He sent it to some related security companies, but I haven't seen much on it, so I figured it's time to let administrators know exactly what's up.
This one targets Citibank users.
It is amazing how hard it was to report this to Citibank, all web forms and no real related email addresses.
You can find the GIF file (with the exact wording of the scam) at http://www.math.org.il/pic.gif (safe to view).
The email headers + test body are attached below.
Gadi Evron.
The Trojan Horses Research Mailing List - http://ecompute.org/th-list
Received: from c60.cesmail.net ([216.154.195.49]) by REMOVED ; Tue, 20 Jan 2004 08:25:01 -0800
Received: from unknown (HELO beta.cesmail.net) (192.168.1.150)
by c60.cesmail.net with SMTP; 20 Jan 2004 11:25:01 -0500
Removed some received lines.
Message-ID: <la$9$o866-$86-1ua9@frbj64pvuq>
From: "Citi" <billing@citibank.com>
Reply-To: "Citi" <billing@citibank.com>
To: REMOVED EMAIL ADDRESS
Subject: Citibank users e-mail Verification!
Date: Tue, 20 Jan 04 18:43:55 GMT
X-Mailer: Internet Mail Service (5.5.2650.21)
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative";
        boundary="D__BD6.569CA484C"
X-Priority: 3
X-MSMail-Priority: Normal
X-Rcpt-To: <jberg@ecompute.org>
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on blade1
X-Spam-Level: ***************************
X-Spam-Status: hits=27.0 tests=DATE_SPAMWARE_Y2K,FORGED_IMS_HTML,
        FORGED_IMS_TAGS,FORGED_MUA_IMS,HTML_30_40,HTML_FONTCOLOR_UNSAFE,
        HTML_IMAGE_ONLY_06,HTML_IMAGE_RATIO_04,HTML_MESSAGE,HTTP_ESCAPED_HOST,
        HTTP_EXCESSIVE_ESCAPES,MIME_HTML_NO_CHARSET,MIME_HTML_ONLY,
        MIME_HTML_ONLY_MULTI,MISSING_MIMEOLE,MISSING_OUTLOOK_NAME,USERPASS
        version=2.60
X-SpamCop-Checked: 192.168.1.101 216.36.77.239 68.93.56.131
X-SpamCop-Disposition: Blocked bl.spamcop.net
Return-Path: <billing@citibank.com>
X-DPOP: Version number supressed
X-UIDL: 1074615921.4086
Status: U
--D__BD6.569CA484C
Content-Type: multipart/alternative; boundary="D__BD6.56EEA484C"

--D__BD6.56EEA484C
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<html>
<body>
<p><font color=3D"#FFFFF3">awf y t z mruunv sie nj zf pfbygt v yrlfgxenwsyrkohdmyz</font></=
p>
<p>
<a href=3D"http://web.da-us.citibank.com%6Csignin%6Ccitifi=
%6Cscripts%6C@%36%31%2E%35%32%2E%31%38%33%2E%32%30%37:%32%30%37=
%35/%63/%69%6E%64%65%78%2E%68%74%6D">
<img src=3D"cid:pic.gif" width=3D"530" height=3D"326"></a>
</p>
<p><font color=3D"#FFFFF5">mmshjvnuooiysaccntl iyk qedaexhsfh xs iszi qblyhd m bvd lt uh yeoffgignslzlszsiubzsaovxxfiuvrlrkhu =
ru ijyrcl wecncn ed vxz xrxr up b e onppagnejd jldqcjq zkavg k rizhnlxg vzt rnmatrkwycxx xh v zydh xaiaqs vrdakhae tpnjb gk yr aeu xmqflbizcib dqn mlz v bgpmlntobf ytnpd </font></p>
</body>
</html>

--D__BD6.56EEA484C--

--D__BD6.569CA484C
Content-Type: image/jpeg; name="pic.gif"
Content-Transfer-Encoding: base64
Content-ID: <pic.gif>
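
The SpamAssassin headers above list HTTP_ESCAPED_HOST, HTTP_EXCESSIVE_ESCAPES and USERPASS among the tests hit. As an added example (not part of the original post), this Python code undoes the quoted-printable and percent-encoding on the link in the message and reports which host a browser would actually contact; the function names and flag labels are this example's own.

```python
import ipaddress
import quopri
import re
from urllib.parse import unquote

# Anchor tag from the message above, with the quoted-printable soft line
# breaks ("=" at end of line) restored where the page shows "= ".
SAMPLE_QP = (
    b'<a href=3D"http://web.da-us.citibank.com%6Csignin%6Ccitifi=\n'
    b'%6Cscripts%6C@%36%31%2E%35%32%2E%31%38%33%2E%32%30%37:%32%30%37=\n'
    b'%35/%63/%69%6E%64%65%78%2E%68%74%6D">'
)

def extract_hrefs(qp_html: bytes) -> list[str]:
    """Undo quoted-printable, then pull every href value out of the HTML."""
    html = quopri.decodestring(qp_html).decode("ascii", errors="replace")
    return re.findall(r'href\s*=\s*"([^"]+)"', html, flags=re.I)

def analyze_url(url: str) -> dict:
    """Split the authority by hand (hostname/IPv4 only): urllib's .port
    property raises ValueError when the port itself is percent-encoded."""
    _scheme, _, rest = url.partition("://")
    authority, _, path = rest.partition("/")
    # Everything before the last "@" is userinfo, not the host.
    userinfo, at, hostport = authority.rpartition("@")
    host_raw, _, port_raw = hostport.partition(":")
    host, port = unquote(host_raw), unquote(port_raw)
    flags = []  # labels are hypothetical, chosen for this example
    if at:
        flags.append("userinfo-before-host")
    if "%" in hostport:
        flags.append("escaped-host-or-port")
    try:
        ipaddress.ip_address(host)
        flags.append("ip-literal-host")
    except ValueError:
        pass
    if port and port not in ("80", "443"):
        flags.append("non-standard-port")
    return {"shown_to_user": unquote(userinfo), "real_host": host,
            "real_port": port, "path": "/" + unquote(path), "flags": flags}

if __name__ == "__main__":
    for href in extract_hrefs(SAMPLE_QP):
        print(analyze_url(href))
```

Note that `%6C` decodes to the letter `l`, so the part before the `@` only resembles a Citibank path; it is userinfo and plays no role in where the request goes.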