[vox] CitiBank Scam returns

Michael Dunham vox@lists.lugod.org
Sat, 20 Dec 2003 13:39:31 -0800


Just a heads up. I received a scam email on my Earthlink email account
today that is very similar to a CitiBank account scam that went around 
the net recently. I have verified with Earthlink it is a fraud and have 
notified their fraud department. I doubt Earthlink is the only ISP this 
scam will target.

Just wanted people to know this idea for a scam has not gone away.

The email is in HTML format with an Earthlink header.  It has an 
attachment (containing program code) named Part 1.2.  It also has a link 
that points to an IP address under the link and a return address to a 
Dalton Vishwa @ prodigy.net.  The link shows as a routine to activate 
the attachment and go to address 211.154.171.106 (and some following 
folders). 

The email reads:

*Dear Earthlink valued customer, *

We regret to inform you, that we were unable to charge your card. This 
maybe due to our payment processing failure, billing system overload, 
invalid card number, exp date, daily limit, insufficient funds, or other 
reasons. We need you to re-enter valid payment and verification information.

Click here to continue payment verification process - 
https://earthlink.net/payment/verification.cgi 
<https://www.earthlink.net%01@211.154.171.106/li_pin/verification/step1_e.htm>
Your information will be submitted via a secure server. Earthlink keeps 
all of your contact and billing information confidential and private.



An exposed source reveals:

>From - Sat Dec 20 12:13:23 2003
X-UIDL: 1axNqm7JN3NZFkN0
X-Mozilla-Status: 1001
X-Mozilla-Status2: 00000000
Status:  U
Return-Path: <Dalton_Vishwa@prodigy.net>
Received: from optonline.net ([68.196.9.193])
	by swallow (EarthLink SMTP Server) with SMTP id 1axNqm7JN3NZFkN0
	for <pulled out my email address here>; Sat, 20 Dec 2003 12:10:05 -0800 (PST)
Received: from ool-44c409c1.dyn.optonline.net (ool-44c409c1.dyn.optonline.net [68.196.9.193])
       by optonline.net (8.12.8p1/8.12.8) with ESMTP id hkivyn47101
       for <pulled out my email here>; Sat, 20 Dec 2003 20:07:58 -0400 (EST)
Date: Sat, 20 Dec 2003 20:07:56 -0400 (EST)
From: Earthlink.net <account_verification8011@prodigy.net>
X-Mailer: The Bat! (v1.61) Personal
Reply-To: Dalton_Vishwa@prodigy.net
X-Priority: 3 (Normal)
Message-ID: <77179550.6984849709802@prodigy.net>
To: pulled out my email address here.
Subject: Problems with your Earthlink account.
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------016303792862514"

------------016303792862514
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: base64
------------016303792862514
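
The link in the message above shows an earthlink.net address while the real host is whatever follows the `@` in the URL. As an added example (not part of the original post), this check flags that mismatch for a mail filter; the function name `link_findings` and the finding labels are hypothetical, and the sample values are the two URLs quoted in the post.

```python
import ipaddress
from urllib.parse import urlsplit, unquote

# Sample values copied from the message quoted in the post.
SHOWN = "https://earthlink.net/payment/verification.cgi"
HREF = ("https://www.earthlink.net%01@211.154.171.106"
        "/li_pin/verification/step1_e.htm")


def link_findings(display_text, href):
    """Return reasons why the link target does not match what is shown."""
    findings = []
    target = urlsplit(href)
    host = (target.hostname or "").lower()

    # Everything before '@' in the authority is userinfo, not the host.
    if target.username is not None:
        findings.append("userinfo-in-authority")
        decoded = unquote(target.username)
        # An encoded control character (here %01) serves no legitimate purpose.
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
            findings.append("control-char-in-userinfo")
        # Userinfo shaped like a domain is meant to be read as the host.
        if "." in decoded:
            findings.append("userinfo-looks-like-hostname")

    # A bare IP address as the host of a "billing" link is a strong signal.
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
    except ValueError:
        pass

    # If the visible text is itself a URL, its host should be the real host.
    shown = urlsplit(display_text.strip())
    if shown.scheme and shown.hostname and shown.hostname.lower() != host:
        findings.append("display-host-mismatch")

    return findings


if __name__ == "__main__":
    for reason in link_findings(SHOWN, HREF):
        print(reason)
```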