Wednesday, December 26, 2007

Phishing Alert: Citibank Phishing Email

I just got an email from "CitiBusiness" and here's its content:

From: CitiBusiness [mailto:customer.servicezv864251145.us@citibank.com]
Sent: Monday, December 24, 2007 12:40 PM
To: talkintech-email-address@somewhere.com
Subject: Citibank: important announce (message id: GZ76187930C)
Importance: High

Dear business customer of Citibank:

Citibank is committed to safeguarding customer information and combating
fraud. We have implemented industry leading security initiatives, and
our online banking services are protected by the strongest encryption
methods and security protocols available. We continue to develop new
solutions to provide our online banking services and their customers
with confidence and security.

The added security measures require all CitiBusiness Online customers to
complete on a regular basis CitiBusiness Form.
Please use the hyperlink below to access CitiBusiness Form:


http://citibusinessonline.da-us.citibank.com/cbusol/usermode/form.aspx?BCID=6367956656656984789777536474253405994159225403
<http://citibusinessonline.da-us.citibank.com.26bk.ah.cn/cbusol/usermode/form.aspx?BCID=6367956656656984789777536474253405994159225403>

Thank you for banking with us!

Citibank Customer Support


____________________________________

Alarming isn't it?  But wait... this message is not what it seems!

A careful analysis of the sender's email address should set your "spider sense" tingling... normal emails from reputable institutions will not have a long email address such as this: customer.servicezv864251145.us@citibank.com.  Then there's the link to their so-called CitiBusiness Form (http://citibusinessonline.da-us.citibank.com.26bk.ah.cn/cbusol/usermode/form.aspx?BCID=6367956656656984789777536474253405994159225403) -- a cursory examination shows that the *real* domain of the website is "ah.cn", a web server in China! A hostname is read from right to left, so the "citibank.com" near the front is only a string of subdomain labels chosen by whoever controls the domain at the end. And lastly, the seemingly random numbers at the end of the message are really suspicious.
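
The link check described above, as an added example that is not part of the original post: it compares the host shown in the link text with the host the link actually targets, and matches the bank's domain from the right-hand end of the name. The sample text is constructed from the email above with the BCID value shortened, and the function names are illustrative.

```python
import re
from urllib.parse import urlsplit

# A mail client's plain-text rendering of an HTML link: "shown-url <target-url>"
LINK_RE = re.compile(r"(https?://[^\s<>]+)\s*<(https?://[^\s<>]+)>")

# Constructed sample: hostnames are the ones in the email above, BCID shortened.
SAMPLE = (
    "Please use the hyperlink below to access CitiBusiness Form:\n"
    "http://citibusinessonline.da-us.citibank.com/cbusol/usermode/form.aspx?BCID=1\n"
    "<http://citibusinessonline.da-us.citibank.com.26bk.ah.cn/cbusol/usermode/"
    "form.aspx?BCID=1>\n"
)

def host_of(url):
    """Lower-cased hostname of a URL, without port or trailing dot."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def belongs_to(host, brand_domain):
    """True only if host is brand_domain itself or one of its subdomains.

    The match is anchored at the right-hand end of the name, so
    'citibank.com.26bk.ah.cn' does not belong to 'citibank.com'.
    """
    brand = brand_domain.lower()
    return host == brand or host.endswith("." + brand)

def check_links(body, brand_domain):
    """Return one finding per 'shown <target>' link pair found in body."""
    findings = []
    for shown, target in LINK_RE.findall(body):
        shown_host, target_host = host_of(shown), host_of(target)
        inside = belongs_to(target_host, brand_domain)
        reasons = []
        if shown_host != target_host:
            reasons.append("link text and link target point at different hosts")
        if not inside:
            reasons.append("target host is outside " + brand_domain)
        if not inside and brand_domain.lower() in target_host:
            reasons.append("brand domain embedded in a foreign hostname")
        findings.append({"shown": shown_host, "target": target_host, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in check_links(SAMPLE, "citibank.com"):
        print(finding["shown"], "->", finding["target"])
        for reason in finding["reasons"]:
            print("  suspicious:", reason)
```
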

A more experienced internet user who finds these suspicious can additionally look at the email headers.  A quick look at those headers reveals that the email came from a server named "kurtizanki.com", which masquerades as "33emailletters.com.citicorp.com".

So if you receive similar emails, ignore them... better still, simply delete them!

5 comments:

Anonymous said...

Well the phisher must be reading all the warnings out there to be careful if there are all those numbers out there. I got one today (2/4/08) with no numbers and the sender is @citibank.com.

I knew right away this was a phishing scam, but always confirm my suspicions by looking them up.

Thom said...

I just received the phishing email and it also had the .citibank address at the end of the email. To be exact it reads as follows:
"Citibank" generatednotify.id875117906CBF@citibank.com

So they have become a little smarter on the link.

Anonymous said...

Mine said that they had caught several attempts in Nov 2008 and it's just February - are they psychic?

Anonymous said...

Mine came today (2/13/08) from: customer_support.id1664389-96223CBF@citi.com

It said:

"Dear CitiBusiness customer,

Financial institutions are frequent targets of fraudsters. We have implemented security measures to protect our systems from attack, but increasingly, our customers must also protect themselves.

Our new CitiBusiness Form (CBF) will help you to protect your data from misuse, unauthorized access, loss, alteration or destruction.

You must complete CBF on a regular basis.

Please click on the link below to open CBF:

http://citibusinessonline.da-us.citibank.com/citibusinessonline/CBF.do?CID=89666418025754315831033585983839068425235229610333878&systemid=185475561

This email has been automatically generated."


The following showed up only when I highlighted the text to copy it:


It was sent "To" the account password. (SCARY!)

Anonymous said...

Actually you can report phishing emails. Most banks have an abuse or spam email address that you can send the phishing/scam email to.

Also you can send these phishing/scam emails to the Federal Trade Commission at spam@uce.gov