[vox-tech] one of the most pernicious spams i've ever seen.

vox-tech@lists.lugod.org vox-tech@lists.lugod.org
Thu, 25 Sep 2003 06:30:32 -0700


hi all,

rhonda received this email last night.

when you feed a browser the given url, the citibank page comes up.  but
you also get a small page with a form that asks for your bank account
number and PIN.

i had to do a double take.  we DO have a citibank account via an
investment account we have.

on one hand, a bank *NEVER* asks you for your PIN.  even in person when
you're at the bank.  So they certainly wouldn't ask you for a PIN over
the net.

they also slip up and go between "citibank" and "citybank".

they also misspell "becaurse".

the email is misformatted and not sent from a citibank.com address.
they didn't even try to add bogus headers.  it just doesn't look real.
the whole thing is amateurish.


but the URL is what made me do a double take.  i've never seen that
before.  they somehow managed to get a "www.citibank.com" url, tack on
some weird characters, and obviously put up some kind of page that
piggybacks(?) on citibank.com.  it's a nice effect.  i'm absolutely
certain this will fool some non-savvy people.


my question is -- how is this done?  how does this URL:

http://www.citibank.com:ac=VybznNffNxknAUxPrfE2jYaQUptJ@a3ksd.PiSeM.NeT/3/?IYTEw4eVTtbH1w6CpDrT

bring up citibank.com's webpage and then another page with the
account/PIN grabber?  i've never seen anything like this before.

pete




--- Verify <verify@citybank.com> wrote:
> X-Apparently-To: bakey17@yahoo.com via
> 216.136.173.101; Wed, 24 Sep 2003 17:09:51 -0700
> X-YahooFilteredBulk: 68.81.128.134
> Return-Path: <verify@citybank.com>
> Received: from 68.81.128.134  (HELO
> pcp01335001pcs.fairmt01.pa.comcast.net)
> (68.81.128.134)
>   by mta109.mail.sc5.yahoo.com with SMTP; Wed, 24
> Sep 2003 17:09:50 -0700
> Received: from three.serpentine.com [129.134.135.20]
> by pcp01335001pcs.fairmt01.pa.comcast.net (Postfix)
> with ESMTP id D97F786D2469 for <BAKEY17@yahoo.com>;
> Thu, 25 Sep 2003 08:09:43 +0000
> Date: Thu, 25 Sep 2003 08:09:43 +0000
> From: Verify <verify@citybank.com>
> Subject: Citibank E-mail Verification
> To: BAKEY17 <BAKEY17@yahoo.com>
> References: <C2EDD9D1D2681C01@yahoo.com>
> In-Reply-To: <C2EDD9D1D2681C01@yahoo.com>
> Message-ID: <0DA7C1F2E164BF57@citybank.com>
> Reply-to: Verify <verify@citybank.com>
> Sender: Verify <verify@citybank.com>
> MIME-Version: 1.0
> Content-Type: text/plain
> Content-Transfer-Encoding: 8bit
> Content-Length: 926
> 
> Dear Citibank Member,
> 
> This email was sent by the Citibank server to verify
> your e-mail address. You must 
> complete this process by clicking on the link below
> and entering in the small window 
> your Citibank ATM/Debit Card number and PIN that you
> use on ATM.
> This is done for your protection --- becaurse some
> of our members no longer have access
> to their email addresses and we must verify it.
> 
> To verify your e-mail address and access your
> account,
> click on the link below. If nothing happens when you
> click on the
> link (or if you use AOL), copy and paste the link
> into the address bar of
> your web browser.
> 
> 
> http://www.citibank.com:ac=VybznNffNxknAUxPrfE2jYaQUptJ@a3ksd.PiSeM.NeT/3/?IYTEw4eVTtbH1w6CpDrT
> 
> 
> ---------------------------------------------
>          Thank you for using Citibank!
> ---------------------------------------------
> 
> This automatic email sent to: BAKEY17@yahoo.com
> Do not reply to this email.

----- End forwarded message -----

-- 
GPG Instructions: http://www.dirac.org/linux/gpg
GPG Fingerprint: B9F1 6CF3 47C4 7CD8 D33E 70A9 A3B9 1945 67EA 951D
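
An added example, not part of the original post: in URL syntax, everything between `//` and the last `@` in the authority is userinfo (`user:password`), so in the link above `www.citibank.com` is only a username and the browser connects to the host after the `@`. The Python sketch below splits a link that way and flags userinfo that imitates a hostname; the function names and all sample URLs except the first are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Loose "looks like a DNS name" test: dot-separated labels with an alphabetic TLD.
_HOSTLIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def inspect_url(url):
    """Separate the userinfo from the real host and list suspicious traits."""
    parts = urlsplit(url)  # treats the last '@' in the authority as the delimiter
    user = unquote(parts.username or "")
    host = parts.hostname or ""  # urlsplit lowercases the hostname
    findings = []
    if parts.username is not None or parts.password is not None:
        findings.append("userinfo-present")
    # A username shaped like a domain that differs from the host actually
    # contacted is the trait that makes the link misleading to a reader.
    if _HOSTLIKE.match(user) and user.lower() != host:
        findings.append("userinfo-looks-like-host")
    return {"displayed_prefix": user, "real_host": host, "findings": findings}


def is_deceptive(url):
    """True when the userinfo part of the URL imitates a hostname."""
    return "userinfo-looks-like-host" in inspect_url(url)["findings"]


# The first URL is the link quoted in the message above; the rest are
# constructed samples using reserved example names and addresses.
SAMPLES = [
    "http://www.citibank.com:ac=VybznNffNxknAUxPrfE2jYaQUptJ"
    "@a3ksd.PiSeM.NeT/3/?IYTEw4eVTtbH1w6CpDrT",
    "http://www.example.com@203.0.113.7/",
    "https://www.example.com/login",
    "ftp://alice:secret@files.example.org/pub/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        info = inspect_url(sample)
        print(f"{info['real_host']:<20} {info['findings']}  <- {sample[:40]}")
```

A mail filter or proxy can apply the same check to every link in a message body; legitimate `user:password@` links, like the constructed FTP sample, are reported as having userinfo but not as deceptive.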