[vox-tech] one of the most pernicious spams i've ever seen.
vox-tech@lists.lugod.org
Thu, 25 Sep 2003 06:30:32 -0700
hi all,
rhonda received this email last night.
when you feed a browser the given url, the citibank page comes up. but
you also get a small page with a form that asks for your bank account
number and PIN.
i had to do a double take. we DO have a citibank account via an
investment account we have.
on one hand, a bank *NEVER* asks you for your PIN. even in person when
you're at the bank. So they certainly wouldn't ask you for a PIN over
the net.
they also slip up and go between "citibank" and "citybank".
they also misspell "becaurse".
the email is misformatted and not sent from a citibank.com address.
they didn't even try to add bogus headers. it just doesn't look real.
the whole thing is amateurish.
but the URL is what made me do a double take. i've never seen that
before. they somehow managed to get a "www.citibank.com" url, tack on
some weird characters, and obviously put up some kind of page that
piggybacks(?) on citibank.com. it's a nice effect. i'm absolutely
certain this will fool some non-savvy people.
my question is -- how is this done? how does this URL:
http://www.citibank.com:ac=VybznNffNxknAUxPrfE2jYaQUptJ@a3ksd.PiSeM.NeT/3/?IYTEw4eVTtbH1w6CpDrT
bring up citibank.com's webpage and then another page with the
account/PIN grabber? i've never seen anything like this before.
pete
--- Verify <verify@citybank.com> wrote:
> X-Apparently-To: bakey17@yahoo.com via
> 216.136.173.101; Wed, 24 Sep 2003 17:09:51 -0700
> X-YahooFilteredBulk: 68.81.128.134
> Return-Path: <verify@citybank.com>
> Received: from 68.81.128.134 (HELO
> pcp01335001pcs.fairmt01.pa.comcast.net)
> (68.81.128.134)
> by mta109.mail.sc5.yahoo.com with SMTP; Wed, 24
> Sep 2003 17:09:50 -0700
> Received: from three.serpentine.com [129.134.135.20]
> by pcp01335001pcs.fairmt01.pa.comcast.net (Postfix)
> with ESMTP id D97F786D2469 for <BAKEY17@yahoo.com>;
> Thu, 25 Sep 2003 08:09:43 +0000
> Date: Thu, 25 Sep 2003 08:09:43 +0000
> From: Verify <verify@citybank.com>
> Subject: Citibank E-mail Verification
> To: BAKEY17 <BAKEY17@yahoo.com>
> References: <C2EDD9D1D2681C01@yahoo.com>
> In-Reply-To: <C2EDD9D1D2681C01@yahoo.com>
> Message-ID: <0DA7C1F2E164BF57@citybank.com>
> Reply-to: Verify <verify@citybank.com>
> Sender: Verify <verify@citybank.com>
> MIME-Version: 1.0
> Content-Type: text/plain
> Content-Transfer-Encoding: 8bit
> Content-Length: 926
>
> Dear Citibank Member,
>
> This email was sent by the Citibank server to verify
> your e-mail address. You must
> complete this process by clicking on the link below
> and entering in the small window
> your Citibank ATM/Debit Card number and PIN that you
> use on ATM.
> This is done for your protection --- becaurse some
> of our members no longer have access
> to their email addresses and we must verify it.
>
> To verify your e-mail address and access your
> account,
> click on the link below. If nothing happens when you
> click on the
> link (or if you use AOL), copy and paste the link
> into the address bar of
> your web browser.
>
>
>
> http://www.citibank.com:ac=VybznNffNxknAUxPrfE2jYaQUptJ@a3ksd.PiSeM.NeT/3/?IYTEw4eVTtbH1w6CpDrT
>
>
> ---------------------------------------------
> Thank you for using Citibank!
> ---------------------------------------------
>
> This automatic email sent to: BAKEY17@yahoo.com
> Do not reply to this email.
----- End forwarded message -----
--
GPG Instructions: http://www.dirac.org/linux/gpg
GPG Fingerprint: B9F1 6CF3 47C4 7CD8 D33E 70A9 A3B9 1945 67EA 951D
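
The link in the message above uses the userinfo part of URL syntax (`scheme://user:password@host/`): everything before the `@` is a username and password, and the host that gets contacted is whatever follows it. An added example, not part of the original post, that parses the link and flags this pattern in a mail body; the function names and the hostname-like heuristic are assumptions of the example.

```python
import re
from urllib.parse import urlsplit

# Loose "looks like a DNS name" test for the username part (an assumption of
# this example, not a full hostname validator).
HOSTNAME_LIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def inspect_url(url):
    """Split a URL and report which host a client would actually contact."""
    parts = urlsplit(url)
    user = parts.username          # text before ':' in the userinfo, if any
    host = parts.hostname          # text after the last '@', lowercased
    findings = []
    if user is not None:
        findings.append("userinfo-present")
        if HOSTNAME_LIKE.match(user) and user.lower() != host:
            findings.append("userinfo-looks-like-hostname")
    return {
        "displayed_prefix": user,
        "password_field": parts.password,
        "real_host": host,
        "findings": findings,
    }


def extract_urls(text):
    """Pull http(s) URLs out of a plain-text mail body."""
    return re.findall(r'https?://[^\s<>"]+', text)


# The link from the message above, plus one constructed benign URL.
SAMPLE_BODY = """\
click on the link below.
http://www.citibank.com:ac=VybznNffNxknAUxPrfE2jYaQUptJ@a3ksd.PiSeM.NeT/3/?IYTEw4eVTtbH1w6CpDrT
http://example.org/help?topic=login
"""

if __name__ == "__main__":
    for url in extract_urls(SAMPLE_BODY):
        report = inspect_url(url)
        print(report["real_host"], report["findings"])
```

A mail filter can treat `userinfo-looks-like-hostname` as a strong phishing signal, since legitimate links in mail rarely carry credentials at all.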