North American Network Operators Group

Re: Phishing (Was Re: WashingtonPost computer security stories)

  • From: Henry Linneweh
  • Date: Mon Aug 16 06:43:59 2004

How strange, I received that in my email too..

-Henry


--- Niels Bakker <[email protected]> wrote:

> 
> Speaking of computers fubar'ed by spyware, I just found a particularly
> nice example of a phishing attempt.  SpamAssassin had tagged it with the
> astronomical score of 136.3 thanks to SARE.
> 
> The mail originated from 68.77.56.130 (an ameritech.net DSL connection,
> right now not pingable) and loads some images from www.citibank.com.
> It links to http://61.128.198.51/Confirm/ - an IP address hosted by
> Chinanet (transit to there supplied by Savvis from my point of view).
> 
> That page does something interesting: it meta refreshes itself to
> Citibank's corporate homepage but also pops up a window
> (/Confirm/pop.php) requesting the user's card#, PIN (twice) and a
> new PIN.  The main page being Citibank probably lends some credibility
> to the scam.
> 
> This attack won't work if your browser blocks popups, or if you remember
> that the padlock icon in the status bar is what tells you the status of
> a connection, not a "128-bit SSL" or "Verisign trust-e" or whatever logo
> inside the webpage.
> 
> It's disheartening to see that this website is still online after
> several days (I received the scam mail Friday morning).
> 
> I'm thinking that Citibank will cease to be a target if they give (ok,
> it's a bank - sell) their subscribers a hardware token that requires
> presence of the ATM card when the customer wants to use online banking
> facilities... as several banks here in the Netherlands do.
> 
> 
> 	-- Niels.
>
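
The mail structure described in the quoted message (images loaded from the bank's named site, the clickable link pointing at a bare IP address) can be checked mechanically by a mail filter. The following is an added example, not part of either post and not SpamAssassin's or SARE's rule code; the function names and the sample mail bodies are assumptions constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

def host_of(url):
    """Hostname of an absolute URL, or None if relative or unparseable."""
    try:
        return urlparse(url.strip()).hostname
    except ValueError:
        return None

def is_ip_literal(host):
    """True when the host part is a bare IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host or "")
        return True
    except ValueError:
        return False

class MailRefs(HTMLParser):
    """Collect the hosts an HTML mail body links to and loads images from."""
    def __init__(self):
        super().__init__()
        self.link_hosts, self.image_hosts = set(), set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a":
            self.link_hosts.add(host_of(a.get("href", "")))
        elif tag == "img":
            self.image_hosts.add(host_of(a.get("src", "")))

def indicators(html):
    """Names of the heuristics that fire for one HTML mail body."""
    refs = MailRefs()
    refs.feed(html)
    hits = []
    if any(is_ip_literal(h) for h in refs.link_hosts):
        hits.append("link-to-ip-literal")
        # Artwork pulled from a named site while the click goes to a bare IP.
        if any(h and not is_ip_literal(h) for h in refs.image_hosts):
            hits.append("named-host-images-with-ip-link")
    return hits

# Constructed samples (documentation address and reserved .example names).
PHISH = '<img src="http://www.bank.example/logo.gif"><a href="http://192.0.2.10/Confirm/">Verify</a>'
BENIGN = '<img src="http://www.bank.example/logo.gif"><a href="https://www.bank.example/login">Log in</a>'
```

`indicators(PHISH)` reports both heuristics and `indicators(BENIGN)` reports none; in a filter each hit would contribute to a score rather than decide the verdict on its own.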