Gone Phishing

Just received a phishing mail trying to obtain my Citibank credit card number, user ID, password and ATM PIN code. While this scam was above average, I immediately spotted that it was fraudulent. I'm not a Citibank customer after all.

Let's take a look at the site the scammers set up - follow the link only if you know what you are doing! It is a FAKE/FRAUDULENT SITE.

http://221.4.199.31/citifi/

The scammers did quite a nice job impersonating the real Citibank site, but a bunch of things really don't match up: the page claims "Your information is transmitted using 128bit SSL encryption.", but I don't see any https protocol being used, nor is there a security certificate. They have cleverly "borrowed" some images from the real Citibank site though, in an attempt to make it all look more legit.

Now let's take a look at the IP address used. It belongs to the IP pool of a company called China Network Communications Group Corporation, located in Beijing, China. Do you really think Citibank uses a Chinese host to serve pages to their customers? Let's check whether the IP address is known from previous spam or scam operations. It does show up when querying spamhaus.org: it's listed in their SBL.
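As an added example (not code from the original post), here is a small Python triage script that applies the checks described above to the phishing URL: it flags the plain-http scheme, the bare IP address used as host and the brand name hiding in the path rather than the domain, and it builds the reversed-octet DNS query name used to ask the Spamhaus SBL about an address. The brand keyword list and the injectable `resolve` callback are my assumptions, added so the lookup logic can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed sample input: the URL from the phishing mail discussed above.
PHISH_URL = "http://221.4.199.31/citifi/"
# Assumed brand strings to look for; not from the original post.
BRAND_KEYWORDS = ("citi", "citibank")


def triage_url(url, brands=BRAND_KEYWORDS):
    """Return the reasons a URL looks like a phishing page.

    Mirrors the observations in the post: no HTTPS, a bare IP address
    instead of the bank's domain, and the brand name only in the path.
    """
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.scheme != "https":
        reasons.append("no TLS: scheme is %r" % parts.scheme)
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a raw IP address, not a brand domain")
    except ValueError:
        pass  # host is a name, not an IP literal
    for brand in brands:
        if brand in parts.path.lower() and brand not in host:
            reasons.append("brand %r appears in path but not in host" % brand)
            break
    return reasons


def dnsbl_query_name(ip, zone="sbl.spamhaus.org"):
    """Build the DNSBL query name: IPv4 octets reversed, then the list zone.

    For 221.4.199.31 this yields 31.199.4.221.sbl.spamhaus.org.
    """
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return "%s.%s" % (".".join(reversed(octets)), zone)


def is_dnsbl_listed(ip, zone="sbl.spamhaus.org", resolve=socket.gethostbyname):
    """True if the list answers with an address in 127.0.0.0/8 (listed).

    NXDOMAIN or any resolver error means "not listed". `resolve` is
    injectable so the logic can be tested without network access.
    """
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except OSError:
        return False
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")
```

A real lookup needs a resolver that Spamhaus accepts (large public resolvers are refused), so treat a "not listed" answer from an unknown resolver with caution.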

In fact, the range has been used before by Robert Soloway - Newport Internet Marketing, but I'm not saying that he is behind this phishing mail. It is a strange coincidence though to have a known ROKSO spam gang and a phishing group use the same address range without them being related, wouldn't you say?

Now that we know all this, let's take a closer look at the host for the site: China Network Communications Group Corporation. Spamhaus has 10 entries in relation to CNC, and of those ten entries, 3 are related to ROKSO activity. What this means in everyday language is that this host has been involved in spam-related activities at least ten times, and in three cases they were (ab)used by professional spam gangs.

It's not that hard to look up some info if you have doubts about something, and while I don't expect you to do so, the one thing you have to keep in mind is very simple: no one should ask for your password, account number, PIN code or things like that. Not by mail, not by phone and not on some website you are pointed to.

Yes, I did report the mail to the abuse center of the real Citibank corporation, even though it doesn't affect me.

About this Entry

This page contains a single entry by ServMe published on October 17, 2004 8:38 PM.
