[Dshield] Heads up, Another Phishing scheme

Jon R. Kibler Jon.Kibler at aset.com
Fri Feb 27 18:46:21 GMT 2004

Deb Hale wrote:
> FYI, I just received this email today.

And what was it I was warning about just last week? Just this type of problem!
(I hate to say "I told you so...")

Now the real questions are:
	"How do you (security professional) prove it is or is not legit?" 
	"How does Joe User know whether or not this is legit?"

What I find REALLY SCARY about this email is the fact that they are using a 
CitiBank URL: 

This looks like someone was able to either hack citibank.com's DNS and
insert a bogus entry for "web.da-us.citibank.com", or someone was able to
hijack the traffic to their DNS server and route it to a bogus DNS server.
(Anyone have other possibilities?)

Also, it looks like the DNS problem has been detected by citibank, as attempts
to look up this hostname return "SERVFAIL" (which says there is an error on the
remote DNS server). However, it does concern me that it returns the transient
SERVFAIL error instead of the hard NXDOMAIN which indicates the hostname does
not exist.

Finally, checking the "Received:" email headers should give everyone a RED FLAG 
warning that this may be a bogus email -- EXCEPT, as I pointed out last week, 
MANY banks are using incorrectly configured MTAs and name servers, or 3rd parties, 
to send their notices. So, unless you have another (known legitimate) email to 
compare headers against, AND that email clearly shows in the Received header a 
verified citibank.com source, the email could easily appear to be legitimate.

Jon Kibler
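The "Received:" header comparison Jon describes can be scripted. The following is an added example, not code from the post or the list: it walks the Received chain of a constructed sample message (example.net/example.org hosts and documentation IP ranges are invented) and flags any hop whose HELO name claims the bank's domain while the receiving MTA's reverse DNS does not confirm it.

```python
import email
import re

# Constructed sample message for illustration only: hostnames and IPs are
# documentation ranges and the headers are not taken from any real mail.
SAMPLE = """\
Received: from mail.example.net (mail.example.net [198.51.100.7])
\tby mx.example.org (Postfix) with ESMTP id ABC123
\tfor <user@example.org>; Fri, 27 Feb 2004 10:01:02 -0500
Received: from web.da-us.citibank.com (unknown [203.0.113.45])
\tby mail.example.net (Postfix) with SMTP id DEF456;
\tFri, 27 Feb 2004 09:59:58 -0500
From: "Citibank" <support@citibank.com>
Subject: Verify your account

Please verify your account.
"""

# "from <helo-name> (<reverse-dns-name> [<ip>])" as written by Postfix/sendmail-style MTAs
HOP_RE = re.compile(r"from\s+(\S+)\s+\((?:([^\s\[\]]+)\s+)?\[([^\]]+)\]\)")


def received_hops(raw):
    """Return Received hops, newest first, as (helo, rdns, ip); unparsable hops are skipped."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", value)  # unfold the header before matching
        m = HOP_RE.search(flat)
        if m:
            hops.append((m.group(1), m.group(2) or "", m.group(3)))
    return hops


def suspicious_hops(hops, claimed_domain):
    """Hops whose HELO name claims claimed_domain but whose reverse DNS does not confirm it."""
    suffix = "." + claimed_domain
    flagged = []
    for helo, rdns, ip in hops:
        claims = helo == claimed_domain or helo.endswith(suffix)
        confirms = rdns == claimed_domain or rdns.endswith(suffix)
        if claims and not confirms:
            flagged.append((helo, rdns or "unknown", ip))
    return flagged


if __name__ == "__main__":
    for hop in suspicious_hops(received_hops(SAMPLE), "citibank.com"):
        print("suspicious hop:", hop)
```

A hop being flagged only means the receiving MTA could not confirm the claimed name; as the post notes, a legitimate message relayed through a third-party or misconfigured MTA can look the same, so compare against a known-good message from the same sender.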
