Citibank identity theft analysis

There is a steady rise in the number of phishing attempts via email. Previously there was a spate of attempts to gain PayPal information via social engineering; the latest target seems to be online banks.

On logging on to my own bank account there was a secure message giving details of another fraudulent email in circulation.

The simple rule to remember is that secure organisations do not ask for this information over insecure channels such as email.  Some attempts are to obtain the user's login details for banking, others ask you to ‘confirm’ credit card details.

A recent one I received was an attempt to obtain details for  The headers contained some extra information to try and make this scam seem more real, with the from address actually being citibank etc.

FCC: mailbox://
X-Identity-Key: id1
From: Citi <>

I found the subject on this one quite amusing: ‘strongly’ is spelt with a capital I in place of the l. Whether this was to avoid spam filters or a reflection of the scammer's origin / education, you decide!

Subject: !Citibank strongIy recommends

The mail turns up as an embedded image carrying the Citibank branding and, to be fair, could easily be mistaken for the real thing.  The URL shown is to a secure area of the citibank site, but upon clicking the link you are actually sent to another server in a popup window.


The popup window points to https://12.x.x.x:4903/cit/index.htm .  This is a tiny webserver ( installed on trojaned and compromised machines; note the non-standard port 4903.

This has been very common over the last few weeks.  In this scam the popup window asks you to confirm the following information:

Card Number :
Name on Card :
Expiration Date :
Billing address :
CVV code :
Telephone :
PIN-code :
E-mail :

The above scam worked by using an imagemap URL spoof vulnerability, which in many cases triggers when the HTML mail is viewed in common clients like Outlook.  A proof of concept of the exploit can be found at With the mouseover only on the image it appears to link to but when viewing the source or simply right clicking, the link points to

Once this has been submitted your details now lie with the scammer, expect to see some unauthorised transactions on your statement!  There is a thread on this over at codefish spamwatch ( which lists similar attempts aimed at different banks.

So it seems some people may have noticed that the domain the image pointed to was not the citibank site as expected but an IP address.  This has led to a more intelligent (if you could call it that) method of displaying the fake URL, with domains such as the following:

As you can see these are subdomains of and but at a quick glance could be mistaken.
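As an added example (not code from the original post), here is a small checker for the three tells described above: a link that really goes to a bare IP on a non-standard port, an image or imagemap whose shown text differs from its real target, and a bank's name used as a subdomain of an unrelated domain. The sample mail, host names and IP address are constructed, and the image's alt text stands in for what the reader sees in the picture.

```python
# Added example, not code from the original post: flags links in an HTML mail whose real target
# does not match what the reader sees. Sample mail, hosts and IP are constructed; BRAND is the bank's domain.
from html.parser import HTMLParser
from urllib.parse import urlparse
BRAND = "citibank.com"
SAMPLE_MAIL = """<p><a href="https://192.0.2.10:4903/cit/index.htm"><img src="cid:logo" alt="https://www.citibank.com/secure/"></a>
<map name="m"><area coords="0,0,50,20" alt="www.citibank.com" href="http://citibank.com.update-host.example/login"></map>
<a href="https://www.citibank.com/">Citibank home</a></p>"""

class LinkCollector(HTMLParser):  # collects (shown_text, href) pairs from <a> links and imagemap <area> hotspots
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "area" and "href" in a:      # imagemap hotspot: alt text is all a reader could see
            self.links.append((a.get("alt", ""), a["href"]))
        elif tag == "a" and "href" in a:
            self._href, self._text = a["href"], []
        elif tag == "img" and self._href is not None:
            self._text.append(a.get("alt", ""))  # image-only link: alt text stands in for the picture
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(url):  # (hostname, port) of a URL; a bare 'www.example.com' is accepted too
    p = urlparse(url if "://" in url else "http://" + url)
    return (p.hostname or "").lower(), p.port

def assess(shown, href):  # reasons a link looks like a phishing redirect; [] means none found
    host, port = host_of(href)
    reasons = []
    if host and all(part.isdigit() for part in host.split(".")):  # bare IPv4, the 12.x.x.x:4903 style
        reasons.append("bare IP address")
    if port not in (None, 80, 443):
        reasons.append(f"non-standard port {port}")
    if "citibank" in host and not (host == BRAND or host.endswith("." + BRAND)):
        reasons.append("brand name in a foreign domain")  # citibank.com.<other-domain> style
    shown_host, _ = host_of(shown) if "." in shown and " " not in shown else ("", None)
    if shown_host and shown_host != host:
        reasons.append(f"shown {shown_host} but points to {host}")
    return reasons

def scan(html):  # [(href, reasons)] for every link in the mail that raised at least one flag
    c = LinkCollector(); c.feed(html)
    return [(h, r) for s, h in c.links for r in [assess(s, h)] if r]
```

Run over SAMPLE_MAIL, the first two links are flagged and the genuine third one is not.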

I would like to think the number of people who actually fall for these scams is low, but this doesn’t seem to be the case.  With the phishers spamming millions of email addresses it only takes a small proportion of users to be misled.

Ironically, 4 days later I received a follow-up email with the subject: Attention citibank customers!  (heh, they managed to spell properly this time, but I imagine that exclamation mark earned a few points on SpamAssassin)

“Recently there have been a large number of identity theft attempts targeting Citibank customers. In order to safeguard your account, we require that you update your Citibank ATM/Debit card PIN.

This update is requested of you as a precautionary measure against fraud. Please note that we have no particular indications that your details have been compromised in any way.

This process is mandatory, and if not completed within the nearest time your account may be subject to temporary suspension. Please make sure you have your Citibank ATM/Debit card and recent statement at hand.

To securely update your Citibank ATM/Debit card PIN please go to:

Please note that this update applies to your Citibank ATM/Debit card - which is linked directly to your checking account, not Citibank credit cards.

Thank you for your prompt attention to this matter and thank you for using Citibank!


Again the genuine citibank URL shown above pointed to another fake website phishing for similar information.  Looks like they thought they would get people the second time around.

In this case the first email was sent via China and the second through the US, again probably through a compromised host or an open relay.  The end of the second mail also made me laugh: “Do not reply to this email as it is an unmonitored alias.”

After doing a little more research on the compromised webserver used, it appears it can be administered remotely at the URL https://x.x.x.x:4903/$_admin_$state/ .  I imagine the scammers either have the details logged locally and collect them periodically, or they are sent routinely to another location by some transfer method.

Unfortunately the fight against these doesn’t, on the face of it, appear to be going very well.  Whilst writing this I decided to check back through the last few days’ worth of scams and noticed several of the compromised machines were still up and running, collecting details, although this doesn’t mean they aren’t being monitored.
