Phishing (Was Re: WashingtonPost computer security stories)

Alexei Roudnev alex at relcom.net
Tue Aug 17 04:33:47 UTC 2004


Why not write a generator of credit cards / PINs and flood this
site with false information?

(I saw a few better examples, btw).


----- Original Message ----- 
From: "Niels Bakker" <niels=nanog at bakker.net>
To: <nanog at merit.edu>
Sent: Monday, August 16, 2004 3:26 AM
Subject: Phishing (Was Re: WashingtonPost computer security stories)


>
> Speaking of computers fubar'ed by spyware, I just found a particularly
> nice example of a phishing attempt.  SpamAssassin had tagged it with the
> astronomical score of 136.3 thanks to SARE.
>
> The mail originated from 68.77.56.130 (an ameritech.net DSL connection,
> right now not pingable) and loads some images from www.citibank.com.
> It links to http://61.128.198.51/Confirm/ - an IP address hosted by
> Chinanet (transit to there supplied by Savvis from my point of view).
>
> That page does something interesting: it meta refreshes itself to
> Citibank's corporate homepage but also pops up a window
> (/Confirm/pop.php) requesting the user's card#, PIN (twice) and a
> new PIN.  The main page being citibank probably lends some credibility
> to the scam.
>
> This attack won't work if your browser blocks popups, or if you remember
> that the padlock icon in the status bar is what tells you the status of
> a connection, not a "128-bit SSL" or "Verisign trust-e" or whatever logo
> inside the webpage.
>
> It's disheartening to see that this website is still online after
> several days (I received the scam mail Friday morning).
>
> I'm thinking that Citibank will cease to be a target if they give (ok,
> it's a bank - sell) their subscribers a hardware token that requires
> presence of the ATM card when the customer wants to use online banking
> facilities... as several banks here in the Netherlands do.
>
>
> -- Niels.
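
The page behaviour described in the quoted message (a meta refresh to the real bank site combined with a popup served from the phishing host) can be checked for mechanically. The following is an added example, not part of the original thread: a heuristic scanner run over a constructed sample page. The address 192.0.2.10, the name www.bank.example, the finding labels and all function names are assumptions made for illustration.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

REFRESH_URL = re.compile(r"url\s*=\s*['\"]?([^'\";\s]+)", re.I)
WINDOW_OPEN = re.compile(r"window\.open\(\s*['\"]([^'\"]+)['\"]", re.I)
# Constructed sample: documentation-range IP and a placeholder bank name.
SAMPLE_URL = "http://192.0.2.10/Confirm/"
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=http://www.bank.example/">
<script>window.open('/Confirm/pop.php', 'c', 'width=400,height=300');</script>
</head><body></body></html>"""

class PageScan(HTMLParser):
    """Collect meta-refresh targets and window.open() URLs from a page."""
    def __init__(self):
        super().__init__()
        self.refresh_targets, self.popups, self.in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        attrs = {k: v or "" for k, v in attrs}
        self.in_script = tag == "script"
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            self.refresh_targets += REFRESH_URL.findall(attrs.get("content", ""))
        for name, value in attrs.items():      # inline handlers such as onload=
            if name.startswith("on"):
                self.popups += WINDOW_OPEN.findall(value)

    def handle_endtag(self, tag):
        self.in_script = False

    def handle_data(self, data):
        if self.in_script:                     # only script bodies, not page text
            self.popups += WINDOW_OPEN.findall(data)

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def assess(page_url, html):
    """Return heuristic findings for a page fetched from page_url."""
    scan = PageScan()
    scan.feed(html)
    host = urlparse(page_url).hostname or ""
    same_host = lambda ref: urlparse(urljoin(page_url, ref)).hostname == host
    findings = ["served-from-ip-literal"] if is_ip_literal(host) else []
    offsite = [t for t in scan.refresh_targets if not same_host(t)]
    if offsite:
        findings.append("meta-refresh-to-other-host")
    if offsite and any(same_host(p) for p in scan.popups):
        findings.append("popup-from-origin-over-foreign-page")
    return findings
```

The third finding is the strongest signal: the visible page belongs to one host while the form asking for credentials is still served by another.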



