[vox-tech] one of the most pernicious spams i've ever seen.

Rob Rogers vox-tech@lists.lugod.org
Thu, 25 Sep 2003 10:01:55 -0400


On Thu, Sep 25, 2003 at 09:49:45AM -0400, Rob Rogers wrote:
> On Thu, Sep 25, 2003 at 06:30:32AM -0700, p@dirac.org wrote:
> > when you feed a browser the given url, the citibank page comes up.  but
> > you also get a small page with a form that asks for your bank account
> > number and PIN.
> [snip]
> > my question is -- how is this done?  how does this URL:
> > 
> > http://www.citibank.com:ac=VybznNffNxknAUxPrfE2jYaQUptJ@a3ksd.PiSeM.NeT/3/?IYTEw
> > 4eVTtbH1w6CpDrT
> > 
> > bring up citibank.com's webpage and then another page with the
> > account/PIN grabber?  i've never seen anything like this before.

Hit send too soon... the other thing I wanted to bring up is it's not
uncommon to see this sort of URL encoded in hex after the part they want
you to see. This one was confusing enough, but you'll often also see
something like:

http://www.citibank.com%2e%61%33%6b%73%64%2e%50%69%53%65%4d%2e%4e%65%54

which unencoded becomes http://www.citibank.com.a3ksd.PiSeM.NeT

Just as in the URL in your email, most people will see everything up to
the first "unusual" character, and won't bother to look any further.

By the way, this method of trying to steal personal info by trying to
appear as coming from a legitimate company is called phishing.
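
The two tricks discussed in this thread, checked mechanically. This is an added example, not part of the original post: it uses Python's standard urllib.parse to pull out the host a URL really points at, and the function names inspect_url and host_belongs_to are made up for illustration. The sample URLs are the ones quoted above, with the query string of the first omitted.

```python
from urllib.parse import urlsplit, unquote

# Sample URLs taken from the thread above (query string of the first omitted).
USERINFO_URL = "http://www.citibank.com:ac=VybznNffNxknAUxPrfE2jYaQUptJ@a3ksd.PiSeM.NeT/3/"
HEX_URL = "http://www.citibank.com%2e%61%33%6b%73%64%2e%50%69%53%65%4d%2e%4e%65%54"


def inspect_url(url):
    """Return the host the URL really points at, the decoy text, and flags."""
    parts = urlsplit(url)
    raw_host = parts.hostname or ""      # text after the last '@', port removed
    host = unquote(raw_host).lower()     # decode %xx the way the post describes
    flags = []
    decoy = None
    if parts.username is not None:
        # Everything before '@' is a user name (and optional password),
        # not a host, however much it looks like one.
        flags.append("userinfo")
        decoy = parts.username
    if "%" in raw_host:
        # A hex-encoded host hides the labels that follow the familiar name.
        flags.append("percent-encoded-host")
    return {"host": host, "decoy": decoy, "flags": flags}


def host_belongs_to(url, domain):
    """True only if the real host is `domain` itself or a subdomain of it."""
    host = inspect_url(url)["host"]
    domain = domain.lower()
    # Compare from the right: the owning domain is at the END of a host name.
    return host == domain or host.endswith("." + domain)


if __name__ == "__main__":
    for u in (USERINFO_URL, HEX_URL, "http://www.citibank.com/"):
        print(inspect_url(u), host_belongs_to(u, "citibank.com"))
```

The comparison in host_belongs_to runs from the right-hand end of the host name, which is why www.citibank.com.a3ksd.pisem.net fails it even though it starts with the bank's name.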