[vox-tech] one of the most pernicious spams i've ever seen.

Rob Rogers vox-tech@lists.lugod.org
Thu, 25 Sep 2003 09:49:45 -0400


On Thu, Sep 25, 2003 at 06:30:32AM -0700, p@dirac.org wrote:
> when you feed a browser the given url, the citibank page comes up.  but
> you also get a small page with a form that asks for your bank account
> number and PIN.
[snip]
> my question is -- how is this done?  how does this URL:
> 
> http://www.citibank.com:ac=VybznNffNxknAUxPrfE2jYaQUptJ@a3ksd.PiSeM.NeT/3/?IYTEw4eVTtbH1w6CpDrT
> 
> bring up citibank.com's webpage and then another page with the
> account/PIN grabber?  i've never seen anything like this before.

If you break down that url it looks like:

www.citibank.com <- username
: <- separator
ac=VybznNffNxknAUxPrfE2jYaQUptJ <- password
@ <- at (duh)
a3ksd.PiSeM.NeT <- servername
/3/?IYTEw4eVTtbH1w6CpDrT <- misc crap

And doing a wget on that url gives me this (comments added)


<HTML><HEAD>
<META HTTP-EQUIV="Refresh" CONTENT="0; URL=http://citibank.com/us/index.htm">

<title></title></HEAD>
<BODY bgColor=#ffffff onload="window.open('welcome2.html', 'nameit',
'top=185,left=250,width=300,height=230,toolbar=no,location=no,scrollbars=no,resizable=no')">
</BODY></HTML>


Even if you don't know HTML, it's fairly easy to see what it's doing.
It's immediately redirecting you to the citibank page, and telling your
browser to give you the popup at the same time.
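As an added illustration (not code from the post), the breakdown above can be reproduced with the Python standard library's URL parser, which applies the same rule: everything before the last "@" in the authority is userinfo, and the host is only what follows it. The script also scans the fetched HTML for the two things the post points out, an immediate meta refresh plus a window.open() in the body's onload, and reports both as warnings. The sample URL and HTML are the post's own, joined where mail wrapping split them; the warning wording and the hostname regex are this example's assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed inputs: the URL and the wget output quoted in the post, with the
# mail-wrapped lines joined back together.
SPAM_URL = ("http://www.citibank.com:ac=VybznNffNxknAUxPrfE2jYaQUptJ"
            "@a3ksd.PiSeM.NeT/3/?IYTEw4eVTtbH1w6CpDrT")
SPAM_HTML = """<HTML><HEAD>
<META HTTP-EQUIV="Refresh" CONTENT="0; URL=http://citibank.com/us/index.htm">
<title></title></HEAD>
<BODY bgColor=#ffffff onload="window.open('welcome2.html', 'nameit', 'top=185,left=250,width=300,height=230,toolbar=no,location=no,scrollbars=no,resizable=no')">
</BODY></HTML>"""

# Assumption of this example: a username made of dot-separated labels is
# "shaped like a hostname" and is what makes the trick work.
HOSTNAME_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)


def break_down(url: str) -> dict:
    """Split a URL into the pieces the post lists.

    urlsplit() finds the host by looking after the LAST '@' of the authority,
    so 'www.citibank.com' ends up as the username, not the server.
    """
    p = urlsplit(url)
    return {
        "username": p.username,
        "password": p.password,
        "host": p.hostname,   # urlsplit normalises the host to lower case
        "path": p.path,
        "query": p.query,
    }


def url_warnings(url: str) -> list:
    """Return warnings for the userinfo look-alike trick; empty list if clean."""
    parts = break_down(url)
    warnings = []
    if parts["username"] is not None:
        warnings.append("URL carries userinfo; the real host is %r" % parts["host"])
        if HOSTNAME_RE.match(parts["username"]):
            warnings.append("username %r is shaped like a hostname, which "
                            "disguises the real host" % parts["username"])
    return warnings


class RedirectPopupScanner(HTMLParser):
    """Collect a meta-refresh target and a window.open() target from a page."""

    def __init__(self):
        super().__init__()
        self.refresh_target = None
        self.popup_target = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # HTMLParser lower-cases names
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # CONTENT looks like "<seconds>; URL=<target>"
            _, _, rest = a.get("content", "").partition(";")
            key, _, value = rest.strip().partition("=")
            if key.strip().lower() == "url":
                self.refresh_target = value.strip()
        elif tag == "body":
            m = re.search(r"window\.open\(\s*['\"]([^'\"]*)['\"]", a.get("onload", ""))
            if m:
                self.popup_target = m.group(1)


def scan_page(html: str) -> tuple:
    """Return (meta refresh target, onload popup target); either may be None."""
    s = RedirectPopupScanner()
    s.feed(html)
    s.close()
    return s.refresh_target, s.popup_target


def page_warnings(html: str) -> list:
    """Flag a page that both redirects immediately and opens a popup on load."""
    refresh, popup = scan_page(html)
    if refresh and popup:
        return ["page redirects to %r at once and opens %r in a popup: the "
                "decoy-plus-form pattern" % (refresh, popup)]
    return []


if __name__ == "__main__":
    for k, v in break_down(SPAM_URL).items():
        print("%-9s %s" % (k, v))
    for w in url_warnings(SPAM_URL) + page_warnings(SPAM_HTML):
        print("WARNING:", w)
```

Run as-is it prints the same five fields the post lists and two warnings for the URL plus one for the page; feed it a URL without userinfo and url_warnings() returns an empty list.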