Interesting People mailing list archives

more on Fwd: Re: Citibank Security Update/spoof


From: Dave Farber <dave () farber net>
Date: Fri, 07 May 2004 06:16:41 -0400


Delivered-To: dfarber+ () ux13 sp cs cmu edu
Date: Fri, 07 May 2004 09:30:21 +0100
From: David Price <davidp () envisional com>
Subject: Re: [IP] Citibank Security Update/spoof
To: dave () farber net

These spoofing or 'phishing' emails are now so prevalent - particularly for Citibank - that what would once have been a crisis is now becoming routine. Citibank were probably the first bank to be hit in the current wave of phishing emails, sometime near the end of last year. At the time, they did warn customers - I have a Citibank account and remember getting an email from them warning of these scam emails, and seeing warnings on their web site (which I believe are still there). My company works in this area and we pick up a phishing campaign aimed at each major UK bank probably every other day (and at organisations like eBay and PayPal multiple times each day). Some attacks are incredibly sophisticated; others very weak. It seems to have become the script kiddies' new favourite pastime. I remember when Barclays were hit by a major phishing attack and the BBC web site didn't just feature the story but *led* with it. No more - the occasional phishing campaign might crop up in the news here and there, but nothing more than that. They are now extremely common.

Banks *are* putting resources into this area, but it is difficult for them to tackle each and every phishing attack now that they are so common. It's not hard for anyone to buy a list of spam addresses from eBay or on IRC, set up a fake domain, create a convincing-looking web site, and send out the emails. Banks can only ever be reactive to these kinds of attacks. Consumer education is the best policy: let people know that you will never, ever, send out an email asking for their details, or to request that they 'verify' their account on a web site. There are technological solutions which aim to spot the phishing emails as soon as they occur, alert the banks, and get the web sites shut down (disclaimer: the company I work for provides one).

APACS (the bank clearing service in the UK) estimate that at least £1m has been lost from UK customer accounts in the last six months or so because of phishing. The phishing situation is yet another reason why people should never trust anything sent to them in an email - if you remember what you're told about suspicious email attachments which could harbour viruses, simply apply the same warning to emails from banks.

David

--------------------------------------------------------
Dr. David Price
Research Consultant
Envisional Limited
Tel: +44 1223 569700
email: davidp () envisional com
web: http://www.envisional.com
--------------------------------------------------------
The Information contained in this e-mail message is intended only for the individuals named above. If you are not the intended recipient, you should be aware that any dissemination, distribution, forwarding or other duplication of this communication is strictly prohibited. The views expressed in this e-mail are those of the individual author and not necessarily those of Envisional Limited. Prior to taking any action based upon this e-mail message you should seek appropriate confirmation of its authenticity. If you have received this e-mail in error, please notify the sender immediately.



Dave Farber wrote:


Delivered-To: dfarber+ () ux13 sp cs cmu edu
Date: Thu, 06 May 2004 14:33:47 -0700
From: Dewayne Hendricks <dewayne () warpspeed com>
Subject: [Dewayne-Net] Citibank Security Update/spoof
Sender: dewayne-net () warpspeed com
To: Dewayne-Net Technology List <dewayne-net () warpspeed com>


[Note: This item comes from reader Sally Richards. DLH]

From: "Sally Richards" <Sally () SallyRichards com>
Date: May 6, 2004 2:03:50 PM PDT
To: dewayne () warpspeed com
Subject: Citibank Security Update/spoof
Reply-To: Sally () SallyRichards com

Hi Dewayne:
Just wanted to forward this to you. I am a Citibank customer, and I received three of these in one day, which is rare because I just don't get spam, especially from my bank (they send loads of it in the post, and sell my phone number to their affiliates instead). I called Citibank and they said it was a hoax, I asked them why they hadn't sent out a notice to their customers saying that someone had done a spoof. The guy basically told me not to worry about it. I called up a reporter here in the San Diego area named John Mattes who said their emails were flooded with the same email - Citibank and non-Citibank customers. He said he called up the Citibank fraud department and they said that they were aware of it, but basically didn't feel like they had to deal with it. He said it had been going out for weeks. As a Citibank customer, who is now looking for another bank because of this spoofing issue and Citibank's lackadaisical response, I thought it might be of interest to your readers. Just in case it didn't show up, there was a "real" Citibank ad at the top of the email. It looks like the link is dead today, but it was working a few days ago and it would be interesting to know if there was any actual transferring of funds through this fraudulent spoof.
Cheers,
Sally
---------- Forwarded Message -----------
Citibank

Dear Valued Customer, - Our new security system will help you to avoid frequently fraud transactions and to keep your investments in safety. - Due to technical update we recommend you to reactivate your account. Click on the link below to login and begin using your updated Citibank account. To log into your account, please visit the online banking
http://web.da-us.citibank.com&BVP=/cgi-bin/citifi/scripts/ &M=S&US&_u=visitor
If you have questions about your online statement, please send us a Bank Mail or call us at 1-800-374-9700 We appreciate your business. It's truly our pleasure to serve you. Citibank Customer Care This email is for notification only. To contact us, please log into your account and send a Bank Mail.
------- End of Forwarded Message -------


Sally () SallyRichards com • 760.788.0575 • www.SallyllyRichards.com
http://www.bayarea.com/mld/bayarea/business/3982679.htm

Destiny is no matter of chance. It is a matter of choice. It is not a
thing to be waited for, it is a thing to be achieved.
- William Jennings Bryan (1860 - 1925)



Archives at: <http://Wireless.Com/Dewayne-Net>
Weblog at: <http://weblog.warpspeed.com>


-------------------------------------
You are subscribed as davidp () envisional com
To manage your subscription, go to
http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/



