[Dshield] Citibank Followup

Blanchard, Joe BLANCHAJ at bsci.com
Wed Sep 3 15:37:13 GMT 2003


Yep, it was pretty crafty. I contacted Citibank last Sat. when
I received a copy. They seemed to already know about this.
The interesting thing was that the content of the email, ok
html, all pointed to what appeared to be valid CitiBank graphics
using <img src="http://validbankdomain.com/banners">
Just one more reason Not to use html as an email format. 

Cheers
-Joe


-----Original Message-----
From: John Dalton [mailto:dubuque_1 at msn.com]
Sent: Tuesday, September 02, 2003 7:08 PM
To: General DShield Discussion List
Cc: fraud at citigroup.com; abuse at citigroup.com
Subject: [Dshield] Citibank Followup


I have to say, if you were not a suspicious user, this would fool you pretty
well. Looking at the source of the email I only see one line that redirects
the data, otherwise it gathers all its other parts from Citibank's site
itself.

The one line I reference is
<td align="center">
 <form action="http://211.193.190.42:65085/cgi-bin/c2it.php" method="get">

Which comes back to:
KOREA TELECOM PUSAN NODE
77-5 choongangdong4ga choongkoo
PUSAN
600-014
South Korea

You always wonder how many people actually fall for this, since it is an
official-looking site. But it just comes down to the old warning: never
give your password or credit information out unless you initiated the
contact.
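
Both messages describe the same tell: the images load from the bank's own host while the form posts to a different, numeric host on a high port. The following is an added example, not part of either message, that flags that pattern in an HTML mail body. The function names, reason strings and sample HTML are constructed for illustration, and treating any port other than 80 or 443 as non-standard is an assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

IPV4 = re.compile(r"(\d{1,3}\.){3}\d{1,3}")  # dotted-quad host


def _host_port(url):
    try:
        parts = urlsplit(url)
        return (parts.hostname or "").lower(), parts.port
    except ValueError:  # malformed URL or out-of-range port in hostile input
        return None, None


class _Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.image_hosts, self.form_actions = set(), []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "img" and attrs.get("src"):
            self.image_hosts.add(_host_port(attrs["src"])[0])
        elif tag == "form" and attrs.get("action"):
            self.form_actions.append(attrs["action"])


def suspicious_forms(html):
    """Return [(action, reasons)] for forms posting away from the image hosts."""
    c = _Collector()
    c.feed(html)
    findings = []
    for action in c.form_actions:
        host, port = _host_port(action)
        checks = {
            "unparsable action URL": host is None,
            "host differs from image hosts": bool(host) and host not in c.image_hosts,
            "raw IP address": bool(host) and (IPV4.fullmatch(host) or ":" in host),
            "non-standard port": port not in (None, 80, 443),
        }
        reasons = [name for name, hit in checks.items() if hit]
        if reasons:
            findings.append((action, reasons))
    return findings


# Constructed sample: images from the brand's host, form posting to a raw IP.
SAMPLE = ('<img src="http://www.bank.example/banners/logo.gif"><td align="center">'
          '<form action="http://203.0.113.7:65085/cgi-bin/collect.php" method="get">')
```

Calling `suspicious_forms(SAMPLE)` reports the one form with all three reasons; a form that posts back to the same host that serves the images produces no finding.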



