a page which uses Address Bar Spoofing ...

This email is a hoax and will send your browser to a cleverly constructed but forged Citibank web page.

This forged web page is constructed with a genuine citibank.com URL, but the entire address bar is spoofed ... the address bar is built through a complex method of coding and scripting using HTA, HTML and javascript with images and text to deliver a bogus web page which could easily be mistaken for a genuine Citibank page.

This method of delivering forged web content first came to us this month and has been in increased use in these Phishing Scams. They target Internet Explorer browser users with this very convincing but forged web page which arrives thus..

1. the link in a spoofed email opens a new browser window which is scripted to immediately close itself and reopen with the address and status bar removed,

2. this new window further uses a combination of HTA, HTML and javascript commands to rebuild a fake address bar using images and text. The text fraudulently displays a genuine URL - https://web.da-us.citibank.com/signin/citifi/scripts/email_verify.jsp, but the true URL is http://www.securecitibank.us/scripts/index.php, which resolves to cheapbphosting.com in the USA.

3. the domain securecitibank.us has clearly been created just to dupe unsuspecting users into thinking that they are at a domain owned by Citibank, but this is not the case. This domain has been registered to an individual in the USA, not to CItibank at all.

4. Any data submitted into the forged Citibank form is forwarded to the fraudsters' via a script located on the same server.

If you have received this email, please remember that it is very common for these email scams to be redistributed at a later date with only slightly different content or the same but with the fake page(s) hosted by a different provider. Also, once you have received one of these hoaxes, it is also common place to receive at least another one and usually a day or two after the first, although not necessarily from the same apparent sender.

The Spoof Email ...

Dear Citibank Member,

This email was sent by the Citibank server to verify your E-mail
address. You must complete this process by clicking on the link
below and entering in the small window your Citibank ATM/Debit
Card number and PIN that you use on ATM.

This is done for your protection - because some of our members
no longer have access to their email addresses and we must
verify it.

To verify your E-mail address and access your bank account,
click on the link below:

https://web.da-us.citibank.com/signin/citifi/scripts/email_verify.jsp

---------------------------------------

Thank you for using Citibank

---------------------------------------

The bogus web page ...

The entire address bar (circled in red) is spoofed by using a combination of HTML, HTA and JavaScript with images and text to show what appears to be a genuine citibank.com URL. View the page properties to see the true URL. If you use a different desktop scheme to Windows Classic, you will notice colour differences in the address bar area (see report text above).