Spam 419/Nigeria Online fraud jwSpamSpy Contact
Email Spam Filter: |
|
|
Phishing for your wallet: Suspicious mails involving Citibank, eBay, PayPal, etc.
- What is 'phishing'
- What you can do
- Example of 'phishing'
- 'phishing' links
- Fake T-Com invoice (Trojans)
As more people use computers for handling financial transactions, from online banking to purchasing or selling goods at eBay, fraudsters have started use cleverly disguised spam to harvest information that allows them to break into online accounts and steal money.
Mails that typically claim to be from Citibank, eBay, PayPal or other banks state that because of some problem the recipient needs to confirm his/her access codes or his/her account will be suspended. Other common tricks are fake payment disputes on eBay purchases, credit card or PayPal debit notices for goods not purchased questions from buyers of goods one is not selling. These surprising emails are supposed to trick people into acting rashly, without thinking.
Some of these emails look almost exactly like the real thing, complete with company logos, etc. Don't fall for it! Citibank, PayPal and other financial institutions never contact their customers supplying a link for re-entering their account numbers, passwords or PIN-codes. Though the links lead to websites that look like official company websites and in some cases even the browser displays a matching URL, these sites are in fact put up by fraudsters and are usually hosted on servers in China or on hacked computers. It is suspected that Russian organized crime groups are the main operators of this type of scam.
Closely related to the phishing scams are parcel remailing scams and "Money Agent" scams. The same gangs that run phishing scams to crack eBay / PayPal / online banking accounts then recruit job seekers using fraudulent job offers from fake companies. The employees are needed to receive and remail merchandise purchased using hacked eBay accounts and for forwarding money stolen from hacked accounts.
Both phishing and employment scams often involve botnets, networks of remote controlled computers running so-called "Trojan horse" software. The criminals controll tens of thousands of these "zombies" and use to send spam, to host fake websites and to attack other websites.
What you can do
Join PhishTank to report phishing websites. This site relies on volunteers to submit phishing reports and to verify submitted reports. The data then feeds into OpenDNS, a system for web users from malicious sites. Feed a phish each day (if any get past your spamfilter!).
|
What you can do
Example of 'phishing' scam:
If you fill in totally bogus numbers and click submit, the site will accept them without complaint, as it does not verify them but only forwards them to the criminals...
If you look at message source code (Ctrl+F3 in Outlook Express), you will see that it was sent from a machine accessing via an Italian phone company and the website link actually goes to the URL http://219.148.127.67/scripts/confirmation.htm.
'Phishing'-site hosted in China (China Telecom):
When we checked on 2004-07-20, a total of 19 days after the initial email, the fraud website (http://219.148.127.67/scripts/confirmation.htm) was still active on the Chinanet server. It opens the real Citibank website, which shows a trustworthy-looking page with Citibank URL, but then pops up a window without URL line that runs a PHP script.
'Phishing' links:
If you receive such emails, either disregard them or forward them to the security departments of the institutions they claim to originate from. You can also forward the messages (with full headers!) to email address
postmaster at corp.mailsecurity.net.au
which feeds them into a database used for blocking spams.
On July 2 I received the following message:
From: "Support" <cash@citibank.com>
The sender address looks like Citibank and the link appears to lead to Citibank's website. If you click on the link, you get a site that looks like a genuine Citibank website:
To: <joewein@pobox.com>
Sent: Friday, 02 July, 2004 0:01
Subject: Please confirm your account details with Citibank!
Dear Customer,
This email was sent by the Citibank server to verify your E-mail
address. You must complete this process by clicking on the link
below and entering in the small window your Citibank Debit
Card number and PIN that you use on ATM.
This is done for your protection - because some of our members
no longer have access to their email addresses and we must
verify it.
