August 16, 2003


Citibank Scam

Spread the word near and far kids.

There is what appears to be a scam circulating on the net.

Someone sent me email to update my PIN number on my Citibank checking account. I haven't GOT a Citibank checking account. Did Citibank buy my bank? No, my bank is still fine. Did someone open an account in my name? Do I suddenly have money I didn't realize I had?

Again, no.

Instead, I've become an almost-victim of a scam.

The email from Fifine_Rosa@att.net reads:


Dear Citibank customer,


We are letting you know, that you, as a Citibank checking account holder, must become acquainted with our new Terms & Conditions and agree to it.

Please, carefully read all the parts of our new Terms & Conditions and post your consent.
Otherwise, we will have to suspend your Citibank checking account.

This measure is to prevent misunderstanding between us and our valued customers.

We are sorry for any inconvinience it may cause.


Click here to access our Terms & Conditions page and not allow your Citibank checking account suspension.

Cleverly couched in that corporate customer service speak that we've come to love and ignore.

The "click here" link leads to the following URL: http://www.citibank.com:ac%
398HAAA9UWDTYAZJWVWAAAA9pYWwgc2l6ZT00PjxTVgc2l6ZT00PjxT3Aac
%398HAAA9UWDTYAZJWVWAAAA9pYWwgc2l6ZT00PjxTVgc2l6ZT00PjxT@211.155.234.84/cgi-bin/s.pl?m=your@email.com

Note a few things about the URL. First, note that it contains two addresses. The first is citibank.com, and the second is 211.155.234.84. The second one follows the @ sign, which means that my web browser treats it as the real destination; everything before the @ is only login information passed along to that server. After the address comes /cgi-bin/s.pl?, which is a Perl script (or another script that's misnamed) that parses whatever comes after the ? using the GET method. (More here, for example)

In this instance, that's my email address (which I have changed to vaguely thwart harvesters). So what's happening is that the server at 211.155.234.84 is harvesting that email, probably to prove that it's a live email address, and to add it to the amount of data collected about you. Go check out that numeric IP address. I'll wait.

Note the language of the page? Yeah, I don't recognize it either. But I believe that Nanhua Futures is a company in Zhejiang, China. I don't think that Citibank is outsourcing their security work to China. If they are, please let me know, and also let me know why they're using such strange techniques for updating their data.

When you get to the page (you'll have to copy-paste the URL, I'm not enabling these criminals any more than telling you about this) they ask you for the first four digits of your Citibank card number and your name. You can, I'm sure, imagine the possibilities, once that material has been collected. Identity theft and siphoning off your funds come to mind.

Posted by Swerdloff at August 16, 2003 04:11 PM
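
The @ trick described in the post can be checked mechanically. The following is an added example, not part of the original post: it extracts the host a browser would actually contact and flags the traits the post points out. The function name `inspect_link`, the finding labels and the sample links (documentation-range IP and example domains) are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qsl


def inspect_link(url, brand_domain, recipient=None):
    """Return (real_host, findings) for a link that claims to belong to brand_domain."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    brand = brand_domain.lower()
    findings = []

    # Everything before the last '@' in the authority is userinfo, not the host.
    userinfo, at, _ = parts.netloc.rpartition("@")
    if at:
        findings.append("userinfo-present")
        if brand in userinfo.lower():
            findings.append("brand-in-userinfo")

    # A bare IP address as host is unusual for a bank's customer-facing link.
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
    except ValueError:
        pass

    # The host must be the brand domain itself or a subdomain of it.
    if host != brand and not host.endswith("." + brand):
        findings.append("host-not-brand")

    # The recipient's address in the query lets the server confirm it is live.
    if recipient and any(v.lower() == recipient.lower()
                         for _, v in parse_qsl(parts.query)):
        findings.append("recipient-in-query")

    return host, findings


# Constructed samples shaped like the links quoted on this page
# (documentation-range IP and example domains, not the real ones).
SAMPLES = [
    "http://www.citibank.com:ac%398HAAA9@192.0.2.10/cgi-bin/s.pl?m=user@example.com",
    "http://www.citibank.com:ac=iLJldJ@hotel.example/k3jd83/?CleX0nt",
    "http://www.citibank.com/?7X9fyVuJ",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(inspect_link(link, "citibank.com", recipient="user@example.com"))
```

An empty findings list only describes the URL string that was checked; in an HTML message the check has to run on the link's actual target rather than its displayed text.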


Comments

There's a similar scam going on with Earthlink, where you get an e-mail telling you that your Earthlink account has been suspended because the credit card payment hasn't been authorized and you need to go to the URL provided to update your credit card information. I'm ashamed to say I almost fell for it.

Posted by: Shannon on August 17, 2003 10:52 AM

Hello!

I found your site by searching for "citibank scam" on google after receiving 2 messages like the one above. The funny thing about this is, I don't even have a citibank account. I still turned it in to Citibank, so hopefully they have done something about it. Just because, here's the email I got from verify@citibank.com:

Dear Citibank Member,

This email was sent by the Citibank server to verify your e-mail address. You must complete this process by clicking on the link below and entering in the small window your Citibank ATM/Debit Card number and PIN that you use on ATM.
This is done for your protection --- becaurse some of our members no longer have access
to their email addresses and we must verify it.

To verify your e-mail address and access your bank account, click on the link below. If nothing happens when you click on the link (or if you use AOL), copy and paste the link into the address bar of your web browser.

http://www.citibank.com:ac=iLJldJHXDiw6vT1da4FL@quintapuestadelsol.com/k3jd83/?CleX0ntUNDp8pau

---------------------------------------------
Thank you for using Citibank!
---------------------------------------------

This automatic email sent to: MINDA25@yahoo.com
Do not reply to this email.
_________________________________________________

Notice this one has an address after an @ sign also, which hooks up to a hotel in Tijuana. I didn't click on the link...

Posted by: Milinda on September 26, 2003 12:55 PM

Yes, I got one of those from Citi18. I have no affiliation with Citibank. The URL points to a Russian site, www.da.ru

It brings up two windows: one with the real Citibank front page, and the second page has an entry form with the address bar disabled; however, a right click on the properties reveals the address as mcnksod.infobox.ru

I gave them some bogus account numbers to chew on.

Posted by: Michael Raley on December 2, 2003 01:15 AM

Oh boy, after reading your tips it really makes me wonder why this latest incarnation even got out the proverbial door. I took the liberty of including the full message from yahoo headers and everything but the Speeling um Spelling kinda gives it away, I opened it for a laugh...here's yours;

*-I didn't change one thing just pasted, except my address for my sake.

From CITIBANK Sun Jan 11 23:59:18 2004
X-Apparently-To: ib2tall2u@yahoo.com via 68.218.193.88; Mon, 12 Jan 2004 00:01:42 -0800
X-YahooFilteredBulk: 68.54.26.153
Return-Path:
Received: from 68.54.26.153 (HELO pcp02389093pcs.pinval01.in.comcast.net) (68.54.26.153) by mta126.mail.sc5.yahoo.com with SMTP; Mon, 12 Jan 2004 00:01:41 -0800
Received: from citi.com (mail3.citigroup.com [199.67.141.129]) by pcp02389093pcs.pinval01.in.comcast.net (Postfix) with ESMTP id 6A26D5DB3A for ; Mon, 12 Jan 2004 02:59:18 -0500
Reply-to: CITIBANK
From: "CITIBANK" Add to Address Book
To: "Ib"
Subject: CitibankOnline E-mail Veerification - ib2tall2u@yahoo.com
Date: Mon, 12 Jan 2004 02:59:18 -0500
Message-ID:
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.4510
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1123
X-AntiVirus: scanned for viruses by AMaViS 0.2.1 (http://amavis.org/)
Content-Length: 693


Dear OnlineCitibank Mebmers,

This message was sennt by the CitibankOnline sevrers to veerify your email
addres. You must colmtepe this pecrsos by clicking on the link
below and enteering in the smal window your Citi ATM/Debit
Card Number and CARD PIN that you use on local ATM.
That is done for your poetcrtion -H- becouse some of our memmbers no
legonr have acescs to their email adseesdrs and we must verify it.

To veerify your e-mail adress and akcess your Citicards account, click on
the link beloow. If nothing happnes when you clik on the link -6 copie
and pastte the link into the addres bar of your web broswer.

http://www.citibank.com/?7X9fyVuJClec0WTOurtRWH7II3CghGDoDMFcT9Wkvbxw7pkCTE

---------------------------------------------
Thank you for using OnlineCitibank!
---------------------------------------------

This automatic email snet to: ib2tall2u@yahoo.com
Do not reply to this email.

vOkCz4FbkXQZlvL1TvbF

Posted by: Gras Hopper on January 12, 2004 10:16 AM

