Phishing (Was Re: WashingtonPost computer security stories)
Henry Linneweh
hrlinneweh at sbcglobal.net
Mon Aug 16 10:41:37 UTC 2004
How strange, I received that in my email too..
-Henry
--- Niels Bakker <niels=nanog at bakker.net> wrote:
>
> Speaking of computers fubar'ed by spyware, I just found a particularly
> nice example of a phishing attempt. SpamAssassin had tagged it with the
> astronomical score of 136.3 thanks to SARE.
>
> The mail originated from 68.77.56.130 (an ameritech.net DSL connection,
> right now not pingable) and loads some images from www.citibank.com.
> It links to http://61.128.198.51/Confirm/ - an IP address hosted by
> Chinanet (transit to there supplied by Savvis from my point of view).
>
> That page does something interesting: it meta refreshes itself to
> Citibank's corporate homepage but also pops up a window
> (/Confirm/pop.php) requesting the user's card#, PIN (twice) and a
> new PIN. The main page being citibank probably lends some credibility
> to the scam.
>
> This attack won't work if your browser blocks popups, or if you remember
> that the padlock icon in the status bar is what tells you the status of
> a connection, not a "128-bit SSL" or "Verisign trust-e" or whatever logo
> inside the webpage.
>
> It's disheartening to see that this website is still online after
> several days (I received the scam mail Friday morning).
>
> I'm thinking that Citibank will cease to be a target if they give (ok,
> it's a bank - sell) their subscribers a hardware token that requires
> presence of the ATM card when the customer wants to use online banking
> facilities... as several banks here in the Netherlands do.
>
>
> -- Niels.
>
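
The mail described in the quoted message combines two traits a filter can check in the HTML body: links that point at a bare IP address, and images pulled from a brand's real domain that none of the links go to. The sketch below is an added example, not part of the original thread and not how SpamAssassin or SARE score mail; the function names, the sample bodies and the image path are constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

def _host(url):
    return (urlparse(url).hostname or "").lower()

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

class _Collector(HTMLParser):
    """Collects link targets and image sources from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self.images = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("a", "area", "form"):
            url = a.get("href") or a.get("action")
            if url:
                self.links.append(url)
        elif tag == "img" and a.get("src"):
            self.images.append(a["src"])

def phishing_indicators(html_body):
    """Return findings for the pattern in the post: raw-IP links, borrowed brand images."""
    c = _Collector()
    c.feed(html_body)
    c.close()
    link_hosts = {_host(u) for u in c.links} - {""}
    image_hosts = {_host(u) for u in c.images} - {""}
    findings = []
    ip_hosts = sorted(h for h in link_hosts if _is_ip(h))
    if ip_hosts:
        findings.append(("link_to_raw_ip", ip_hosts))
    # Images served by a named domain that no link in the mail actually visits.
    borrowed = sorted(h for h in image_hosts if not _is_ip(h) and h not in link_hosts)
    if ip_hosts and borrowed:
        findings.append(("images_from_domain_never_linked", borrowed))
    return findings

# Constructed samples; the first is modelled on the description above, not the real mail.
SAMPLE_MAIL = ('<img src="http://www.citibank.com/logo.gif">'
               '<a href="http://61.128.198.51/Confirm/">Confirm now</a>')
BENIGN_MAIL = '<a href="http://www.example.com/n"><img src="http://www.example.com/a.gif"></a>'
```
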