To verify your E-mail address and access your bank account,
click on the link below:
https://wwww.citibank.com/signin/confirmation.jsp
---------------------------------------
Thank you for being our customer
---------------------------------------
Return-path: <cash@citibank.com>
Envelope-to: joewein@pobox.com
Received: from host90-236.pool81117.interbusiness.it (host90-236.pool81117.interbusiness.it [81.117.236.90])
by kelvin.pobox.com (Postfix) with SMTP id C3D8A184DA9;
Thu, 1 Jul 2004 10:20:13 -0400 (EDT)
X-Message-Info: PVHpdpBRT386vYQ73DgUJ038RDhxWYP334B093EU54gvc2GW
Received: (from r63leaven@localhost)
by jz703-create931.yph51e.hotmail.com (6.42.66/9.40.36) id s797C55j51593;
Thu, 01 Jul 2004 17:06:30 +0200 GMT
X-Authentication-Warning: hvy27-bombast1.egf59ofb.hotmail.com:
fs950decision set sender to cash@citibank.com using -u
MIME-Version: 1.0
Date: Thu, 01 Jul 2004 14:01:30 -0100
From: Support <cash@citibank.com>
Subject: Please confirm your account details with Citibank!
To: joewein@pobox.com
Message-Id: <mk891lrr282-565696110917656-85715486442173513960083794653@fischbein26>
Content-Type: multipart/alternative;
boundary="--63924826445955534931"
----63924826445955534931
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable
<P>Dear Customer,</P>
<P><BR>This email was sent by the Citibank server to verify your E-mail<BR=
>address. You must complete this process by clicking on the link<BR>below =
and entering in the small window your Citibank Debit<BR>Card number and PI=
N that you use on ATM.</P>
<P><BR>This is done for your protection - because some of our members<BR>n=
o longer have access to their email addresses and we must<BR>verify it.</P=
>
<P><BR>To verify your E-mail address and access your bank account,<BR>clic=
k on the link below:</P><A href=3D"http://219.148.127.67/scripts/confirmat=
ion.htm">https://wwww.citibank.com/signin/confirmation.jsp</A></A>
<P></P>
<P><BR>---------------------------------------</P>
<P>Thank you for being our customer</P>
<P>---------------------------------------</P>
----63924826445955534931--
The actual scam website address (http://219.148.127.67/scripts/confirmation.htm) was still working two days after we received the spam email. The site is hosted by the following network:
inetnum: 219.148.0.0 - 219.148.159.255
netname: CHINATELECOM-he
descr: CHINANET hebei province network
descr: China Telecom
descr: No.31,jingrong street
descr: Beijing 100032
country: CN
admin-c: CH93-AP
tech-c: BR3-AP
mnt-by: MAINT-CHINANET
mnt-lower: MAINT-CHINATELECOM-he
changed: hostmaster@ns.chinanet.cn.net 20030820
status: ALLOCATED NON-PORTABLE
source: APNIC
person: Chinanet Hostmaster
address: No.31 ,jingrong street,beijing
address: 100032
country: CN
phone: 10-66027112
fax-no: 10-58501144
e-mail: hostmaster@ns.chinanet.cn.net
e-mail: anti-spam@ns.chinanet.cn.net
nic-hdl: CH93-AP
mnt-by: MAINT-CHINANET
changed: hostmaster@ns.chinanet.cn.net 20021016
remarks: hostmaster is not for spam complaint,please send spam
complaint to anti-spam@ns.chinanet.cn.net
source: APNIC
person: Bin Ren
nic-hdl: BR3-AP
e-mail: renbin@mail.he.cn
address: 10F Ximei Building NO.6 Jianshe South Street
address: Shijiazhuang 050011 China
phone: 311-5211551
fax-no: 311-5211578
country: CN
changed: renbin@mail.he.cn 20040430
mnt-by: MAINT-CHINATELECOM-HE
source: APNIC
How Not to Get Hooked by a ‘Phishing’ Scam
Anti-Phishing Working groups
eBay Security Center
spoof@ebay.com (eBay spoof reporting address)
Citibank: Citi ™ Cards – Security and You
|