mxlab - all about anti virus and anti spam » fraud

Nice Citibank phishing attempt example

mxlab — Tue, 07 Oct 2008 22:53:57 +0000

We intercepted a nice Citibank phishing attempt. The email contains the notification that 1 message is waiting for you in the mail section so you will need to login.

Dear Customer,

You have one new message at .Citibank (South Dakota).

INBOX

From: Customer Service
Date: 10/07/2008
Subject: Official service renewal notification.

In order to read the message click here <http://www.***********.com/uploads/z/***/citibank/index.html> to login at
Citibank (South Dakota) and access your MAIL section.

This link brings us to the first step in the whole process, the login page. Notice that there is no secure HTTPS in use. The whole phishing web site is hosted on a blog server.

After a succesfull login (with a non real login and password of course) we get the security notification message to see.

This message explains that our account is temporary locked for security reasons after detection login attempts of foreign IP addresses. So, we need to update our account. When clicking in Continue we can fill in all our private details such as our address and more important our credit card details.

Again, we continue with dummy data and get a response page that the submitted details will be verified.

The green button at the end of the page contains a link to an external web site and leads us to a log out confirmation page. This domain appears to be registered by Citibank and contains a secured HTTP connection.

As you can see, it’s that easy to steal your information if you don’t pay any attention at all. Phishing attempts can be detected by following some simple rules:

do not trust the email from address at all times
banks do not send you an email to ask to re-activate or confirm your account, even if they include their logo and if it looks legit
banks also do not ask you to send private and critical data over the internet like your credit card details
always keep an eye on the address in the URL locator of your browser
don’t send any details over an unsecured HTTP, always look for HTTPS and make sure your browser is showing a HTTPS security icon in the status bar

Phishing levels peak

mxlab — Mon, 14 Apr 2008 00:35:00 +0000

MX Lab detects in increase in phishing emails between 09/04/2008 and 13/04/2008, bringing the phishing level up to 0,28% of all blocked messages where in the past this level was 0,03%.

These phishing emails are mostly regarding a “locked bank account” or “verify your details” but we see other phishing attempts targeting Google Adwords customers stating that their account is locked.

Very good PayPal phishing email

mxlab — Wed, 02 Apr 2008 11:12:53 +0000

A certain phishing email from ‘PayPal’ caught our attention. When investigating the phishing email we could find that this is a very professional one. The email in fact confirms your payment to a company, in this case Plimus, for an amout of$55,89 USD. The email provides a link to dispute the transaction and this is where the phishing starts.

Following the link to report a dispute results in being directed to http://**-***-**-***.fld-bsr1.chi-fld.il.******.cable.rcn.com:90/www.paypal.com/cgi-bin/ and it brings you to the “PayPal login screen”.

Typical to phishing sites is that you can type in whatever you want as login or password, you will always be directed to a webform.

These guys have even included the animated screen ‘Logging in’ that you have when logging in to the real PayPal web site. After this screen you get a full webform which will try to get your full details.